feat(web): configure Codecov and Vitest coverage

[yacosta738]

This PR configures Codecov and Vitest coverage for the web apps in Corvus.

Key changes:

• Enabled Vitest coverage using the v8 provider in clients/web/apps/chat and clients/web/apps/dashboard.
• Added test:coverage scripts to the respective package.json files.
• Added `@vitest/coverage-v8` to the pnpm catalog in `clients/web/pnpm-workspace.yaml`.
• Configured Codecov flags (`web`, `rust`, `kotlin`) in `.github/codecov.yml` to better categorize coverage reports.
• Added a `testCoverageAllWebApps` task to `clients/web/build.gradle.kts` for aggregate coverage runs.
• Updated the GitHub Actions `pull-request-check.yml` workflow to run web coverage tests and upload the resulting `lcov.info` files to Codecov.

---

PR created automatically by Jules for task 9099908332132229006 started by @yacosta738

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds Vitest v8 coverage support for web apps: new test:coverage npm scripts and Vitest coverage config, per-app Gradle Exec tasks plus aggregate testCoverageAllWebApps, CI workflow changes to run/collect web coverage and upload Codecov flags, and minor docs/diagram additions. No runtime API changes.

Changes

Cohort / File(s)	Summary
Docs / Journal .agents/journal/scribe-journal.md	Added "Codecov Web Configuration" subsection documenting the web coverage changes.
Codecov & CI .github/codecov.yml, .github/workflows/pull-request-check.yml	Added web coverage flag mapping; CI now runs testCoverageAllWebApps and uploads separate Codecov artifacts for kotlin/rust and web with appropriate flags and directories.
Web apps — Chat clients/web/apps/chat/package.json, clients/web/apps/chat/vite.config.ts	Added test:coverage script, added @vitest/coverage-v8 devDependency, moved tailwind-merge to dependencies, and enabled Vitest v8 coverage reporters (text/json/html/lcov).
Web apps — Dashboard clients/web/apps/dashboard/package.json, clients/web/apps/dashboard/vite.config.ts	Added test:coverage script, added @vitest/coverage-v8 devDependency, and enabled Vitest v8 coverage reporters.
Build & Workspace clients/web/build.gradle.kts, clients/web/pnpm-workspace.yaml	Registered @vitest/coverage-v8 in the pnpm catalog; added per-app Exec tasks to run pnpm run test:coverage (guarded by onlyIf) and aggregate testCoverageAllWebApps task.
Docs / Site clients/web/apps/docs/.../diagrams/.../system-containers.puml, clients/web/apps/docs/.../gpg-setup.md	Added C4 container diagrams (EN/ES) and a GPG setup guide (EN/ES) to docs.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant App as "Web App (chat/dashboard)"
  participant PNPM as "pnpm / Node"
  participant Gradle as "Gradle (clients/web)"
  participant CI as "CI Workflow"
  participant Codecov as "Codecov"

  App->>PNPM: `pnpm run test:coverage` (per-app Exec task)
  PNPM-->>App: produce coverage artefacts (lcov.info, html, json)
  Gradle->>PNPM: invoke per-app Exec tasks (from build.gradle.kts)
  Gradle-->>CI: aggregate `testCoverageAllWebApps` completes
  CI->>Gradle: run `testCodeCoverageReport` and `testCoverageAllWebApps`
  CI->>Codecov: upload kotlin/rust coverage (coverage.xml) with flags `rust,kotlin`
  CI->>Codecov: upload web coverage (lcov.info from apps/*/coverage) with flag `web`
  Codecov-->>CI: acknowledge uploads

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: add basic chat UI with vue.js #24 — Related Vitest/testing configuration changes for web apps that this PR extends with coverage scripts and CI uploads.
• feat: plugin store #62 — Changes adding/registering new web apps and build logic that may interact with the per-app Gradle tasks introduced here.
• docs(agent-runtime): document providers and cleanup obsolete guides #134 — Touches the same docs/diagram files (overlapping additions/deletions) and may conflict with the new docs added.

