cicaddy-github 0.7.1__tar.gz → 0.8.0__tar.gz

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/.agents/skills/cicaddy-action/SKILL.md

@@ -127,10 +127,12 @@ can reference them as bash variables (`INPUT_AI_PROVIDER`, `INPUT_AI_API_KEY`, e
 | `task_prompt` | No | Inline task prompt |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
 | `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `inline_review_comments` | No | Post AI findings as inline comments on PR diff lines (default: `false`) |
 | `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
 | `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
 | `delegation_mode` | No | `none` (default) or `auto` for sub-agent delegation |
 | `max_sub_agents` | No | Max concurrent sub-agents, 1-10 (default: `3`) |
+| `delegation_verify_findings` | No | Verify sub-agent findings against codebase (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 | `mcp_servers_config` | No | JSON array of MCP server configs |
 | `slack_webhook_url` | No | Slack webhook URL |
@@ -196,6 +198,8 @@ github = "cicaddy_github.plugin:validate"
 - `github_token`, `github_repository`, `github_ref`, `github_event_name`
 - `github_sha`, `github_run_id`, `github_pr_number`
 - `post_pr_comment` (bool)
+- `submit_review` (bool)
+- `inline_review_comments` (bool)
 
 All loaded from environment variables via `load_settings()`.
 
@@ -233,7 +237,7 @@ the `safe-to-review` label. The label is auto-removed on new pushes to prevent
 TOCTOU bypasses.
 
 ```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@v0.7.1
+- uses: redhat-community-ai-tools/cicaddy-action@v0.8.0
   with:
     ai_provider: gemini
     ai_model: gemini-3.5-flash
@@ -329,11 +333,13 @@ cicaddy-action v0.5.0+ supports AI-powered sub-agent delegation via cicaddy>=0.8
 **Action Inputs:**
 - `delegation_mode`: `none` (default) or `auto`
 - `max_sub_agents`: 1-10 (default: `3`)
+- `delegation_verify_findings`: `false` (default) — verify findings against codebase
 
 **Environment Variables:**
 - `DELEGATION_MODE`: `none` or `auto`
 - `MAX_SUB_AGENTS`: 1-10 (default: `3`)
-- `SUB_AGENT_MAX_ITERS`: 1-15 (default: `10`)
+- `SUB_AGENT_MAX_ITERS`: 1-15 (default: `5`)
+- `DELEGATION_VERIFY_FINDINGS`: verify findings against codebase (`true`/`false`)
 - `DELEGATION_AGENTS_DIR`: `.agents/delegation` (custom agent YAML directory)
 - `DELEGATION_AGENTS`: JSON array for inline custom agents
 - `TRIAGE_PROMPT`: Custom triage instructions

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/.github/workflows/pr-review.yml

@@ -49,7 +49,7 @@ jobs:
           fi
 
       - name: AI Code Review
-        uses: redhat-community-ai-tools/cicaddy-action@v0.7.1
+        uses: redhat-community-ai-tools/cicaddy-action@v0.8.0
         id: review
         with:
           ai_provider: gemini
@@ -57,7 +57,12 @@ jobs:
           ai_api_key: ${{ secrets.AI_API_KEY }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
+          # submit_review and inline_review_comments intentionally omitted —
+          # this workflow uses pull_request_target for fork PR support, and
+          # formal reviews should not be combined with pull_request_target.
+          # See docs/providers.md#submit_review-and-fork-pull-requests
           delegation_mode: auto
+          delegation_verify_findings: 'true'
           mcp_servers_config: ${{ steps.mcp.outputs.config }}
         env:
           ANALYSIS_FOCUS: "general"

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/AGENTS.md

@@ -102,7 +102,7 @@ The cicaddy-github plugin provides:
 | `DELEGATION_AGENTS` | (empty) | JSON config for inline custom sub-agent definitions |
 | `TRIAGE_PROMPT` | (empty) | Custom triage instructions |
 
-Action inputs: `delegation_mode`, `max_sub_agents`
+Action inputs: `delegation_mode`, `max_sub_agents`, `delegation_verify_findings`
 CLI flags: `--delegation-mode auto --max-sub-agents 2`
 
 See cicaddy's [sub-agent delegation docs](https://github.com/waynesun09/cicaddy/blob/main/docs/sub-agent-delegation.md) for built-in agents, custom YAML format, and tool filtering.
