DEV Community: Ali Abbas The latest articles on DEV Community by Ali Abbas (@ali_abbas_d8086e0f96d8173). https://dev.to/ali_abbas_d8086e0f96d8173 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3763730%2F0af94c69-0eb2-4b0a-9684-4438180165ed.jpg DEV Community: Ali Abbas https://dev.to/ali_abbas_d8086e0f96d8173 en Stop Repeating Yourself: How to Automate Architectural Context in GitHub PRs Ali Abbas Sat, 14 Feb 2026 10:07:42 +0000 https://dev.to/ali_abbas_d8086e0f96d8173/stop-repeating-yourself-how-to-automate-architectural-context-in-github-prs-4cgd https://dev.to/ali_abbas_d8086e0f96d8173/stop-repeating-yourself-how-to-automate-architectural-context-in-github-prs-4cgd <p>We've all been there. You're reviewing a pull request from a junior developer, and for what feels like the tenth time this month, you're typing out the same comment: </p> <p><em>"Hey, we don't use <code>console.log</code> in production code—please use our structured logger."</em></p> <p>The dev apologizes, updates the code, and you approve the PR. Two weeks later, a different developer makes the exact same mistake. Rinse and repeat.</p> <p>Sound familiar?</p> <h2> The Real Problem: The Documentation-Implementation Gap </h2> <p>Here's the thing: <strong>your team's architectural decisions live in documents that nobody reads, while the actual work happens in code.</strong></p> <p>You probably have an Architecture Decision Record (ADR) somewhere that clearly states: "We use Winston for structured logging, not console.log." It's documented. It's in Confluence. It might even be in your repository's <code>/docs</code> folder.</p> <p>But let's be honest—when was the last time a developer actively searched through ADRs before writing code?</p> <p>The problem isn't your team. The problem is expecting humans to remember and enforce dozens of architectural constraints manually. That's not scalable, and it leads to:</p> <ul> <li> <strong>Review fatigue</strong>: Senior devs waste time repeating the same feedback</li> <li> <strong>Inconsistent codebases</strong>: Some violations slip through when reviewers are tired</li> <li> <strong>Slower onboarding</strong>: New team members learn by making mistakes instead of prevention</li> <li> <strong>Context switching</strong>: Developers have to context-switch between code and documentation</li> </ul> <p>What if there was a better way?</p> <h2> The Solution: Context-as-Code </h2> <p>Instead of keeping architectural decisions in separate documentation, what if we could <strong>encode them directly into our development workflow</strong>?</p> <p>This is the concept of "Context-as-Code"—taking your team's architectural decisions and automating their enforcement at the exact moment they matter: during pull requests.</p> <p>Think of it like this: instead of a senior developer manually checking every PR for violations, you create automated rules that check for you. The PR author gets immediate feedback, learns the constraint, and your reviewers can focus on actual architecture and logic instead of style guide enforcement.</p> <h2> Enter Decision Guardian </h2> <p><a href="https://github.com/DecispherHQ/decision-guardian" rel="noopener noreferrer">Decision Guardian</a> is a GitHub Action that bridges this gap. It automatically surfaces architectural decisions and critical context when Pull Requests modify protected files. Instead of relying on tribal knowledge, Decision Guardian proactively alerts teams when changes touch sensitive code.</p> <p>Here's what makes it powerful:</p> <ul> <li> <strong>Automated context surfacing</strong>: Automatically posts PR comments when protected files change</li> <li> <strong>Markdown-based decisions</strong>: Write decisions in simple markdown format</li> <li> <strong>Flexible file matching</strong>: Supports glob patterns and advanced rule evaluation</li> <li> <strong>Non-blocking</strong>: Configurable to either block merges or just warn</li> <li> <strong>Zero external calls</strong>: Runs entirely within your GitHub Actions runner—no data leaves GitHub</li> </ul> <p>Let's dive into what this looks like in practice.</p> <h2> The Cool Stuff: Deep Dive into Features </h2> <h3> Simple File-Based Decisions </h3> <p>The core concept is beautifully simple: you write architectural decisions in markdown and link them to file patterns. When someone opens a PR that touches those files, they automatically see the context.</p> <p>Here's a basic example for protecting your database configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="c">&lt;!-- DECISION-DB-001 --&gt;</span> <span class="gu">## Decision: Connection Pool Size</span> <span class="gs">**Status**</span>: Active <span class="gs">**Date**</span>: 2024-01-15 <span class="gs">**Severity**</span>: Critical <span class="gs">**Files**</span>: <span class="p">-</span> <span class="sb">`src/db/pool.ts`</span> <span class="p">-</span> <span class="sb">`config/database.yml`</span> <span class="gu">### Context</span> Pool size fixed at 20 connections to prevent exhaustion. Tested with production load (5K req/s). Higher values caused connection leaks under sustained traffic. <span class="gs">**Do not modify without load testing.**</span> <span class="p"> --- </span></code></pre> </div> <p>That's it! When someone modifies <code>src/db/pool.ts</code> or <code>config/database.yml</code>, this decision automatically appears as a comment on their PR.</p> <h3> Advanced Rules with Regex </h3> <p>For more sophisticated scenarios, you can embed JSON-based rules directly in your markdown to detect patterns in code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="c">&lt;!-- DECISION-SEC-001 --&gt;</span> <span class="gu">## Decision: No Hardcoded Credentials</span> <span class="gs">**Status**</span>: Active <span class="gs">**Date**</span>: 2024-02-01 <span class="gs">**Severity**</span>: Critical <span class="gs">**Rules**</span>: <span class="se">\`\`\`</span>json { "type": "file", "pattern": "src/<span class="ge">**</span>/<span class="err">*</span>.{ts,js}", "exclude": "<span class="ge">**</span>/<span class="err">*</span>.test.{ts,js}", "content_rules": [ { "mode": "regex", "pattern": "(password|api<span class="p">[</span><span class="nv">_-]?key|secret)\\s*[=:]\\s*['\"</span><span class="p">][</span><span class="ss">^'\"</span><span class="p">]</span>+['<span class="se">\"</span>]", "flags": "i" } ] } <span class="se">\`\`\`</span> <span class="gu">### Context</span> Detects hardcoded credentials. Use environment variables or AWS Secrets Manager instead. <span class="p"> --- </span></code></pre> </div> <p>This rule will trigger when someone adds code like <code>const password = "secret123"</code> in a JavaScript/TypeScript file.</p> <h3> JSONPath for Configuration Files </h3> <p>You can also use JSONPath to validate specific values in JSON files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="c">&lt;!-- DECISION-API-002 --&gt;</span> <span class="gu">## Decision: API Rate Limit Configuration</span> <span class="gs">**Status**</span>: Active <span class="gs">**Date**</span>: 2024-03-10 <span class="gs">**Severity**</span>: Warning <span class="gs">**Rules**</span>: <span class="se">\`\`\`</span>json { "type": "file", "pattern": "config/api.json", "content_rules": [ { "mode": "json_path", "path": "$.rateLimit.maxRequests", "expected": 100 } ] } <span class="se">\`\`\`</span> <span class="gu">### Context</span> Rate limit must stay at 100 requests/minute. Changes can: <span class="p">-</span> Block legitimate users (too strict) <span class="p">-</span> Allow abuse (too loose) Before modifying, test with production traffic patterns. <span class="p"> --- </span></code></pre> </div> <h2> Setting This Up (It's Easier Than You Think) </h2> <p>The beauty of Decision Guardian is its simplicity. No complex YAML configuration files—just markdown documents.</p> <h3> Step 1: Create Your Decisions File </h3> <p>Create <code>.decispher/decisions.md</code> in your repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="c">&lt;!-- DECISION-DB-001 --&gt;</span> <span class="gu">## Decision: Database Choice for Billing</span> <span class="gs">**Status**</span>: Active <span class="gs">**Date**</span>: 2024-03-15 <span class="gs">**Severity**</span>: Critical <span class="gs">**Files**</span>: <span class="p">-</span> <span class="sb">`src/db/pool.ts`</span> <span class="p">-</span> <span class="sb">`config/database.{yml,yaml}`</span> <span class="gu">### Context</span> We chose Postgres over MongoDB because billing requires ACID compliance. MongoDB doesn't guarantee consistency for financial transactions. <span class="gs">**Alternatives rejected:**</span> <span class="p">-</span> MongoDB: No ACID guarantees <span class="p">-</span> Redis: Added unnecessary complexity <span class="gs">**Related:**</span> <span class="p">-</span> <span class="p">[</span><span class="nv">Slack thread</span><span class="p">](</span><span class="sx">https://your-workspace.slack.com/archives/...</span><span class="p">)</span> <span class="p">-</span> <span class="p">[</span><span class="nv">Architecture review</span><span class="p">](</span><span class="sx">https://your-docs.com/...</span><span class="p">)</span> <span class="p"> --- </span></code></pre> </div> <h3> Step 2: Add the GitHub Action </h3> <p>Create <code>.github/workflows/decision-guardian.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Decision Guardian</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">check</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">DecispherHQ/decision-guardian@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">decision_file</span><span class="pi">:</span> <span class="s1">'</span><span class="s">.decispher/decisions.md'</span> <span class="na">fail_on_critical</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h3> Step 3: Test It Out </h3> <p>Create a test PR that modifies <code>src/db/pool.ts</code> and watch Decision Guardian automatically comment with the full context from <code>DECISION-DB-001</code>.</p> <p>That's really it. No complex configuration files, no YAML sprawl—just markdown documents with your decisions.</p> <h2> What Makes This Different </h2> <p>You might be thinking: "Isn't this just like CODEOWNERS or linting?"</p> <p>Not quite. Here's the key difference:</p> <ul> <li> <strong>CODEOWNERS</strong> assigns reviewers but doesn't explain <em>why</em> review matters</li> <li> <strong>Linting</strong> catches syntax errors but not architectural violations </li> <li> <strong>Decision Guardian</strong> provides <em>context</em> at the exact moment it's needed</li> </ul> <p>When someone modifies your database connection pool, they don't just get an error—they get the full story: what the decision was, why it was made, what was tested, and who to talk to if they really need to change it.