Suggested labels

area:web, area:ci, area:gradle

Suggested reviewers

• yuniel-acosta

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	PR description covers the purpose, key changes, and includes related task references. However, the template requires specific sections (Related Issues, Tested Information, Breaking Changes, Checklist) which are not present.	Add the missing template sections (Related Issues, Tested Information, Breaking Changes, Checklist) to ensure consistency with repository standards and provide testing details.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows Conventional Commits style with 'feat' prefix and clear scope 'web', accurately describing the main changes around Codecov and Vitest coverage configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/web-codecov-config-9099908332132229006

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying corvus with    Cloudflare Pages

Latest commit:	5d3bb62
Status:	✅  Deploy successful!
Preview URL:	https://0cbf8f35.corvus-42x.pages.dev
Branch Preview URL:	https://feat-web-codecov-config-9099.corvus-42x.pages.dev

View logs

[github-actions]

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric	Description	Value	Threshold	Status
PR Merge Rate	PRs merged vs closed	88%	>= 30%	✅
Repo Quality	Repos with ≥100 stars	0	>= 0	✅
Positive Reactions	Positive reactions received	9	>= 1	✅
Negative Reactions	Negative reactions received	0	<= 5	✅
Account Age	GitHub account age	3049 days	>= 30 days	✅
Activity Consistency	Regular activity over time	108%	>= 0%	✅
Issue Engagement	Issues with community engagement	0	>= 0	✅
Code Reviews	Code reviews given to others	383	>= 0	✅
Merger Diversity	Unique maintainers who merged PRs	2	>= 0	✅
Repo History Merge Rate	Merge rate in this repo	91%	>= 0%	✅
Repo History Min PRs	Previous PRs in this repo	102	>= 0	✅
Profile Completeness	Profile richness (bio, followers)	90	>= 0	✅
Suspicious Patterns	Spam-like activity detection	1	N/A	❌

---

_{Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-03-04 to 2026-03-04}

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/journal/scribe-journal.md:
- Line 105: Update the journal heading string "## Codecov Web Configuration
(2025-03-04)" to use the correct year "2026" so it reads "## Codecov Web
Configuration (2026-03-04)"; locate and edit that exact heading text in
.agents/journal/scribe-journal.md (the heading line containing "Codecov Web
Configuration") and change the year from 2025 to 2026.

In @.github/workflows/pull-request-check.yml:
- Around line 101-102: The workflow upload step is currently setting a universal
"flags" value for all artifacts (the flags key) while also listing multiple
artifact globs in the files entry, which forces all flags on every file; either
remove the flags key so Codecov uses your path-based mappings in
.github/codecov.yml, or split this single upload into two targeted upload steps:
one step uploading the Gradle coverage XML glob with the appropriate
Kotlin/Gradle flag, and a separate step uploading the web lcov glob with the web
flag, ensuring each step sets only the correct flags for its files.

In `@clients/web/build.gradle.kts`:
- Line 158: Remove the blanket isIgnoreExitValue = true setting that masks
failing tests; instead detect whether the module defines a coverage/test task
(e.g., presence of the "test" or "test:coverage" task) and only register or
execute the coverage task for those modules, or conditionally set
isIgnoreExitValue for genuinely missing-test modules; update the logic around
the test/coverage task registration in build.gradle.kts so failing tests surface
as failures unless the module explicitly opts out or lacks tests.
- Around line 151-153: The local unused binding appTestCoverage is causing a
Detekt UnusedPrivateProperty error; remove the unused val by registering the
task without assigning it to a local variable (i.e., call
tasks.register<Exec>("${appName}TestCoverage") { ... } without the preceding val
appTestCoverage =) or, if you intend to keep a reference, use the reference
elsewhere — but the simplest fix is to delete the unused appTestCoverage
declaration and just register the task inline.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0cf6baa9-1a07-45f4-b40c-9b7b54aa8cc2

📥 Commits

Reviewing files that changed from the base of the PR and between 3d09cd0 and e51fef7.

⛔ Files ignored due to path filters (1)

• clients/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (9)

• .agents/journal/scribe-journal.md
• .github/codecov.yml
• .github/workflows/pull-request-check.yml
• clients/web/apps/chat/package.json
• clients/web/apps/chat/vite.config.ts
• clients/web/apps/dashboard/package.json
• clients/web/apps/dashboard/vite.config.ts
• clients/web/build.gradle.kts
• clients/web/pnpm-workspace.yaml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: sonar
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (2)

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/web/apps/chat/vite.config.ts
• clients/web/apps/dashboard/package.json
• clients/web/apps/dashboard/vite.config.ts
• clients/web/apps/chat/package.json
• clients/web/pnpm-workspace.yaml
• clients/web/build.gradle.kts

**/*.gradle.kts

⚙️ CodeRabbit configuration file

**/*.gradle.kts: Prefer tasks.register/configureEach, avoid afterEvaluate, and preserve configuration cache.
Ensure dependencies come from version catalogs and avoid eager task realization.
Review plugin/config changes for supply-chain and reproducibility risks.

