
fix(release): sync internal dependency versions in release PRs#722

Merged
yacosta738 merged 9 commits into main from fix/internal-release-dependency-sync on Apr 29, 2026

Conversation

@yacosta738 (Contributor)

Related Issues

  • Related to the release PR failure caused by internal dependency version drift between clients/cerebro and clients/agent-runtime.

Summary

  • Add a canonical internalReleaseDependencies contract plus a new scripts/sync-internal-release-deps.mjs tool to validate and normalize versioned internal path dependencies.
  • Wire the sync into PR checks, both release-please workflows, and Cargo lockfile regeneration so release PRs repair drift before lockfiles and heavier Rust validation fail.

Tested Information

  • Ran node --test scripts/release-contract.test.mjs.
  • Ran node scripts/sync-internal-release-deps.mjs --check.
  • Ran node scripts/sync-internal-release-deps.mjs --write.
  • Ran cargo metadata --manifest-path clients/agent-runtime/Cargo.toml --locked --format-version 1 --no-deps.
  • Ran cargo metadata --manifest-path clients/cerebro/Cargo.toml --locked --format-version 1 --no-deps.
  • Push hooks also passed the changed-docs web validation path before publishing the branch.

Documentation Impact

  • Docs updated in:
    • clients/web/apps/docs/src/content/docs/guides/release.md
    • clients/web/apps/docs/src/content/docs/es/guides/release.md
    • openspec/changes/release-internal-dependency-sync/proposal.md
    • openspec/changes/release-internal-dependency-sync/design.md
    • openspec/changes/release-internal-dependency-sync/tasks.md
    • openspec/changes/release-internal-dependency-sync/state.yaml
  • No docs update required because:
  • I verified the documentation matches the current behavior.

Breaking Changes

  • None.

Checklist

  • I have checked that there isn’t already a PR solving the same problem.
  • I have read the Contributing Guidelines.
  • I ensured my code follows the project's style guidelines.
  • I have added or updated tests that prove my fix is effective or that my feature works.
  • I have updated the documentation, or I explained above why no documentation update is needed.
  • I verified the documentation matches the current behavior.
  • I have documented any breaking changes in the Breaking Changes section.
  • I have linked the related issue (if any).
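The contract the summary above outlines (resolve the upstream crate's version, check that the downstream manifest pins the dependency by the declared path and by that exact version, fail closed on any versioned internal path dependency the contract does not declare, and rewrite drifted pins only in write mode) can be shown end to end on in-memory Cargo.toml text. The script below is an added example, not the project's scripts/sync-internal-release-deps.mjs; the manifest text and crate names are constructed, and the edge field names (manifestPath, dependencyName, dependencyPath, upstreamManifest, versionSelector) and the dotted versionSelector syntax are assumptions for the illustration.

```javascript
// Added example (not the project's sync-internal-release-deps.mjs): a
// check/write pass that enforces a declared contract for versioned internal
// path dependencies across Cargo manifests held as strings.

// Constructed manifests: "cerebro" is upstream at 3.6.2; "corvus-runtime"
// depends on it by path but its version pin has drifted to 3.5.0.
const MANIFESTS = {
  "clients/cerebro/Cargo.toml":
    '[package]\nname = "cerebro"\nversion = "3.6.2"\n',
  "clients/agent-runtime/Cargo.toml":
    '[package]\nname = "corvus-runtime"\nversion = "1.4.0"\n\n' +
    "[dependencies]\n" +
    'cerebro = { path = "../cerebro", version = "3.5.0" }\n' +
    'serde = "1.0"\n',
};

// Assumed contract shape: one edge per (manifest, dependency) pair.
const CONTRACT = [{
  manifestPath: "clients/agent-runtime/Cargo.toml",
  dependencyName: "cerebro",
  dependencyPath: "../cerebro",
  upstreamManifest: "clients/cerebro/Cargo.toml",
  versionSelector: "package.version",
}];

// Resolve the upstream version through a dotted selector such as
// "package.version" or "workspace.package.version" (assumed syntax).
function readVersion(toml, versionSelector = "package.version") {
  const parts = versionSelector.split(".");
  const key = parts.pop();
  const header = `${parts.join(".")}]`;
  const section = toml.split(/^\[/m).find((s) => s.startsWith(header));
  const m = section && section.match(new RegExp(`^${key}\\s*=\\s*"([^"]+)"`, "m"));
  if (!m) throw new Error(`no ${versionSelector} in manifest`);
  return m[1];
}

// Every inline-table dependency that carries both `path` and `version` is an
// internal edge the release contract has to know about.
function collectInternalPathDeps(toml) {
  const deps = [];
  for (const m of toml.matchAll(/^([A-Za-z0-9_.-]+)\s*=\s*\{([^}]*)\}/gm)) {
    const path = m[2].match(/\bpath\s*=\s*"([^"]+)"/)?.[1];
    const version = m[2].match(/\bversion\s*=\s*"([^"]+)"/)?.[1];
    if (path && version) deps.push({ name: m[1], path, version, line: m[0] });
  }
  return deps;
}

// mode "check": report every problem, change nothing.
// mode "write": rewrite drifted version pins; a missing pin, a path mismatch
// or an unmanaged edge is still an error because it cannot be auto-fixed.
function syncInternalDeps(manifests, contract, mode = "check") {
  const out = { ...manifests };
  const errors = [];
  const changes = [];
  const managed = new Set(contract.map((e) => `${e.manifestPath}::${e.dependencyName}`));

  for (const edge of contract) {
    const expected = readVersion(manifests[edge.upstreamManifest], edge.versionSelector);
    const dep = collectInternalPathDeps(out[edge.manifestPath])
      .find((d) => d.name === edge.dependencyName);
    if (!dep) {
      errors.push(`${edge.manifestPath}: ${edge.dependencyName} is not a versioned path dependency`);
    } else if (dep.path !== edge.dependencyPath) {
      errors.push(`${edge.manifestPath}: ${edge.dependencyName} path ${dep.path} != ${edge.dependencyPath}`);
    } else if (dep.version !== expected) {
      if (mode === "write") {
        const fixed = dep.line.replace(`version = "${dep.version}"`, `version = "${expected}"`);
        out[edge.manifestPath] = out[edge.manifestPath].replace(dep.line, fixed);
        changes.push(`${edge.manifestPath}: ${edge.dependencyName} ${dep.version} -> ${expected}`);
      } else {
        errors.push(`${edge.manifestPath}: ${edge.dependencyName} pinned ${dep.version}, upstream is ${expected}`);
      }
    }
  }

  // Scan every manifest, not only the ones an edge names, so a newly added
  // internal path dependency cannot slip past the contract.
  for (const [manifestPath, toml] of Object.entries(manifests)) {
    for (const dep of collectInternalPathDeps(toml)) {
      if (!managed.has(`${manifestPath}::${dep.name}`)) {
        errors.push(`${manifestPath}: unmanaged internal edge ${dep.name} (${dep.path})`);
      }
    }
  }
  return { ok: errors.length === 0, errors, changes, manifests: out };
}

// Usage: `node sync-example.mjs --check` reports the drift, `--write` repairs it.
const mode = process.argv.includes("--write") ? "write" : "check";
const result = syncInternalDeps(MANIFESTS, CONTRACT, mode);
for (const line of [...result.changes, ...result.errors]) console.log(line);
console.log(result.ok ? "ok" : `${result.errors.length} problem(s)`);
```

The write path rewrites only the version token inside the matched dependency line, so unrelated formatting in the manifest survives; the unmanaged-edge scan runs over the original manifests in both modes, which is what makes the tool fail closed when someone adds a new internal path pin without a contract entry.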

@github-actions github-actions Bot added the size/l Denotes a large change size label Apr 29, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Apr 29, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a canonical internal-release-dependencies contract, a new Node CLI to validate/sync versioned Rust path dependencies (--check/--write), integrates it into PR and release GitHub Actions (run before lockfile regeneration), updates configs, tests, and release runbooks.

Changes

Cohort / File(s) Summary
Workflows
.github/workflows/pull-request-check.yml, .github/workflows/release-please.yml, .github/workflows/release-please-beta.yml, .github/workflows/sync-cargo-lockfiles.yml
Run scripts/sync-internal-release-deps.mjs in appropriate modes (PR checks use --check, release flows use --write), skip bot PRs for lightweight check, and stage/commit rewritten Cargo manifests when diffs exist; ensure sync runs before Cargo.lock regen/validation.
Sync CLI
scripts/sync-internal-release-deps.mjs
New executable that enforces/repairs a declared internalReleaseDependencies contract: resolves upstream versions, validates downstream dependency path and version, errors on unmanaged/internal mismatches in --check, and updates manifests in --write.
Release components config & validation
config/release-components.json, scripts/release-components.mjs
Adds internalReleaseDependencies entries (example: corvus-runtime → cerebro) and validation logic; exports VALID_INTERNAL_RELEASE_DEPENDENCY_MODES.
Tests
scripts/release-contract.test.mjs
Extensive contract tests: exercise --check/--write behaviors, fixture patching, drift/path/unmanaged-edge diagnostics, workflow step ordering, and docs/openspec assertions.
Docs / Runbooks
clients/web/apps/docs/src/content/docs/guides/release.md, .../es/guides/release.md
Document sync step in stable release flow, add troubleshooting for drift (use --check/--write), and constrain PR review scope to stable artifacts plus internal dependency pins.
Lockfile sync update
.github/workflows/sync-cargo-lockfiles.yml
Run sync script prior to lockfile regen and expand commit staging to include all clients/**/*.Cargo.toml and **/*.Cargo.lock.
Specs / Design / Archives
openspec/.../release-internal-dependency-sync/*, openspec/specs/release-management/spec.md
New design, proposal, spec, tasks, verification artifacts defining contract, behavior, failure modes, workflow ordering, and rollout/verification results.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions Runner
    participant RP as release-please Action
    participant SY as sync-internal-release-deps.mjs
    participant GL as Cargo.lock regen / Rust checks
    participant Git as Git remote

    GH->>RP: run release-please (update manifests)
    RP-->>GH: release-please updated manifests
    GH->>SY: run sync-internal-release-deps.mjs --write
    SY-->>GH: report changes / write updated Cargo.toml(s)
    GH->>Git: git add staged manifests
    alt staged changes exist
        GH->>Git: commit & push synced manifests
    else no staged changes
        GH-->>GH: skip commit
    end
    GH->>GL: regenerate Cargo.lock & run Rust validation
    GL-->>GH: lockfiles updated / validations

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

area:ci, area:docs, risk:high

Suggested reviewers

  • yuniel-acosta
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title follows Conventional Commit style with 'fix' prefix and clearly describes the main change: syncing internal dependency versions in release PRs.
Description check | ✅ Passed | The PR description covers all required template sections: Related Issues, Summary, Tested Information, Documentation Impact, Breaking Changes, and a completed Checklist with verification of documentation accuracy.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@github-actions
Contributor

github-actions Bot commented Apr 29, 2026

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric | Description | Value | Threshold
PR Merge Rate | PRs merged vs closed | 92% | >= 30%
Repo Quality | Repos with ≥100 stars | 0 | >= 0
Positive Reactions | Positive reactions received | 9 | >= 1
Negative Reactions | Negative reactions received | 0 | <= 5
Account Age | GitHub account age | 3106 days | >= 30 days
Activity Consistency | Regular activity over time | 108% | >= 0%
Issue Engagement | Issues with community engagement | 0 | >= 0
Code Reviews | Code reviews given to others | 605 | >= 0
Merger Diversity | Unique maintainers who merged PRs | 2 | >= 0
Repo History Merge Rate | Merge rate in this repo | 93% | >= 0%
Repo History Min PRs | Previous PRs in this repo | 300 | >= 0
Profile Completeness | Profile richness (bio, followers) | 90 | >= 0
Suspicious Patterns | Spam-like activity detection | 1 | N/A

Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-04-29 to 2026-04-29

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-please-beta.yml:
- Around line 91-94: After running node scripts/sync-internal-release-deps.mjs
--write, add a step that configures git (git config user.name/email), stages the
changed Cargo.toml files (git add), and conditionally commits and pushes them
(use SKIP_GIT_HOOKS=1, check git diff --cached --quiet and if not empty run git
commit -m "chore: sync internal release dependencies" and git push). Ensure the
step references the same script name sync-internal-release-deps.mjs and only
commits when there are staged changes to persist the modifications made by the
script.

In @.github/workflows/release-please.yml:
- Around line 90-93: The "🔁 Sync internal release dependencies" step runs
scripts/sync-internal-release-deps.mjs which updates Cargo.toml but never
commits or pushes those changes; add a follow-up step that stages the modified
files, creates a descriptive commit (e.g. "chore: sync internal release deps"),
and pushes the branch (or use git config user.name/email and force-with-lease if
needed) immediately after that run step so the updated pins are persisted, or
alternatively move the sync step to run before the release-please action if you
prefer the changes to be included in the release PR.

In @.github/workflows/sync-cargo-lockfiles.yml:
- Around line 63-66: The workflow runs node
scripts/sync-internal-release-deps.mjs --write which mutates
clients/agent-runtime/Cargo.toml, but the subsequent commit only stages the two
Cargo.lock files; update the commit step (the one after the "🔁 Sync internal
release dependencies" run) to also git add the rewritten manifest
(clients/agent-runtime/Cargo.toml) or simply git add -A (or git add .) so the
mutated Cargo.toml is included in the commit alongside the Cargo.lock files.

In `@openspec/changes/release-internal-dependency-sync/design.md`:
- Around line 30-53: The doc uses snake_case names internal_release_dependency
and version_selector but the implemented contract and validator use camelCase
internalReleaseDependencies and versionSelector; update the design text to use
the actual config field names (internalReleaseDependencies and versionSelector)
everywhere (including the example block and field list) so the spec matches the
code and validator naming exactly.

In `@openspec/changes/release-internal-dependency-sync/tasks.md`:
- Around line 11-19: Update the task spec to use the canonical config key name
`internalReleaseDependencies` (instead of `internal_release_dependencies`) so it
matches the actual schema in `config/release-components.json`; update all
references in the phase list (e.g., step "1.4" and any mentions in steps
"2.1"/"2.2") and ensure the script `scripts/sync-internal-release-deps.mjs`
check/write behavior and tests are described with `internalReleaseDependencies`
to prevent implementation drift.

In `@scripts/release-contract.test.mjs`:
- Around line 149-185: Add tests to cover failure paths for the internal release
dependency sync contract: create new tests in scripts/release-contract.test.mjs
that manipulate the test graph or fixture manifests and call
runInternalReleaseSync (and readJson if needed) to assert failure behaviors for
drift (version mismatch), path-mismatch (dependencyPath mismatch), missing-entry
(an expected internalReleaseDependency absent from manifest), and unmanaged-edge
(an edge present in manifest but not declared in internalReleaseDependencies).
For each case, assert runInternalReleaseSync(["--check"]) returns a
non-success/error message describing the specific problem and that
runInternalReleaseSync(["--write"]) either reports fixes where applicable or
still fails when it cannot auto-fix; reuse existing helpers used in other tests
(runInternalReleaseSync, readJson, the internalReleaseDependencies fixture) and
mirror the style of current assertions (assert.match / assert.deepEqual) so
these regressions are covered.

In `@scripts/sync-internal-release-deps.mjs`:
- Around line 75-127: The script only updates edges present in
graph.internalReleaseDependencies and always uses extractPackageVersion
(package.version) and ignores versionSelector; update
sync-internal-release-deps.mjs to (1) scan each component manifest (using
readText and the existing dependency/block helpers: extractDependencyBlock and
extractField) for internal path dependencies that are not present in
graph.internalReleaseDependencies and treat them as unmanaged edges (fail in
mode === "check" with a clear message and report them in changes when writing),
and (2) honor the configured version selector for each upstream component when
resolving expectedVersion (use the selector from the component metadata in
loadReleaseComponents() instead of always calling extractPackageVersion; you may
add a helper that applies versionSelector to upstream manifest content), then
continue to validate path equality (edge.dependencyPath vs actualPath) and
update via updateVersionInBlock/writeText as before; reference symbols:
loadReleaseComponents, graph.internalReleaseDependencies, extractPackageVersion,
extractDependencyBlock, extractField, updateVersionInBlock, readText, writeText,
mode, edge.manifestPath, edge.dependencyName, edge.dependencyPath.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1297548a-3a95-43f1-8d3b-d48e985b6d45

📥 Commits

Reviewing files that changed from the base of the PR and between a0b7b87 and b66354a.

📒 Files selected for processing (14)
  • .github/workflows/pull-request-check.yml
  • .github/workflows/release-please-beta.yml
  • .github/workflows/release-please.yml
  • .github/workflows/sync-cargo-lockfiles.yml
  • clients/web/apps/docs/src/content/docs/es/guides/release.md
  • clients/web/apps/docs/src/content/docs/guides/release.md
  • config/release-components.json
  • openspec/changes/release-internal-dependency-sync/design.md
  • openspec/changes/release-internal-dependency-sync/proposal.md
  • openspec/changes/release-internal-dependency-sync/state.yaml
  • openspec/changes/release-internal-dependency-sync/tasks.md
  • scripts/release-components.mjs
  • scripts/release-contract.test.mjs
  • scripts/sync-internal-release-deps.mjs
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: pr-checks
  • GitHub Check: sonar
  • GitHub Check: submit-gradle
  • GitHub Check: Cloudflare Pages
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{md,mdx}

⚙️ CodeRabbit configuration file

**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes.
For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Files:

  • openspec/changes/release-internal-dependency-sync/tasks.md
  • clients/web/apps/docs/src/content/docs/es/guides/release.md
  • clients/web/apps/docs/src/content/docs/guides/release.md
  • openspec/changes/release-internal-dependency-sync/proposal.md
  • openspec/changes/release-internal-dependency-sync/design.md
**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

  • openspec/changes/release-internal-dependency-sync/tasks.md
  • scripts/sync-internal-release-deps.mjs
  • openspec/changes/release-internal-dependency-sync/state.yaml
  • scripts/release-components.mjs
  • clients/web/apps/docs/src/content/docs/es/guides/release.md
  • clients/web/apps/docs/src/content/docs/guides/release.md
  • openspec/changes/release-internal-dependency-sync/proposal.md
  • scripts/release-contract.test.mjs
  • config/release-components.json
  • openspec/changes/release-internal-dependency-sync/design.md
🧠 Learnings (6)
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

  • .github/workflows/pull-request-check.yml
📚 Learning: 2026-04-25T06:56:44.008Z
Learnt from: yacosta738
Repo: dallay/corvus PR: 0
File: :0-0
Timestamp: 2026-04-25T06:56:44.008Z
Learning: In release-please configuration files (`release-please-config.json`, `release-please-beta-config.json`), each entry under `extra-files` supports only a single `jsonpath` string per object — not a list of selectors. When multiple fields in the same file need to be updated (e.g., multiple `optionalDependencies` entries in a `package.json`), the correct approach is to repeat the file path entry with a different `jsonpath` per object. This is intentional and required by the release-please schema.

Applied to files:

  • scripts/release-components.mjs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

  • clients/web/apps/docs/src/content/docs/guides/release.md
  • config/release-components.json
  • openspec/changes/release-internal-dependency-sync/design.md
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

  • clients/web/apps/docs/src/content/docs/guides/release.md
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

  • config/release-components.json
  • openspec/changes/release-internal-dependency-sync/design.md
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

  • openspec/changes/release-internal-dependency-sync/design.md
🔇 Additional comments (7)
.github/workflows/pull-request-check.yml (1)

124-129: Good early gate placement.

This catches internal dependency drift before the heavier Rust metadata checks, and it keeps the existing bot-skip behavior consistent with the rest of the job.

config/release-components.json (1)

72-83: The new internal dependency edge looks consistent.

The corvus-runtime -> cerebro edge matches the validator contract and the referenced components already exist in the graph, so this should load cleanly.

openspec/changes/release-internal-dependency-sync/proposal.md (1)

1-81: The proposal is clear and aligned with the implementation.

The scope, risks, rollback, and success criteria all match the new check/write contract and workflow ordering.

scripts/release-components.mjs (1)

6-16: Validator wiring looks solid.

The new mode export and graph validation fail closed on malformed or unknown internal dependency edges, which is the right contract for the sync script.

Also applies to: 28-62, 79-80, 133-137

clients/web/apps/docs/src/content/docs/guides/release.md (1)

45-45: Runbook updates are technically on target.

The new sync step and the drift-troubleshooting section line up with the new release-contract behavior and distinguish it from generic lockfile failures.

Also applies to: 75-77, 205-209

clients/web/apps/docs/src/content/docs/es/guides/release.md (1)

45-45: Spanish runbook stays aligned with the release workflow.

The new sync step, lockfile ordering, and drift troubleshooting match the updated release contract.

Also applies to: 78-80, 238-243

openspec/changes/release-internal-dependency-sync/state.yaml (1)

1-25: Planned rollout metadata looks consistent.

The phase state and artifact list match a change that is still gated behind apply/verify.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 29, 2026

Deploying corvus with Cloudflare Pages

Latest commit: 92baee4
Status: ✅  Deploy successful!
Preview URL: https://c783e365.corvus-42x.pages.dev
Branch Preview URL: https://fix-internal-release-depende.corvus-42x.pages.dev


@github-actions github-actions Bot added size/xl Denotes an extra large change size and removed size/l Denotes a large change size labels Apr 29, 2026
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 5

♻️ Duplicate comments (1)
scripts/sync-internal-release-deps.mjs (1)

113-133: ⚠️ Potential issue | 🟠 Major

Scan every release-managed Cargo manifest for unmanaged internal edges.

manifestTexts is seeded only from edge.manifestPath, so a brand-new versioned internal path dependency in another managed manifest is never inspected and can bypass the fail-closed check until someone also adds a contract entry.

Suggested fix
 const manifestTexts = new Map();
-for (const edge of graph.internalReleaseDependencies) {
-  if (!manifestTexts.has(edge.manifestPath)) {
-    manifestTexts.set(edge.manifestPath, readText(edge.manifestPath));
-  }
+for (const component of Object.values(graph.components)) {
+  for (const versionSurface of component.versionSurfaces ?? []) {
+    if (versionSurface.endsWith("Cargo.toml") && !manifestTexts.has(versionSurface)) {
+      manifestTexts.set(versionSurface, readText(versionSurface));
+    }
+  }
 }
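Review bot: the suggested loop and the AI-agent prompt for this same finding disagree on where the set of managed manifests comes from. The diff iterates `graph.components` and keeps each `component.versionSurfaces` entry that ends in `Cargo.toml`, while the prompt text below it says to gather manifests from `graph.manifests` or from `releaseManagedPathPrefixes`. Confirm which of those fields `loadReleaseComponents()` actually exposes before applying either variant; if `versionSurfaces` does not exist on the component objects, the `?? []` fallback makes the loop seed an empty map and the unmanaged-edge check stays bypassable exactly as the comment describes. Whichever source is used, it should agree with the `releaseManagedPathPrefixes` check applied later in the same block, so that a manifest is either in scope for both the scan and the prefix filter or for neither.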
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/sync-internal-release-deps.mjs` around lines 113 - 133, The code only
seeds manifestTexts from graph.internalReleaseDependencies' edge.manifestPath,
so manifests that only contain newly added versioned internal path dependencies
(and not yet present in internalReleaseDependencies) are never scanned; change
the seeding so you collect every release-managed Cargo manifest (e.g., iterate
graph.manifests or otherwise gather all manifest paths under
releaseManagedPathPrefixes) instead of only edge.manifestPath, then call
collectInternalPathDependencies(manifestText) for each to detect unmanaged
edges; keep the existing checks that use releaseManagedPathPrefixes,
managedEdges and edgeKey(manifestPath, dependency.dependencyName) so newly-added
manifests are inspected and the fail-closed behavior is enforced.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sync-cargo-lockfiles.yml:
- Line 83: The git add invocation in .github/workflows/sync-cargo-lockfiles.yml
currently hardcodes three manifests and will miss future rewrites; change the
staging step (the git add command) to add all updated Cargo.toml and Cargo.lock
files produced by sync-internal-release-deps.mjs, e.g. replace the explicit file
list with a recursive pattern such as git add -- clients/**/*.Cargo.toml
clients/**/*.Cargo.lock or use git add -A (or git add --all) after the script
runs so any newly rewritten manifests are committed without needing workflow
edits.

In
`@openspec/changes/archive/2026-04-29-release-internal-dependency-sync/state.yaml`:
- Around line 4-19: The state metadata is stale: update the top-level status
value from "planned" to "completed" and set phases.apply.status and
phases.verify.status from "pending" to "completed" so the YAML reflects the
archive's PASS verify report; change the "status" key and the
"phases.apply.status" and "phases.verify.status" entries accordingly.

In
`@openspec/changes/archive/2026-04-29-release-internal-dependency-sync/verify-report.md`:
- Line 77: The follow-up sentence "Archive should be retried after this report
is accepted so delta specs can be synced into
`openspec/specs/release-management/*`." in verify-report.md is outdated; either
remove that line or replace it with the correct post-merge action reflecting the
current archived state (e.g., no retry needed or a different sync step), and
ensure the updated text accurately references the delta spec sync workflow and
the `openspec/specs/release-management/*` path if relevant.

In `@scripts/release-contract.test.mjs`:
- Around line 220-279: Tests hard-code the cerebro crate version ("3.6.2") which
drifts; update all tests in scripts/release-contract.test.mjs that replace or
assert on that literal to use the shared releaseVersion value instead. Locate
usages inside withPatchedFile and assertions that reference "3.6.2" (and the
expected regexes like /3\.6\.2/ or the replacement string '0.0.0 -> 3.6.2') and
build those replacement strings and regexes dynamically from releaseVersion
(e.g., construct the replacement line passed to withPatchedFile and the expected
match patterns for assert.match using releaseVersion), keeping existing calls to
runInternalReleaseSync, runInternalReleaseSyncFailure and readText unchanged.
Ensure regex escapes are generated for dots when creating assertions from
releaseVersion.
- Around line 360-362: The test "openspec design and tasks use canonical
internalReleaseDependencies naming" fails because readText() is pointing at the
old paths; update the two readText calls that set design and tasks to use the
archived OpenSpec paths (replace
"openspec/changes/release-internal-dependency-sync/..." with
"openspec/changes/archive/2026-04-29-release-internal-dependency-sync/...") so
the variables design and tasks load the archived design.md and tasks.md
correctly before the assertions run.

---

Duplicate comments:
In `@scripts/sync-internal-release-deps.mjs`:
- Around line 113-133: The code only seeds manifestTexts from
graph.internalReleaseDependencies' edge.manifestPath, so manifests that only
contain newly added versioned internal path dependencies (and not yet present in
internalReleaseDependencies) are never scanned; change the seeding so you
collect every release-managed Cargo manifest (e.g., iterate graph.manifests or
otherwise gather all manifest paths under releaseManagedPathPrefixes) instead of
only edge.manifestPath, then call collectInternalPathDependencies(manifestText)
for each to detect unmanaged edges; keep the existing checks that use
releaseManagedPathPrefixes, managedEdges and edgeKey(manifestPath,
dependency.dependencyName) so newly-added manifests are inspected and the
fail-closed behavior is enforced.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9c3d356e-be29-4d8d-b52c-c14b06c1566b

📥 Commits

Reviewing files that changed from the base of the PR and between b66354a and daa8300.

📒 Files selected for processing (13)
  • .github/workflows/release-please-beta.yml
  • .github/workflows/release-please.yml
  • .github/workflows/sync-cargo-lockfiles.yml
  • config/release-components.json
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/design.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/proposal.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/specs/release-management/spec.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/state.yaml
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/tasks.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/verify-report.md
  • openspec/specs/release-management/spec.md
  • scripts/release-contract.test.mjs
  • scripts/sync-internal-release-deps.mjs
📜 Review details
🧰 Additional context used
📓 Path-based instructions (2)
**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/state.yaml
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/proposal.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/verify-report.md
  • config/release-components.json
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/tasks.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/specs/release-management/spec.md
  • openspec/specs/release-management/spec.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/design.md
  • scripts/sync-internal-release-deps.mjs
  • scripts/release-contract.test.mjs
**/*.{md,mdx}

⚙️ CodeRabbit configuration file

**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes.
For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Files:

  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/proposal.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/verify-report.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/tasks.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/specs/release-management/spec.md
  • openspec/specs/release-management/spec.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/design.md
🧠 Learnings (7)
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

  • config/release-components.json
  • openspec/specs/release-management/spec.md
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/design.md
  • .github/workflows/sync-cargo-lockfiles.yml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

  • config/release-components.json
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/design.md
  • .github/workflows/sync-cargo-lockfiles.yml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Keep changes local and avoid cross-module refactors in unrelated tasks to maintain code stability

Applied to files:

  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/tasks.md
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

  • .github/workflows/release-please-beta.yml
  • .github/workflows/sync-cargo-lockfiles.yml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/design.md
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

  • .github/workflows/sync-cargo-lockfiles.yml
  • scripts/sync-internal-release-deps.mjs
  • scripts/release-contract.test.mjs
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Include threat/risk notes and rollback strategy for security, runtime, and gateway changes; add or update tests for boundary checks and failure modes

Applied to files:

  • scripts/release-contract.test.mjs
🔇 Additional comments (5)
.github/workflows/release-please.yml (1)

90-109: Sync-and-persist flow looks correct.

The workflow now rewrites internal pins and persists only when staged changes exist, which avoids no-op commits and preserves deterministic behavior.

.github/workflows/release-please-beta.yml (1)

91-110: Beta workflow parity is solid.

The added sync + conditional commit/push block matches stable-release behavior and correctly persists rewritten manifests only when needed.

config/release-components.json (1)

72-83: Canonical internal edge declaration looks correct.

The new internalReleaseDependencies entry is complete and consistent with the sync/validation contract.

openspec/specs/release-management/spec.md (1)

159-214: Spec additions align with implementation.

The new requirements/scenarios correctly codify --check/--write behavior and persistence expectations in stable/beta/lockfile workflows.

openspec/changes/archive/2026-04-29-release-internal-dependency-sync/proposal.md (1)

1-81: Proposal is clear and well-scoped.

Intent, scope boundaries, risks, rollback, and success signals are consistent with the implemented automation.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sync-cargo-lockfiles.yml:
- Line 83: The git add pathspecs are wrong: replace the glob patterns
"clients/**/*.Cargo.toml" and "clients/**/*.Cargo.lock" with
"clients/**/Cargo.toml" and "clients/**/Cargo.lock" in the workflow step that
runs git add (the line containing git add --all -- clients/**/*.Cargo.toml
clients/**/*.Cargo.lock) so the actual Cargo.toml/Cargo.lock files are matched;
also update the matching assertion in scripts/release-contract.test.mjs to use
the same corrected patterns ("clients/**/Cargo.toml" and
"clients/**/Cargo.lock").

In `@openspec/changes/archive/2026-04-29-release-internal-dependency-sync/verify-report.md`:
- Around line 32-60: The markdown headings beginning with "#### Scenario:"
(e.g., "#### Scenario: Aligned internal release dependency passes validation",
"#### Scenario: Drifted internal release dependency is repaired in write mode",
etc.) need a blank line after each heading so markdownlint stops flagging them;
update the document by inserting a single empty line between every "####
Scenario: ..." heading line and the following list/paragraph content throughout
the file (including the Requirement and Scenario sections) to ensure proper
markdown spacing.

In `@scripts/sync-internal-release-deps.mjs`:
- Around line 111-137: The unmanaged-edge check currently tests dependency.path
prefixes directly (releaseManagedPathPrefixes) which misses sibling client
references like "../cerebro"; update the check to resolve dependency.path
relative to manifestPath before testing: for each dependency from
collectInternalPathDependencies, compute the normalized target path by resolving
path.dirname(manifestPath) + dependency.path (use
path.resolve/path.posix.resolve) and then test whether that resolved/normalized
path is under the clients/ tree (e.g., startsWith("clients/") or otherwise
matches the patterns used to build releaseManagedManifestPaths) instead of
matching the raw dependency.path; keep using
managedEdges.has(edgeKey(manifestPath, dependency.dependencyName)) for the final
existence check.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9c84f4fa-7863-414c-bcd2-f52f115e4b99

📥 Commits

Reviewing files that changed from the base of the PR and between daa8300 and 38abdd9.

📒 Files selected for processing (5)
  • .github/workflows/sync-cargo-lockfiles.yml
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/state.yaml
  • openspec/changes/archive/2026-04-29-release-internal-dependency-sync/verify-report.md
  • scripts/release-contract.test.mjs
  • scripts/sync-internal-release-deps.mjs
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: sonar
  • GitHub Check: pr-checks
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: submit-gradle
  • GitHub Check: Cloudflare Pages
🪛 LanguageTool
openspec/changes/archive/2026-04-29-release-internal-dependency-sync/verify-report.md

[uncategorized] ~55-~55: The official name of this software platform is spelled with a capital “H”.
Context: ...e: scripts/release-contract.test.mjs, .github/workflows/release-please.yml, `.github...

(GITHUB)

🪛 markdownlint-cli2 (0.22.1)
openspec/changes/archive/2026-04-29-release-internal-dependency-sync/verify-report.md

[warning] 32-32, 37-37, 42-42, 47-47, 54-54, 59-59: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)
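The manifest-relative resolution that the review asks for in scripts/sync-internal-release-deps.mjs, as an added example and not code from the corvus repository: a Cargo `path` dependency such as `"../cerebro"` is resolved against the directory of the manifest that declares it before the `clients/` prefix test runs, so sibling references are no longer skipped. The edge-key shape, the `RELEASE_MANAGED_PATH_PREFIXES` list, the sample manifests, version strings and the managed-edge set are all constructed for illustration; `findUnmanagedEdgesNaive` reproduces the raw-path check the review describes, only to show what it misses.

```javascript
// Added example, not code from the corvus repository. Every manifest, edge,
// version and helper name below is constructed for illustration; only the
// edgeKey(manifestPath, dependencyName) call and the "clients/" prefix test
// follow shapes the review text mentions.

// Collapse "." and ".." segments of a repo-relative POSIX path. Cargo path
// dependencies use forward slashes, so no Windows separator handling is needed.
function normalizeRepoPath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      // A dependency that climbs above the repository root is a
      // misconfiguration, never a managed edge: fail loudly instead of skipping.
      if (out.length === 0) throw new Error(`path escapes repository root: ${p}`);
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out.join("/");
}

function dirname(p) {
  const i = p.lastIndexOf("/");
  return i < 0 ? "" : p.slice(0, i);
}

// Resolve a `path = "..."` dependency value against the manifest that declares it.
function resolveDependencyPath(manifestPath, dependencyPath) {
  return normalizeRepoPath(`${dirname(manifestPath)}/${dependencyPath}`);
}

// Assumed shape of the script's edge key: one string per (manifest, dependency) pair.
function edgeKey(manifestPath, dependencyName) {
  return `${manifestPath}::${dependencyName}`;
}

// Assumed stand-in for releaseManagedPathPrefixes: anything under clients/ is
// part of the release graph and must be declared as an internal edge.
const RELEASE_MANAGED_PATH_PREFIXES = ["clients/"];

function isReleaseManagedPath(repoRelativePath) {
  return RELEASE_MANAGED_PATH_PREFIXES.some((prefix) => repoRelativePath.startsWith(prefix));
}

// Return every path dependency that resolves into the managed tree but has no
// declared edge. `manifests` stands in for collectInternalPathDependencies()
// output: one entry per Cargo.toml with its path dependencies.
function findUnmanagedEdges(manifests, managedEdges) {
  const unmanaged = [];
  for (const { manifestPath, dependencies } of manifests) {
    for (const dependency of dependencies) {
      const resolvedPath = resolveDependencyPath(manifestPath, dependency.path);
      if (!isReleaseManagedPath(resolvedPath)) continue; // outside clients/: not release managed
      if (managedEdges.has(edgeKey(manifestPath, dependency.dependencyName))) continue;
      unmanaged.push({ manifestPath, dependencyName: dependency.dependencyName, resolvedPath });
    }
  }
  return unmanaged;
}

// The pre-fix behaviour the review describes: testing the raw `path` value.
// A sibling reference such as "../cerebro" never starts with "clients/", so
// the edge is treated as irrelevant and silently skipped.
function findUnmanagedEdgesNaive(manifests, managedEdges) {
  const unmanaged = [];
  for (const { manifestPath, dependencies } of manifests) {
    for (const dependency of dependencies) {
      if (!isReleaseManagedPath(dependency.path)) continue;
      if (managedEdges.has(edgeKey(manifestPath, dependency.dependencyName))) continue;
      unmanaged.push({ manifestPath, dependencyName: dependency.dependencyName, resolvedPath: dependency.path });
    }
  }
  return unmanaged;
}

// Constructed sample: what parsing two Cargo.toml files might yield.
const SAMPLE_MANIFESTS = [
  {
    manifestPath: "clients/agent-runtime/Cargo.toml",
    dependencies: [
      { dependencyName: "cerebro", path: "../cerebro", version: "0.4.0" }, // declared edge
      { dependencyName: "build-tools", path: "../../tools/build-tools" },  // resolves outside clients/
    ],
  },
  {
    manifestPath: "clients/cerebro/Cargo.toml",
    dependencies: [
      { dependencyName: "shared", path: "../shared", version: "0.4.0" }, // undeclared edge
    ],
  },
];

// Constructed stand-in for the internalReleaseDependencies contract.
const MANAGED_EDGES = new Set([edgeKey("clients/agent-runtime/Cargo.toml", "cerebro")]);

console.log("unmanaged (resolved):", findUnmanagedEdges(SAMPLE_MANIFESTS, MANAGED_EDGES));
console.log("unmanaged (naive):", findUnmanagedEdgesNaive(SAMPLE_MANIFESTS, MANAGED_EDGES));
```

Run with `node` on any recent release; no third-party modules are needed. The resolved check reports the undeclared `clients/cerebro -> clients/shared` edge, the naive check reports nothing, and a dependency that climbs above the repository root throws rather than being silently ignored, which is the failure mode a `--check` gate should surface.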
Complete SDD cycle for Rook Phase 1 production baseline:
- Merge 6 production requirements into gateway spec (292 lines)
- Archive change with full traceability
- 20/20 spec scenarios verified
- 42/42 tasks completed
- 360 tests passing

Requirements added:
- Effective Rook configuration assembly and export
- Config export redaction for secrets
- Rook doctor deterministic diagnostics
- Readiness/liveness health endpoints
- Backward-compatible base health endpoint
- Baseline metrics exposure for gateway operations

Archive cerebro-add-release-smoke-test-for-real-server-startup-692:
- Add Linux release binary startup smoke validation to gateway spec
- 6/6 spec scenarios verified compliant
- 9/9 tasks completed
- Real server startup validation in CI with health/readiness probes
- MCP authentication testing with proper cleanup

Archive release-component-graph-design:
- Formalize release-component graph model with 8 requirements
- Update 6 release-management specs with graph-backed semantics
- 30+ Given/When/Then scenarios covering all resolution paths
- Transitive dependency expansion and publish policy enforcement
- Documentation-first phase complete (100% task completion)

Both changes: PASS verification, 0 critical issues, 0 warnings
@sonarqubecloud

Quality Gate failed

Failed conditions
1 Security Hotspot
18.8% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@yacosta738 yacosta738 merged commit bc45ee7 into main Apr 29, 2026
18 of 20 checks passed
@yacosta738 yacosta738 deleted the fix/internal-release-dependency-sync branch April 29, 2026 17:52

Labels

area:ci, area:docs, risk:high, size/xl

1 participant