Skip to content

feat(prd-621): per-request path, branch, and credential for the prompts repo override #633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vfarcic merged 7 commits into from
Jun 13, 2026
Merged

feat(prd-621): per-request path, branch, and credential for the prompts repo override #633

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
33e3716
feat(prd-621): per-request path, branch, and credential for prompts r…
vfarcic Jun 12, 2026
06907a8
fix(prd-621): spawn git directly for token clone; serialize prompts c…
vfarcic Jun 12, 2026
ec23ac8
docs(prd-621): mark M1-M6 complete, M7 drafted (CI-verified green)
vfarcic Jun 12, 2026
f948fee
fix(prd-621): address CodeRabbit review on PR #633
vfarcic Jun 12, 2026
83c8c76
Merge remote-tracking branch 'origin/main' into prd-621-per-request-p…
vfarcic Jun 12, 2026
9008f4f
fix(prd-621): guard single-settle in token-clone spawn handler
vfarcic Jun 13, 2026
ae64102
chore(agent-deck): release worker owns prd-done-except-merge + CI/rev…
vfarcic Jun 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 12 additions & 4 deletions .dot-agent-deck.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,16 @@ Workflow:
- After implementation lands: delegate to reviewer and auditor in parallel. Re-delegate findings you agree with to coder (implementation-side) or tester (test-side).
- For docs-only changes: delegate to documenter.
- Resolve any blocking review/audit findings before moving on.
- Final integration-test gate: before release, delegate the FULL `npm run test:integration` (no pattern, whole suite) to the tester — run once here, not per task during TDD. CLAUDE.md makes this mandatory before any work is complete, and it spins up a Kind cluster. Proceed only if it passes; on failure, re-delegate the fix to coder/tester and re-run until green.
- Before release: summarize what changed end-to-end and STOP until the user confirms. Then delegate to release.
- Final integration-test gate: the full `npm run test:integration` suite runs as the PR's CI (it spins up a Kind cluster; CLAUDE.md makes it mandatory before any work is complete). It runs once, on the PR — not per task during TDD, and not as a separate pre-PR run. The release worker watches that CI and reports the result back.
- Pre-release: summarize what changed end-to-end and STOP until the user confirms. Then delegate /prd-done to release. Release opens the PR, waits for the PR's CI and automated reviews (e.g. CodeRabbit) to settle, and reports back — it does NOT merge. Route any CI failures or review findings it reports to coder (implementation-side) or tester (test-side), then re-engage release to re-check.
- Merge: only on the user's explicit go-ahead do you re-delegate to release to finish /prd-done (merge the PR, close the issue). Never merge without that go-ahead.
Comment on lines +33 to +35

@coderabbitai coderabbitai Bot Jun 13, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Conflicting final-gate ownership between orchestrator and tester prompts

Line 33 defines PR CI as the only final full-suite gate, but the tester prompt (Line 93) still says to run the full suite when delegated the final gate. This creates ambiguous routing and can trigger duplicate long-running integration runs.

Suggested alignment patch 
- Full suite (gate only): run the entire `npm run test:integration` (no pattern) ONLY when the orchestrator delegates the final integration-test gate before release — not on every task.
+ Full suite (gate ownership): do NOT run the entire `npm run test:integration` manually as a release gate. The final full-suite gate is the PR CI run watched by the release role. During TDD, run only scoped patterns delegated by the orchestrator.
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.dot-agent-deck.toml around lines 33 - 35, The review flags a conflict where
the "Final integration-test gate" (the orchestrator-owned PR CI full-suite run)
is duplicated by the tester prompt that still instructs running the full suite;
update the tester prompt text so it no longer triggers the full `npm run
test:integration` run and instead either waits for the orchestrator's PR CI
result or runs a lightweight smoke check (or reports only), ensuring the tester
prompt references the orchestrator's final-gate ownership and explicitly defers
to the PR CI outcome; edit the tester prompt block (the prompt around Line 93)
and any mentions of "final gate" or "run the full suite" to reflect this
delegation to avoid duplicate long-running integration runs.