Files:

• clients/web/build.gradle.kts

🧠 Learnings (7)

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• .github/codecov.yml
• .agents/journal/scribe-journal.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools}/**/*.rs : Treat `src/security/`, `src/gateway/`, `src/tools/` as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Applied to files:

• .github/codecov.yml

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

• .github/codecov.yml

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

• .github/codecov.yml

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/**/*.rs : Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements

Applied to files:

• .github/codecov.yml

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

• .github/codecov.yml

📚 Learning: 2026-02-21T09:07:52.298Z

Learnt from: yacosta738
Repo: dallay/corvus PR: 62
File: .agents/journal/sentinnel-journal.md:1-1
Timestamp: 2026-02-21T09:07:52.298Z
Learning: Branding guideline: The intentional brand name for the security-first agent in the dallay/corvus repository is 'Sentinnel' (with double n). Do not treat it as a typo of 'Sentinel'. Ensure all agent-related docs and journals under .agents/journal consistently use 'Sentinnel' with double n.

Applied to files:

• .agents/journal/scribe-journal.md

🪛 GitHub Actions: Scan with Detekt

clients/web/build.gradle.kts

[error] 151-151: Private property appTestCoverage is unused. [UnusedPrivateProperty]

🪛 LanguageTool

.agents/journal/scribe-journal.md

[uncategorized] ~109-~109: The official name of this software platform is spelled with a capital “H”.
Context: ...package.json of these apps. - Updated .github/codecov.yml with flags for rust, `ko...

(GITHUB)

---

[uncategorized] ~111-~111: The official name of this software platform is spelled with a capital “H”.
Context: ...ask testCoverageAllWebApps. - Updated .github/workflows/pull-request-check.yml to ex...

(GITHUB)

🔇 Additional comments (8)

clients/web/apps/dashboard/package.json (1)

16-17: Coverage script/dependency wiring looks correct.

test:coverage and @vitest/coverage-v8 are consistently added and aligned with the workspace catalog-based versioning.

Also applies to: 30-30

clients/web/pnpm-workspace.yaml (1)

29-29: Catalog pin is a good reproducibility improvement.

Centralizing @vitest/coverage-v8 at workspace level prevents app-level drift.

.github/codecov.yml (1)

20-32: Codecov flag path segmentation is well-structured.

The rust/kotlin/web flag scoping is clear and supports separate coverage attribution.

clients/web/apps/dashboard/vite.config.ts (1)

15-18: Coverage reporter configuration is correctly set for CI ingestion.

Including lcov here aligns with the upload step expecting coverage/lcov.info.

clients/web/apps/chat/vite.config.ts (1)

15-18: Chat app coverage config is consistent and CI-friendly.

v8 + lcov reporter setup matches the intended Codecov pipeline.

clients/web/apps/chat/package.json (1)

16-17: Package updates are consistent with the coverage rollout.

Scripts and dependencies are wired coherently (test:coverage + @vitest/coverage-v8) and remain catalog-driven.

Also applies to: 21-23, 31-31

clients/web/build.gradle.kts (1)

192-196: Aggregate coverage task registration is clean and idiomatic.

Using a dedicated testCoverageAllWebApps aggregator keeps CI orchestration simple.

.github/workflows/pull-request-check.yml (1)

93-93: LGTM!

Adding testCoverageAllWebApps alongside the existing coverage task cleanly integrates the new web coverage generation.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pull-request-check.yml:
- Around line 95-115: The workflow uses
codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de with files:
./clients/web/apps/*/coverage/lcov.info but that version does not expand globs;
update the job so the Web coverage upload supplies explicit file paths or a
directory argument: either (a) add a preceding shell step that finds matching
lcov.info files, constructs a comma-separated string into an env var and pass
that env var to the codecov step via files: ${{ env.FILES }}, or (b) replace the
files: entry with directory: ./clients/web/apps so the action will search under
that directory; ensure you keep fail_ci_if_error: true and reference the same
codecov-action step name (📤 Upload Web coverage to Codecov) when updating.