</p> <h2> Real-World Scenarios </h2> <p>Here are some practical examples of decisions teams protect with Decision Guardian:</p> <p><strong>Security patterns:</strong></p> <ul> <li>No hardcoded credentials</li> <li>Required authentication middleware</li> <li>Specific encryption algorithms</li> </ul> <p><strong>Performance constraints:</strong></p> <ul> <li>Database connection pool limits</li> <li>API rate limiting configurations</li> <li>Cache invalidation strategies</li> </ul> <p><strong>Architecture boundaries:</strong></p> <ul> <li>Microservice communication patterns</li> <li>Dependency injection requirements</li> <li>Database access patterns</li> </ul> <p><strong>Business logic:</strong></p> <ul> <li>Payment processing flows</li> <li>Data retention policies</li> <li>Feature flag configurations</li> </ul> <h2> Real-World Impact </h2> <p>After implementing Decision Guardian, teams typically see:</p> <ul> <li> <strong>Faster reviews</strong>: Senior developers spend less time on repetitive feedback</li> <li> <strong>Better onboarding</strong>: New developers learn architectural constraints immediately</li> <li> <strong>Consistent codebases</strong>: Violations get caught automatically, not sporadically</li> <li> <strong>Living documentation</strong>: ADRs become actionable, not just informational</li> <li> <strong>Knowledge preservation</strong>: Critical context survives even when team members leave</li> </ul> <p>The real win isn't just catching violations—it's <em>educating</em> developers about why those violations matter. Each PR comment becomes a teaching moment.</p> <h2> Getting Started </h2> <p>The easiest way to start is to identify the top 3-5 architectural decisions you find yourself repeating in code reviews. Document them in markdown format, link them to the relevant files, and let Decision Guardian handle the rest.</p> <p>Start small:</p> <ol> <li>Pick one decision that causes the most friction</li> <li>Document it in <code>.decispher/decisions.md</code> </li> <li>Add the GitHub Action</li> <li>Observe what happens over the next week</li> </ol> <p>You can always expand from there.</p> <h2> Conclusion: Bridge the Gap </h2> <p>Decision Guardian represents a shift in how we think about documentation. Instead of static documents that live separately from our code, we can embed our architectural knowledge directly into the development workflow—right where developers need it.</p> <p>This doesn't replace code review—it enhances it. Your senior developers can focus on architectural discussions, design patterns, and business logic instead of catching the same violations over and over.</p> <p>If you're tired of repeating yourself in PR comments, give Decision Guardian a try. It's open source, free to use, and might just save your team hundreds of hours.</p> <h2> Resources </h2> <ul> <li> <strong>Website</strong>: <a href="https://decision-guardian.decispher.com/" rel="noopener noreferrer">https://decision-guardian.decispher.com/</a> </li> <li> <strong>Documentation</strong>: <a href="https://decision-guardian.decispher.com/docs" rel="noopener noreferrer">https://decision-guardian.decispher.com/docs</a> </li> <li> <strong>GitHub Repository</strong>: <a href="https://github.com/DecispherHQ/decision-guardian" rel="noopener noreferrer">https://github.com/DecispherHQ/decision-guardian</a> </li> <li> <strong>GitHub Marketplace</strong>: <a href="https://github.com/marketplace/actions/decision-guardian" rel="noopener noreferrer">Decision Guardian Action</a> </li> </ul> <p><em>Have you tried automating architectural decisions in your workflow? What challenges have you faced with keeping documentation and code in sync? Let me know in the comments!</em></p> webdev ai programming tutorial How I Addressed the Real Pain Behind ADRs Enforcement? Ali Abbas Tue, 10 Feb 2026 12:45:03 +0000 https://dev.to/ali_abbas_d8086e0f96d8173/how-i-addressed-the-real-pain-behind-adrs-enforcement-21g https://dev.to/ali_abbas_d8086e0f96d8173/how-i-addressed-the-real-pain-behind-adrs-enforcement-21g <h2> Description </h2> <p>Technical deep-dive on building a GitHub Action that prevents institutional amnesia by surfacing past architectural decisions on Pull Requests</p> <p>I spent 3 years building systems. During that time, I watched teams waste months repeatedly debating architectural decisions they'd already made. We use ADRs in our company, but enforcement is inconsistent - only senior devs remember to update them.</p> <p>So I built <a href="https://github.com/DecispherHQ/decision-guardian" rel="noopener noreferrer">Decision Guardian</a> - a GitHub Action that surfaces past architectural decisions directly on Pull Requests.</p> <p>Here's how I did it, and the technical challenges I solved along the way.</p> <h2> The Solution: Decision Guardian </h2> <p>Decision Guardian is a GitHub Action that:</p> <ol> <li> <strong>Parses</strong> architectural decisions from markdown files</li> <li> <strong>Matches</strong> them against PR file changes</li> <li> <strong>Surfaces</strong> relevant context automatically as a comment</li> </ol> <p>Example decision file (<code>.decispher/decisions.md</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="c">&lt;!-- DECISION-DB-001 --&gt;</span> <span class="gu">## Decision: Database Choice for Billing</span> <span class="gs">**Status**</span>: Active <span class="gs">**Date**</span>: 2024-03-15 <span class="gs">**Severity**</span>: Critical <span class="gs">**Files**</span>: <span class="p">-</span> <span class="sb">`src/db/pool.ts`</span> <span class="p">-</span> <span class="sb">`config/database.yml`</span> <span class="gu">### Context</span> We chose Postgres over MongoDB because billing requires ACID compliance for financial transactions. <span class="gs">**Alternatives rejected:**</span> <span class="p">-</span> MongoDB: No ACID guarantees <span class="p">-</span> Redis: Added unnecessary complexity <span class="gs">**Before modifying:**</span> Consult with @tech-lead <span class="p"> --- </span></code></pre> </div> <p>When someone opens a PR touching <code>src/db/pool.ts</code>, <a href="https://github.com/DecispherHQ/decision-guardian/blob/main/documentation/demo.gif" rel="noopener noreferrer">Decision Guardian reacts</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.ibb.co%2F7J6Y4nBg%2Fdemo-ezgif-com-optimize.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.ibb.co%2F7J6Y4nBg%2Fdemo-ezgif-com-optimize.gif" alt="Decision Guardian Demo" width="640" height="268"></a></p> <h2> Technical Challenge #1: Pattern Matching at Scale </h2> <h3> The Naive Approach (O(N×M)) </h3> <p>My first implementation was simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// For each file in PR</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">file</span> <span class="k">of</span> <span class="nx">prFiles</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Check against every decision</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">decision</span> <span class="k">of</span> <span class="nx">decisions</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">decision</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">file</span><span class="p">.</span><span class="nx">path</span><span class="p">))</span> <span class="p">{</span> <span class="nx">matches</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Problem:</strong> With 100 files and 500 decisions = <strong>50,000 comparisons</strong></p> <p>On a large PR (3000 files), this took <strong>12+ seconds</strong> and sometimes hit GitHub Actions timeout.</p> <h3> The Solution: Prefix Trie </h3> <p>I built a <strong>prefix trie</strong> to index decisions by file patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">TrieNode</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nb">Map</span><span class="p">;</span> <span class="nl">decisions</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">[];</span> <span class="nl">wildcardDecisions</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">[];</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">PatternTrie</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">root</span><span class="p">:</span> <span class="nx">TrieNode</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">decisions</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">[])</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">root</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">createNode</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">decision</span> <span class="k">of</span> <span class="nx">decisions</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">pattern</span> <span class="k">of</span> <span class="nx">decision</span><span class="p">.</span><span class="nx">files</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">pattern</span><span class="p">,</span> <span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">createNode</span><span class="p">():</span> <span class="nx">TrieNode</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">children</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">(),</span> <span class="na">decisions</span><span class="p">:</span> <span class="p">[],</span> <span class="na">wildcardDecisions</span><span class="p">:</span> <span class="p">[],</span> <span class="p">};</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">insert</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">decision</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">pattern</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">insertRecursive</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">root</span><span class="p">,</span> <span class="nx">parts</span><span class="p">,</span> <span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">insertRecursive</span><span class="p">(</span><span class="nx">node</span><span class="p">:</span> <span class="nx">TrieNode</span><span class="p">,</span> <span class="nx">parts</span><span class="p">:</span> <span class="kr">string</span><span class="p">[],</span> <span class="nx">decision</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">node</span><span class="p">.</span><span class="nx">decisions</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">part</span> <span class="o">=</span> <span class="nx">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">remaining</span> <span class="o">=</span> <span class="nx">parts</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="c1">// Handle wildcards specially</span> <span class="k">if </span><span class="p">(</span><span class="nx">part</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">**</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">node</span><span class="p">.</span><span class="nx">wildcardDecisions</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">remaining</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">insertRecursive</span><span class="p">(</span><span class="nx">node</span><span class="p">,</span> <span class="nx">remaining</span><span class="p">,</span> <span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Handle glob patterns</span> <span class="k">if </span><span class="p">(</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">?</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">{</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">}</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">[</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">]</span><span class="dl">'</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="nx">node</span><span class="p">.</span><span class="nx">wildcardDecisions</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Exact match - traverse deeper</span> <span class="kd">let</span> <span class="nx">child</span> <span class="o">=</span> <span class="nx">node</span><span class="p">.</span><span class="nx">children</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">part</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">child</span><span class="p">)</span> <span class="p">{</span> <span class="nx">child</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">createNode</span><span class="p">();</span> <span class="nx">node</span><span class="p">.</span><span class="nx">children</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">part</span><span class="p">,</span> <span class="nx">child</span><span class="p">);</span> <span class="p">}</span> <span class="k">this</span><span class="p">.</span><span class="nf">insertRecursive</span><span class="p">(</span><span class="nx">child</span><span class="p">,</span> <span class="nx">remaining</span><span class="p">,</span> <span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="cm">/** * Returns a set of unique decisions that *might* match the given file path. */</span> <span class="nf">findCandidates</span><span class="p">(</span><span class="nx">file</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Set</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">file</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">candidates</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nf">collectCandidates</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">root</span><span class="p">,</span> <span class="nx">parts</span><span class="p">,</span> <span class="nx">candidates</span><span class="p">);</span> <span class="k">return</span> <span class="nx">candidates</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">collectCandidates</span><span class="p">(</span><span class="nx">node</span><span class="p">:</span> <span class="nx">TrieNode</span><span class="p">,</span> <span class="nx">parts</span><span class="p">:</span> <span class="kr">string</span><span class="p">[],</span> <span class="nx">candidates</span><span class="p">:</span> <span class="nb">Set</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="c1">// Collect wildcard matches at this level</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">decision</span> <span class="k">of</span> <span class="nx">node</span><span class="p">.</span><span class="nx">wildcardDecisions</span><span class="p">)</span> <span class="p">{</span> <span class="nx">candidates</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Reached the end - collect exact matches</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">decision</span> <span class="k">of</span> <span class="nx">node</span><span class="p">.</span><span class="nx">decisions</span><span class="p">)</span> <span class="p">{</span> <span class="nx">candidates</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">part</span> <span class="o">=</span> <span class="nx">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">child</span> <span class="o">=</span> <span class="nx">node</span><span class="p">.</span><span class="nx">children</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">part</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">child</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">collectCandidates</span><span class="p">(</span><span class="nx">child</span><span class="p">,</span> <span class="nx">parts</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="nx">candidates</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Performance improvement:</strong></p> <ul> <li> <strong>Before:</strong> O(N×M) → 12 seconds for 3000 files</li> <li> <strong>After:</strong> O(M × log D) → <strong>2.8 seconds</strong> for same PR</li> </ul> <p>That's a <strong>4.3x speedup</strong> on large PRs.</p> <h2> Technical Challenge #2: Security (ReDoS Protection) </h2> <h3> The Problem </h3> <p>Users can define custom patterns using regex:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"file"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pattern"</span><span class="p">:</span><span class="w"> </span><span class="s2">"src/**/*.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"content_rules"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"regex"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pattern"</span><span class="p">:</span><span class="w"> </span><span class="s2">"(a+)+b"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">⚠️</span><span class="w"> </span><span class="err">Evil</span><span class="w"> </span><span class="err">regex</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>That pattern <code>(a+)+b</code> is vulnerable to <strong>ReDoS</strong> (Regular Expression Denial of Service).</p> <p>When tested against <code>aaaaaaaaaaaaaaaaaaaa</code> (no 'b'), it creates exponential backtracking:</p> <ul> <li>20 'a's: ~1 second</li> <li>25 'a's: ~30 seconds</li> <li>30 'a's: <strong>freeze forever</strong> </li> </ul> <p><strong>This could DOS the entire GitHub Action.</strong></p> <h3> The Solution: Multi-Layer Protection </h3> <p><strong>Layer 1: Safe-Regex Check</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">safeRegex</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">safe-regex</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">validatePattern</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">safeRegex</span><span class="p">(</span><span class="nx">pattern</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Unsafe regex pattern: </span><span class="p">${</span><span class="nx">pattern</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Layer 2: VM Sandbox with Timeout</strong></p> <p>Even safe-regex can miss some cases, so I added a VM sandbox:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">vm</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vm</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">runRegexWithTimeout</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">flags</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">text</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">timeoutMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sandbox</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nx">sandbox</span><span class="p">.</span><span class="nx">result</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="nx">sandbox</span><span class="p">.</span><span class="nx">text</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">text</span><span class="p">);</span> <span class="nx">sandbox</span><span class="p">.</span><span class="nx">pattern</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">pattern</span><span class="p">);</span> <span class="nx">sandbox</span><span class="p">.</span><span class="nx">flags</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">flags</span> <span class="o">||</span> <span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="nx">vm</span><span class="p">.</span><span class="nf">createContext</span><span class="p">(</span><span class="nx">sandbox</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RegexSandbox</span><span class="dl">'</span><span class="p">,</span> <span class="na">codeGeneration</span><span class="p">:</span> <span class="p">{</span> <span class="na">strings</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">wasm</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">code</span> <span class="o">=</span> <span class="s2">` 'use strict'; try { const regex = new RegExp(pattern, flags); result = regex.test(text); } catch (e) { result = false; } `</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">vm</span><span class="p">.</span><span class="nf">runInContext</span><span class="p">(</span><span class="nx">code</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">timeoutMs</span><span class="p">,</span> <span class="na">displayErrors</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nc">Boolean</span><span class="p">(</span><span class="nx">sandbox</span><span class="p">.</span><span class="nx">result</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key security features:</strong></p> <ul> <li>✅ <strong>Isolated VM context</strong> - No access to Node.js globals or filesystem</li> <li>✅ <strong>Hard timeout</strong> - Kills execution after 5 seconds</li> <li>✅ <strong>No code generation</strong> - Prevents <code>eval()</code> and WebAssembly escapes</li> <li>✅ <strong>String coercion</strong> - Prevents prototype pollution</li> </ul> <p><strong>Layer 3: Input Size Limits</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">MAX_CONTENT_SIZE</span> <span class="o">=</span> <span class="mi">1</span><span class="nx">_000_000</span><span class="p">;</span> <span class="c1">// 1MB</span> <span class="kd">const</span> <span class="nx">MAX_REGEX_LENGTH</span> <span class="o">=</span> <span class="mi">1000</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">content</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="nx">MAX_CONTENT_SIZE</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content too large for regex matching</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">pattern</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="nx">MAX_REGEX_LENGTH</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Regex pattern too long</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h4> Layer 4: Result Caching </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">ContentMatchers</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">resultCache</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">();</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">MAX_CACHE_SIZE</span> <span class="o">=</span> <span class="mi">500</span><span class="p">;</span> <span class="k">private</span> <span class="nf">createCacheKey</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">flags</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">content</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">contentHash</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">pattern</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">flags</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">contentHash</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">matchRegex</span><span class="p">(</span><span class="nx">rule</span><span class="p">:</span> <span class="nx">ContentRule</span><span class="p">,</span> <span class="nx">fileDiff</span><span class="p">:</span> <span class="nx">FileDiff</span><span class="p">):</span> <span class="nb">Promise</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">changedContent</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getChangedLines</span><span class="p">(</span><span class="nx">fileDiff</span><span class="p">.</span><span class="nx">patch</span><span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cacheKey</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">createCacheKey</span><span class="p">(</span><span class="nx">rule</span><span class="p">.</span><span class="nx">pattern</span><span class="o">!</span><span class="p">,</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">flags</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="nx">changedContent</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cached</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">cached</span> <span class="o">!==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">matched</span><span class="p">:</span> <span class="nx">cached</span><span class="p">,</span> <span class="na">matchedPatterns</span><span class="p">:</span> <span class="nx">cached</span> <span class="p">?</span> <span class="p">[</span><span class="nx">rule</span><span class="p">.</span><span class="nx">pattern</span><span class="o">!</span><span class="p">]</span> <span class="p">:</span> <span class="p">[]</span> <span class="p">};</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">matched</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">runRegexWithTimeout</span><span class="p">(</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">pattern</span><span class="o">!</span><span class="p">,</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">flags</span><span class="p">,</span> <span class="nx">changedContent</span><span class="p">,</span> <span class="mi">5000</span> <span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">updateCache</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">,</span> <span class="nx">matched</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">matched</span><span class="p">,</span> <span class="na">matchedPatterns</span><span class="p">:</span> <span class="nx">matched</span> <span class="p">?</span> <span class="p">[</span><span class="nx">rule</span><span class="p">.</span><span class="nx">pattern</span><span class="o">!</span><span class="p">]</span> <span class="p">:</span> <span class="p">[]</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">matched</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">matchedPatterns</span><span class="p">:</span> <span class="p">[]</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">updateCache</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">value</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="nx">size</span> <span class="o">&gt;=</span> <span class="k">this</span><span class="p">.</span><span class="nx">MAX_CACHE_SIZE</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// LRU eviction</span> <span class="kd">const</span> <span class="nx">firstKey</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="nf">keys</span><span class="p">().</span><span class="nf">next</span><span class="p">().</span><span class="nx">value</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">firstKey</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">firstKey</span><span class="p">);</span> <span class="p">}</span> <span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Result:</strong> Zero ReDoS vulnerabilities in production. ✅</p> <h2> Technical Challenge #3: Handling Massive PRs </h2> <h3> The Problem </h3> <p>Some PRs modify <strong>3000+ files</strong> (dependency updates, refactors, migrations).</p> <p>GitHub's API returns all changed files, but:</p> <ul> <li>Loading 3000 file diffs into memory → <strong>OOM (Out of Memory)</strong> </li> <li>Processing them serially → <strong>timeout</strong> </li> <li>Posting a comment with all matches → <strong>exceeds GitHub's 65KB limit</strong> </li> </ul> <h3> Solution 1: Streaming Processing </h3> <p>Instead of loading all files at once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span><span class="o">*</span> <span class="nf">streamFileDiffs</span><span class="p">(</span> <span class="nx">token</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nx">AsyncGenerator</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">octokit</span> <span class="o">=</span> <span class="nx">github</span><span class="p">.</span><span class="nf">getOctokit</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="nx">pull_number</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">github</span><span class="p">.</span><span class="nx">context</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">page</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">MAX_PAGES</span> <span class="o">=</span> <span class="mi">30</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">page</span> <span class="o">&lt;=</span> <span class="nx">MAX_PAGES</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">octokit</span><span class="p">.</span><span class="nx">rest</span><span class="p">.</span><span class="nx">pulls</span><span class="p">.</span><span class="nf">listFiles</span><span class="p">({</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="nx">pull_number</span><span class="p">,</span> <span class="na">per_page</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="nx">page</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="k">yield</span> <span class="nx">data</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">f</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">filename</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">filename</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\\</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">),</span> <span class="na">status</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">status</span> <span class="k">as</span> <span class="nx">FileDiff</span><span class="p">[</span><span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">],</span> <span class="na">additions</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">additions</span><span class="p">,</span> <span class="na">deletions</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">deletions</span><span class="p">,</span> <span class="na">changes</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">changes</span><span class="p">,</span> <span class="na">patch</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">patch</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">previous_filename</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">previous_filename</span><span class="p">,</span> <span class="p">}));</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">100</span><span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="nx">page</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage</span> <span class="kd">const</span> <span class="nx">matches</span><span class="p">:</span> <span class="nx">DecisionMatch</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for</span> <span class="k">await </span><span class="p">(</span><span class="kd">const</span> <span class="nx">batch</span> <span class="k">of</span> <span class="nf">streamFileDiffs</span><span class="p">(</span><span class="nx">token</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">batchMatches</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">matcher</span><span class="p">.</span><span class="nf">findMatchesWithDiffs</span><span class="p">(</span><span class="nx">batch</span><span class="p">);</span> <span class="nx">matches</span><span class="p">.</span><span class="nf">push</span><span class="p">(...</span><span class="nx">batchMatches</span><span class="p">);</span> <span class="nx">core</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="s2">`Processed </span><span class="p">${</span><span class="nx">batch</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> files, found </span><span class="p">${</span><span class="nx">matches</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> matches so far`</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Memory usage:</strong></p> <ul> <li>Before: High memory usage for 3000 files → OOM risk</li> <li>After: Constant memory (processes 100 files at a time) → No crashes ✅</li> </ul> <h3> Solution 2: Progressive Truncation </h3> <p>If the comment exceeds GitHub's limit, truncate intelligently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">truncateComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">[],</span> <span class="nx">maxLength</span> <span class="o">=</span> <span class="mi">65000</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Layer 1: Show 20 decisions in detail, summarize rest</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">,</span> <span class="p">{</span> <span class="na">detailLimit</span><span class="p">:</span> <span class="mi">20</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 2: Show 10 decisions in detail</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">,</span> <span class="p">{</span> <span class="na">detailLimit</span><span class="p">:</span> <span class="mi">10</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 3: Show 5 decisions in detail</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">,</span> <span class="p">{</span> <span class="na">detailLimit</span><span class="p">:</span> <span class="mi">5</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 4: Show 2 decisions in detail</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">,</span> <span class="p">{</span> <span class="na">detailLimit</span><span class="p">:</span> <span class="mi">2</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 5: Show counts only</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatCommentCounts</span><span class="p">(</span><span class="nx">decisions</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 6: Hard truncate as last resort</span> <span class="k">return</span> <span class="nf">hardTruncate</span><span class="p">(</span><span class="nx">comment</span><span class="p">,</span> <span class="nx">maxLength</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Result:</strong> Never hit comment size limit, even with 1000+ matched decisions. ✅</p> <h2> Technical Challenge #4: Idempotent Comments </h2> <h3> The Problem </h3> <p>GitHub Actions can run multiple times for a single PR:</p> <ul> <li>New commit pushed</li> <li>Workflow re-run</li> <li>Manual trigger</li> </ul> <p>Without proper handling:</p> <ul> <li><strong>3 runs = 3 duplicate comments</strong></li> <li>Spams the PR thread</li> <li>Confuses reviewers</li> </ul> <h3> The Solution: Content Hash </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">upsertComment</span><span class="p">(</span> <span class="nx">prNumber</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">content</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">marker</span> <span class="o">=</span> <span class="s2">``</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hashMarker</span> <span class="o">=</span> <span class="s2">``</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fullContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">marker</span><span class="p">}</span><span class="s2">\n</span><span class="p">${</span><span class="nx">hashMarker</span><span class="p">}</span><span class="s2">\n\n</span><span class="p">${</span><span class="nx">content</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// Find existing comment</span> <span class="kd">const</span> <span class="nx">comments</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">octokit</span><span class="p">.</span><span class="nx">issues</span><span class="p">.</span><span class="nf">listComments</span><span class="p">({</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="na">issue_number</span><span class="p">:</span> <span class="nx">prNumber</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">existing</span> <span class="o">=</span> <span class="nx">comments</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">c</span> <span class="o">=&gt;</span> <span class="nx">c</span><span class="p">.</span><span class="nx">body</span><span class="p">?.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">decision-guardian-v1</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existing</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">existingHash</span> <span class="o">=</span> <span class="nx">existing</span><span class="p">.</span><span class="nx">body</span><span class="p">?.</span><span class="nf">match</span><span class="p">(</span><span class="sr">/hash:</span><span class="se">([</span><span class="sr">a-f0-9-</span><span class="se">]</span><span class="sr">+</span><span class="se">)</span><span class="sr">/</span><span class="p">)?.[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingHash</span> <span class="o">===</span> <span class="nx">hash</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Comment unchanged, skipping update</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Update existing comment</span> <span class="k">await</span> <span class="nx">octokit</span><span class="p">.</span><span class="nx">issues</span><span class="p">.</span><span class="nf">updateComment</span><span class="p">({</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="na">comment_id</span><span class="p">:</span> <span class="nx">existing</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">fullContent</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Create new comment</span> <span class="k">await</span> <span class="nx">octokit</span><span class="p">.</span><span class="nx">issues</span><span class="p">.</span><span class="nf">createComment</span><span class="p">({</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="na">issue_number</span><span class="p">:</span> <span class="nx">prNumber</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">fullContent</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Result:</strong></p> <p>✅ Single comment per PR<br><br> ✅ Updates in-place when decisions change<br><br> ✅ No spam, no duplicates</p> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌────────────────────────────────────────────────────┐ │ DECISION GUARDIAN │ ├────────────────────────────────────────────────────┤ │ │ │ ┌──────────────────────────────────────────────┐ │ │ │ DECISION PARSER (AST-based) │ │ │ │ - Markdown parsing with remark │ │ │ │ - JSON rule extraction &amp; validation │ │ │ └──────────────────────────────────────────────┘ │ │ ↓ │ │ ┌──────────────────────────────────────────────┐ │ │ │ DECISION INDEX (Prefix Trie) │ │ │ │ - O(log n) file lookup │ │ │ │ - Wildcard pattern optimization │ │ │ └──────────────────────────────────────────────┘ │ │ ↓ │ │ ┌──────────────────────────────────────────────┐ │ │ │ FILE MATCHER (Rule Evaluator) │ │ │ │ - Glob pattern matching │ │ │ │ - Content diff analysis │ │ │ │ - ReDoS protection │ │ │ └──────────────────────────────────────────────┘ │ │ ↓ │ │ ┌──────────────────────────────────────────────┐ │ │ │ COMMENT MANAGER (Idempotent) │ │ │ │ - Hash-based update detection │ │ │ │ - Progressive truncation │ │ │ │ - Retry with exponential backoff │ │ │ └──────────────────────────────────────────────┘ │ │ │ └────────────────────────────────────────────────────┘ </code></pre> </div> <p><strong>High-level flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PR Created → Parse Decisions → Match Files → Post Comment → Check Status </code></pre> </div> <p><strong>Key components:</strong></p> <ul> <li> <strong>Parser</strong> (<code>parser.ts</code>): Markdown → structured data</li> <li> <strong>Matcher</strong> (<code>matcher.ts</code>): Trie-based file matching</li> <li> <strong>Rule Evaluator</strong> (<code>rule-evaluator.ts</code>): Advanced rules</li> <li> <strong>Comment Manager</strong> (<code>comment.ts</code>): Idempotent PR comments</li> </ul> <h2> Lessons Learned </h2> <h3> 1. Performance matters from day 1 </h3> <p>I could have shipped with the O(N×M) algorithm and optimized later.</p> <p>But teams with large PRs would have hit timeouts immediately and never come back.</p> <p><strong>Lesson:</strong> Build for scale early, especially in tools that run on every PR.</p> <h3> 2. Security is not optional </h3> <p>The ReDoS vulnerability wasn't theoretical - during testing, a user accidentally created a pattern that froze the action for 5 minutes.</p> <p><strong>Lesson:</strong> Validate all user input, especially anything that can loop or recurse.</p> <h3> 3. Idempotency prevents pain </h3> <p>Early versions created duplicate comments. Users reported it as "spammy" and disabled the action.</p> <p>Adding content hashing fixed this and improved adoption.</p> <p><strong>Lesson:</strong> Make actions side-effect-free and repeatable.</p> <h3> 4. Documentation &gt; features </h3> <p>I spent 60% of development time on README, examples, and error messages.</p> <p>Users still ask "how do I use this?" constantly.</p> <p><strong>Lesson:</strong> You can never document enough.</p> <h2> Try It Yourself </h2> <p><strong>Install:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">DecispherHQ/decision-guardian@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> </code></pre> </div> <p><strong>Example decision:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code> <span class="gu">## Decision: Database Choice</span> <span class="gs">**Status**</span>: Active <span class="gs">**Date**</span>: 2024-03-15 <span class="gs">**Files**</span>: <span class="sb">`src/db/**`</span> <span class="gu">### Context</span> We chose Postgres for ACID compliance. Rejected: MongoDB (no ACID), Redis (complexity) </code></pre> </div> <p><strong>Links:</strong></p> <ul> <li> <strong>GitHub:</strong> <a href="https://github.com/DecispherHQ/decision-guardian" rel="noopener noreferrer">https://github.com/DecispherHQ/decision-guardian</a> </li> <li> <strong>Docs:</strong> <a href="https://decision-guardian.decispher.com" rel="noopener noreferrer">https://decision-guardian.decispher.com</a> </li> <li> <strong>Marketplace:</strong> <a href="https://github.com/marketplace/actions/decision-guardian" rel="noopener noreferrer">https://github.com/marketplace/actions/decision-guardian</a> </li> </ul> <h2> What's Next? </h2> <p><strong>Short-term:</strong></p> <ul> <li>GitLab/Bitbucket support (if demand exists)</li> <li>Decision templates</li> </ul> <p><strong>Long-term:</strong></p> <ul> <li>VS Code extension (show decisions inline)</li> <li>Analytics dashboard</li> <li>Cross-repository rules</li> </ul> <p>Want to contribute? <a href="https://github.com/DecispherHQ/decision-guardian/issues" rel="noopener noreferrer">Open an issue</a> or <a href="https://github.com/DecispherHQ/decision-guardian/discussions" rel="noopener noreferrer">start a discussion</a>.</p> <h2> Conclusion </h2> <p>Decision Guardian is free, open source (MIT), and takes 2 minutes to set up.</p> <p>What architectural decisions does your team repeatedly debate?</p> <p>Drop a comment - I'd love to hear your stories.</p> <p><strong>Made with ❤️ by <a href="https://github.com/gr8-alizaidi" rel="noopener noreferrer">Ali Abbas</a></strong></p> opensource github programming productivity How I Addressed the Real Pain Behind ADRs Enforcement Ali Abbas Tue, 10 Feb 2026 12:42:39 +0000 https://dev.to/ali_abbas_d8086e0f96d8173/how-i-addressed-the-real-pain-behind-adrs-enforcement-42d9 https://dev.to/ali_abbas_d8086e0f96d8173/how-i-addressed-the-real-pain-behind-adrs-enforcement-42d9 <h2> Description </h2> <p>Technical deep-dive on building a GitHub Action that prevents institutional amnesia by surfacing past architectural decisions on Pull Requests</p> <p>I spent 3 years building systems. During that time, I watched teams waste months repeatedly debating architectural decisions they'd already made. We use ADRs in our company, but enforcement is inconsistent - only senior devs remember to update them.</p> <p>So I built <a href="https://github.com/DecispherHQ/decision-guardian" rel="noopener noreferrer">Decision Guardian</a> - a GitHub Action that surfaces past architectural decisions directly on Pull Requests.</p> <p>Here's how I did it, and the technical challenges I solved along the way.</p> <h2> The Solution: Decision Guardian </h2> <p>Decision Guardian is a GitHub Action that:</p> <ol> <li> <strong>Parses</strong> architectural decisions from markdown files</li> <li> <strong>Matches</strong> them against PR file changes</li> <li> <strong>Surfaces</strong> relevant context automatically as a comment</li> </ol> <p>Example decision file (<code>.decispher/decisions.md</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="c">&lt;!-- DECISION-DB-001 --&gt;</span> <span class="gu">## Decision: Database Choice for Billing</span> <span class="gs">**Status**</span>: Active <span class="gs">**Date**</span>: 2024-03-15 <span class="gs">**Severity**</span>: Critical <span class="gs">**Files**</span>: <span class="p">-</span> <span class="sb">`src/db/pool.ts`</span> <span class="p">-</span> <span class="sb">`config/database.yml`</span> <span class="gu">### Context</span> We chose Postgres over MongoDB because billing requires ACID compliance for financial transactions. <span class="gs">**Alternatives rejected:**</span> <span class="p">-</span> MongoDB: No ACID guarantees <span class="p">-</span> Redis: Added unnecessary complexity <span class="gs">**Before modifying:**</span> Consult with @tech-lead <span class="p"> --- </span></code></pre> </div> <p>When someone opens a PR touching <code>src/db/pool.ts</code>, <a href="https://github.com/DecispherHQ/decision-guardian/blob/main/documentation/demo.gif" rel="noopener noreferrer">Decision Guardian reacts</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.ibb.co%2F7J6Y4nBg%2Fdemo-ezgif-com-optimize.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fi.ibb.co%2F7J6Y4nBg%2Fdemo-ezgif-com-optimize.gif" alt="Decision Guardian Demo" width="640" height="268"></a></p> <h2> Technical Challenge #1: Pattern Matching at Scale </h2> <h3> The Naive Approach (O(N×M)) </h3> <p>My first implementation was simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// For each file in PR</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">file</span> <span class="k">of</span> <span class="nx">prFiles</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Check against every decision</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">decision</span> <span class="k">of</span> <span class="nx">decisions</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">decision</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">file</span><span class="p">.</span><span class="nx">path</span><span class="p">))</span> <span class="p">{</span> <span class="nx">matches</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Problem:</strong> With 100 files and 500 decisions = <strong>50,000 comparisons</strong></p> <p>On a large PR (3000 files), this took <strong>12+ seconds</strong> and sometimes hit GitHub Actions timeout.</p> <h3> The Solution: Prefix Trie </h3> <p>I built a <strong>prefix trie</strong> to index decisions by file patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">TrieNode</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nb">Map</span><span class="p">;</span> <span class="nl">decisions</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">[];</span> <span class="nl">wildcardDecisions</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">[];</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">PatternTrie</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">root</span><span class="p">:</span> <span class="nx">TrieNode</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">decisions</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">[])</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">root</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">createNode</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">decision</span> <span class="k">of</span> <span class="nx">decisions</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">pattern</span> <span class="k">of</span> <span class="nx">decision</span><span class="p">.</span><span class="nx">files</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">pattern</span><span class="p">,</span> <span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">createNode</span><span class="p">():</span> <span class="nx">TrieNode</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">children</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">(),</span> <span class="na">decisions</span><span class="p">:</span> <span class="p">[],</span> <span class="na">wildcardDecisions</span><span class="p">:</span> <span class="p">[],</span> <span class="p">};</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">insert</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">decision</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">pattern</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">insertRecursive</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">root</span><span class="p">,</span> <span class="nx">parts</span><span class="p">,</span> <span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">insertRecursive</span><span class="p">(</span><span class="nx">node</span><span class="p">:</span> <span class="nx">TrieNode</span><span class="p">,</span> <span class="nx">parts</span><span class="p">:</span> <span class="kr">string</span><span class="p">[],</span> <span class="nx">decision</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">node</span><span class="p">.</span><span class="nx">decisions</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">part</span> <span class="o">=</span> <span class="nx">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">remaining</span> <span class="o">=</span> <span class="nx">parts</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="c1">// Handle wildcards specially</span> <span class="k">if </span><span class="p">(</span><span class="nx">part</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">**</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">node</span><span class="p">.</span><span class="nx">wildcardDecisions</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">remaining</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">insertRecursive</span><span class="p">(</span><span class="nx">node</span><span class="p">,</span> <span class="nx">remaining</span><span class="p">,</span> <span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Handle glob patterns</span> <span class="k">if </span><span class="p">(</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">?</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">{</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">}</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">[</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">part</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">]</span><span class="dl">'</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="nx">node</span><span class="p">.</span><span class="nx">wildcardDecisions</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Exact match - traverse deeper</span> <span class="kd">let</span> <span class="nx">child</span> <span class="o">=</span> <span class="nx">node</span><span class="p">.</span><span class="nx">children</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">part</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">child</span><span class="p">)</span> <span class="p">{</span> <span class="nx">child</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">createNode</span><span class="p">();</span> <span class="nx">node</span><span class="p">.</span><span class="nx">children</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">part</span><span class="p">,</span> <span class="nx">child</span><span class="p">);</span> <span class="p">}</span> <span class="k">this</span><span class="p">.</span><span class="nf">insertRecursive</span><span class="p">(</span><span class="nx">child</span><span class="p">,</span> <span class="nx">remaining</span><span class="p">,</span> <span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="cm">/** * Returns a set of unique decisions that *might* match the given file path. */</span> <span class="nf">findCandidates</span><span class="p">(</span><span class="nx">file</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Set</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">file</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">candidates</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nf">collectCandidates</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">root</span><span class="p">,</span> <span class="nx">parts</span><span class="p">,</span> <span class="nx">candidates</span><span class="p">);</span> <span class="k">return</span> <span class="nx">candidates</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">collectCandidates</span><span class="p">(</span><span class="nx">node</span><span class="p">:</span> <span class="nx">TrieNode</span><span class="p">,</span> <span class="nx">parts</span><span class="p">:</span> <span class="kr">string</span><span class="p">[],</span> <span class="nx">candidates</span><span class="p">:</span> <span class="nb">Set</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="c1">// Collect wildcard matches at this level</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">decision</span> <span class="k">of</span> <span class="nx">node</span><span class="p">.</span><span class="nx">wildcardDecisions</span><span class="p">)</span> <span class="p">{</span> <span class="nx">candidates</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">parts</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Reached the end - collect exact matches</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">decision</span> <span class="k">of</span> <span class="nx">node</span><span class="p">.</span><span class="nx">decisions</span><span class="p">)</span> <span class="p">{</span> <span class="nx">candidates</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="nx">decision</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">part</span> <span class="o">=</span> <span class="nx">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">child</span> <span class="o">=</span> <span class="nx">node</span><span class="p">.</span><span class="nx">children</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">part</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">child</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">collectCandidates</span><span class="p">(</span><span class="nx">child</span><span class="p">,</span> <span class="nx">parts</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="nx">candidates</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Performance improvement:</strong></p> <ul> <li> <strong>Before:</strong> O(N×M) → 12 seconds for 3000 files</li> <li> <strong>After:</strong> O(M × log D) → <strong>2.8 seconds</strong> for same PR</li> </ul> <p>That's a <strong>4.3x speedup</strong> on large PRs.</p> <h2> Technical Challenge #2: Security (ReDoS Protection) </h2> <h3> The Problem </h3> <p>Users can define custom patterns using regex:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"file"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pattern"</span><span class="p">:</span><span class="w"> </span><span class="s2">"src/**/*.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"content_rules"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"regex"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pattern"</span><span class="p">:</span><span class="w"> </span><span class="s2">"(a+)+b"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">⚠️</span><span class="w"> </span><span class="err">Evil</span><span class="w"> </span><span class="err">regex</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>That pattern <code>(a+)+b</code> is vulnerable to <strong>ReDoS</strong> (Regular Expression Denial of Service).</p> <p>When tested against <code>aaaaaaaaaaaaaaaaaaaa</code> (no 'b'), it creates exponential backtracking:</p> <ul> <li>20 'a's: ~1 second</li> <li>25 'a's: ~30 seconds</li> <li>30 'a's: <strong>freeze forever</strong> </li> </ul> <p><strong>This could DOS the entire GitHub Action.</strong></p> <h3> The Solution: Multi-Layer Protection </h3> <p><strong>Layer 1: Safe-Regex Check</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">safeRegex</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">safe-regex</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">validatePattern</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">safeRegex</span><span class="p">(</span><span class="nx">pattern</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Unsafe regex pattern: </span><span class="p">${</span><span class="nx">pattern</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Layer 2: VM Sandbox with Timeout</strong></p> <p>Even safe-regex can miss some cases, so I added a VM sandbox:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">vm</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vm</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">runRegexWithTimeout</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">flags</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">text</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">timeoutMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sandbox</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nx">sandbox</span><span class="p">.</span><span class="nx">result</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="nx">sandbox</span><span class="p">.</span><span class="nx">text</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">text</span><span class="p">);</span> <span class="nx">sandbox</span><span class="p">.</span><span class="nx">pattern</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">pattern</span><span class="p">);</span> <span class="nx">sandbox</span><span class="p">.</span><span class="nx">flags</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">flags</span> <span class="o">||</span> <span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="nx">vm</span><span class="p">.</span><span class="nf">createContext</span><span class="p">(</span><span class="nx">sandbox</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RegexSandbox</span><span class="dl">'</span><span class="p">,</span> <span class="na">codeGeneration</span><span class="p">:</span> <span class="p">{</span> <span class="na">strings</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">wasm</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">code</span> <span class="o">=</span> <span class="s2">` 'use strict'; try { const regex = new RegExp(pattern, flags); result = regex.test(text); } catch (e) { result = false; } `</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">vm</span><span class="p">.</span><span class="nf">runInContext</span><span class="p">(</span><span class="nx">code</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">timeoutMs</span><span class="p">,</span> <span class="na">displayErrors</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nc">Boolean</span><span class="p">(</span><span class="nx">sandbox</span><span class="p">.</span><span class="nx">result</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key security features:</strong></p> <ul> <li>✅ <strong>Isolated VM context</strong> - No access to Node.js globals or filesystem</li> <li>✅ <strong>Hard timeout</strong> - Kills execution after 5 seconds</li> <li>✅ <strong>No code generation</strong> - Prevents <code>eval()</code> and WebAssembly escapes</li> <li>✅ <strong>String coercion</strong> - Prevents prototype pollution</li> </ul> <p><strong>Layer 3: Input Size Limits</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">MAX_CONTENT_SIZE</span> <span class="o">=</span> <span class="mi">1</span><span class="nx">_000_000</span><span class="p">;</span> <span class="c1">// 1MB</span> <span class="kd">const</span> <span class="nx">MAX_REGEX_LENGTH</span> <span class="o">=</span> <span class="mi">1000</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">content</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="nx">MAX_CONTENT_SIZE</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content too large for regex matching</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">pattern</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="nx">MAX_REGEX_LENGTH</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Regex pattern too long</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h4> Layer 4: Result Caching </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">ContentMatchers</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">resultCache</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">();</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">MAX_CACHE_SIZE</span> <span class="o">=</span> <span class="mi">500</span><span class="p">;</span> <span class="k">private</span> <span class="nf">createCacheKey</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">flags</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">content</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">contentHash</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">pattern</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">flags</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">contentHash</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">matchRegex</span><span class="p">(</span><span class="nx">rule</span><span class="p">:</span> <span class="nx">ContentRule</span><span class="p">,</span> <span class="nx">fileDiff</span><span class="p">:</span> <span class="nx">FileDiff</span><span class="p">):</span> <span class="nb">Promise</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">changedContent</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getChangedLines</span><span class="p">(</span><span class="nx">fileDiff</span><span class="p">.</span><span class="nx">patch</span><span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cacheKey</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">createCacheKey</span><span class="p">(</span><span class="nx">rule</span><span class="p">.</span><span class="nx">pattern</span><span class="o">!</span><span class="p">,</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">flags</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="nx">changedContent</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cached</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">cached</span> <span class="o">!==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">matched</span><span class="p">:</span> <span class="nx">cached</span><span class="p">,</span> <span class="na">matchedPatterns</span><span class="p">:</span> <span class="nx">cached</span> <span class="p">?</span> <span class="p">[</span><span class="nx">rule</span><span class="p">.</span><span class="nx">pattern</span><span class="o">!</span><span class="p">]</span> <span class="p">:</span> <span class="p">[]</span> <span class="p">};</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">matched</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">runRegexWithTimeout</span><span class="p">(</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">pattern</span><span class="o">!</span><span class="p">,</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">flags</span><span class="p">,</span> <span class="nx">changedContent</span><span class="p">,</span> <span class="mi">5000</span> <span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">updateCache</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">,</span> <span class="nx">matched</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">matched</span><span class="p">,</span> <span class="na">matchedPatterns</span><span class="p">:</span> <span class="nx">matched</span> <span class="p">?</span> <span class="p">[</span><span class="nx">rule</span><span class="p">.</span><span class="nx">pattern</span><span class="o">!</span><span class="p">]</span> <span class="p">:</span> <span class="p">[]</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">matched</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">matchedPatterns</span><span class="p">:</span> <span class="p">[]</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">updateCache</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">value</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="nx">size</span> <span class="o">&gt;=</span> <span class="k">this</span><span class="p">.</span><span class="nx">MAX_CACHE_SIZE</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// LRU eviction</span> <span class="kd">const</span> <span class="nx">firstKey</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="nf">keys</span><span class="p">().</span><span class="nf">next</span><span class="p">().</span><span class="nx">value</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">firstKey</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">firstKey</span><span class="p">);</span> <span class="p">}</span> <span class="k">this</span><span class="p">.</span><span class="nx">resultCache</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Result:</strong> Zero ReDoS vulnerabilities in production. ✅</p> <h2> Technical Challenge #3: Handling Massive PRs </h2> <h3> The Problem </h3> <p>Some PRs modify <strong>3000+ files</strong> (dependency updates, refactors, migrations).</p> <p>GitHub's API returns all changed files, but:</p> <ul> <li>Loading 3000 file diffs into memory → <strong>OOM (Out of Memory)</strong> </li> <li>Processing them serially → <strong>timeout</strong> </li> <li>Posting a comment with all matches → <strong>exceeds GitHub's 65KB limit</strong> </li> </ul> <h3> Solution 1: Streaming Processing </h3> <p>Instead of loading all files at once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span><span class="o">*</span> <span class="nf">streamFileDiffs</span><span class="p">(</span> <span class="nx">token</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nx">AsyncGenerator</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">octokit</span> <span class="o">=</span> <span class="nx">github</span><span class="p">.</span><span class="nf">getOctokit</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="nx">pull_number</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">github</span><span class="p">.</span><span class="nx">context</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">page</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">MAX_PAGES</span> <span class="o">=</span> <span class="mi">30</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">page</span> <span class="o">&lt;=</span> <span class="nx">MAX_PAGES</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">octokit</span><span class="p">.</span><span class="nx">rest</span><span class="p">.</span><span class="nx">pulls</span><span class="p">.</span><span class="nf">listFiles</span><span class="p">({</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="nx">pull_number</span><span class="p">,</span> <span class="na">per_page</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="nx">page</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="k">yield</span> <span class="nx">data</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">f</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">filename</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">filename</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\\</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">),</span> <span class="na">status</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">status</span> <span class="k">as</span> <span class="nx">FileDiff</span><span class="p">[</span><span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">],</span> <span class="na">additions</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">additions</span><span class="p">,</span> <span class="na">deletions</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">deletions</span><span class="p">,</span> <span class="na">changes</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">changes</span><span class="p">,</span> <span class="na">patch</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">patch</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">previous_filename</span><span class="p">:</span> <span class="nx">f</span><span class="p">.</span><span class="nx">previous_filename</span><span class="p">,</span> <span class="p">}));</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">100</span><span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="nx">page</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage</span> <span class="kd">const</span> <span class="nx">matches</span><span class="p">:</span> <span class="nx">DecisionMatch</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for</span> <span class="k">await </span><span class="p">(</span><span class="kd">const</span> <span class="nx">batch</span> <span class="k">of</span> <span class="nf">streamFileDiffs</span><span class="p">(</span><span class="nx">token</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">batchMatches</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">matcher</span><span class="p">.</span><span class="nf">findMatchesWithDiffs</span><span class="p">(</span><span class="nx">batch</span><span class="p">);</span> <span class="nx">matches</span><span class="p">.</span><span class="nf">push</span><span class="p">(...