From 2a3539350be0d31dcb950866d697db01e89dfd6f Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Tue, 21 Apr 2026 08:20:41 +0000
Subject: [PATCH 1/6] AI-review (#6)

Co-authored-by: gitea_admin <admin@forteapps.net>
Reviewed-on: https://git.forteapps.net/Forte/launchpad/pulls/6
Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
---
 .gitea/workflows/ai-review.yaml | 44 +++++++++++++++++++
 .gitmodules                     |  3 ++
 docs/REFERENCE.md               | 78 +++++++++++++++++++++++++++++++++
 3 files changed, 125 insertions(+)
 create mode 100644 .gitea/workflows/ai-review.yaml
 create mode 100644 .gitmodules

diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml
new file mode 100644
index 0000000..daa1cd7
--- /dev/null
+++ b/.gitea/workflows/ai-review.yaml
@@ -0,0 +1,44 @@
+name: AI Code Review
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+
+jobs:
+  ai-review:
+    runs-on: ubuntu-latest
+
+    env:
+      AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml
+      # VCS configuration
+      VCS__PROVIDER: GITEA
+      VCS__PIPELINE__OWNER: ${{ github.repository_owner }}
+      VCS__PIPELINE__REPO: ${{ github.event.repository.name }}
+      VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }}
+      VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1
+      VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }}
+      # Review — disable fallback to see real Gitea API errors
+      REVIEW__INLINE_COMMENT_FALLBACK: "false"
+      # LLM configuration
+      LLM__PROVIDER: CLAUDE
+      LLM__META__MODEL: claude-sonnet-4-20250514
+      LLM__META__MAX_TOKENS: "4096"
+      LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com
+      LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        submodules: true
+        fetch-depth: 0
+
+    - name: Run inline review
+      uses: docker://nikitafilonov/ai-review:latest
+      with:
+        args: ai-review run-inline
+
+    - name: Run summary review
+      uses: docker://nikitafilonov/ai-review:latest
+      with:
+        args: ai-review run-summary
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..2e05419
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "shared-prompts"]
+	path = shared-prompts
+	url = https://git.forteapps.net/Forte/ai-review-prompts.git
diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index 5ba17aa..4cf4d0a 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -876,6 +876,84 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 
+### AI Code Review (ai-review)
+
+**Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
+**Trigger**: `pull_request` events (`opened`, `synchronize`)
+**Runner**: `ubuntu-latest` (container: `nikitafilonov/ai-review:latest`)
+
+**Purpose**: Automated AI-powered code review on pull requests using Claude (Anthropic). Posts inline comments on changed lines and a PR summary comment highlighting infrastructure impact.
+
+**Architecture**:
+- Uses [xai-review](https://github.com/nicktechnologies/xai-review) Docker image
+- Shared configuration and prompts live in the `shared-prompts` Git submodule (→ `Forte/ai-review-prompts`)
+- Review mode: `ONLY_ADDED_WITH_CONTEXT` — reviews only new/changed lines plus surrounding context (token-efficient)
+- Agent mode: disabled (one-shot review, no multi-turn reasoning)
+- LLM: Claude Sonnet (`claude-sonnet-4-20250514`)
+
+**Shared Prompts Structure** (submodule: `Forte/ai-review-prompts`):
+```
+shared-prompts/
+  base/
+    security.md          # org-wide security rules (all profiles)
+  iac/
+    .ai-review.yaml      # IaC/GitOps profile config
+    inline.md            # inline review prompt
+    summary.md           # PR summary prompt
+  # future profiles: backend/, frontend/, etc.
+```
+
+**Configuration** (`shared-prompts/iac/.ai-review.yaml`):
+```yaml
+llm:
+  provider: CLAUDE
+  model: claude-sonnet-4-20250514
+vcs:
+  provider: GITEA
+review:
+  mode: ONLY_ADDED_WITH_CONTEXT
+agent:
+  enabled: false
+prompt:
+  inline_prompt_files:            # concatenated in order
+    - ./shared-prompts/base/security.md
+    - ./shared-prompts/iac/inline.md
+  summary_prompt_files:
+    - ./shared-prompts/iac/summary.md
+ignore:
+  - "*.sealed.yaml"
+  - "*.lock"
+  - "docs/**"
+```
+
+**Custom Prompts** (IaC profile):
+- `shared-prompts/base/security.md` — org-wide security rules, concatenated before every inline review prompt
+- `shared-prompts/iac/inline.md` — IaC-specific inline review (YAML, Helm, K8s manifests, shell scripts), max 7 comments
+- `shared-prompts/iac/summary.md` — PR summary: affected services/namespaces, infrastructure impact, security flags
+
+**Prompt composition**: ai-review does not support Jinja includes. Instead, list multiple files under `inline_prompt_files` / `summary_prompt_files` — they are concatenated in order with double newlines.
+
+**Adding a new profile**: Create a new directory (e.g., `backend/`) with its own `.ai-review.yaml`, `inline.md`, and `summary.md`. The `inline_prompt_files` list should include `base/security.md` first, then the profile-specific prompt. Reference it in the consuming repo's workflow: `AI_REVIEW_CONFIG_FILE_YAML=./shared-prompts/backend/.ai-review.yaml`
+
+**Required Secrets** (configure in Gitea repo or org settings):
+
+| Secret | Purpose |
+|--------|---------|
+| `ANTHROPIC_API_KEY` | Claude API key (from Anthropic console) |
+| `AI_REVIEW_TOKEN` | Gitea API token with `write:repository` + `read:repository` scopes (use a bot/service account) |
+
+**Setup Steps**:
+1. Create a Gitea bot/service account and generate an API token with `write:repository` + `read:repository` scopes
+2. Add `AI_REVIEW_TOKEN` secret in Gitea repo settings → Actions → Secrets
+3. Add `ANTHROPIC_API_KEY` secret with your Anthropic API key
+4. Ensure the `shared-prompts` submodule is initialized (`git submodule update --init`)
+5. Push the workflow file — it triggers automatically on PR creation/update
+
+**Verification**:
+- Open a PR with infrastructure changes → workflow runs → inline comments + summary appear
+- Check Gitea Actions tab for workflow run status and logs
+- Monitor Anthropic usage dashboard for token consumption
+
 ### Keycloak Client Registrar
 