@@ -124,12 +124,16 @@ All inputs use **underscores** (not hyphens) for Docker container compatibility:
 | `task_prompt` | No | Inline task prompt |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
 | `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `inline_review_comments` | No | Post AI findings as inline comments on PR diff lines (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 | `mcp_servers_config` | No | JSON array of MCP server configs |
 | `slack_webhook_url` | No | Slack webhook URL |
 | `report_template` | No | Custom HTML report template path |
+| `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
+| `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
 | `delegation_mode` | No | `none` (default) or `auto` for sub-agent delegation |
 | `max_sub_agents` | No | Max concurrent sub-agents, 1-10 (default: `3`) |
+| `delegation_verify_findings` | No | Verify sub-agent findings against codebase (default: `false`) |
 
 *Not required if provider-specific key is set via `env:`.
 

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/PKG-INFO

@@ -1,12 +1,12 @@
 Metadata-Version: 2.4
 Name: cicaddy-github
-Version: 0.7.1
+Version: 0.8.0
 Summary: GitHub Actions plugin for cicaddy AI agent framework
 Project-URL: Homepage, https://github.com/redhat-community-ai-tools/cicaddy-action
 Project-URL: Repository, https://github.com/redhat-community-ai-tools/cicaddy-action.git
 Project-URL: Issues, https://github.com/redhat-community-ai-tools/cicaddy-action/issues
 Author: Wayne Sun
-License: Apache-2.0
+License-Expression: Apache-2.0
 License-File: LICENSE
 Requires-Python: >=3.11
 Requires-Dist: cicaddy>=0.11.0
@@ -95,8 +95,10 @@ jobs:
           google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
-        env:
-          DELEGATION_MODE: auto
+          submit_review: 'true'
+          inline_review_comments: 'true'
+          delegation_mode: auto
+          delegation_verify_findings: 'true'
 ```
 
 > **Fork PRs**: The `pull_request` event cannot mint OIDC tokens for PRs
@@ -215,12 +217,42 @@ SA key fallback, and an authentication method comparison table.
 | `slack_webhook_url` | No | Slack webhook URL for notifications |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
 | `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `inline_review_comments` | No | Post AI findings as inline comments on PR diff lines (default: `false`) |
 | `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
 | `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
 | `delegation_mode` | No | Enable AI-powered sub-agent delegation: `none` (default) or `auto` |
 | `max_sub_agents` | No | Maximum concurrent sub-agents, 1-10 (default: `3`) |
+| `delegation_verify_findings` | No | Verify sub-agent findings against codebase to reduce false positives (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 
+### Review Output Options
+
+The action supports three independent review output options that control how results appear on a PR. All three default to `false` and can be combined:
+
+| Option | What it does |
+|--------|-------------|
+| `post_pr_comment` | Posts (or updates) a bot comment on the PR with the full review summary. On subsequent runs the same comment is updated in place. |
+| `submit_review` | Submits a formal GitHub review (APPROVE / REQUEST_CHANGES / COMMENT) based on the AI analysis. |
+| `inline_review_comments` | Attaches AI findings as inline comments on the exact diff lines. Requires `submit_review: 'true'` since inline comments are part of the GitHub review. |
+
+**Recommended combinations:**
+
+```yaml
+# Summary comment only (simplest)
+post_pr_comment: 'true'
+
+# Summary comment + inline diff comments (recommended for most teams)
+post_pr_comment: 'true'
+submit_review: 'true'
+inline_review_comments: 'true'
+
+# Formal review with inline comments, no standalone comment
+submit_review: 'true'
+inline_review_comments: 'true'
+```
+
+> **Note:** `inline_review_comments` works best with `submit_review: 'true'` and `delegation_mode: auto`. Delegation produces structured findings with file/line info that inline comments need. Without `submit_review`, inline comments are posted as a `COMMENT` review (no approval/rejection verdict).