</span><span class="nx">batchMatches</span><span class="p">);</span> <span class="nx">core</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="s2">`Processed </span><span class="p">${</span><span class="nx">batch</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> files, found </span><span class="p">${</span><span class="nx">matches</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> matches so far`</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Memory usage:</strong></p> <ul> <li>Before: High memory usage for 3000 files → OOM risk</li> <li>After: Constant memory (processes 100 files at a time) → No crashes ✅</li> </ul> <h3> Solution 2: Progressive Truncation </h3> <p>If the comment exceeds GitHub's limit, truncate intelligently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">truncateComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">:</span> <span class="nx">Decision</span><span class="p">[],</span> <span class="nx">maxLength</span> <span class="o">=</span> <span class="mi">65000</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Layer 1: Show 20 decisions in detail, summarize rest</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">,</span> <span class="p">{</span> <span class="na">detailLimit</span><span class="p">:</span> <span class="mi">20</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 2: Show 10 decisions in detail</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">,</span> <span class="p">{</span> <span class="na">detailLimit</span><span class="p">:</span> <span class="mi">10</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 3: Show 5 decisions in detail</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">,</span> <span class="p">{</span> <span class="na">detailLimit</span><span class="p">:</span> <span class="mi">5</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 4: Show 2 decisions in detail</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatComment</span><span class="p">(</span><span class="nx">decisions</span><span class="p">,</span> <span class="p">{</span> <span class="na">detailLimit</span><span class="p">:</span> <span class="mi">2</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 5: Show counts only</span> <span class="nx">comment</span> <span class="o">=</span> <span class="nf">formatCommentCounts</span><span class="p">(</span><span class="nx">decisions</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">comment</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="k">return</span> <span class="nx">comment</span><span class="p">;</span> <span class="c1">// Layer 6: Hard truncate as last resort</span> <span class="k">return</span> <span class="nf">hardTruncate</span><span class="p">(</span><span class="nx">comment</span><span class="p">,</span> <span class="nx">maxLength</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Result:</strong> Never hit comment size limit, even with 1000+ matched decisions. ✅</p> <h2> Technical Challenge #4: Idempotent Comments </h2> <h3> The Problem </h3> <p>GitHub Actions can run multiple times for a single PR:</p> <ul> <li>New commit pushed</li> <li>Workflow re-run</li> <li>Manual trigger</li> </ul> <p>Without proper handling:</p> <ul> <li><strong>3 runs = 3 duplicate comments</strong></li> <li>Spams the PR thread</li> <li>Confuses reviewers</li> </ul> <h3> The Solution: Content Hash </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">upsertComment</span><span class="p">(</span> <span class="nx">prNumber</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">content</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">marker</span> <span class="o">=</span> <span class="s2">``</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hashMarker</span> <span class="o">=</span> <span class="s2">``</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fullContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">marker</span><span class="p">}</span><span class="s2">\n</span><span class="p">${</span><span class="nx">hashMarker</span><span class="p">}</span><span class="s2">\n\n</span><span class="p">${</span><span class="nx">content</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// Find existing comment</span> <span class="kd">const</span> <span class="nx">comments</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">octokit</span><span class="p">.</span><span class="nx">issues</span><span class="p">.</span><span class="nf">listComments</span><span class="p">({</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="na">issue_number</span><span class="p">:</span> <span class="nx">prNumber</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">existing</span> <span class="o">=</span> <span class="nx">comments</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">c</span> <span class="o">=&gt;</span> <span class="nx">c</span><span class="p">.</span><span class="nx">body</span><span class="p">?.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">decision-guardian-v1</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existing</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">existingHash</span> <span class="o">=</span> <span class="nx">existing</span><span class="p">.</span><span class="nx">body</span><span class="p">?.</span><span class="nf">match</span><span class="p">(</span><span class="sr">/hash:</span><span class="se">([</span><span class="sr">a-f0-9-</span><span class="se">]</span><span class="sr">+</span><span class="se">)</span><span class="sr">/</span><span class="p">)?.[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingHash</span> <span class="o">===</span> <span class="nx">hash</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Comment unchanged, skipping update</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Update existing comment</span> <span class="k">await</span> <span class="nx">octokit</span><span class="p">.</span><span class="nx">issues</span><span class="p">.</span><span class="nf">updateComment</span><span class="p">({</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="na">comment_id</span><span class="p">:</span> <span class="nx">existing</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">fullContent</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Create new comment</span> <span class="k">await</span> <span class="nx">octokit</span><span class="p">.</span><span class="nx">issues</span><span class="p">.</span><span class="nf">createComment</span><span class="p">({</span> <span class="nx">owner</span><span class="p">,</span> <span class="nx">repo</span><span class="p">,</span> <span class="na">issue_number</span><span class="p">:</span> <span class="nx">prNumber</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">fullContent</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Result:</strong></p> <p>✅ Single comment per PR<br><br> ✅ Updates in-place when decisions change<br><br> ✅ No spam, no duplicates</p> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌────────────────────────────────────────────────────┐ │ DECISION GUARDIAN │ ├────────────────────────────────────────────────────┤ │ │ │ ┌──────────────────────────────────────────────┐ │ │ │ DECISION PARSER (AST-based) │ │ │ │ - Markdown parsing with remark │ │ │ │ - JSON rule extraction &amp; validation │ │ │ └──────────────────────────────────────────────┘ │ │ ↓ │ │ ┌──────────────────────────────────────────────┐ │ │ │ DECISION INDEX (Prefix Trie) │ │ │ │ - O(log n) file lookup │ │ │ │ - Wildcard pattern optimization │ │ │ └──────────────────────────────────────────────┘ │ │ ↓ │ │ ┌──────────────────────────────────────────────┐ │ │ │ FILE MATCHER (Rule Evaluator) │ │ │ │ - Glob pattern matching │ │ │ │ - Content diff analysis │ │ │ │ - ReDoS protection │ │ │ └──────────────────────────────────────────────┘ │ │ ↓ │ │ ┌──────────────────────────────────────────────┐ │ │ │ COMMENT MANAGER (Idempotent) │ │ │ │ - Hash-based update detection │ │ │ │ - Progressive truncation │ │ │ │ - Retry with exponential backoff │ │ │ └──────────────────────────────────────────────┘ │ │ │ └────────────────────────────────────────────────────┘ </code></pre> </div> <p><strong>High-level flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PR Created → Parse Decisions → Match Files → Post Comment → Check Status </code></pre> </div> <p><strong>Key components:</strong></p> <ul> <li> <strong>Parser</strong> (<code>parser.ts</code>): Markdown → structured data</li> <li> <strong>Matcher</strong> (<code>matcher.ts</code>): Trie-based file matching</li> <li> <strong>Rule Evaluator</strong> (<code>rule-evaluator.ts</code>): Advanced rules</li> <li> <strong>Comment Manager</strong> (<code>comment.ts</code>): Idempotent PR comments</li> </ul> <h2> Lessons Learned </h2> <h3> 1. Performance matters from day 1 </h3> <p>I could have shipped with the O(N×M) algorithm and optimized later.</p> <p>But teams with large PRs would have hit timeouts immediately and never come back.</p> <p><strong>Lesson:</strong> Build for scale early, especially in tools that run on every PR.</p> <h3> 2. Security is not optional </h3> <p>The ReDoS vulnerability wasn't theoretical - during testing, a user accidentally created a pattern that froze the action for 5 minutes.</p> <p><strong>Lesson:</strong> Validate all user input, especially anything that can loop or recurse.</p> <h3> 3. Idempotency prevents pain </h3> <p>Early versions created duplicate comments. Users reported it as "spammy" and disabled the action.</p> <p>Adding content hashing fixed this and improved adoption.</p> <p><strong>Lesson:</strong> Make actions side-effect-free and repeatable.</p> <h3> 4. Documentation &gt; features </h3> <p>I spent 60% of development time on README, examples, and error messages.</p> <p>Users still ask "how do I use this?" constantly.</p> <p><strong>Lesson:</strong> You can never document enough.</p> <h2> Try It Yourself </h2> <p><strong>Install:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">DecispherHQ/decision-guardian@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> </code></pre> </div> <p><strong>Example decision:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code> <span class="gu">## Decision: Database Choice</span> <span class="gs">**Status**</span>: Active <span class="gs">**Date**</span>: 2024-03-15 <span class="gs">**Files**</span>: <span class="sb">`src/db/**`</span> <span class="gu">### Context</span> We chose Postgres for ACID compliance. Rejected: MongoDB (no ACID), Redis (complexity) </code></pre> </div> <p><strong>Links:</strong></p> <ul> <li> <strong>GitHub:</strong> <a href="https://github.com/DecispherHQ/decision-guardian" rel="noopener noreferrer">https://github.com/DecispherHQ/decision-guardian</a> </li> <li> <strong>Docs:</strong> <a href="https://decision-guardian.decispher.com" rel="noopener noreferrer">https://decision-guardian.decispher.com</a> </li> <li> <strong>Marketplace:</strong> <a href="https://github.com/marketplace/actions/decision-guardian" rel="noopener noreferrer">https://github.com/marketplace/actions/decision-guardian</a> </li> </ul> <h2> What's Next? </h2> <p><strong>Short-term:</strong></p> <ul> <li>GitLab/Bitbucket support (if demand exists)</li> <li>Decision templates</li> </ul> <p><strong>Long-term:</strong></p> <ul> <li>VS Code extension (show decisions inline)</li> <li>Analytics dashboard</li> <li>Cross-repository rules</li> </ul> <p>Want to contribute? Open an issue or start a discussion.</p> <h2> Conclusion </h2> <p>Decision Guardian is free, open source (MIT), and takes 2 minutes to set up.</p> <p>What architectural decisions does your team repeatedly debate?</p> <p>Drop a comment - I'd love to hear your stories.</p> <p><strong>Made with ❤️ by <a href="https://github.com/gr8-alizaidi" rel="noopener noreferrer">Ali Abbas</a></strong></p> opensource github programming productivity