In `@clients/web/build.gradle.kts`:
- Around line 150-172: The current configuration-phase read of package.json via
pkgJson and hasCoverageScript breaks Gradle configuration cache; instead defer
detection to execution or use the Provider/ValueSource pattern: remove the
top-level JsonSlurper parse and always register the "${appName}TestCoverage"
task(s) but perform package.json parsing inside the task (e.g., in a doFirst or
decide enabled/onlyIf at execution time) or replace the eager read with a
Provider/ValueSource that reads package.json lazily (matching your existing
gradle/build-logic approach); update the tasks.register blocks that reference
appInstall, workingDir, commandLine, and description so they use the lazy result
(or set task.enabled/onlyIf based on the runtime check) rather than the
hasCoverageScript boolean computed during configuration.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e85d8ba4-837e-42dd-b060-1cf10ae13179

📥 Commits

Reviewing files that changed from the base of the PR and between e51fef7 and b6bf043.

📒 Files selected for processing (3)

• .agents/journal/scribe-journal.md
• .github/workflows/pull-request-check.yml
• clients/web/build.gradle.kts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: pr-checks
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (2)

**/*.gradle.kts

⚙️ CodeRabbit configuration file

**/*.gradle.kts: Prefer tasks.register/configureEach, avoid afterEvaluate, and preserve configuration cache.
Ensure dependencies come from version catalogs and avoid eager task realization.
Review plugin/config changes for supply-chain and reproducibility risks.

Files:

• clients/web/build.gradle.kts

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/web/build.gradle.kts

🧠 Learnings (3)

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

• .github/workflows/pull-request-check.yml

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• .agents/journal/scribe-journal.md

📚 Learning: 2026-02-21T09:07:52.298Z

Learnt from: yacosta738
Repo: dallay/corvus PR: 62
File: .agents/journal/sentinnel-journal.md:1-1
Timestamp: 2026-02-21T09:07:52.298Z
Learning: Branding guideline: The intentional brand name for the security-first agent in the dallay/corvus repository is 'Sentinnel' (with double n). Do not treat it as a typo of 'Sentinel'. Ensure all agent-related docs and journals under .agents/journal consistently use 'Sentinnel' with double n.

Applied to files:

• .agents/journal/scribe-journal.md

🪛 LanguageTool

.agents/journal/scribe-journal.md

[uncategorized] ~109-~109: The official name of this software platform is spelled with a capital “H”.
Context: ...package.json of these apps. - Updated .github/codecov.yml with flags for rust, `ko...

(GITHUB)

---

[uncategorized] ~111-~111: The official name of this software platform is spelled with a capital “H”.
Context: ...ask testCoverageAllWebApps. - Updated .github/workflows/pull-request-check.yml to ex...

(GITHUB)

🔇 Additional comments (5)

.agents/journal/scribe-journal.md (1)

104-112: LGTM!

Documentation accurately captures the Codecov/Vitest configuration changes. Date now correctly shows 2026-03-04.

.github/workflows/pull-request-check.yml (1)

91-93: LGTM!

Running both testCodeCoverageReport and testCoverageAllWebApps in a single Gradle invocation is efficient and ensures all coverage artifacts are generated before uploads.

clients/web/build.gradle.kts (3)

158-165: Previous review concerns addressed.

The isIgnoreExitValue = true is now removed—coverage test failures will properly fail the build. The unused local binding is also gone. Clean implementation.

---

166-172: Fallback placeholder task prevents aggregate breakage.

Registering a no-op task for apps without test:coverage ensures testCoverageAllWebApps won't fail due to missing dependencies. Solid defensive pattern.

---

205-209: Aggregate task correctly wires dependencies.

testCoverageAllWebApps depends on all per-app coverage tasks (real or placeholder), enabling a single Gradle invocation from CI.

[coderabbitai]

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@clients/web/apps/docs/src/content/docs/en/guides/architecture/diagrams/container/system-containers.puml`:
- Line 6: The PlantUML include currently references the C4-PlantUML repo on the
master branch which can change; update the include URL in the file (the line
containing "!include
https://raw.githubusercontent.com/plantuml-stdlib/C4-PlantUML/master/C4_Container.puml")
to pin to the specific release tag by replacing "master" with "v2.13.0" (i.e.
use "!include
https://raw.githubusercontent.com/plantuml-stdlib/C4-PlantUML/v2.13.0/C4_Container.puml")
so the docs build is reproducible and stable.

