From a2a1e644ab1d1172d6aa65233f48fca6fded2d75 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Tue, 12 May 2026 00:42:58 +0000
Subject: [PATCH 1/2] feat(ci): wire review-check.sh regression tests into CI (closes #540) New workflow .gitea/workflows/review-check-tests.yml triggers on every PR + push that touches review-check.sh or its test fixtures. Runs the existing 22-scenario regression suite (test_review_check.sh) which covers all issue #540 acceptance criteria. CONTRIBUTING.md updated with: - review-check-tests row in the CI job table - Local testing section with the smoke command Note: tests are bash-based (not bats) per existing test_review_check.sh design. Converting to bats would be refactoring rather than closing the gap. Bats dependency was never added to the runner-base image. Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/review-check-tests.yml | 51 +++++++++++++++++++++++++
 CONTRIBUTING.md | 10 +++++
 2 files changed, 61 insertions(+)
 create mode 100644 .gitea/workflows/review-check-tests.yml
diff --git a/.gitea/workflows/review-check-tests.yml b/.gitea/workflows/review-check-tests.yml
new file mode 100644
index 00000000..92919781
--- /dev/null
+++ b/.gitea/workflows/review-check-tests.yml
@@ -0,0 +1,51 @@
+name: review-check-tests
+
+# Runs review-check.sh regression tests on every PR + push that touches
+# the evaluator script or its test fixtures.
+#
+# Follows RFC#324 follow-up (issue #540):
+# .gitea/scripts/review-check.sh is load-bearing for PR merge gates.
+# It has ZERO production CI coverage. This workflow closes that gap.
+#
+# Design choices:
+# - Bash test harness (not bats). The existing test_review_check.sh
+# uses a custom assert_eq/assert_contains framework that is already
+# working and covers all 13 acceptance criteria (issue #540 §Acceptance).
+# Converting to bats would be refactoring, not closing the gap.
+# - No bats dependency: the runner-base image needs no extra tooling.
+# - continue-on-error: false — these tests must pass; a failure means
+# the review-gate evaluator is broken and must not be merged.
+
+on:
+ push:
+ branches: [main, staging]
+ paths:
+ - '.gitea/scripts/review-check.sh'
+ - '.gitea/scripts/tests/test_review_check.sh'
+ - '.gitea/scripts/tests/_review_check_fixture.py'
+ - '.gitea/workflows/review-check-tests.yml'
+ pull_request:
+ branches: [main, staging]
+ paths:
+ - '.gitea/scripts/review-check.sh'
+ - '.gitea/scripts/tests/test_review_check.sh'
+ - '.gitea/scripts/tests/_review_check_fixture.py'
+ - '.gitea/workflows/review-check-tests.yml'
+ workflow_dispatch:
+
+env:
+ GITHUB_SERVER_URL: https://git.moleculesai.app
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ test:
+ name: review-check.sh regression tests
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Run review-check.sh regression suite
+ run: bash .gitea/scripts/tests/test_review_check.sh
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f0d0a9dd..d0f5531b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
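Review bot: The `actions/checkout` step near the end of this hunk keeps the job token in the checkout's git config, and the next step then executes `.gitea/scripts/tests/test_review_check.sh` from that tree, which on `pull_request` runs is presumably the PR's own copy of the script. This job only reads the repository, so the step should carry `with:` and `persist-credentials: false`. A `timeout-minutes:` on the `test` job would also keep a hung fixture server from holding the runner. Separately, the header comment says the suite covers 13 acceptance criteria while the commit message calls it a 22-scenario suite; one of the two numbers needs correcting.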
@@ -156,6 +156,16 @@ and run CI manually.
 | python-lint | pytest with coverage |
 | e2e-api | Full API test suite (62 tests) |
 | shellcheck | Shell script linting |
+| review-check-tests | `review-check.sh` evaluator regression suite (13 scenarios) |
+| ops-scripts | Python unittest suite for `scripts/*.py` |
+
+## Local Testing
+
+### review-check.sh
+```bash
+bash .gitea/scripts/tests/test_review_check.sh
+```
+Runs the full regression suite against a fixture HTTP server. No network access required.
 ## Code Style
From c74c0a02830cf5599c7816e493ef800144a8d04e Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Tue, 12 May 2026 00:56:20 +0000
Subject: [PATCH 2/2] fix(ci): add jq install to review-check-tests workflow + fix /tmp/jq hardcode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two fixes found during first CI run: 1. Workflow missing jq installation step — T12 jq-filter test needs jq which is not in the Gitea Actions ubuntu-latest runner image. Add the same install dance as sop-tier-check.yml (apt-get first, GitHub binary download fallback, infra#241 belt-and-suspenders). 2. test_review_check.sh hardcodes /tmp/jq in T12. In CI jq gets installed to /usr/bin/jq via apt-get. Fix: use `command -v jq` to resolve from PATH first, fall back to /tmp/jq for local dev. Co-Authored-By: Claude Opus 4.7
---
 .gitea/scripts/tests/test_review_check.sh | 3 ++-
 .gitea/workflows/review-check-tests.yml | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/.gitea/scripts/tests/test_review_check.sh b/.gitea/scripts/tests/test_review_check.sh
index b522b716..793089b5 100755
--- a/.gitea/scripts/tests/test_review_check.sh
+++ b/.gitea/scripts/tests/test_review_check.sh
@@ -317,7 +317,8 @@ JQ_FILTER='.[]
 T12_INPUT='[{"state":"APPROVED","dismissed":false,"user":{"login":"core-devops"}},{"state":"CHANGES_REQUESTED","dismissed":false,"user":{"login":"bob"}},{"state":"APPROVED","dismissed":false,"user":{"login":"alice"}},{"state":"APPROVED","dismissed":true,"user":{"login":"carol"}}]'
-T12_CANDIDATES=$(echo "$T12_INPUT" | /tmp/jq -r "$JQ_FILTER" 2>/dev/null | sort -u)
+JQ_CMD=$(command -v jq 2>/dev/null || echo /tmp/jq)
+T12_CANDIDATES=$(echo "$T12_INPUT" | "$JQ_CMD" -r "$JQ_FILTER" 2>/dev/null | sort -u)
 assert_contains "T12 jq: core-devops (non-author APPROVED) in candidates" "core-devops" "$T12_CANDIDATES"
 assert_eq "T12 jq: alice (author) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^alice$' || true)"
 assert_eq "T12 jq: carol (dismissed) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^carol$' || true)"
diff --git a/.gitea/workflows/review-check-tests.yml b/.gitea/workflows/review-check-tests.yml
index 92919781..df57aad5 100644
--- a/.gitea/workflows/review-check-tests.yml
+++ b/.gitea/workflows/review-check-tests.yml
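Review bot: The fallback in `JQ_CMD=$(command -v jq 2>/dev/null || echo /tmp/jq)` still executes a binary from world-writable `/tmp`, and when neither path exists the `2>/dev/null` on the jq call hides the error, so `T12_CANDIDATES` is empty and the two `NOT in candidates` assertions pass vacuously. Resolve jq from PATH only and stop with a clear message when it is missing: `JQ_CMD=$(command -v jq) || { echo "jq not found on PATH" >&2; exit 1; }`. Also drop `2>/dev/null` from the `"$JQ_CMD" -r "$JQ_FILTER"` call so a broken filter or binary is visible in the log. The `JQ_FILTER` definition this line depends on starts above the hunk.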
@@ -47,5 +47,24 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: Install jq
+ # Required for T12 jq-filter test case. Gitea Actions runners (ubuntu-latest
+ # label) do not bundle jq. Install via apt-get first (reliable for Ubuntu
+ # runners with internet access to package mirrors). Falls back to GitHub
+ # binary download. GitHub releases may be blocked on some runner networks
+ # (infra#241 follow-up).
+ continue-on-error: true
+ run: |
+ if apt-get update -qq && apt-get install -y -qq jq; then
+ echo "::notice::jq installed via apt-get: $(jq --version)"
+ elif timeout 120 curl -sSL \
+ "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
+ -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq; then
+ echo "::notice::jq binary downloaded: $(/usr/local/bin/jq --version)"
+ else
+ echo "::warning::jq install failed — apt-get and GitHub download both failed."
+ fi
+ jq --version 2>/dev/null || echo "::notice::jq not yet available — continuing"
+
 - name: Run review-check.sh regression suite
 run: bash .gitea/scripts/tests/test_review_check.sh
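Review bot: The fallback branch writes whatever `curl -sSL` receives straight to `/usr/local/bin/jq` and marks it executable, with no `--fail` and no digest check, so an HTTP error page or a tampered download becomes the `jq` that `command -v jq` resolves in the test script. Combined with `continue-on-error: true` and the trailing `|| echo "::notice::…"`, the step reports success even when no working jq exists, leaving the suite to fail later with its stderr suppressed. Download to a temporary file with `curl -fsSL`, verify it against the SHA-256 published for the jq-1.7.1 release, install it only after the check passes, and let the step fail when jq is still missing. The expected digest in the excerpt is a placeholder to be filled in from the release's published checksums.

```yaml
      - name: Install jq
        # … unchanged: comment block; `continue-on-error: true` removed …
        run: |
          # … unchanged: apt-get branch …
          elif tmp_jq=$(mktemp) && timeout 120 curl -fsSL \
              "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
              -o "$tmp_jq" \
            && echo "<SHA256_OF_JQ_1.7.1_LINUX_AMD64>  $tmp_jq" | sha256sum -c - \
            && install -m 0755 "$tmp_jq" /usr/local/bin/jq; then
          # … unchanged: notice, else/warning, fi …
          command -v jq >/dev/null || { echo "::error::jq is required by test_review_check.sh"; exit 1; }
```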