Summary
Two improvements surfaced from external-repo validation (crewAI, gpt-researcher, and 8 OSS baseline repos):
- Code review bug-finding mode — the code review module produces no bug-finding signal on repos that don't use icontract. MISSING_ICONTRACT floods warnings on external repos, CrossHair runs but its 2s timeout is too tight to find counterexamples, and no security/bug semgrep rules exist.
- Sidecar venv self-scan bug — the sidecar installs dependencies into .specfact/venv, then the framework extractors scan the full repo tree including that venv. gpt-researcher reported 25,947 routes (real: 19).
Change
OpenSpec change: openspec/changes/code-review-bug-finding-and-sidecar-venv-fix/
Scope
packages/specfact-code-review — --bug-hunt flag, CrossHair timeout params, MISSING_ICONTRACT auto-suppression, bugs.yaml semgrep pass
packages/specfact-codebase — exclude .specfact/ from all sidecar framework extractor scan paths
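To show the scan-path fix in isolation, here is an added example (not specfact's own code) that prunes the sidecar's .specfact/ directory from a framework extractor's walk and counts route decorators with and without that exclusion. The route regex, the fixture layout and the extra venv directory names are assumptions for illustration.

```python
"""Added example: prune the sidecar install directory from extractor scan paths."""
import os
import re
import tempfile
from pathlib import Path
from typing import FrozenSet, Iterator, Tuple

# ".specfact" is the sidecar venv location from the issue; the other names are
# common dependency/venv directories (assumption) that never belong to the repo.
DEFAULT_EXCLUDED_DIRS: FrozenSet[str] = frozenset(
    {".specfact", ".venv", "venv", "site-packages", ".git"}
)

# Constructed, simplified matcher for FastAPI/Flask-style route decorators.
ROUTE_DECORATOR = re.compile(r"^\s*@\w+\.(?:get|post|put|patch|delete|route)\(", re.M)


def iter_scan_paths(root: Path, excluded: FrozenSet[str] = DEFAULT_EXCLUDED_DIRS) -> Iterator[Path]:
    """Yield .py files under root; excluded dirs are pruned in place so os.walk
    never descends into them (a venv with thousands of files is never opened)."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in excluded]
        for name in filenames:
            if name.endswith(".py"):
                yield Path(dirpath) / name


def count_routes(root: Path, excluded: FrozenSet[str] = DEFAULT_EXCLUDED_DIRS) -> int:
    """Count route decorators across the (pruned) scan paths."""
    total = 0
    for path in iter_scan_paths(root, excluded):
        total += len(ROUTE_DECORATOR.findall(path.read_text(encoding="utf-8", errors="replace")))
    return total


def build_sample_repo(root: Path) -> None:
    """Constructed fixture: a 2-route app plus a sidecar venv shipping 50 decorators."""
    app = root / "app" / "main.py"
    app.parent.mkdir(parents=True)
    app.write_text("@app.get('/')\ndef index(): ...\n@app.post('/items')\ndef create(): ...\n")
    dep = root / ".specfact" / "venv" / "lib" / "site-packages" / "somelib" / "routes.py"
    dep.parent.mkdir(parents=True)
    dep.write_text("".join(f"@router.get('/dep{i}')\ndef h{i}(): ...\n" for i in range(50)))


def demo() -> Tuple[int, int]:
    """Return (routes with .specfact pruned, routes with no pruning)."""
    root = Path(tempfile.mkdtemp())
    build_sample_repo(root)
    return count_routes(root), count_routes(root, frozenset())
```

With pruning the fixture reports its real 2 routes; without it the sidecar venv inflates the count to 52, the same failure mode as the 25,947-route gpt-researcher report.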
Capabilities
- New: code-review-bug-finding, sidecar-route-extraction
- Modified: contract-runner, review-run-command
Parent Feature
Part of #175 — [Feature] Code Review External Repo Quality and Bug Finding