In `@clients/web/apps/docs/src/content/docs/en/guides/gpg-setup.md`:
- Around line 72-77: Replace the gpg export command under "Option A: Subkey only
(RECOMMENDED for CI/CD)" so it uses --export-secret-subkeys instead of
--export-secret-keys; specifically update the command string "gpg
--export-secret-keys --armor YOUR_SUBKEY_ID > private-subkey.asc" to use
"--export-secret-subkeys" (keeping the --armor, YOUR_SUBKEY_ID token and output
filename) and adjust the surrounding text to note that this exports only subkeys
with a primary-key stub to keep primary key material offline.
- Line 25: Remove the inaccurate claim that Maven Central enforces a minimum key
size in the line containing "**Key size:** `4096` bits" and rephrase to
recommend 4096 bits as a best practice (e.g., "Recommended key size: 4096 bits —
recommended for stronger security and follows Apache Maven guidance") or
attribute it explicitly (e.g., "4096 bits (recommended; not required by
Sonatype/Maven Central)"). Ensure the phrasing replaces the parenthetical
"minimum required by Maven Central" and preserves the `4096` value and context
in the gpg-setup.md content.

In
`@clients/web/apps/docs/src/content/docs/es/guides/architecture/diagrams/container/system-containers.puml`:
- Line 6: Replace the unpinned PlantUML include in the system-containers diagram
(the line referencing C4_Container.puml) with a URL that pins to a specific
release tag (e.g., change the raw.githubusercontent.com path to a release tag
like /releases/tag/<version>/ or the raw file at a known tag/commit) so the
included C4_Container.puml is stable and reproducible.
- Line 12: The actor label in the diagram uses English ("End User") while the
description is Spanish; update the Person declaration by replacing the display
name "End User" with its Spanish equivalent (e.g., "Usuario final") in the
Person(endUser, "...", "...") line so both the label and the tooltip/description
are consistently localized.

In `@clients/web/apps/docs/src/content/docs/es/guides/gpg-setup.md`:
- Around line 159-165: The fenced code block containing the PGP private key
block (the ````-----BEGIN PGP PRIVATE KEY BLOCK-----```` ... ````-----END PGP
PRIVATE KEY BLOCK-----```` snippet) is missing a language tag and triggers
MD040; update that fenced block to declare a language (for example `text`)
immediately after the opening backticks so the block reads like ```text to
satisfy markdownlint while preserving the exact block contents.
- Line 25: Update the line containing "**Tamaño:** `4096` bits (mínimo requerido
por Maven Central)" so it no longer claims Maven Central mandates a 4096-bit
minimum; instead attribute the 4096-bit recommendation to Apache Maven or
present it as a best-practice recommendation (e.g., "Recomendado: 4096 bits —
según prácticas de Apache Maven" or "4096 bits (recomendado, no obligatorio)").
Locate and edit the exact text fragment "**Tamaño:** `4096` bits (mínimo
requerido por Maven Central)" to reflect this corrected source and wording.
- Around line 72-77: The guide currently instructs using gpg
--export-secret-keys to export a private subkey; change this to use gpg
--export-secret-subkeys so only the signing subkey is exported for the “Opción
A: Solo subclave (RECOMENDADO para CI/CD)” flow—update the command that writes
to private-subkey.asc and any accompanying text to explain this exports the
subkey (sec#) and not the full primary key, so CI retains only the unusable
primary key offline.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 518186fe-d4ef-4e26-a6b3-588ba8f96d40

📥 Commits

Reviewing files that changed from the base of the PR and between b6bf043 and a61b4ed.

📒 Files selected for processing (7)

• .agents/journal/scribe-journal.md
• .github/workflows/pull-request-check.yml
• clients/web/apps/docs/src/content/docs/en/guides/architecture/diagrams/container/system-containers.puml
• clients/web/apps/docs/src/content/docs/en/guides/gpg-setup.md
• clients/web/apps/docs/src/content/docs/es/guides/architecture/diagrams/container/system-containers.puml
• clients/web/apps/docs/src/content/docs/es/guides/gpg-setup.md
• clients/web/build.gradle.kts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: pr-checks
• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (3)