+
 ## Outputs
 
 | Output | Description |
@@ -271,6 +303,8 @@ GITHUB_PR_NUMBER=42
 
 # Agent Settings
 POST_PR_COMMENT=true
+SUBMIT_REVIEW=true
+INLINE_REVIEW_COMMENTS=true
 ENABLE_LOCAL_TOOLS=true
 LOCAL_TOOLS_WORKING_DIR=.
 
@@ -326,9 +360,12 @@ uv run cicaddy validate --env-file .env.my-review
 | `GITHUB_EVENT_NAME` | No | Set to `pull_request` for auto-detection (optional if `GITHUB_PR_NUMBER` is set) |
 | `GITHUB_PR_NUMBER` | Yes | PR number to review |
 | `POST_PR_COMMENT` | No | Post results as PR comment (`true`/`false`) |
+| `SUBMIT_REVIEW` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (`true`/`false`) |
+| `INLINE_REVIEW_COMMENTS` | No | Post AI findings as inline comments on PR diff lines (`true`/`false`) |
 | `AGENT_TASKS` | No | Agent task type (e.g. `go_dep_review` for Go dependency analysis) |
 | `DELEGATION_MODE` | No | `auto` for AI-powered sub-agent delegation, `none` for single-agent (default: `none`) |
 | `MAX_SUB_AGENTS` | No | Max concurrent sub-agents for delegation, 1-10 (default: `3`) |
+| `DELEGATION_VERIFY_FINDINGS` | No | Verify sub-agent findings against codebase to reduce false positives (`true`/`false`) |
 | `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent, 1-15 (default: `5`) |
 | `AI_TASK_FILE` | No | Path to DSPy YAML task file for custom workflows |
 | `RUN_GOVULNCHECK` | No | Run govulncheck for reachability analysis (`true`/`false`) |

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/README.md

@@ -75,8 +75,10 @@ jobs:
           google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
-        env:
-          DELEGATION_MODE: auto
+          submit_review: 'true'
+          inline_review_comments: 'true'
+          delegation_mode: auto
+          delegation_verify_findings: 'true'
 ```
 
 > **Fork PRs**: The `pull_request` event cannot mint OIDC tokens for PRs
@@ -195,12 +197,42 @@ SA key fallback, and an authentication method comparison table.
 | `slack_webhook_url` | No | Slack webhook URL for notifications |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
 | `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `inline_review_comments` | No | Post AI findings as inline comments on PR diff lines (default: `false`) |
 | `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
 | `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
 | `delegation_mode` | No | Enable AI-powered sub-agent delegation: `none` (default) or `auto` |
 | `max_sub_agents` | No | Maximum concurrent sub-agents, 1-10 (default: `3`) |
+| `delegation_verify_findings` | No | Verify sub-agent findings against codebase to reduce false positives (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 
+### Review Output Options
+
+The action supports three independent review output options that control how results appear on a PR. All three default to `false` and can be combined:
+
+| Option | What it does |
+|--------|-------------|
+| `post_pr_comment` | Posts (or updates) a bot comment on the PR with the full review summary. On subsequent runs the same comment is updated in place. |
+| `submit_review` | Submits a formal GitHub review (APPROVE / REQUEST_CHANGES / COMMENT) based on the AI analysis. |
+| `inline_review_comments` | Attaches AI findings as inline comments on the exact diff lines. Requires `submit_review: 'true'` since inline comments are part of the GitHub review. |
+
+**Recommended combinations:**
+
+```yaml
+# Summary comment only (simplest)
+post_pr_comment: 'true'
+
+# Summary comment + inline diff comments (recommended for most teams)
+post_pr_comment: 'true'
+submit_review: 'true'
+inline_review_comments: 'true'
+
+# Formal review with inline comments, no standalone comment
+submit_review: 'true'
+inline_review_comments: 'true'
+```
+
+> **Note:** `inline_review_comments` works best with `submit_review: 'true'` and `delegation_mode: auto`. Delegation produces structured findings with file/line info that inline comments need. Without `submit_review`, inline comments are posted as a `COMMENT` review (no approval/rejection verdict).
