gitea-codex/TODO.md
Space-Banane 7b63ecd536
Massive Improvements & MVP Patches
2026-05-22 21:27:48 +02:00


TODO

Open Items By Priority

P0 (Critical)

  • BUG: True isolated runner flow: clone/fetch/checkout PR branch inside the ephemeral container itself, not on host before prompt generation.
  • BUG: Remove the host-side fallback path for review execution, or gate it behind an explicit ALLOW_HOST_FALLBACK setting that defaults to false, so isolation cannot be bypassed silently.
  • BUG: Enforce .codex-review.yml enabled=false at runtime (currently loaded but not enforced).
  • BUG: Enforce .codex-review.yml fix policy (commands.allow_fix) for @codex fix (currently only global ENABLE_FIX_COMMANDS is checked).
  • BUG: Add stuck-job recovery for running jobs (lease timeout + requeue/fail) so one crashed worker does not deadlock the queue.
  • BUG: Validate required secrets/settings are non-empty at startup (GITEA_WEBHOOK_SECRET, GITEA_TOKEN, ALLOWED_REPOS) and fail fast if blank.
  • TEST: Add integration test proving the runner executes the exact PR head SHA in isolated mode and does not rely on host checkout.

P1 (Important)

  • FEATURE: Full control UI to update the bot's settings. Login page protected by a password set in an env variable. No more env variables.
  • FEATURE: Automatic trigger on new PRs and/or new commits on PRs, with context that it's a change that needs review, not the whole PR again. GITEA_ALLOW_PR_AUTO_REVIEW=true would be needed.
  • BUG: Container runner hardcodes codex exec --json -m gpt-5; use OPENAI_REVIEW_MODEL and OPENAI_REASONING_EFFORT consistently across runner paths.
  • BUG: Preserve command arguments losslessly (quoted args are currently flattened by " ".join(...) + .split() roundtrip).
  • BUG: parse_command only matches when @codex is at the start of the comment; support inline command usage in normal review-discussion comments.
  • BUG: Add max comment length handling/chunking before posting to Gitea to avoid failures on large review outputs.
  • FEATURE: Add retries/backoff for codex exec bootstrap (npm install -g @openai/codex) to reduce transient network/setup failures.
  • FEATURE: WEBHOOK_MODE is currently informational only; add runtime validation/check endpoint that confirms expected webhook scope (repo or global) is actually configured in Gitea by host admin.
  • TEST: Add end-to-end test path against live Gitea + MariaDB + docker runner (webhook -> queue -> runner -> PR comment update).
  • FEATURE: Add the bot's username as a possible command prefix, e.g. "@bot-name review" in addition to "@codex review", for better UX discoverability.
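
The argument-flattening bug listed above (the " ".join(...) + .split() roundtrip), shown next to two lossless alternatives. This is an added example, not code from the gitea-codex repository; the function names, the sample comment text and its flags are assumptions made for illustration.

```python
import json
import shlex

# Constructed sample: the text following "@codex" in a PR comment.
# The flags are hypothetical, not options of the project.
SAMPLE_TAIL = "fix --only \"src/my file.py\" --note 'keep  two spaces' ''"


def parse_args(tail):
    """Tokenise with shell-style quoting; reject unbalanced quotes."""
    try:
        return shlex.split(tail, posix=True)
    except ValueError as exc:  # e.g. "No closing quotation"
        raise ValueError(f"unparseable command arguments: {exc}") from exc


def flatten_roundtrip(args):
    """The lossy pattern from the TODO item: join on spaces, then split."""
    return " ".join(args).split()


def shlex_roundtrip(args):
    """Lossless when the queue column must stay a single string."""
    return shlex.split(shlex.join(args))


def json_roundtrip(args):
    """Lossless and quoting-free: store the argument list as a JSON array."""
    return json.loads(json.dumps(args))


if __name__ == "__main__":
    args = parse_args(SAMPLE_TAIL)
    print("parsed:   ", args)
    # Quoted path is split in two, inner spacing and the empty arg vanish.
    print("flattened:", flatten_roundtrip(args))
    print("shlex:    ", shlex_roundtrip(args))
    print("json:     ", json_roundtrip(args))
```

With shell-style tokenising, a comment containing a lone apostrophe (such as "don't") raises ValueError, so the caller has to decide whether to reject the command or fall back to treating the rest of the line as one argument.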

P2 (Nice to Have)

  • FEATURE: Add a note line generated by the reviewer at the end of comments to show model tokens used and such.
  • FEATURE: Small static page, styled with the Tailwind CDN, for any HTTP endpoint that just shows what this is, in case this gets discovered by some random lad. Routes other than "/" should return a 404 and, if a browser accessed it, again a Tailwind-CDN-themed 404 page. Both should be nicely designed and minimalistic.
  • FEATURE: Apply .codex-review.yml review.default_mode when @codex review is issued without explicit mode.
  • FEATURE: Add per-repo command policy in .codex-review.yml for enabling/disabling review, fix, explain, and rerun independently.
  • TEST: Add structured log redaction tests to ensure PAT/keys never appear in logs/comments.
  • TEST: Stabilize pytest temp/cache paths on locked-down hosts (configure workspace-local basetemp and cache path) to avoid PermissionError in test setup.
  • DOCS: Add explicit env docs for reverse-proxy deployment (BASE_PUBLIC_URL, trusted headers).

P3 (Backlog)

  • FEATURE: Add queue metrics and traces (queued/running age, success/failure counters, fallback usage) for operations visibility.
  • FEATURE: Add superseded-job cancellation for same PR/head to avoid running obsolete queued jobs.
  • FEATURE: Add @codex status command to report latest job state/run ID for a PR.
  • TEST: Add property/fuzz tests for command parsing and webhook payload edge cases.