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/web/apps/docs/src/content/docs/en/guides/architecture/diagrams/container/system-containers.puml
• clients/web/apps/docs/src/content/docs/es/guides/architecture/diagrams/container/system-containers.puml
• clients/web/apps/docs/src/content/docs/en/guides/gpg-setup.md
• clients/web/build.gradle.kts
• clients/web/apps/docs/src/content/docs/es/guides/gpg-setup.md

**/*.{md,mdx}

⚙️ CodeRabbit configuration file

**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes.
For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Files:

• clients/web/apps/docs/src/content/docs/en/guides/gpg-setup.md
• clients/web/apps/docs/src/content/docs/es/guides/gpg-setup.md

**/*.gradle.kts

⚙️ CodeRabbit configuration file

**/*.gradle.kts: Prefer tasks.register/configureEach, avoid afterEvaluate, and preserve configuration cache.
Ensure dependencies come from version catalogs and avoid eager task realization.
Review plugin/config changes for supply-chain and reproducibility risks.

Files:

• clients/web/build.gradle.kts

🧠 Learnings (3)

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• .agents/journal/scribe-journal.md
• clients/web/build.gradle.kts

📚 Learning: 2026-02-21T09:07:52.298Z

Learnt from: yacosta738
Repo: dallay/corvus PR: 62
File: .agents/journal/sentinnel-journal.md:1-1
Timestamp: 2026-02-21T09:07:52.298Z
Learning: Branding guideline: The intentional brand name for the security-first agent in the dallay/corvus repository is 'Sentinnel' (with double n). Do not treat it as a typo of 'Sentinel'. Ensure all agent-related docs and journals under .agents/journal consistently use 'Sentinnel' with double n.

Applied to files:

• .agents/journal/scribe-journal.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

• .github/workflows/pull-request-check.yml

🪛 Gitleaks (8.30.0)

clients/web/apps/docs/src/content/docs/es/guides/gpg-setup.md

[high] 79-160: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

🪛 LanguageTool

.agents/journal/scribe-journal.md

[uncategorized] ~109-~109: The official name of this software platform is spelled with a capital “H”.
Context: ...package.json of these apps. - Updated .github/codecov.yml with flags for rust, `ko...

(GITHUB)

---

[uncategorized] ~111-~111: The official name of this software platform is spelled with a capital “H”.
Context: ...ask testCoverageAllWebApps. - Updated .github/workflows/pull-request-check.yml to ex...

(GITHUB)

clients/web/apps/docs/src/content/docs/es/guides/gpg-setup.md

[grammar] ~5-~5: Elimina la palabra o signo.
Context: ...rtefactos en Maven Central usando GitHub Actions. ## Requisitos Previos - GPG i...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

