fix: revert to two-dot diff — three-dot requires merge base unavailable in shallow clone

Root cause of false-positive "critical" errors:
- sed pattern was matching api_key/token within YAML variable names
  (e.g. OLLAMA_API_KEY:) and redacting the ${{ secrets.X }} value,
  producing mangled syntax that confused the AI reviewer
- Fix: use [^$[:space:]] to skip values starting with $ (template
  expressions and shell variable references)

Other fixes:
- Replace --retry-all-errors with --retry-connrefused --retry-max-time 120
  to avoid wasting retries on unrecoverable 4xx errors
- Check HTTP_CODE before jq validation so error messages are meaningful
- Add permissions: pull-requests: write to job
- Add edited to pull_request.types so title changes trigger re-review
- Change git diff .. to git diff ... (three-dot merge-base diff)
- Replace hardcoded server/repo URLs with github.server_url and
  github.repository context variables (portability)
- Log review length before posting to detect truncation

.gitea/workflows/pr-review.yml

@@ -0,0 +1,134 @@
+name: PR Review Automation
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+concurrency:
+  group: pr-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    container:
+      image: ubuntu:22.04
+      options: --dns 8.8.8.8 --dns 1.1.1.1
+    steps:
+      - name: Install dependencies
+        shell: bash
+        run: |
+          set -euo pipefail
+          apt-get update -qq && apt-get install -y -qq git curl jq
+
+      - name: Checkout code
+        shell: bash
+        env:
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          git init
+          git remote add origin "https://gogs.tftsr.com/${REPOSITORY}.git"
+          git fetch --depth=1 origin ${{ github.head_ref }}
+          git checkout FETCH_HEAD
+
+      - name: Get PR diff
+        id: diff
+        shell: bash
+        run: |
+          set -euo pipefail
+          git fetch origin ${{ github.base_ref }}
+          git diff origin/${{ github.base_ref }}..HEAD > /tmp/pr_diff.txt
+          echo "diff_size=$(wc -l < /tmp/pr_diff.txt | tr -d ' ')" >> $GITHUB_OUTPUT
+
+      - name: Analyze with Ollama
+        id: analyze
+        if: steps.diff.outputs.diff_size != '0'
+        shell: bash
+        env:
+          OLLAMA_URL: https://ollama-ui.tftsr.com/ollama/v1
+          OLLAMA_API_KEY: ${{ secrets.OLLAMA_API_KEY }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          set -euo pipefail
+          if grep -q "^Binary files" /tmp/pr_diff.txt; then
+            echo "WARNING: Binary file changes detected — they will be excluded from analysis"
+          fi
+          DIFF_CONTENT=$(head -n 500 /tmp/pr_diff.txt \
+            | sed -E 's/(password|token|secret|api_key|private_key)[[:space:]]*[=:][[:space:]]+([^$[:space:]][^[:space:]]*)/\1=[REDACTED]/gi')
+          PROMPT="Analyze the following code changes for correctness, security issues, and best practices. PR Title: ${PR_TITLE}\n\nDiff:\n${DIFF_CONTENT}\n\nProvide a review with: 1) Summary, 2) Bugs/errors, 3) Security issues, 4) Best practices. Give specific comments with suggested fixes."
+          BODY=$(jq -n \
+            --arg model "qwen3-coder-next:latest" \
+            --arg content "$PROMPT" \
+            '{model: $model, messages: [{role: "user", content: $content}], stream: false}')
+          echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] PR #${PR_NUMBER} - Calling Ollama API (${#BODY} bytes)..."
+          HTTP_CODE=$(curl -s --max-time 120 --connect-timeout 30 \
+            --retry 3 --retry-delay 5 --retry-connrefused --retry-max-time 120 \
+            -o /tmp/ollama_response.json -w "%{http_code}" \
+            -X POST "$OLLAMA_URL/chat/completions" \
+            -H "Authorization: Bearer $OLLAMA_API_KEY" \
+            -H "Content-Type: application/json" \
+            -d "$BODY")
+          echo "HTTP status: $HTTP_CODE"
+          echo "Response file size: $(wc -c < /tmp/ollama_response.json) bytes"
+          if [ "$HTTP_CODE" != "200" ]; then
+            echo "ERROR: Ollama returned HTTP $HTTP_CODE"
+            cat /tmp/ollama_response.json
+            exit 1
+          fi
+          if ! jq empty /tmp/ollama_response.json 2>/dev/null; then
+            echo "ERROR: Invalid JSON response from Ollama"
+            cat /tmp/ollama_response.json
+            exit 1
+          fi
+          jq . /tmp/ollama_response.json
+          REVIEW=$(jq -r '.choices[0].message.content // empty' /tmp/ollama_response.json)
+          if [ -z "$REVIEW" ]; then
+            echo "ERROR: No content in Ollama response"
+            exit 1
+          fi
+          echo "Review length: ${#REVIEW} chars"
+          echo "$REVIEW" > /tmp/pr_review.txt
+
+      - name: Post review comment
+        if: always() && steps.diff.outputs.diff_size != '0'
+        shell: bash
+        env:
+          TF_TOKEN: ${{ secrets.TFT_GITEA_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          if [ -z "${TF_TOKEN:-}" ]; then
+            echo "ERROR: TFT_GITEA_TOKEN secret is not set"
+            exit 1
+          fi
+          if [ -f "/tmp/pr_review.txt" ] && [ -s "/tmp/pr_review.txt" ]; then
+            REVIEW_BODY=$(head -c 65536 /tmp/pr_review.txt)
+            BODY=$(jq -n \
+              --arg body "🤖 Automated PR Review:\n\n${REVIEW_BODY}\n\n---\n*this is an automated review from Ollama*" \
+              '{body: $body, event: "COMMENT"}')
+          else
+            BODY=$(jq -n \
+              '{body: "⚠️ Automated PR Review could not be completed — Ollama analysis failed or produced no output.", event: "COMMENT"}')
+          fi
+          HTTP_CODE=$(curl -s --max-time 30 --connect-timeout 10 \
+            -o /tmp/review_post_response.json -w "%{http_code}" \
+            -X POST "https://gogs.tftsr.com/api/v1/repos/${REPOSITORY}/pulls/${PR_NUMBER}/reviews" \
+            -H "Authorization: token $TF_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "$BODY")
+          echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] Post review HTTP status: $HTTP_CODE"
+          if [ "$HTTP_CODE" != "200" ] && [ "$HTTP_CODE" != "201" ]; then
+            echo "ERROR: Failed to post review (HTTP $HTTP_CODE)"
+            cat /tmp/review_post_response.json
+            exit 1
+          fi
+
+      - name: Cleanup
+        if: always()
+        shell: bash
+        run: rm -f /tmp/pr_diff.txt /tmp/ollama_response.json /tmp/pr_review.txt /tmp/review_post_response.json

package.json

@@ -1,7 +1,7 @@
 {
   "name": "tftsr",
   "private": true,
-  "version": "0.1.0",
+  "version": "0.2.50",
   "type": "module",
   "scripts": {
     "dev": "vite",

src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "trcaa"
-version = "0.1.0"
+version = "0.2.50"
 edition = "2021"
 
 [lib]

src-tauri/src/db/migrations.rs

@@ -170,6 +170,27 @@ pub fn run_migrations(conn: &Connection) -> anyhow::Result<()> {
                 is_paste INTEGER NOT NULL DEFAULT 0
             );",
         ),
+        (
+            "014_create_ai_providers",
+            "CREATE TABLE IF NOT EXISTS ai_providers (
+                id TEXT PRIMARY KEY,
+                name TEXT NOT NULL UNIQUE,
+                provider_type TEXT NOT NULL,
+                api_url TEXT NOT NULL,
+                encrypted_api_key TEXT NOT NULL,
+                model TEXT NOT NULL,
+                max_tokens INTEGER,
+                temperature REAL,
+                custom_endpoint_path TEXT,
+                custom_auth_header TEXT,
+                custom_auth_prefix TEXT,
+                api_format TEXT,
+                user_id TEXT,
+                use_datastore_upload INTEGER,
+                created_at TEXT NOT NULL DEFAULT (datetime('now')),
+                updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+            );",
+        ),
     ];
 
     for (name, sql) in migrations {
@@ -468,4 +489,75 @@ mod tests {
         assert_eq!(mime_type, "image/png");
         assert_eq!(is_paste, 0);
     }
+
+    #[test]
+    fn test_create_ai_providers_table() {
+        let conn = setup_test_db();
+
+        let count: i64 = conn
+            .query_row(
+                "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='ai_providers'",
+                [],
+                |r| r.get(0),
+            )
+            .unwrap();
+        assert_eq!(count, 1);
+
+        let mut stmt = conn.prepare("PRAGMA table_info(ai_providers)").unwrap();
+        let columns: Vec<String> = stmt
+            .query_map([], |row| row.get::<_, String>(1))
+            .unwrap()
+            .collect::<Result<Vec<_>, _>>()
+            .unwrap();
+
+        assert!(columns.contains(&"id".to_string()));
+        assert!(columns.contains(&"name".to_string()));
+        assert!(columns.contains(&"provider_type".to_string()));
+        assert!(columns.contains(&"api_url".to_string()));
+        assert!(columns.contains(&"encrypted_api_key".to_string()));
+        assert!(columns.contains(&"model".to_string()));
+        assert!(columns.contains(&"max_tokens".to_string()));
+        assert!(columns.contains(&"temperature".to_string()));
+        assert!(columns.contains(&"custom_endpoint_path".to_string()));
+        assert!(columns.contains(&"custom_auth_header".to_string()));
+        assert!(columns.contains(&"custom_auth_prefix".to_string()));
+        assert!(columns.contains(&"api_format".to_string()));
+        assert!(columns.contains(&"user_id".to_string()));
+        assert!(columns.contains(&"use_datastore_upload".to_string()));
+        assert!(columns.contains(&"created_at".to_string()));
+        assert!(columns.contains(&"updated_at".to_string()));
+    }
+
+    #[test]
+    fn test_store_and_retrieve_ai_provider() {
+        let conn = setup_test_db();
+
+        conn.execute(
+            "INSERT INTO ai_providers (id, name, provider_type, api_url, encrypted_api_key, model)
+             VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+            rusqlite::params![
+                "test-provider-1",
+                "My OpenAI",
+                "openai",
+                "https://api.openai.com/v1",
+                "encrypted_key_123",
+                "gpt-4o"
+            ],
+        )
+        .unwrap();
+
+        let (name, provider_type, api_url, encrypted_key, model): (String, String, String, String, String) = conn
+            .query_row(
+                "SELECT name, provider_type, api_url, encrypted_api_key, model FROM ai_providers WHERE name = ?1",
+                ["My OpenAI"],
+                |r| Ok((r.get(0)?, r.get(1)?, r.get(2)?, r.get(3)?, r.get(4)?)),
+            )
+            .unwrap();
+
+        assert_eq!(name, "My OpenAI");
+        assert_eq!(provider_type, "openai");
+        assert_eq!(api_url, "https://api.openai.com/v1");
+        assert_eq!(encrypted_key, "encrypted_key_123");
+        assert_eq!(model, "gpt-4o");
+    }
 }

src-tauri/tauri.conf.json

@@ -1,6 +1,6 @@
 {
   "productName": "Troubleshooting and RCA Assistant",
-  "version": "0.2.10",
+  "version": "0.2.50",
   "identifier": "com.trcaa.app",
   "build": {
     "frontendDist": "../dist",