fix(ci): bump-sha PR backfill + deploy secrets + gitignore Claude artifacts

[YiWang24]

Summary

Three CI/infra fixes bundled together:

• fix(deploy): pass image-digest + ssh/kubeconfig secrets to staging and production deploy jobs so the deploy step can actually authenticate and target the right image.
• chore(gitignore): ignore Claude Code per-developer runtime artifacts (.claude/worktrees/, .claude/scheduled_tasks.lock, .claude/agents/, .claude/projects/, .claude/todos/) so they stop leaking into commits. Also adds the harness parity plan doc at docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md.
• fix(bump-sha): harden on-main-bump-sha.yml after a silent failure where the workflow pushed chore/bump-self-sha-89792333 but never opened a PR. Root cause: gh pr create --label "chore" failed because no chore label exists, and 2>/dev/null || true swallowed the error.

bump-sha workflow changes

• Drop the non-existent chore label and the error-swallowing redirect
• set -euo pipefail on the run block
• git checkout -B + git push --force-with-lease so re-runs are idempotent
• Before opening the new PR: close older chore/bump-self-sha-* PRs (with --delete-branch and a "Superseded by" comment) and sweep orphan bump branches that never got a PR
• gh pr create itself is now idempotent: skip if a PR already exists for the head branch

Related

• PR chore(manifest): bump YiAgent/OpenCI SHA to 89792333 #85 was filed manually as the backfill for the bump that this workflow run missed.
• Orphan branch chore/bump-self-sha-cd1b4273 was deleted from origin.

Test plan

• CI green on this PR
• After merge, next push to main triggers on-main-bump-sha and either no-ops (SHA already current) or opens a fresh PR with all older chore/bump-self-sha-* PRs closed and their branches deleted
• Re-running the workflow on the same commit is idempotent (no duplicate PRs, no push errors)
• .claude/ runtime artifacts no longer show up in git status for new contributors
• Staging + production deploys can resolve image-digest and authenticate via ssh/kubeconfig secrets

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

Summary by CodeRabbit

• Chores

  • Improved deploy workflow to accept explicit image digests, pass concrete references, and forward additional staging/production secrets.
  • Hardened automated bump process for safer branch/PR handling and reruns.
  • Renamed and cleaned up several reusable workflows and adjusted release concurrency rules.
  • Updated CI permissions for security-event write access.

• Documentation

  • Added plan for upstream parameter parity in the harness.

• Tests

  • Relaxed shellcheck for specific workflow integrity tests.

[qodo-code-review]

ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d185e848-0817-4222-86c1-3dd8e0765741

📥 Commits

Reviewing files that changed from the base of the PR and between 98a55b6 and 3b756a4.

📒 Files selected for processing (6)

• .github/workflows/ci-self-test.yml
• .github/workflows/on-main-bump-sha.yml
• .github/workflows/reusable-agent.yml
• .github/workflows/reusable-deps.yml
• .github/workflows/reusable-release.yml
• tests/actions/workflow-integrity.bats

---

📝 Walkthrough

Walkthrough

Adds dispatch inputs and secrets plumbing to the deploy workflow for image-digest/stage safety gates; hardens the on-main bump-sha workflow to force-replace branches, force-with-lease push, close/cleanup superseded PRs, and reuse existing PRs; renames and trims reusable workflows; small CI permission change, .gitignore entries, docs, and test linter comments.

Changes

Deploy Workflow Input & Secrets Plumbing

Layer / File(s)	Summary
Input Declaration .github/workflows/deploy.yml	Added workflow_dispatch inputs: image-digest, stg-image-digest, stg-deploy-time (strings, default empty).
Staging Reusable Integration .github/workflows/deploy.yml	stg reusable invocation now forwards image-digest (fallback to vars.LAST_CI_IMAGE_DIGEST) and secrets kubeconfig-stg, ssh-key-stg.
Production Reusable Integration .github/workflows/deploy.yml	prd reusable invocation now forwards image-digest, stg-image-digest, stg-deploy-time (with vars.LAST_* fallbacks) and secrets kubeconfig-prd, ssh-key-prd.

SHA Bump Workflow Hardening

Layer / File(s)	Summary
Shell/Branch/Push Hardening .github/workflows/on-main-bump-sha.yml	Commit step runs with set -euo pipefail, uses git checkout -B to recreate branch, and pushes with git push --force-with-lease.
PR Lifecycle Management .github/workflows/on-main-bump-sha.yml	Added logic to close older auto-bump PRs whose head matches chore/bump-self-sha-* (and delete their branches), prune orphan remote branches, and reuse an existing open PR for the current head instead of unconditionally creating one. Step name updated to reflect supersession behavior.