+
 ## Outputs
 
 | Output | Description |
@@ -251,6 +283,8 @@ GITHUB_PR_NUMBER=42
 
 # Agent Settings
 POST_PR_COMMENT=true
+SUBMIT_REVIEW=true
+INLINE_REVIEW_COMMENTS=true
 ENABLE_LOCAL_TOOLS=true
 LOCAL_TOOLS_WORKING_DIR=.
 
@@ -306,9 +340,12 @@ uv run cicaddy validate --env-file .env.my-review
 | `GITHUB_EVENT_NAME` | No | Set to `pull_request` for auto-detection (optional if `GITHUB_PR_NUMBER` is set) |
 | `GITHUB_PR_NUMBER` | Yes | PR number to review |
 | `POST_PR_COMMENT` | No | Post results as PR comment (`true`/`false`) |
+| `SUBMIT_REVIEW` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (`true`/`false`) |
+| `INLINE_REVIEW_COMMENTS` | No | Post AI findings as inline comments on PR diff lines (`true`/`false`) |
 | `AGENT_TASKS` | No | Agent task type (e.g. `go_dep_review` for Go dependency analysis) |
 | `DELEGATION_MODE` | No | `auto` for AI-powered sub-agent delegation, `none` for single-agent (default: `none`) |
 | `MAX_SUB_AGENTS` | No | Max concurrent sub-agents for delegation, 1-10 (default: `3`) |
+| `DELEGATION_VERIFY_FINDINGS` | No | Verify sub-agent findings against codebase to reduce false positives (`true`/`false`) |
 | `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent, 1-15 (default: `5`) |
 | `AI_TASK_FILE` | No | Path to DSPy YAML task file for custom workflows |
 | `RUN_GOVULNCHECK` | No | Run govulncheck for reachability analysis (`true`/`false`) |

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/action.yml

@@ -50,6 +50,10 @@ inputs:
     description: 'Submit a formal PR review with APPROVE or REQUEST_CHANGES based on AI analysis (requires github-token with pull-requests: write)'
     required: false
     default: 'false'
+  inline_review_comments:
+    description: 'Post AI findings as inline comments on PR diff lines. Best used with submit_review and delegation_mode=auto for structured findings. (requires github-token with pull-requests: write)'
+    required: false
+    default: 'false'
   run_govulncheck:
     description: 'Run govulncheck for vulnerability reachability analysis (requires Go and govulncheck installed)'
     required: false
@@ -66,6 +70,10 @@ inputs:
     description: 'Maximum concurrent sub-agents for delegation (1-10, default: 3)'
     required: false
     default: '3'
+  delegation_verify_findings:
+    description: 'Verify each sub-agent finding against the actual codebase via a lightweight AI check to reduce false positives (default: false)'
+    required: false
+    default: 'false'
   github_token:
     description: 'GitHub token for API access'
     required: false

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/entrypoint.sh

@@ -109,10 +109,12 @@ export SLACK_WEBHOOK_URL="${INPUT_SLACK_WEBHOOK_URL}"
 export GITHUB_TOKEN="${INPUT_GITHUB_TOKEN:-$GITHUB_TOKEN}"
 export POST_PR_COMMENT="${INPUT_POST_PR_COMMENT:-false}"
 export SUBMIT_REVIEW="${INPUT_SUBMIT_REVIEW:-false}"
+export INLINE_REVIEW_COMMENTS="${INPUT_INLINE_REVIEW_COMMENTS:-false}"
 export RUN_GOVULNCHECK="${INPUT_RUN_GOVULNCHECK:-false}"
