fix(sdd-execute): trigger auto-revise on all failed checks, not just required

[norrietaylor]

Closes #259

Root cause

The check_suite branch in sdd-route-execute resolved required contexts via classic getBranchProtection on the default github.token and treated any error as "no required contexts → do not trigger". That endpoint needs administration:read, which GITHUB_TOKEN lacks, so the path 403'd and was silently dead on many repos; it was also blind to rulesets. Even where it worked, failures on non-required checks never triggered the implicit /revise.

Fix

• .github/actions/sdd-route-execute/action.yml:
  • New input revise-on-checks (all | required), empty default resolves to all. In all mode the protection lookup is skipped; every failure-conclusion check run is actionable after exclusions. Unrecognized values log and fall back to all.
  • New input revise-checks-exclude: comma-separated check-run-name globs (* wildcard, anchored, case-sensitive); matching runs never trigger.
  • required mode fixed: required contexts resolved from repository rulesets (GET /repos/{o}/{r}/rules/branches/{branch}, paginated, plain read token) merged best-effort with classic protection; lookup errors are logged and contribute nothing instead of killing the path.
  • Unchanged: the <!-- sdd-execute:auto-revise-check --> marker budget capped by max-review-iterations, the head-sha staleness guard, PR resolution, directive assembly (check names + run URLs).
• wrappers/sdd-execute-{haiku,sonnet,opus}.yml: map SDD_REVISE_ON_CHECKS / SDD_REVISE_CHECKS_EXCLUDE repo vars (same pattern as max-review-iterations); stale required-only trigger/permissions comments corrected.
• docs/sdd/install.md: two new variables-table rows.

No agent sources or fragments changed; no lock recompile.

Behavior change

Default is all: consumers consuming the action @main get failed-check auto-revise on every failing check with no wrapper update. Worst case for a flaky advisory check is 3 revise runs (existing cap) then a visible needs-human — strictly better than silence. Set SDD_REVISE_ON_CHECKS=required to restore the old scope, SDD_REVISE_CHECKS_EXCLUDE to carve out advisory checks. Needs a release-note line at the next tag.

Acceptance

• check_suite failure on a non-required check on an sdd/ branch triggers implicit /revise within the iteration cap.
• revise-checks-exclude glob suppresses a named check in either mode.
• required mode resolves contexts from rulesets without admin scope.
• YAML parses (action + three wrappers); embedded github-script passes node --check; glob matcher exercised with 12/12 passing cases; wrappers in lockstep; all scripts/test-* validation scripts pass.

🤖 Generated with Claude Code

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 389fc2cb-160c-442f-9173-80cd0b2902aa

📥 Commits

Reviewing files that changed from the base of the PR and between 65e999e and 6d07597.

📒 Files selected for processing (5)

• .github/actions/sdd-route-execute/action.yml
• docs/sdd/install.md
• wrappers/sdd-execute-haiku.yml
• wrappers/sdd-execute-opus.yml
• wrappers/sdd-execute-sonnet.yml

---

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Enhanced control over automatic code revision triggering: configure whether to trigger on all CI check failures (default) or only on required checks
  • Added ability to exclude specific checks from triggering automatic revisions

• Documentation

  • Updated documentation to describe new configuration variables for controlling automatic revision behavior

Walkthrough

This PR extends the SDD routing action to control check-failure auto-revise behavior via two new inputs: a mode selector (revise-on-checks: all or required) and an exclusion list for check names. The action now defaults to triggering /revise on any failing check (unless excluded), with an option to restrict to required checks only. Required contexts are resolved from both modern repository rulesets and classic branch protection. All three workflow wrappers and the install guide are updated to surface these variables.

Changes

Configurable check-failure revise behavior

Layer / File(s)	Summary
Action input definitions and wiring .github/actions/sdd-route-execute/action.yml	Two new inputs are defined: revise-on-checks (mode: all | required) and revise-checks-exclude (comma-separated globs). Both are wired into the decide step via environment variables.
Check-suite failure handling with mode-driven filtering .github/actions/sdd-route-execute/action.yml	The check_suite completed-failure path is rewritten to support mode-based selection. In all mode, every failing check (after exclusions) is actionable; in required mode, only checks matching required contexts are considered. Required contexts are fetched from repository rulesets and fall back to classic branch protection. Exclusion globs are parsed into regex matchers and applied to skip named checks.
Workflow wrapper configuration updates wrappers/sdd-execute-haiku.yml, wrappers/sdd-execute-opus.yml, wrappers/sdd-execute-sonnet.yml	Each wrapper's route job now passes revise-on-checks and revise-checks-exclude from repository variables (vars.SDD_REVISE_ON_CHECKS, vars.SDD_REVISE_CHECKS_EXCLUDE) into the sdd-route-execute action. Documentation comments clarify the default vs. required mode behavior.
User documentation for revise-on-checks variables docs/sdd/install.md	Added two entries to the Variables table documenting the new SDD_REVISE_ON_CHECKS and SDD_REVISE_CHECKS_EXCLUDE configuration options.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• norrietaylor/spectacles#210: Introduced the original failed-required-check /revise loop; this PR extends that same logic with mode selection and exclusion filtering.

Poem

🐰 A route through the branches, now wisely refined—
Check failures no longer leave devs in a bind!
With all or required, we pick our own way,
And globs filter gossips that lead us astray.
The rulesets are queried, the loops iterate fast.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: extending auto-revise to trigger on all failed checks by default, not just required ones, which is the core objective.
Description check	✅ Passed	The description comprehensively addresses the root cause, the fix, behavior changes, and acceptance criteria, directly relating to the changeset modifications.
Linked Issues check	✅ Passed	The PR fully implements the requirements from issue #259: new revise-on-checks and revise-checks-exclude inputs, ruleset-based required context resolution, default-to-all behavior, and wrapper variable mapping.
Out of Scope Changes check	✅ Passed	All changes align with issue #259 scope: action logic updates, wrapper mappings, and documentation. No unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/259-revise-all-checks

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}