Reusable Workflow Metadata Changes

Layer / File(s)	Summary
Name changes .github/workflows/reusable-agent.yml, .github/workflows/reusable-deps.yml	Top-level name changed: claude-harness → reusable-agent; dep-auto-merge → reusable-deps.
Concurrency removal .github/workflows/reusable-release.yml	Removed workflow-level concurrency block and added comments explaining callers should own concurrency.

CI Permissions

Layer / File(s)	Summary
Permissions update .github/workflows/ci-self-test.yml	Added security-events: write to workflow-level permissions (keeping contents: read).

Tests / Linting Adjustments

Layer / File(s)	Summary
ShellCheck disables in tests tests/actions/workflow-integrity.bats	Inserted # shellcheck disable=SC2013 comments before three for ... in $(...) loops to allow intentional word-splitting.

Developer Environment Ignore

Layer / File(s)	Summary
.gitignore additions .gitignore	Added ignore patterns for Claude Code runtime artifacts: .claude/worktrees/, .claude/scheduled_tasks.lock, .claude/agents/, .claude/projects/, .claude/todos/.

Parameter Parity Planning Documentation

Layer / File(s)	Summary
Plan doc docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md	New two-phase plan to expose additional anthropics/claude-code-action@v1 inputs via the harness with optional defaults; Phase 1 (pass-throughs and env plumbing), Phase 2 (additional YAML pass-throughs), file map, verification, and skipped-parameter rationale.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• YiAgent/OpenCI#36: Modifies deploy reusable invocations; related to image-digest and stg/prd wiring.
• YiAgent/OpenCI#86: Overlaps on deploy.yml and on-main-bump-sha.yml edits (dispatch inputs and bump-sha handling).
• YiAgent/OpenCI#35: Related changes to deploy reusable workflow references and input/secret forwarding.

Poem

🐰 In branches we hop and in digests we trust,

Superseding old PRs, pruning the dust.
Secrets tucked safe in each staged deploy,
Linted loops and docs bring harnessing joy—
A rabbit's small cheer for workflows robust.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the three main changes: deploy workflow fixes (bump-sha PR backfill + deploy secrets) and gitignore additions for Claude artifacts, matching the changeset content.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/deploy-critical-issues

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

OpenCI issue agent executed:

• escalate: needs-human

Reasoning:
Agent output did not contain a parseable action plan.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (2)

docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md (2)

379-379: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace hardcoded absolute path (duplicate issue).

Same portability issue: the path /Users/wy/projects/yiagent/OpenCI should be replaced with a relative reference or repository root variable.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` at line
379, Replace the hardcoded absolute path used in the shell command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable reference (e.g., a
repository-root variable, environment variable like $REPO_ROOT, or a relative
path) so the script works across machines; locate the literal "cd
/Users/wy/projects/yiagent/OpenCI" in the file and update it to use the chosen
repo-root symbol or a relative path and ensure any callers export or resolve
that variable before this command runs.

---

201-201: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace hardcoded absolute path (duplicate issue).

Same portability issue as Task 1: use a relative path or repository root placeholder instead of /Users/wy/projects/yiagent/OpenCI.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` at line
201, Replace the hardcoded absolute cd command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable alternative: use a relative
path (e.g., "cd ./OpenCI" or "cd ../OpenCI" depending on context) or a
repository-root placeholder/lookup (e.g., "${REPO_ROOT}" or computing root via
"git rev-parse --show-toplevel") so the script is not tied to a single
developer's home directory; update the line in
docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md to use the
chosen portable form and ensure any surrounding instructions reflect that
change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy.yml:
- Around line 97-103: Update the input fallback and pre-checks so PRD digest
validation can't be bypassed: add vars.LAST_CI_IMAGE_DIGEST to the fallback
chain for the image-digest input (so image-digest uses inputs.image-digest ||
vars.LAST_RELEASE_IMAGE_DIGEST || vars.LAST_CI_IMAGE_DIGEST || ''), and then add
a non-empty validation step before invoking the prd path (or before calling
verify-version-align) that fails the workflow if any of image-digest,
stg-image-digest, or stg-deploy-time resolve to an empty string; ensure the
check references the inputs/vars names (image-digest, stg-image-digest,
stg-deploy-time, vars.LAST_RELEASE_IMAGE_DIGEST, vars.LAST_STG_IMAGE_DIGEST,
vars.LAST_CI_IMAGE_DIGEST) and prevents running verify-version-align/prd when
any are empty.