 export DEP_REVIEW_SEVERITY_THRESHOLD="${INPUT_DEP_REVIEW_SEVERITY_THRESHOLD:-minor}"
 export DELEGATION_MODE="${INPUT_DELEGATION_MODE:-none}"
 export MAX_SUB_AGENTS="${INPUT_MAX_SUB_AGENTS:-3}"
+export DELEGATION_VERIFY_FINDINGS="${INPUT_DELEGATION_VERIFY_FINDINGS:-false}"
 
 # Validate MAX_SUB_AGENTS is a number
 if [[ -n "${MAX_SUB_AGENTS}" ]] && ! [[ "${MAX_SUB_AGENTS}" =~ ^[0-9]+$ ]]; then

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/pyproject.toml

@@ -4,11 +4,11 @@ build-backend = "hatchling.build"
 
 [project]
 name = "cicaddy-github"
-version = "0.7.1"
+version = "0.8.0"
 description = "GitHub Actions plugin for cicaddy AI agent framework"
 readme = "README.md"
 requires-python = ">=3.11"
-license = {text = "Apache-2.0"}
+license = "Apache-2.0"
 authors = [{name = "Wayne Sun"}]
 dependencies = [
     "cicaddy>=0.11.0",

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/src/cicaddy_github/__init__.py

@@ -1,3 +1,3 @@
 """cicaddy-github: GitHub Actions plugin for cicaddy AI agent framework."""
 
-__version__ = "0.7.1"
+__version__ = "0.8.0"

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/src/cicaddy_github/config/settings.py

@@ -66,6 +66,11 @@ class Settings(CoreSettings):
         validation_alias=AliasChoices("SUBMIT_REVIEW"),
         description="Whether to submit a formal PR review (APPROVE or REQUEST_CHANGES)",
     )
+    inline_review_comments: bool = Field(
+        default=False,
+        validation_alias=AliasChoices("INLINE_REVIEW_COMMENTS"),
+        description="Post findings as inline comments on PR diff lines.",
+    )
     run_govulncheck: bool = Field(
         default=False,
         validation_alias=AliasChoices("RUN_GOVULNCHECK"),
@@ -115,6 +120,11 @@ def load_settings() -> Settings:
     if submit_review:
         env_data["submit_review"] = submit_review.lower() in ("true", "1", "yes")
 
+    # Inline review comments flag
+    inline_review = os.getenv("INLINE_REVIEW_COMMENTS", "").strip()
+    if inline_review:
+        env_data["inline_review_comments"] = inline_review.lower() in ("true", "1", "yes")
+
     # Dep review configuration
     run_govulncheck = os.getenv("RUN_GOVULNCHECK", "").strip()
     if run_govulncheck:

{cicaddy_github-0.7.1 → cicaddy_github-0.8.0}/src/cicaddy_github/github_integration/agents.py

@@ -1,5 +1,6 @@
 """GitHub AI Agents for PR review and task execution."""
 
+import html
 import os
 import re
 import textwrap
@@ -346,7 +347,7 @@ Please provide your comprehensive analysis in markdown format.
             )
 
         # Post PR comment if enabled (updates existing bot comment in-place)
-        post_comment = getattr(self.settings, "post_pr_comment", False)
+        post_comment = self.settings.post_pr_comment
         if post_comment and self.platform_analyzer and self.pr_number:
             try:
                 comment = self._format_pr_comment(analysis_result)
@@ -360,9 +361,17 @@ Please provide your comprehensive analysis in markdown format.
