Skip to content

fix(review): framework-aware false-positive guards for injection/constructor claims (#337)#396

Merged
devops-thiago merged 4 commits into
release/v0.5.0from
claude/github-issue-337-6bf89c
Jul 17, 2026
Merged

fix(review): framework-aware false-positive guards for injection/constructor claims (#337)#396
devops-thiago merged 4 commits into
release/v0.5.0from
claude/github-issue-337-6bf89c

Conversation

@devops-thiago

Copy link
Copy Markdown
Owner

Summary

  • Adds a deterministic FrameworkFalsePositiveFilter (review/) that drops "missing no-arg/default constructor" findings when the flagged file's own diff shows a constructor annotated @Inject (CDI/Quarkus/Jakarta, bare or fully qualified) or @Autowired (Spring) — constructor injection needs no no-arg constructor, so the diff refutes the claim outright. Conservative in the same direction as FindingQuoteValidator: deleted lines never count as evidence, other files' hunks can't refute, and when the constructor sits outside the diff window the finding passes through unchanged.
  • Wires the filter into both FindingPipeline paths (single-call refine and per-batch processBatch), right after quote validation, with the summary recounted on drop.
  • Adds the CDI constructor-injection fact to the reviewer prompt (PrReviewPrompts.SYSTEM confidence-calibration section) and as a rejection rule in FindingVerifierPrompts.SYSTEM, plus a new "Framework facts" section in .github/thrillhousebot.md.

Reproduces the #270 dogfood shape: the bot posted MEDIUM — missing no-arg CDI constructor on PrSummaryGenerator despite a valid @Inject constructor. That exact shape is the primary test fixture and is now suppressed deterministically, with the prompt guardrails preventing the claim upstream.

Issue

Fixes #337

Test plan

  • FrameworkFalsePositiveFilterTest (20 tests): drops the fix(review): v0.3.0 final-review — unreadable CI first-class + CiStatusEvaluator cleanup + glob-filter perf #270-class claim on an @Inject constructor-only bean (annotation above, inline, and with interleaved annotations; claim in title or description); keeps the finding when there is no @Inject constructor, when @Inject is on a field, when the annotated constructor was deleted, when the evidence is in another file, on constructor invocations (new X(...)), on non-Java/missing file paths, and on unrelated findings; recounts the summary when dropping.
  • FindingPipelineTest/ReviewOrchestratorTest updated for the new pipeline dependency.
  • ./mvnw verify passes locally (1608 tests, SpotBugs, JaCoCo gate); new class at 99% instruction coverage with the one previously-missed line now covered.

🤖 Generated with Claude Code

…tor claims (#337)

The model recurrently flags "missing no-arg/default constructor" on CDI beans
whose constructor is annotated @Inject — a Quarkus/Jakarta false positive (seen
on PR #270). Add a deterministic FrameworkFalsePositiveFilter that drops such a
finding when the flagged file's own diff shows an injection-annotated
(@Inject/@Autowired) constructor, wired into both FindingPipeline paths right
after quote validation. Also add the CDI constructor-injection fact to the
reviewer and verifier prompts and to .github/thrillhousebot.md.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@thrillhousebot

Copy link
Copy Markdown

🤖 ThrillhouseBot PR Summary

What this PR does

Adds FrameworkFalsePositiveFilter that drops AI findings about missing no-arg constructors when the diff shows an @Inject or @Autowired constructor, and updates prompts to prevent such claims upstream. Wires the filter into both pipeline paths.

Control-Flow Diagram

🔀 Show diagram
flowchart TD
    A["ReviewResponse (raw AI output)"]
    B["quoteValidator.validate()"]
    C["frameworkFilter.filter() (new)"]
    D["deduplicator.dedupe()"]
    E["findingVerificationService.verify()"]
    F["Final findings"]
    A --> B
    B --> C
    C --> D
    D --> E
    E --> F
Loading

Changes Overview

  • Files changed: 8
  • Lines added: +473
  • Lines removed: 0

Changed Files

File Change Summary
.github/thrillhousebot.md Modified Documents CDI constructor-injection as a framework fact the bot must not contradict.
src/main/java/dev/thiagogonzaga/thrillhousebot/review/FindingPipeline.java Modified Injects FrameworkFalsePositiveFilter after quote validation in both refine() and processBatch().
src/main/java/dev/thiagogonzaga/thrillhousebot/review/FrameworkFalsePositiveFilter.java Added New filter that drops missing-no-arg-constructor findings when an injection-annotated constructor appears in the diff.
src/main/java/dev/thiagogonzaga/thrillhousebot/review/ai/FindingVerifierPrompts.java Modified Adds rejection rule for findings that conflict with the injected constructor pattern.
src/main/java/dev/thiagogonzaga/thrillhousebot/review/ai/PrReviewPrompts.java Modified Adds calibration rule to never report missing no-arg constructor on @Inject/@Autowired beans.
src/test/java/dev/thiagogonzaga/thrillhousebot/review/FindingPipelineTest.java Modified Adds FrameworkFalsePositiveFilter mock to pipeline constructor tests.
src/test/java/dev/thiagogonzaga/thrillhousebot/review/FrameworkFalsePositiveFilterTest.java Added 20 tests covering the filter's drop conditions, kept findings, edge cases, and summary recount.
src/test/java/dev/thiagogonzaga/thrillhousebot/review/ReviewOrchestratorTest.java Modified Adds real FrameworkFalsePositiveFilter to the orchestrator test setup.

Risk Assessment

Risk Count
🔴 Critical 0
🟠 High 0
🟡 Medium 0
🔵 Low 0

No new issues found in this PR, but the review cannot be approved until required CI is confirmed green.

⚠️ Required CI Checks Status

Some required checks are still pending or have failed:

Check Type Status Detail
format missing ⏳ Pending -
test missing ⏳ Pending -
frontend missing ⏳ Pending -
trivy missing ⏳ Pending -
dependency-review missing ⏳ Pending -

Automated review by ThrillhouseBot. Reply with /review to re-run.

@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

devops-thiago and others added 3 commits July 15, 2026 15:33
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ize keep-tests

Splits the no-arg-constructor claim pattern into simple token patterns with a
proximity pairing (S5843), extracts the annotation lookahead into a helper
(S3776), and merges the similar keep-the-finding tests into one parameterized
test (S5976). Adds a token-proximity negative case for full branch coverage.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

@devops-thiago
devops-thiago changed the base branch from main to release/v0.5.0 July 17, 2026 16:21
@devops-thiago
devops-thiago merged commit d7f5e3d into release/v0.5.0 Jul 17, 2026
16 checks passed
@devops-thiago
devops-thiago deleted the claude/github-issue-337-6bf89c branch July 17, 2026 16:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(review): framework-aware false-positive guards for injection/constructor claims

1 participant