---

[grammar] ~8-~8: Corrige la mayúscula.
Context: ...l usando GitHub Actions. ## Requisitos Previos - GPG instalado: brew install gnupg (mac...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~10-~10: Cambia la palabra o signo.
Context: ...g(macOS) oapt install gnupg` (Linux) - Cuenta en Sonatype: https://central.sona...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~15-~15: Corrige la mayúscula.
Context: ...onatype.com --- ## Paso 1: Generar tu Par de Claves GPG ```bash # Generar una nu...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~15-~15: Corrige la mayúscula.
Context: ....com --- ## Paso 1: Generar tu Par de Claves GPG ```bash # Generar una nueva clave ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~24-~24: Cambia la palabra o signo.
Context: ...Tipo de clave:** RSA y RSA (por defecto) - Tamaño: 4096 bits (mínimo requerido ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~25-~25: Cambia la palabra o signo.
Context: ...its (mínimo requerido por Maven Central) - Validez: 0 = sin expiración (o la du...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~26-~26: Cambia la palabra o signo.
Context: ...expiración (o la duración que prefieras) - Nombre: Tu nombre real - Correo: E...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~27-~27: Cambia la palabra o signo.
Context: ... prefieras) - Nombre: Tu nombre real - Correo: El correo asociado a tu cuenta...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~28-~28: Cambia la palabra o signo.
Context: ...El correo asociado a tu cuenta de GitHub - Contraseña: Una contraseña segura (guá...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~33-~33: Corrige la mayúscula.
Context: ...árdala bien) --- ## Paso 2: Crear una Subclave de Firma (Recomendado para CI/CD) Usar...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~33-~33: Corrige la mayúscula.
Context: ... --- ## Paso 2: Crear una Subclave de Firma (Recomendado para CI/CD) Usar subclave...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~33-~33: Corrige la mayúscula.
Context: ...## Paso 2: Crear una Subclave de Firma (Recomendado para CI/CD) Usar subclaves es más segu...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~70-~70: Corrige la mayúscula.
Context: ...> quit ``` --- ## Paso 3: Exportar tu Clave Privada en ASCII **Opción A: Solo subc...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~70-~70: Corrige la mayúscula.
Context: ... ``` --- ## Paso 3: Exportar tu Clave Privada en ASCII **Opción A: Solo subclave (RE...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~115-~115: Corrige la mayúscula.
Context: ...345678 --- ## Paso 5: Publicar tu Clave Pública en un Servidor de Claves ba...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~115-~115: Corrige la mayúscula.
Context: ... --- ## Paso 5: Publicar tu Clave Pública en un Servidor de Claves bash # Env...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~115-~115: Corrige la mayúscula.
Context: ...Paso 5: Publicar tu Clave Pública en un Servidor de Claves ```bash # Enviar al keyserve...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~115-~115: Corrige la mayúscula.
Context: ...icar tu Clave Pública en un Servidor de Claves bash # Enviar al keyserver (elige uno) gpg --keyserver keyserver.ubuntu.com --send-keys TU_ID_DE_CLAVE # Otros servidores: # gpg --keyserver keys.openpgp.org --send-keys TU_ID_DE_CLAVE # gpg --keyserver pgp.mit.edu --send-keys TU_ID_DE_CLAVE --- ## Paso 6: Configurar los Secrets en GitHub...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~128-~128: Corrige la mayúscula.
Context: ...AVE ``` --- ## Paso 6: Configurar los Secrets en GitHub Ve a **GitHub → Repositorio ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~143-~143: Cambia la palabra o signo.
Context: ...pe 1. Ve a https://central.sonatype.com 2. Inicia sesión con tu cuenta de Sonatype ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~144-~144: Cambia la palabra o signo.
Context: ... Inicia sesión con tu cuenta de Sonatype 3. Haz clic en tu avatar → Profile 4. B...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~145-~145: Cambia la palabra o signo.
Context: ...ype 3. Haz clic en tu avatar → Profile 4. Busca User Token o *Generate Token...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~146-~146: Cambia la palabra o signo.
Context: ... Busca User Token o Generate Token 5. Crea un token y copia: - Username ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~148-~148: Cambia la palabra o signo.
Context: ...ea un token y copia: - Username → MAVEN_CENTRAL_USERNAME - Password → MAVEN_CENTRAL_PASSWORD *...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~149-~149: Aquí puede haber un error.
Context: ...EN_CENTRAL_USERNAME - **Password** →MAVEN_CENTRAL_PASSWORD` Importante: Nunca uses un token sin ex...

(QB_NEW_ES)

---

[grammar] ~151-~151: Agrega un espacio.
Context: ...MAVEN_CENTRAL_PASSWORD` Importante: Nunca uses un token sin expiración. Rota...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_ORTHOGRAPHY_SPACE)

---

[grammar] ~155-~155: Corrige la mayúscula.
Context: ...icamente. --- ## Paso 8: Verificar el Formato de la Clave GPG Asegúrate de que tu se...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~155-~155: Corrige la mayúscula.
Context: ... ## Paso 8: Verificar el Formato de la Clave GPG Asegúrate de que tu secret `SIGNIN...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~157-~157: Corrige el error ortográfico.
Context: ...to de la Clave GPG Asegúrate de que tu secret SIGNING_IN_MEMORY_KEY contenga: ``` ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_SPELLING)

---

[grammar] ~171-~171: Corrige la mayúscula.
Context: ...aracteres aleatorios). --- ## Pruebas Locales bash # Exporta variables y prueba la publicación export ORG_GRADLE_PROJECT_signingInMemory_KEY="$(cat private-subkey.asc)" export ORG_GRADLE_PROJECT_signingInMemory_KEY_PASSWORD="tu_contraseña" export ORG_GRADLE_PROJECT_mavenCentralUsername="tu_usuario_sonatype" export ORG_GRADLE_PROJECT_mavenCentralPassword="tu_token_sonatype" # Prueba (modo dry-run si está disponible) ./gradlew publishToMavenCentral --dry-run # O publicación real ./gradlew publishToMavenCentral --- ## Solución de Problemas ### "gpg: signing...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~189-~189: Corrige la mayúscula.
Context: ...ToMavenCentral ``` --- ## Solución de Problemas ### "gpg: signing failed: Inappropriate ioct...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~193-~193: Elimina la palabra o signo.
Context: ...e proyecto usa claves en memoria, lo que debería evitar este problema. ### Error...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