                 )
                 logger.debug("PR comment post traceback:", exc_info=True)
 
-        # Submit formal PR review if enabled
-        submit_review = getattr(self.settings, "submit_review", False)
-        if submit_review and self.platform_analyzer and self.pr_number:
+        # Check if inline review comments will handle the formal review
+        inline_enabled = self.settings.inline_review_comments
+        findings = analysis_result.get("findings") or []
+        inline_findings = [f for f in findings if f.get("line") and f.get("file")]
+        inline_will_post = (
+            inline_enabled and inline_findings and self.platform_analyzer and self.pr_number
+        )
+
+        # Submit formal PR review if enabled — skip when inline review will handle it
+        submit_review = self.settings.submit_review
+        if submit_review and self.platform_analyzer and self.pr_number and not inline_will_post:
             try:
                 ai_text = analysis_result.get("ai_analysis", "")
                 verdict = extract_review_verdict(ai_text)
@@ -377,9 +386,190 @@ Please provide your comprehensive analysis in markdown format.
                 )
                 logger.debug("PR review submit traceback:", exc_info=True)
 
+        # Post inline review comments if enabled
+        if inline_enabled:
+            if not findings:
+                logger.warning(
+                    "INLINE_REVIEW_COMMENTS is enabled but no structured findings "
+                    "were produced. Inline comments require DELEGATION_MODE=auto."
+                )
+            skipped = len(findings) - len(inline_findings)
+            logger.info(
+                f"Inline review for PR #{self.pr_number}: "
+                f"{len(inline_findings)} findings with line+file, "
+                f"{skipped} without (total {len(findings)})"
+            )
+        if inline_will_post:
+            try:
+                await self._post_inline_review(analysis_result, inline_findings)
+            except Exception as e:
+                logger.error(
+                    f"Failed to post inline review: {self.leak_detector.sanitize_text(str(e))}"
+                )
+                logger.debug("Inline review post traceback:", exc_info=True)
+                # Fallback: submit standalone review since inline failed
+                if submit_review and self.platform_analyzer:
+                    try:
+                        ai_text = analysis_result.get("ai_analysis", "")
+                        verdict = extract_review_verdict(ai_text)
+                        review_body = self._format_review_body(analysis_result)
+                        await self.platform_analyzer.submit_pr_review(
+                            int(self.pr_number), review_body, event=verdict
+                        )
+                        logger.info(f"Submitted fallback {verdict} review on PR #{self.pr_number}")
+                    except Exception as fallback_e:
+                        logger.error(
+                            f"Fallback review also failed: "
+                            f"{self.leak_detector.sanitize_text(str(fallback_e))}"
+                        )
+
         # Send Slack notification using parent class
         await super().send_notifications(report, analysis_result)
 
+    @staticmethod
+    def _format_inline_comment(finding: dict, leak_detector: Any = None) -> str:
+        """Format a finding dict into a markdown inline comment body.
+
+        Args:
+            finding: Finding dict with severity, message, and optional
+                suggestion and agent_source fields.
+            leak_detector: Optional leak detector to sanitize secrets.
+
+        Returns:
+            Formatted markdown string for the inline comment.
+        """
+        severity = finding.get("severity", "info").upper()
+        emoji_map = {
+            "CRITICAL": "\U0001f534",
+            "MAJOR": "\U0001f7e0",
+            "MINOR": "\U0001f7e1",
+            "NIT": "\U0001f535",
+        }
+        emoji = emoji_map.get(severity, "ℹ️")
+        message = finding.get("message", "No description provided")
+        suggestion = finding.get("suggestion", "")
+        if leak_detector:
+            message = leak_detector.sanitize_text(message)
+            if suggestion:
+                suggestion = leak_detector.sanitize_text(suggestion)
+        body = f"{emoji} **{severity}**: {message}"
+        if suggestion:
+            body += f"\n\n**Suggestion**: {suggestion}"
+        if finding.get("agent_source"):
+            agent_source = finding["agent_source"]
+            if leak_detector:
+                agent_source = leak_detector.sanitize_text(agent_source)
+            body += f"\n\n<sub>Source: {html.escape(agent_source)}</sub>"
+        return body
+
+    MAX_INLINE_COMMENTS = 25
+
+    async def _post_inline_review(
+        self, analysis_result: dict[str, Any], findings: list[dict]
+    ) -> None:
+        """Post findings as inline review comments on the PR diff.