In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md`:
- Line 410: Replace the hard-coded branch name "claude/objective-galileo-742e23"
used in the git push command with a reusable placeholder (e.g.,
`<feature-branch>`) or an environment variable token (e.g., `${BRANCH_NAME}`) so
the plan is reusable; update the line `git push -u origin
claude/objective-galileo-742e23` to use the chosen placeholder/token throughout
the document wherever that branch name appears.
- Line 68: Replace the hardcoded absolute path command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable alternative—use a relative
path or a placeholder variable such as cd "${REPO_ROOT}" (and add a note to set
REPO_ROOT) or simply cd . to use the current repository root; update the line
that contains the "cd /Users/wy/projects/yiagent/OpenCI" command accordingly so
the plan is portable across machines.
- Around line 400-402: The grep command in the snippet uses an invalid option
`--exclude-path`; update the invocation that searches for the pattern
"classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch"
to either use grep's `--exclude-dir` to skip the "claude-harness" directory or
replace the pipeline with a find + grep approach to exclude paths (e.g., use
find to select "*.yml" files and filter out "*/claude-harness/*" before running
grep), ensuring the final behavior still echoes "No callers use new inputs —
backward compat confirmed" when nothing is found.

---

Duplicate comments:
In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md`:
- Line 379: Replace the hardcoded absolute path used in the shell command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable reference (e.g., a
repository-root variable, environment variable like $REPO_ROOT, or a relative
path) so the script works across machines; locate the literal "cd
/Users/wy/projects/yiagent/OpenCI" in the file and update it to use the chosen
repo-root symbol or a relative path and ensure any callers export or resolve
that variable before this command runs.
- Line 201: Replace the hardcoded absolute cd command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable alternative: use a relative
path (e.g., "cd ./OpenCI" or "cd ../OpenCI" depending on context) or a
repository-root placeholder/lookup (e.g., "${REPO_ROOT}" or computing root via
"git rev-parse --show-toplevel") so the script is not tied to a single
developer's home directory; update the line in
docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md to use the
chosen portable form and ensure any surrounding instructions reflect that
change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d57e23e7-f985-4407-a6d2-9196af9d48b5

📥 Commits

Reviewing files that changed from the base of the PR and between 4415cb2 and 98a55b6.

📒 Files selected for processing (4)

• .github/workflows/deploy.yml
• .github/workflows/on-main-bump-sha.yml
• .gitignore
• docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify which workflows write/read the digest variables and whether LAST_RELEASE_IMAGE_DIGEST is guaranteed.
set -euo pipefail

echo "== Writers/readers of digest/time vars =="
rg -n -C2 'LAST_(CI|RELEASE|STG)_(IMAGE_DIGEST|DEPLOY_TIME)' .github/workflows

echo
echo "== Any explicit variable writes/updates in workflows =="
rg -n -C3 '(gh variable set|LAST_RELEASE_IMAGE_DIGEST|LAST_CI_IMAGE_DIGEST|LAST_STG_IMAGE_DIGEST|LAST_STG_DEPLOY_TIME)' .github/workflows

Repository: YiAgent/OpenCI

Length of output: 4708

---

🏁 Script executed:

cat -n .github/workflows/deploy.yml | sed -n '75,120p'

Repository: YiAgent/OpenCI

Length of output: 3088

---

🏁 Script executed:

# Check the reusable-prd.yml for input validation
fd -name 'reusable-prd.yml' .github/workflows && cat -n .github/workflows/reusable-prd.yml | head -80

echo
echo "== Looking for gh variable set commands =="
rg -n 'gh variable set' .github/workflows

Repository: YiAgent/OpenCI

Length of output: 351

---

🏁 Script executed:

# Find reusable-prd.yml
fd 'reusable-prd' .github/

echo
echo "== Check for variable writes (broader search) =="
rg 'LAST_RELEASE_IMAGE_DIGEST|LAST_STG_IMAGE_DIGEST|LAST_STG_DEPLOY_TIME' --type yaml

echo
echo "== Check for gh command usage anywhere =="
rg 'gh ' --type yaml | head -20

Repository: YiAgent/OpenCI

Length of output: 2311

---

🏁 Script executed:

cat -n .github/workflows/reusable-prd.yml | head -150

Repository: YiAgent/OpenCI

Length of output: 5696

---

🏁 Script executed:

cat -n .github/workflows/reusable-prd.yml | sed -n '150,300p'

Repository: YiAgent/OpenCI

Length of output: 7139

---

🏁 Script executed:

fd 'pre-check' .openci/actions 2>/dev/null || find . -name 'pre-check' -type d 2>/dev/null | head -5

Repository: YiAgent/OpenCI

Length of output: 82

---

🏁 Script executed:

cat -n ./actions/prd/pre-check/action.yml

Repository: YiAgent/OpenCI

Length of output: 4041

---

🏁 Script executed:

cat -n ./actions/prd/observe-window/action.yml
echo
echo "=== verify-version-align ==="
cat -n ./actions/prd/verify-version-align/action.yml

Repository: YiAgent/OpenCI

Length of output: 2854

---

🏁 Script executed:

cat -n ./actions/prd/observe-window/check.sh

Repository: YiAgent/OpenCI

Length of output: 2210

---

🏁 Script executed:

# Check if there are any other places where these vars are written/set
rg 'LAST_RELEASE_IMAGE_DIGEST|LAST_CI_IMAGE_DIGEST' --type bash

Repository: YiAgent/OpenCI

Length of output: 87

---

🏁 Script executed:

rg 'LAST_RELEASE_IMAGE_DIGEST|LAST_CI_IMAGE_DIGEST' -t sh

Repository: YiAgent/OpenCI

Length of output: 40

---

🏁 Script executed:

rg 'LAST_RELEASE_IMAGE_DIGEST|LAST_CI_IMAGE_DIGEST|LAST_STG' --type yaml --type json

Repository: YiAgent/OpenCI

Length of output: 40

---

Add non-empty validation for PRD digest inputs; harmonize fallback chain with STG.

Lines 101-103: The image-digest and stg-image-digest inputs can resolve to empty strings (if LAST_RELEASE_IMAGE_DIGEST and LAST_STG_IMAGE_DIGEST are unset), which silently bypass digest validation in verify-version-align since equal empty strings pass the equality check. Additionally, image-digest at line 101 lacks the vars.LAST_CI_IMAGE_DIGEST fallback that the STG deployment uses at line 68, reducing resilience when LAST_RELEASE_IMAGE_DIGEST is unavailable.

Add the missing fallback to line 101 and validate all three inputs are non-empty before running prd:

Suggested hardening diff

   prd:
     if: >-
       (github.event_name == 'workflow_run'
         && github.event.workflow_run.name == 'release'
         && github.event.workflow_run.conclusion == 'success')
-      || (github.event_name == 'workflow_dispatch' && inputs.mode == 'prd')
+      || (github.event_name == 'workflow_dispatch' && inputs.mode == 'prd')
+      && ((inputs.image-digest     || vars.LAST_RELEASE_IMAGE_DIGEST || vars.LAST_CI_IMAGE_DIGEST || '') != '')
+      && ((inputs.stg-image-digest || vars.LAST_STG_IMAGE_DIGEST     || '') != '')
+      && ((inputs.stg-deploy-time  || vars.LAST_STG_DEPLOY_TIME      || '') != '')
     uses: YiAgent/OpenCI/.github/workflows/reusable-prd.yml@cd1b427370ebacb56cc9c0b418d6d8985c9be539
     with:
       app-name:            ${{ vars.APP_NAME || github.event.repository.name }}
       image-name:          ${{ vars.IMAGE_NAME || github.event.repository.name }}
       # The 3 prd-specific safety-gate inputs MUST be set or the
       # observation-window check is skipped silently. Source order:
       #   1. workflow_dispatch input (manual override)
       #   2. vars.* recorded by the upstream stg deploy on success
-      image-digest:        ${{ inputs.image-digest     || vars.LAST_RELEASE_IMAGE_DIGEST || '' }}
+      image-digest:        ${{ inputs.image-digest     || vars.LAST_RELEASE_IMAGE_DIGEST || vars.LAST_CI_IMAGE_DIGEST || '' }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 97 - 103, Update the input
fallback and pre-checks so PRD digest validation can't be bypassed: add
vars.LAST_CI_IMAGE_DIGEST to the fallback chain for the image-digest input (so
image-digest uses inputs.image-digest || vars.LAST_RELEASE_IMAGE_DIGEST ||
vars.LAST_CI_IMAGE_DIGEST || ''), and then add a non-empty validation step
before invoking the prd path (or before calling verify-version-align) that fails
the workflow if any of image-digest, stg-image-digest, or stg-deploy-time
resolve to an empty string; ensure the check references the inputs/vars names
(image-digest, stg-image-digest, stg-deploy-time,
vars.LAST_RELEASE_IMAGE_DIGEST, vars.LAST_STG_IMAGE_DIGEST,
vars.LAST_CI_IMAGE_DIGEST) and prevents running verify-version-align/prd when
any are empty.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace hardcoded absolute path with relative path or placeholder.

