feat(enrichment): changed-line coverage-delta analyzer (#1516

[dale053]

Summary

Adds a coverageDelta analyzer to REES (#1516) that surfaces added/changed PR lines not covered by the project's own CI test suite, without requiring a repo checkout.

• Fetches recent successful GitHub Actions workflow runs for the PR's head SHA, finds the first artifact whose name matches a coverage-related pattern (coverage, lcov, cov-report, etc.), downloads its ZIP, and parses the first recognised coverage file inside it.
• Supports three formats: lcov (lcov.info / *.lcov), Istanbul/NYC JSON (coverage-final.json), and Cobertura XML (coverage.xml / cobertura.xml).
• ZIP extraction uses only Node.js built-in zlib.inflateRawSync (no new dependencies); the central-directory reader supports stored (method 0) and DEFLATE (method 8) entries.
• Cobertura XML is parsed line-by-line to avoid [\s\S]*? ReDoS patterns on attacker-influenced input.
• Fail-safe throughout: any network error, non-ok response, or unparseable artifact returns [] without throwing.
• Caps: 5 MB artifact ZIP, 2 MB per uncompressed file, 5 runs to search, 15 files reported, 20 uncovered lines per file.
• Findings are rendered in the promptSection as a ### Changed lines not covered by tests block.

Resolves #1516.

Scope

• The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
• This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
• This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
• I linked an issue, or this is small enough that the summary explains why an issue is not needed.

Validation

• git diff --check
• npm run actionlint
• npm run typecheck
• npm run test:coverage locally; codecov/patch requires ≥97% coverage of the lines AND branches you changed (aim for 98%+ on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.
• npm run test:workers
• npm run build:mcp
• npm run test:mcp-pack
• npm run ui:openapi:check
• npm run ui:lint
• npm run ui:typecheck
• npm run ui:build
• npm audit --audit-level=moderate
• New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

• test:workers — no Cloudflare Worker bindings touched; REES is a standalone Node.js service.

Safety

• No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
• Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
• Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests.
• API/OpenAPI/MCP behavior is updated and tested where needed.
• UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks.
• Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.
• Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

No visible UI changes — REES is a backend enrichment service; output appears only in the review engine's prompt section.

Notes

• Path matching handles workspace-prefixed absolute paths (e.g. /home/runner/work/repo/repo/src/foo.ts matches PR file src/foo.ts) via a suffix check in pathMatches.
• The makeStoredZip test helper builds a minimal valid ZIP (stored compression, central directory + EOCD) entirely from Buffer.alloc/writeUInt* — no fixture files needed. toArrayBuffer slices the Buffer into a standalone ArrayBuffer to avoid Node.js pool byteOffset issues when passing to Buffer.from(arrayBuffer).

[superagent-security]

P2: ZIP decompression bomb risk: inflateRawSync lacks output size limit

A compromised CI artifact with a high-ratio DEFLATE bomb can exhaust memory before the 2 MB cap is checked.

Pass maxOutputLength: MAX_COVERAGE_BYTES to inflateRawSync so decompression aborts early.

AI prompt

Check if this security scanner issue is valid. If so, understand the root cause and fix it. If appropriate, update or add tests. Keep the change focused and preserve intended behavior.

<file name="review-enrichment/src/analyzers/coverage-delta.ts">
<violation number="1" location="review-enrichment/src/analyzers/coverage-delta.ts:184">
<priority>P2</priority>
<title>ZIP decompression bomb risk: inflateRawSync lacks output size limit</title>
<evidence>`readZipEntries` calls `inflateRawSync(compData)` at line 184 without passing a `maxOutputLength` option, then checks `data.length &gt; MAX_COVERAGE_BYTES` only after the full buffer has been decompressed into memory. A compromised or attacker-influenced CI artifact with a high-ratio DEFLATE bomb could exhaust memory or crash the Node.js process before the size cap is enforced.</evidence>
<recommendation>Pass `maxOutputLength: MAX_COVERAGE_BYTES` to `inflateRawSync` so decompression aborts early if the output exceeds the 2 MB cap. Alternatively, use a streaming inflater and abort once the cap is reached.</recommendation>
</violation>
</file>

[gittensory-orb]

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review — held for maintainer review

5 files · 1 AI reviewer · no blockers · readiness 55/100 · CI green · dirty

⏸️ Held for maintainer review — Large change — held for manual review

Signal	Result	Evidence
Code review	✅ No blockers	1 reviewer
Linked issue	✅ Linked	#1516
Related work	⚠️ 3 scoped overlaps	Top overlaps are listed below; lower-confidence bulk is hidden.
Review load	❌ 8/20	Readiness component derived from cached public PR metadata and labels; size label size:L.
Validation evidence	❌ 5/25	Cached preflight status is hold.
Open PR queue	❌ 3/10	16 open PR(s), 12 likely reviewable, 4 unlinked.
Contributor context	✅ Confirmed Gittensor contributor	dale053; Gittensor profile; 43 PR(s), 20 issue(s).
Gate result	⚠️ Not blocking	Advisory; not blocking this PR.

Nits — 2 non-blocking

• Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
• Large change — held for manual review — Split this into smaller, focused PRs, or a maintainer reviews and merges it manually.

Review context

• Author: dale053
• Role context: outside_contributor
• Public audience mode: oss maintainer
• Lane context: Repository registration is not available in the local Gittensory cache.
• Public profile languages: not available
• Official Gittensor activity: 43 PR(s), 20 issue(s).
• Related work: Items reference the same linked issue feat(enrichment): Changed-line coverage-delta #1516. (issue #1516)
• Related work: Open PR work references issue feat(enrichment): Changed-line coverage-delta #1516. (issue #1516)
• Related work: Titles/paths share 5 meaningful terms. (PR #1704)
• Additional title-only matches omitted; title-only overlap does not block.

Contributor next steps

• Review top overlaps.
• Add scope summary.
• Fix blocker.
• Expect slower review.
• Refresh registry data or choose a registered active repo.
• Check active issues and PRs before submitting.

Signal definitions

• Related work = same linked issue, overlapping active PRs, or title/path similarity.
• Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
• Open PR queue = repo-wide review pressure; it is not a PR quality failure.
• Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

_{🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed}

---

💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

• Re-run Gittensory review

[JSONbored]

Similar to the last review I left, there are 4 merge conflicts due to previous analyzer merges - please resubmit after fixing..

This branch has conflicts that must be resolved
Use the [web editor](https://github.com/JSONbored/gittensory/pull/1637/conflicts) or the command line to resolve conflicts before continuing.

review-enrichment/src/brief.ts
review-enrichment/src/render.ts
review-enrichment/src/types.ts
review-enrichment/test/enrichment.test.ts