+
+        Args:
+            analysis_result: Full analysis result dict.
+            findings: Pre-filtered findings that have both file and line.
+        """
+        pr_files = await self.platform_analyzer.get_pr_changed_files(int(self.pr_number))
+
+        # Build patch lookup: file path -> patch string
+        patch_map: dict[str, str | None] = {}
+        for f in pr_files:
+            patch_map[f.filename] = f.patch
+
+        severity_order = {"critical": 0, "major": 1, "minor": 2, "nit": 3}
+        sorted_findings = sorted(
+            findings,
+            key=lambda f: severity_order.get(f.get("severity", "nit").lower(), 4),
+        )
+
+        # Build inline comments, validating each line is in the diff
+        comments: list[dict] = []
+        skipped = 0
+        for finding in sorted_findings:
+            file_path = finding["file"]
+            try:
+                line = int(finding["line"])
+            except (ValueError, TypeError):
+                skipped += 1
+                continue
+            patch = patch_map.get(file_path)
+
+            if patch is None or not GitHubAnalyzer._is_line_in_diff_range(patch, line):
+                skipped += 1
+                continue
+
+            comment: dict[str, Any] = {
+                "path": file_path,
+                "body": self._format_inline_comment(finding, leak_detector=self.leak_detector),
+                "line": line,
+                "side": "RIGHT",
+            }
+            start_line = finding.get("start_line")
+            try:
+                start_line = int(start_line) if start_line else None
+            except (ValueError, TypeError):
+                start_line = None
+            if (
+                start_line
+                and start_line < line
+                and GitHubAnalyzer._is_line_in_diff_range(patch, start_line)
+            ):
+                comment["start_line"] = start_line
+                comment["start_side"] = "RIGHT"
+
+            comments.append(comment)
+            if len(comments) >= self.MAX_INLINE_COMMENTS:
+                truncated = len(sorted_findings) - skipped - self.MAX_INLINE_COMMENTS
+                if truncated > 0:
+                    logger.warning(
+                        f"Capped inline comments at {self.MAX_INLINE_COMMENTS}, "
+                        f"{truncated} lower-severity finding(s) omitted"
+                    )
+                break
+
+        if not comments:
+            logger.info(
+                f"No findings survived diff validation on PR #{self.pr_number}; "
+                "skipping inline review submission"
+            )
+            if self.settings.submit_review and self.platform_analyzer:
+                ai_text = analysis_result.get("ai_analysis", "")
+                verdict = extract_review_verdict(ai_text)
+                review_body = self._format_review_body(analysis_result)
+                await self.platform_analyzer.submit_pr_review(
+                    int(self.pr_number), review_body, event=verdict
+                )
+                logger.info(f"Submitted standalone {verdict} review (no inline comments)")
+            return
+
+        # Determine review event
+        submit_review = self.settings.submit_review
+        if submit_review:
+            ai_text = analysis_result.get("ai_analysis", "")
+            event = extract_review_verdict(ai_text)
+        else:
+            event = "COMMENT"
+
+        # Build review body
+        review_body = self._format_review_body(analysis_result)
+
+        await self.platform_analyzer.submit_review_with_comments(
+            pr_number=int(self.pr_number),
+            body=review_body,
+            comments=comments,
+            event=event,
+        )
+
+        posted = len(comments)
+        logger.info(
+            f"Inline review: {posted} comment(s) posted, {skipped} skipped "
+            f"(not in diff range) on PR #{self.pr_number}"
+        )
+
     def _format_review_body(self, analysis_result: dict[str, Any]) -> str:
         """Format analysis results as a PR review body.