The absolute path /Users/wy/projects/yiagent/OpenCI is machine-specific and reduces the portability of this plan. Use a relative path or a placeholder like cd "${REPO_ROOT}" with a note to set the variable appropriately.

📝 Suggested fix

-cd /Users/wy/projects/yiagent/OpenCI
+cd "${REPO_ROOT:-$(git rev-parse --show-toplevel)}"
 python3 -c "import yaml; yaml.safe_load(open('actions/_common/claude-harness/action.yml'))" && echo "YAML OK"

Or simply:

-cd /Users/wy/projects/yiagent/OpenCI
+# Run from repository root
 python3 -c "import yaml; yaml.safe_load(open('actions/_common/claude-harness/action.yml'))" && echo "YAML OK"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	cd /Users/wy/projects/yiagent/OpenCI
	cd "${REPO_ROOT:-$(git rev-parse --show-toplevel)}"
	python3 -c "import yaml; yaml.safe_load(open('actions/_common/claude-harness/action.yml'))" && echo "YAML OK"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` at line 68,
Replace the hardcoded absolute path command "cd
/Users/wy/projects/yiagent/OpenCI" with a portable alternative—use a relative
path or a placeholder variable such as cd "${REPO_ROOT}" (and add a note to set
REPO_ROOT) or simply cd . to use the current repository root; update the line
that contains the "cd /Users/wy/projects/yiagent/OpenCI" command accordingly so
the plan is portable across machines.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix invalid grep option.

The --exclude-path option is not valid for grep. Use --exclude-dir to skip directories, or restructure the command to filter results differently.

🔧 Suggested fix

-grep -r "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" \
-  /Users/wy/projects/yiagent/OpenCI/actions --include="*.yml" \
-  --exclude-path="*/claude-harness/*" | grep -v "^Binary" || echo "No callers use new inputs — backward compat confirmed"
+grep -r "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" \
+  actions --include="*.yml" \
+  --exclude-dir="claude-harness" | grep -v "^Binary" || echo "No callers use new inputs — backward compat confirmed"

Or use find with grep for more control:

find actions -name "*.yml" -not -path "*/claude-harness/*" -exec grep -H "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" {} + || echo "No callers use new inputs — backward compat confirmed"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	grep -r "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" \
	/Users/wy/projects/yiagent/OpenCI/actions --include="*.yml" \
	--exclude-path="*/claude-harness/*" | grep -v "^Binary" || echo "No callers use new inputs — backward compat confirmed"
	grep -r "classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch" \
	actions --include="*.yml" \
	--exclude-dir="claude-harness" | grep -v "^Binary" || echo "No callers use new inputs — backward compat confirmed"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` around
lines 400 - 402, The grep command in the snippet uses an invalid option
`--exclude-path`; update the invocation that searches for the pattern
"classify.inline\|include.fix\|extra.permissions\|session.timeout\|plugins\|commit.signing\|bot.id\|bot.name\|base.branch"
to either use grep's `--exclude-dir` to skip the "claude-harness" directory or
replace the pipeline with a find + grep approach to exclude paths (e.g., use
find to select "*.yml" files and filter out "*/claude-harness/*" before running
grep), ensuring the final behavior still echoes "No callers use new inputs —
backward compat confirmed" when nothing is found.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use a placeholder for the branch name.

The branch name claude/objective-galileo-742e23 appears to be specific to a particular implementation run. For a reusable plan document, use a placeholder like <feature-branch> or an environment variable like ${BRANCH_NAME}.

📝 Suggested improvement

-git push -u origin claude/objective-galileo-742e23
+# Replace <feature-branch> with your actual branch name
+git push -u origin <feature-branch>

Or:

-git push -u origin claude/objective-galileo-742e23
+git push -u origin "$(git branch --show-current)"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/superpowers/plans/2026-05-02-claude-harness-param-parity.md` at line
410, Replace the hard-coded branch name "claude/objective-galileo-742e23" used
in the git push command with a reusable placeholder (e.g., `<feature-branch>`)
or an environment variable token (e.g., `${BRANCH_NAME}`) so the plan is
reusable; update the line `git push -u origin claude/objective-galileo-742e23`
to use the chosen placeholder/token throughout the document wherever that branch
name appears.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

OpenCI issue agent executed:

• escalate: needs-human

Reasoning:
Agent output did not contain a parseable action plan.