PRD-driven work: this project tracks active work in prds/. When the user references a PRD by number or name, paste the path (e.g. prds/581-per-request-user-prompts-repo.md) in --task to whichever worker you delegate to.

Coordination slash commands you may run yourself (do NOT delegate these):
- /prd-next, /prd-update-progress, /prds-get — progress tracking and PRD navigation
- /changelog-fragment — required before any commit with user-facing changes

The changelog fragment is created inside /prd-done (the release worker's job) — you do not run /changelog-fragment yourself.

Context handoff (CRITICAL): every worker cold-starts with no memory of prior conversation or other workers' outputs. Whatever you write in --task is the entire context they have. Therefore:
- Always include relevant file paths (the spec under prds/, the files being modified, tests to run).
Expand Down Expand Up @@ -101,5 +103,11 @@ command = "devbox run agent-medium"
description = "Runs the project's release/PR/merge workflow; never modifies code"
clear = false
prompt_template = """
Your job is to run the project's release flow using the project's slash commands: /prd-done (branch + PR + merge + issue close), and /changelog-fragment (when a fragment is missing). Do NOT modify source code. If any step fails, report the exact error and stop — do not attempt to diagnose or fix the failure yourself. If the task is missing context (PR title, target branch, release notes path), report that via work-done rather than improvising.
Your job is to run /prd-done to complete the PRD workflow (branch, push, PR, merge, close issue). Do NOT modify source code, and do NOT delegate to other roles.

If any step fails (failing CI, merge conflict, or a CHANGES_REQUESTED review state), report the exact error and stop — do not diagnose or fix it; the orchestrator will re-delegate to coder/tester.

After opening the PR, WAIT for all PR processes to finish — CI / GitHub Actions and automated reviews (e.g. CodeRabbit; fall back to `gh` if its MCP is unauthenticated) — then report back: the PR URL, per-check CI conclusions (for any failure, the job/test name + a `gh run view <id> --log-failed` excerpt and a real-regression-vs-flake read; you MAY re-run one clearly-transient job once), and a categorised summary of automated-review findings (severity, file:line, one-line description). Route any decision about findings back through the orchestrator, never the end-user.

Once the PR is open, CI is green, and reviews have settled, STOP — do NOT merge. Report back via work-done with the PR URL so the orchestrator can pause for user review. Only merge the PR and close the issue when the orchestrator re-delegates with an explicit instruction to continue.
"""
9 changes: 9 additions & 0 deletions changelog.d/621.feature.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
## Per-Request Path, Branch, and Credential for the Prompts Repo Override

The per-request prompts-repo override now carries a subdirectory, a branch, and a credential, so a secondary skills source no longer has to live at the repository root on `main` behind the server's single git token. Previously the override (`?repo=`) cloned only the repository root of the default branch using the server's `DOT_AI_GIT_TOKEN`, which left repositories that keep skills under a `skills/`-style subdirectory, on a non-default branch, or in a different authentication realm unusable as a source.

`GET /api/v1/prompts` and `POST /api/v1/prompts/:name` now accept `?path=` and `?branch=` query parameters, and `POST /api/v1/prompts/refresh` accepts `path` and `branch` body fields, so the override can target a subdirectory on any branch. A new `X-Dot-AI-Git-Token` request header authenticates the override clone against its own host and takes precedence over the server's `DOT_AI_GIT_TOKEN` for that request only — letting you pull from a private repository in a separate auth realm without reconfiguring the server. The forwarded token is scoped to the source host (never forwarded across a redirect), never written to logs, error messages, the `source` field, or the cache key, and token-bearing requests are cloned in isolation so a private source is never served from or into the shared cache.

All three additions are optional and additive: omit `path` for the repository root, omit `branch` for `main`, and omit the header to use the server's environment credential. A request that sends none of them behaves identically to before, so existing deployments see no change.

See the [Prompts REST API reference](https://devopstoolkit.ai/docs/mcp/ai-engine/api/rest-api) and the [multi-source skills override guide](https://devopstoolkit.ai/docs/mcp/ai-engine/tools/prompts) for parameters, defaults, and precedence.
Loading
Loading