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)

From d2596568f282aa000f69d9a1439bace41d575b86 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Tue, 21 Apr 2026 15:17:52 +0200
Subject: [PATCH 2/6] version tag

---
 .gitea/workflows/ai-review.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml
index daa1cd7..f224df4 100644
--- a/.gitea/workflows/ai-review.yaml
+++ b/.gitea/workflows/ai-review.yaml
@@ -34,11 +34,11 @@ jobs:
         fetch-depth: 0
 
     - name: Run inline review
-      uses: docker://nikitafilonov/ai-review:latest
+      uses: docker://nikitafilonov/ai-review:v0.64.0
       with:
         args: ai-review run-inline
 
     - name: Run summary review
-      uses: docker://nikitafilonov/ai-review:latest
+      uses: docker://nikitafilonov/ai-review:v0.64.0
       with:
         args: ai-review run-summary

From 3bf9fa783742ba31bde1deb4bb020cf11edba4df Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Wed, 22 Apr 2026 08:48:05 +0200
Subject: [PATCH 3/6] pr label

---
 .gitea/workflows/ai-review.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml
index f224df4..602a592 100644
--- a/.gitea/workflows/ai-review.yaml
+++ b/.gitea/workflows/ai-review.yaml
@@ -2,10 +2,11 @@ name: AI Code Review
 
 on:
   pull_request:
-    types: [ opened, synchronize, reopened ]
+    types: [ labeled ]
 
 jobs:
   ai-review:
+    if: contains(toJSON(gitea.event.changes.added_labels), 'ai-review')
     runs-on: ubuntu-latest
 
     env:

From d7c7242aa1bdd9e61b25c4b43cddfd4e7feeebcd Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Wed, 22 Apr 2026 09:10:38 +0200
Subject: [PATCH 4/6] submodule

---
 shared-prompts | 1 +
 1 file changed, 1 insertion(+)
 create mode 160000 shared-prompts

diff --git a/shared-prompts b/shared-prompts
new file mode 160000
index 0000000..4ec0c92
--- /dev/null
+++ b/shared-prompts
@@ -0,0 +1 @@
+Subproject commit 4ec0c926c7b33553409c4024dfdfb379686c5437

From d05a16840e837fad318006915db5b35db3811f79 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Wed, 22 Apr 2026 09:11:40 +0200
Subject: [PATCH 5/6] pr trigger

---
 .gitea/workflows/ai-review.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml
index 602a592..808bb33 100644
--- a/.gitea/workflows/ai-review.yaml
+++ b/.gitea/workflows/ai-review.yaml
@@ -2,11 +2,12 @@ name: AI Code Review
 
 on:
   pull_request:
-    types: [ labeled ]
+    types: [ labeled, synchronize ]
 
 jobs:
   ai-review:
-    if: contains(toJSON(gitea.event.changes.added_labels), 'ai-review')
+    if: >-
+      (github.event.action == 'synchronized' && contains(toJSON(github.event.pull_request.labels), 'ai-review')) || contains(toJSON(gitea.event.changes.added_labels), 'ai-review')
     runs-on: ubuntu-latest
 
     env:

From c88938adb56c6c3c17f1ec20ba2a329e84142146 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Wed, 22 Apr 2026 09:30:02 +0000
Subject: [PATCH 6/6] feature/ai-review (#7)

Co-authored-by: gitea_admin <admin@forteapps.net>
Reviewed-on: https://git.forteapps.net/Forte/launchpad/pulls/7
Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
---
 docs/REFERENCE.md                   | 2 ++
 infra/values/base/gitea-values.yaml | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index 4cf4d0a..0ba2013 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -819,6 +819,8 @@ postgresql:
 
 **Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables.
 
+**Auto-Watch**: Disabled (`AUTO_WATCH_ON_CHANGES: false`, `AUTO_WATCH_NEW_REPOS: false`). Prevents contributors from being auto-subscribed to repo notifications on push, reducing email noise from CI bots (e.g., ai-review PR comments). Users who were already watching before this change need to manually unwatch or switch to "Only participating".
+
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
 - SSH: port 22 (ClusterIP)
diff --git a/infra/values/base/gitea-values.yaml b/infra/values/base/gitea-values.yaml
index e34f256..2153b89 100644
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -29,7 +29,10 @@ gitea:
       ALLOW_ONLY_EXTERNAL_REGISTRATION: true
       ENABLE_BASIC_AUTHENTICATION: true
       ENABLE_PASSWORD_SIGNIN_FORM: false
-      ENABLE_NOTIFY_MAIL: true
+      AUTO_WATCH_ON_CHANGES: false
+      AUTO_WATCH_NEW_REPOS: false
+      ENABLE_NOTIFY_MAIL: false
+      ENABLE_TIMETRACKING: false
 
     openid:
       ENABLE_OPENID_SIGNIN: false