---

[grammar] ~200-~200: Cambia la palabra o signo.
Context: ...tó con el flag --armor (formato ASCII) 2. El secret incluye `-----BEGIN PGP PRIVAT...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~201-~201: Cambia la palabra o signo.
Context: ...or(formato ASCII) 2. El secret incluye-----BEGIN PGP PRIVATE KEY BLOCK-----` 3. Se usa el ID de clave correcto (si usas ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~202-~202: Aquí puede haber un error.
Context: ... ID de clave correcto (si usas subclave) ### Clave expirada Para extender la expirac...

(QB_NEW_ES)

---

[grammar] ~223-~223: Corrige la mayúscula.
Context: ...keys TU_ID_DE_CLAVE ``` --- ## Buenas Prácticas de Seguridad 1. NUNCA subas archiv...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~223-~223: Corrige la mayúscula.
Context: ..._CLAVE ``` --- ## Buenas Prácticas de Seguridad 1. NUNCA subas archivos .asc o claves p...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~225-~225: Cambia la palabra o signo.
Context: ... claves privadas al control de versiones 2. USA SIEMPRE User Tokens en Sonatype, n...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~226-~226: Cambia la palabra o signo.
Context: ... en Sonatype, no tu contraseña de cuenta 3. Las subclaves expiran: pon recordatori...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~227-~227: Cambia la palabra o signo.
Context: ...ios para renovarlas antes de que expiren 4. Haz backup de tu clave maestra de form...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~228-~228: Cambia la palabra o signo.
Context: ...ura (USB cifrado, hardware wallet, etc.) 5. Considera usar llaves de hardware (Yub...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~229-~229: Cambia la palabra o signo.
Context: ...rdware** (YubiKey) para máxima seguridad 6. Rota los tokens periódicamente, especi...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~230-~230: Aquí puede haber un error.
Context: ...ecialmente si sospechas de un compromiso --- ## Referencias - [Maven Central: GPG Signi...

(QB_NEW_ES)

---

[grammar] ~236-~236: Elimina la palabra o signo.
Context: ...Maven Central: GPG Signing Requirements - [GitHub: Usar secretos en workflows](https://doc...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

---

[grammar] ~237-~237: Cambia la palabra o signo.
Context: .../) - GitHub: Usar secretos en workflows - [GnuPG Documentation](https://gnupg.org/d...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

🪛 markdownlint-cli2 (0.21.0)

clients/web/apps/docs/src/content/docs/es/guides/gpg-setup.md

[warning] 159-159: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (7)

.agents/journal/scribe-journal.md (1)

105-115: Documentation update is accurate and internally consistent.

The new journal section cleanly matches the implemented coverage/Codecov changes and uses the corrected date.

clients/web/build.gradle.kts (2)

153-176: Coverage task registration is robust and cache-friendly.

Good use of tasks.register and execution-time onlyIf script detection; this avoids configuration-time JSON parsing while keeping failing coverage tests visible.

---

208-212: Aggregate web coverage task wiring looks correct.

testCoverageAllWebApps cleanly composes per-app coverage tasks and provides a single CI entrypoint.

.github/workflows/pull-request-check.yml (2)

93-93: Coverage generation command now includes web apps as intended.

Running testCoverageAllWebApps alongside the existing aggregate coverage task is the right CI integration point.

---

95-115: Codecov upload split is correctly implemented.

Separate Kotlin/Rust vs Web uploads with targeted flags and directory-based web discovery is a solid reliability improvement.

clients/web/apps/docs/src/content/docs/en/guides/architecture/diagrams/container/system-containers.puml (1)

1-55: LGTM!

Well-structured C4 Container diagram with clear separation of external systems, internal containers, and their relationships. Protocol annotations (HTTPS, Bolt, gRPC/FFI) add useful context.

clients/web/apps/docs/src/content/docs/es/guides/architecture/diagrams/container/system-containers.puml (1)

14-55: LGTM!

Spanish translations are accurate and consistent with the English version structure.

[sonarqubecloud]

Quality Gate failed

Failed conditions
18.6% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud