SK: 2832 Added Claude Code setup for Java#335
Conversation
- Add CLAUDE.md with project conventions, version info, commit guidelines - Add .claude/commands: code-review, code-smell, code-security, sdk-sample, test, commit (Jira-aware) - Add .claude/hooks/checkstyle-on-edit.py for per-edit lint feedback - Add .claude/settings.json with permissions and PostToolUse hook - Add .claude/skills/requesting-code-review for context-fork reviews - Add .github/workflows/claude-pr-review.yml: automated SDK + security review on PRs - Add .github/workflows/claude-changelog.yml: auto-generated release notes on tag push - Add .github/workflows/release-v1.yml: v1 public release targeting v1 branch - Update .cspell.json with British English and project-specific terms Requires ANTHROPIC_API_KEY secret in GitHub Actions for claude-* workflows. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Move file placement, deprecated folder note, and sample rules into samples/CLAUDE.md (loads only when working on samples) - Remove samples paths and content from root CLAUDE.md to reduce token load on every non-samples session Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…-setup-v2 # Conflicts: # .cspell.json
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
Claude SDK Patterns ReviewFiles reviewed: |
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
Claude SDK Patterns ReviewFiles reviewed: |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Claude SDK Review
No spelling issues. Now I have all the information needed to produce the consolidated PR/CI mode report.
Analysis of added lines:
VaultClient.java / ConnectionClient.java — catch (Exception e) at lines ~92/942:
The original code threw new RuntimeException(e) — a raw unchecked exception that leaked the original exception's message as the error. The new code throws new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage()). This is semantically wrong: EmptyCredentials is a validation-error message about credentials being empty/invalid. In a generic catch (Exception e) handler that catches unknown/unexpected exceptions, using EmptyCredentials as the error message is misleading — callers seeing a 500 SERVER_ERROR with "Invalid credentials. Credentials must not be empty" will misdiagnose the problem. The original exception e is completely discarded with no diagnostic information preserved.
HttpUtility.java — line 88:
new SkyflowException(httpCode, new Throwable(description), responseHeaders, "{}") — the "{}" empty JSON body is correct since there's no error stream, and ErrorMessage.ErrorOccurred is appropriate. The requestID variable passed to appendRequestId can be null at this point (line 75 shows it may be null if the header is absent), but appendRequestId likely handles that. This is a good fix overall.
synchronized on setBearerToken:
Added to both VaultClient and ConnectionClient — correct thread-safety fix per security check §7.
REQUEST CHANGES — the catch (Exception e) handler in both VaultClient.java and ConnectionClient.java uses ErrorMessage.EmptyCredentials for a generic unexpected exception, discards the original cause entirely, and will mislead callers debugging non-credential failures.
| File:Line | Severity | Category | Finding |
|---|---|---|---|
src/main/java/com/skyflow/VaultClient.java:942 |
Bug | Error Handling | catch (Exception e) throws ErrorMessage.EmptyCredentials for any unexpected exception, discarding the original cause. An unrelated runtime error (e.g. NullPointerException) will surface as "Invalid credentials. Credentials must not be empty" — misleading and untraceable. The original exception e must be preserved (pass it as the cause or use its message). |
src/main/java/com/skyflow/ConnectionClient.java:92 |
Bug | Error Handling | Same issue: generic catch (Exception e) maps all unknown errors to ErrorMessage.EmptyCredentials, silently discarding e. |
Advisory (Quality / Smell / Low / Info) — 1 items
| File:Line | Severity | Finding |
|---|---|---|
src/main/java/com/skyflow/utils/HttpUtility.java:87 |
Info | requestID passed to appendRequestId may be null when the server response lacks an x-request-id header; the resulting string will contain "null" literally. Harmless but worth guarding if the method doesn't already normalise null. |
| throw e; | ||
| } catch (Exception e) { | ||
| throw new RuntimeException(e); | ||
| throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage()); |
There was a problem hiding this comment.
Bug: catch (Exception e) discards the original exception and throws ErrorMessage.EmptyCredentials for any unexpected error. A NullPointerException or similar will surface to callers as "Invalid credentials. Credentials must not be empty" — completely misleading. Preserve the original cause, e.g.: throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), e.getMessage() != null ? e.getMessage() : ErrorMessage.ErrorOccurred.getMessage()).
| throw e; | ||
| } catch (Exception e) { | ||
| throw new RuntimeException(e); | ||
| throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage()); |
There was a problem hiding this comment.
Bug: Same issue as VaultClient.java: catch (Exception e) maps all unknown exceptions to ErrorMessage.EmptyCredentials, discarding the original cause. Any unexpected runtime failure will be reported to callers as a credential validation error.
…egory The blocking set mixed severity levels (Critical/High/Medium) with issue types (Bug/Edge Case) in a single column, which reads oddly — a Critical/High finding *is* a bug. Now there are two independent axes: - Severity (how serious): Critical / High / Medium / Low / Info — one scale shared by SDK-pattern, smell, and security findings. - Category (what kind): Correctness / Edge case / Security / Pattern / Naming / Tests / Smell. Blocking = Critical / High / Medium; Advisory = Low / Info. "Bug" is now Severity High/Critical + Category Correctness; "Quality"/"Smell" map to Low/Info. Updated the Step 1 table/legend, the CI output buckets + tables, the inline json schema (adds "category"), and the workflow inline-comment body. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
There was a problem hiding this comment.
Claude SDK Review
Now I have enough information to produce the full review. Let me analyze all the findings from the diff.
Analysis of added lines:
ConnectionClient.java line 92 / VaultClient.java line 942:
catch (Exception e) → throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage())
Issues:
- Misleading error message: Using
EmptyCredentialsfor a genericExceptioncatch block is semantically wrong — the exception caught here is not necessarily caused by empty credentials. This is a Correctness issue because callers get a misleading message for any unexpected exception (e.g., network errors, NullPointerExceptions, etc.). - Original exception discarded: The original exception
eis not passed as the cause, losing the stack trace and root cause information.
HttpUtility.java line 87-88:
ErrorMessage.ErrorOccurred.getMessage() passed to appendRequestId() — the ErrorMessage.ErrorOccurred.getMessage() value contains the %s0 placeholder already replaced with the SDK prefix. This is fine.
The SkyflowException(int httpCode, Throwable cause, Map<String, List<String>> responseHeaders, String responseBody) constructor is used, and a new Throwable(description) is the cause. This is an improvement over the old "replace with description" placeholder magic string. However, new Throwable(description) wraps the description as a Throwable — this is fine given the constructor signature.
VaultClient.java / ConnectionClient.java synchronized on setBearerToken():
This is a positive security fix for thread safety — addresses the authentication lifecycle thread-safety check (§7 of code-security). No issues here.
VaultClient.java import expansion (wildcard → explicit):
These are all added lines but they're purely refactoring (checkstyle-driven explicit imports). No functional issues.
REQUEST CHANGES — the catch block uses ErrorMessage.EmptyCredentials to report a generic unexpected exception, giving callers a misleading error message and swallowing the root cause (e is unused).
| File:Line | Severity | Category | Finding |
|---|---|---|---|
src/main/java/com/skyflow/VaultClient.java:942 |
High | Correctness | catch (Exception e) throws EmptyCredentials error message for any unexpected exception — message is semantically wrong (e.g. a NullPointerException or IOException unrelated to credentials would surface as "Credentials must not be empty"). Original exception e is discarded as the cause, losing stack trace and root cause. |
src/main/java/com/skyflow/ConnectionClient.java:92 |
High | Correctness | Same issue as VaultClient.java:942 — EmptyCredentials message used for a generic catch block; original exception e discarded. |
Advisory (Low / Info) — 2 items
| File:Line | Severity | Finding |
|---|---|---|
src/main/java/com/skyflow/VaultClient.java:942 |
Low | The SkyflowException(int code, String message) constructor hardcodes httpStatus = HttpStatus.BAD_REQUEST (400) regardless of the passed code — so passing ErrorCode.SERVER_ERROR.getCode() (500) as the code will still result in an HTTP status of 400 in the exception. This is a pre-existing constructor behaviour, but it means the 500 code passed here is misleading. |
src/main/java/com/skyflow/utils/HttpUtility.java:88 |
Info | new Throwable(description) as the cause parameter is unusual — the description is the actual human-readable message, but wrapping it in a Throwable just to satisfy the constructor signature adds an unnecessary wrapper. The (int code, String message) constructor would be cleaner if it weren't for the pre-existing HTTP-status hardcoding issue. |
| throw e; | ||
| } catch (Exception e) { | ||
| throw new RuntimeException(e); | ||
| throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage()); |
There was a problem hiding this comment.
High · Correctness: catch (Exception e) throws EmptyCredentials — this message is semantically wrong for any non-credentials exception (e.g. NullPointerException, IOException). The original exception e should be passed as the cause: throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), e.getMessage()) or similar, so callers get the real root cause rather than a misleading 'Credentials must not be empty' message.
| throw e; | ||
| } catch (Exception e) { | ||
| throw new RuntimeException(e); | ||
| throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage()); |
There was a problem hiding this comment.
High · Correctness: catch (Exception e) throws EmptyCredentials — same issue as VaultClient.java: the error message is semantically wrong for any unexpected exception, and the original exception e is discarded as the cause. Pass e as the cause so the real failure is propagated.
…ider cols)
- Rename the posted comment header "Claude SDK Review" -> "AI Code Review".
- Strip model preamble/narration ("Now I have… / Let me…") before posting:
instruct the command that its entire output is the comment body starting at
the verdict, and defensively slice anything before the verdict/heading in the
workflow.
- Crisp summary: blocking findings carry their full explanation in the inline
comment; the summary table keeps the Finding cell to one line (no duplication).
- Merge Severity + Category into one "Severity · Category" column so the columns
aren't cramped.
- Frame the summary as the review outcome, not a restatement of the PR.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
There was a problem hiding this comment.
AI Code Review
REQUEST CHANGES — HttpUtility.java:88 introduces a null return from getMessage() on the no-body error path, replacing a working (but placeholder-string) constructor call with a four-arg constructor that never assigns this.message.
java\nthrow new SkyflowException(httpCode, appendRequestId(ErrorMessage.ErrorOccurred.getMessage(), requestID));\n```\nThis sets this.httpCode, `this.message`, `this.httpStatus`, and `this.details` correctly." }]
---
REQUEST CHANGES — the changed lines introduce one blocking correctness bug in `HttpUtility.java`.
| File:Line | Severity · Category | Finding |
|-----------|---------------------|---------|
| `src/main/java/com/skyflow/utils/HttpUtility.java:88` | High · Correctness | `getMessage()` returns `null` on the no-body error path — four-arg constructor never assigns `this.message` when `responseBody` is `"{}"` |
| `src/main/java/com/skyflow/VaultClient.java:942` | Medium · Pattern | `catch (Exception e)` throws `ErrorMessage.EmptyCredentials` ("credentials must not be empty") for any unexpected runtime exception — misleading message that hides the real cause |
| `src/main/java/com/skyflow/ConnectionClient.java:92` | Medium · Pattern | Same misleading error message as VaultClient — any unexpected exception reports "credentials must not be empty" |
<details><summary>Advisory (Low / Info) — 2 items</summary>
| File:Line | Severity · Category | Finding |
|-----------|---------------------|---------|
| `src/main/java/com/skyflow/utils/HttpUtility.java:88` | Info · Pattern | `new Throwable(description)` is constructed purely to carry the description string into the four-arg constructor, but that string is unused (it does not end up in `getMessage()`). Even after the blocking fix is applied, the `Throwable` parameter is redundant in this code path. |
| `src/main/java/com/skyflow/VaultClient.java:942` | Low · Pattern | The original `throw new RuntimeException(e)` that this replaces was itself a violation (wrapping in RuntimeException instead of SkyflowException). The replacement is correct in type but the error message should use a generic `ErrorMessage.ErrorOccurred` and preserve the original exception as a cause rather than discarding it. |
</details>
```json:inline
[{ "path": "src/main/java/com/skyflow/utils/HttpUtility.java", "line": 88, "severity": "High", "category": "Correctness", "comment": "The four-arg SkyflowException constructor called here (`new SkyflowException(httpCode, new Throwable(description), responseHeaders, \"{}\")`) never populates `this.message`. Inside the constructor, `setResponseBody(\"{}\", ...)` parses `{}` without throwing, finds `responseBody.get(\"error\") == null`, and returns without calling `setMessage()`. As a result `getMessage()` returns null for any HTTP error response that has no body — silently breaking every caller that displays `e.getMessage()`.\n\nFix — use the two-arg constructor that assigns the message directly:\n```java\nthrow new SkyflowException(httpCode, appendRequestId(ErrorMessage.ErrorOccurred.getMessage(), requestID));\n```\nThis sets `this.httpCode`, `this.message`, `this.httpStatus`, and `this.details` correctly." }]
…le strip) - Output spec: require each part to be a top-level block at the left margin with blank lines around tables/<details>; forbid emitting the parts as a markdown numbered list (tables and <details> nested in list items do not render on GitHub) — likely cause of the broken formatting. - Workflow: make the preamble strip line-based and tolerant of a decorated verdict (e.g. **REQUEST CHANGES**) instead of only a bare line-start match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
There was a problem hiding this comment.
AI Code Review
REQUEST CHANGES — SkyflowException(httpCode, new Throwable(description), responseHeaders, "{}") leaves getMessage() returning null on the no-body error path, and the generic catch in prioritiseCredentials uses a misleading EmptyCredentials message that misrepresents non-credentials exceptions as credential validation failures.
| File:Line | Severity · Category | Finding |
|---|---|---|
| HttpUtility.java:88 | High · Correctness | getMessage() returns null: SkyflowException(httpCode, new Throwable(description), responseHeaders, "{}") calls setResponseBody("{}", …) which finds no "error" key and never calls setMessage(), leaving this.message = null |
| VaultClient.java:942 | Medium · Correctness | Generic Exception catch uses EmptyCredentials message — misrepresents any non-credentials exception (e.g. NullPointerException, ClassCastException) as a credentials validation failure; also uses SERVER_ERROR (500) for what the rest of the method treats as a client-side error |
| ConnectionClient.java:92 | Medium · Correctness | Same misleading EmptyCredentials / SERVER_ERROR for generic catch as VaultClient.java:942 |
Advisory (Low / Info) — 2 items
| File:Line | Severity · Category | Finding |
|---|---|---|
| VaultClient.java:942 | Info · Pattern | synchronized on setBearerToken() locks on this, but prioritiseCredentials() (also called from non-synchronized updateConnectionConfig) mutates finalCredentials/token without the lock — synchronising only setBearerToken does not fully protect all mutations of shared state |
| ConnectionClient.java:92 | Info · Pattern | Same partial-synchronisation note as VaultClient.java — prioritiseCredentials() is called unsynchronised from updateConnectionConfig |
java\nthrow new SkyflowException(description);\n" }, { "path": "src/main/java/com/skyflow/VaultClient.java", "line": 942, "severity": "Medium", "category": "Correctness", "comment": "The generic `catch (Exception e)` in `prioritiseCredentials()` now throws `SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage())`. Two problems:\n1. `EmptyCredentials` says \"Invalid credentials. Credentials must not be empty.\" — this message is wrong for exceptions that are not related to credentials (e.g. a `NullPointerException` or `ClassCastException` in the Dotenv path). The original exception cause is also swallowed, making debugging harder.\n2. `ErrorCode.SERVER_ERROR` is 500, but `EmptyCredentials` is categorised under Validation errors (400) everywhere else in the SDK.\n\nFix: Use a generic server-error message that preserves the original cause:\njava\n} catch (Exception e) {\n throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(),\n ErrorMessage.ErrorOccurred.getMessage());\n}\n```\nOr re-wrap preserving the original: new SkyflowException(e.getMessage(), e)."
},
{
"path": "src/main/java/com/skyflow/ConnectionClient.java",
"line": 92,
"severity": "Medium",
"category": "Correctness",
"comment": "Same issue as VaultClient.java:942 — generic `catch (Exception e)` throws `EmptyCredentials` which misleadingly describes all non-SkyflowException failures as a credentials-validation problem. Fix: use `ErrorMessage.ErrorOccurred` (or a suitable generic message) and preserve the original cause."
}
]
…ktick fence) The model put ```java code fences inside the JSON "comment" values, which broke the non-greedy ```json:inline``` extraction regex (it stopped at the first inner ``` ). Result: the JSON dumped into the visible comment AND inline comments stopped (the truncated JSON failed to parse -> empty array). - code-review.md: emit the inline block inside an HTML comment sentinel (<!-- ai-review-inline [...] -->) which never renders even if parsing fails; forbid triple backticks / code fences inside the "comment" field. - claude-pr-review.yml: extract from the HTML sentinel (backtick-proof), keep a legacy ```json:inline fallback, and defensively strip any stray block to end-of-text so a malformed block can never leak into the summary. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
There was a problem hiding this comment.
AI Code Review
REQUEST CHANGES — the no-error-body path in HttpUtility.java results in getMessage() returning "{}" instead of the error description, and the generic-exception catch in both VaultClient and ConnectionClient uses a misleading EmptyCredentials message.
| File:Line | Severity · Category | Finding |
|---|---|---|
| HttpUtility.java:88 | High · Correctness | getMessage() returns "{}" on the no-body path: description from appendRequestId is never stored because setResponseBody("{}", …) does not find an "error" key, and the catch-block fallback uses responseBody = "{}" as the message |
| VaultClient.java:942 | Medium · Pattern | Generic Exception catch uses ErrorMessage.EmptyCredentials — misleads callers into thinking credentials are empty when the actual cause could be any unexpected runtime error |
| ConnectionClient.java:92 | Medium · Pattern | Same misleading ErrorMessage.EmptyCredentials on generic Exception catch |
Advisory (Low / Info) — 1 items
| File:Line | Severity · Category | Finding |
|---|---|---|
| VaultClient.java, ConnectionClient.java | Info · Pattern | synchronized on setBearerToken() locks on the instance, which is correct for single-instance use; consider a doc comment explaining the thread-safety contract so future maintainers don't accidentally remove it |
| String description = appendRequestId("replace with description", requestID); | ||
| throw new SkyflowException(description); | ||
| String description = appendRequestId(ErrorMessage.ErrorOccurred.getMessage(), requestID); | ||
| throw new SkyflowException(httpCode, new Throwable(description), responseHeaders, "{}"); |
There was a problem hiding this comment.
High · Correctness: The description built by appendRequestId(ErrorMessage.ErrorOccurred.getMessage(), requestID) is never surfaced to callers. SkyflowException(httpCode, new Throwable(description), responseHeaders, "{}") passes "{}" as the response body. Inside the constructor, setResponseBody("{}", …) parses {}, finds no "error" key, and skips all message setters. The outer catch fallback then assigns this.message = responseBody = "{}", so getMessage() returns the literal string "{}" instead of the intended error description. Fix: pass the description as the response body, e.g. construct a minimal JSON envelope "{\"error\":{\"message\":\"" + description + "\"}}", or use the SkyflowException(String message) constructor directly since there is no parseable server body in this branch.
| throw e; | ||
| } catch (Exception e) { | ||
| throw new RuntimeException(e); | ||
| throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage()); |
There was a problem hiding this comment.
Medium · Pattern: Catching Exception and rethrowing with ErrorMessage.EmptyCredentials ("Invalid credentials. Credentials must not be empty.") misrepresents any generic runtime failure as a credentials problem. Use a more appropriate message such as ErrorMessage.ErrorOccurred or introduce a dedicated SERVER_ERROR message so callers can distinguish credential errors from unexpected failures.
| throw e; | ||
| } catch (Exception e) { | ||
| throw new RuntimeException(e); | ||
| throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage()); |
There was a problem hiding this comment.
Medium · Pattern: Same issue as VaultClient.java: catching Exception and rethrowing with ErrorMessage.EmptyCredentials misrepresents any unexpected runtime error as an empty-credentials error. Use ErrorMessage.ErrorOccurred or a dedicated message for unexpected server-side failures.
…kyflowapi/skyflow-java into devesh/SK-2832-claude-setup-v2
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
Cancel superseded review runs via concurrency so only the latest commit is reviewed. Diff from the bot's last-reviewed commit (commit_id) instead of the PR base, falling back to a full review on first run, rebase, or manual dispatch. Stay silent when the incremental verdict is a bare APPROVE, so clean follow-up commits don't repost comments. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
There was a problem hiding this comment.
AI Code Review
APPROVE WITH FIXES — all three changed files are sample-only additions/edits with no blocking defects; three advisory items found.
| File:Line | Severity · Category | Finding |
|---|---|---|
| samples/src/main/java/com/example/vault/DetokenizeExample.java:11 | Low · Smell | DetokenizeRecordResponse import is only referenced in commented-out code — unused import |
| samples/src/main/java/com/example/vault/GetExample.java:60 | Info · Naming | Comment references deprecated downloadURL(true) — prefer downloadUrl(true) per SDK naming convention |
| samples/src/main/java/com/example/detect/ReidentifyTextExample.java:85 | Info · Security | System.out.println prints the full reidentified response which contains restored PII values; users copying this sample may inadvertently log sensitive data in production |
- Verdict: state theme/count only; never enumerate/restate findings (the table already lists them) — was duplicating the whole table in the rationale. - Blocking table: Finding cell must be a terse identifier (<=~12 words); full detail lives only in the inline comment, never repeated in the table. - Collapse the same issue across multiple files into one row (locations comma-separated) instead of near-duplicate rows; inline block still emits one entry per location. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
There was a problem hiding this comment.
AI Code Review
All findings are Low/Info — no blocking issues. Verdict: APPROVE WITH FIXES.
APPROVE WITH FIXES — 1 unused import and 1 stack-trace call in the new sample file.
| File:Line | Severity · Category | Finding |
|---|---|---|
| DetokenizeExample.java:11 | Low · Smell | Unused import DetokenizeRecordResponse — referenced only in commented-out code |
| ReidentifyTextExample.java:92 | Low · Pattern | e.printStackTrace() exposes full stack trace — use e.getMessage() |
Advisory (Low / Info) — 2 items
| File:Line | Severity · Category | Finding |
|---|---|---|
| samples/src/main/java/com/example/vault/DetokenizeExample.java:11 | Low · Smell | Import DetokenizeRecordResponse added by this PR is unused in live code — it appears only inside commented-out blocks; either uncomment the example or remove the import |
| samples/src/main/java/com/example/detect/ReidentifyTextExample.java:92 | Low · Pattern | e.printStackTrace() in a sample catch block surfaces a full JVM stack trace; prefer System.err.println(e.getMessage()) to match the error-handling guidance shown in other samples |
3 participants
incremental claude setup changes