You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

Adversarial Self-Review

Reviewed all 10 files in the diff (1060 lines). Findings:

Verified OK

• All internal cross-references resolve to existing files (HealthController, docker-compose.yml, OBSERVABILITY_BASELINE, FAILURE_INJECTION_DRILLS, MCP_TOOLING_GUIDE, Telemetry/, etc.)
• Scenario templates reference actual codebase structures (health endpoint checks, OpenTelemetry attribute names, docker-compose services, env vars)
• Evidence package from the live rehearsal contains real command outputs and genuine findings
• Label taxonomy in REHEARSAL_BACKOFF_RULES.md is consistent with GITHUB_LABEL_TAXONOMY.md conventions

Findings to note (not blocking)

1. Rehearsal outcome was "Partial" -- none of the injection methods successfully degraded health. The SQLite auto-creation behavior and launchSettings override prevented reaching a 503 state. This is honestly documented as findings, but it means the scenario template's Option A needs a note about --no-launch-profile and Windows-specific path behavior. The evidence is real and valuable (it surfaced gaps), but a future rehearsal should aim for a fully degraded state.

2. rehearsal-finding label does not exist in the repo yet. REHEARSAL_BACKOFF_RULES.md documents how to create it, but it would be cleaner to create it as part of this PR. Low priority -- can be done when the first finding issue is filed.

3. MCP scenario references .mcp.json which may or may not exist depending on the developer's local setup. The scenario handles this with a fallback check (cat .mcp.json 2>/dev/null || echo "No MCP config found"), which is adequate.

4. Evidence template has a nested markdown code fence (template inside a ````markdown` block). This renders correctly on GitHub but could confuse copy-paste if the outer fence delimiters are not recognized. Acceptable tradeoff for having a copyable template.

5. No changes to STATUS.md or IMPLEMENTATION_MASTERPLAN.md. This is a docs-only addition with no behavior changes, so updating those is not required per the Definition of Done ("update docs when reality changes").

Verdict

No blocking issues. The documents are grounded in the actual codebase, cross-references are valid, and the rehearsal evidence is genuine. The "Partial" outcome is a feature, not a bug -- it surfaced real findings about fault injection reliability on this stack.

Adversarial Review of PR #503

What I Verified

• All 10 cross-referenced doc paths (OBSERVABILITY_BASELINE.md, FAILURE_INJECTION_DRILLS.md, DEPLOYMENT_CONTAINERS.md, DEPLOYMENT_HARDENING_MATRIX.md, GITHUB_LABEL_TAXONOMY.md, MCP_TOOLING_GUIDE.md, MCP_OPERATIONS_RUNBOOK.md, EVIDENCE_TEMPLATE.md, .mcp.json, etc.) resolve to existing files in the codebase.
• HealthController.cs exists at the path referenced, routes are /health/live and /health/ready, response structure matches what the scenario templates and rehearsal evidence describe (status, checks.database, checks.queue with depth/totalDepth/captureDepth/threshold, checks.workers with stalenessSeconds/maxStalenessSeconds).
• HealthApiTests.cs has exactly 3 [Fact] tests -- matches the rehearsal evidence "3/3 passing" claim.
• Commit SHA 440a8c9d in the rehearsal evidence matches actual HEAD of main.
• Worker staleness thresholds (QueuePollIntervalSeconds * 3, minimum 30s and 3 minutes for housekeeping) match the code exactly.
• Telemetry metric names (taskdeck.automation.queue.backlog, taskdeck.worker.heartbeat.staleness, taskdeck.correlation_id, taskdeck.request_id, taskdeck.worker.name, taskdeck.llm.request_id) all exist in TaskdeckTelemetry.cs / TaskdeckTelemetryTags.cs.
• CreateLlmRequestDto(string RequestType, string Payload, Guid? BoardId) matches the JSON payload in the queue-flood scenario.
• Auth endpoints POST /api/auth/register and POST /api/auth/login exist in AuthController.cs.
• Observability config keys (EnableOpenTelemetry, EnableConsoleExporter, OtlpEndpoint, ServiceName) match appsettings.json.
• Docker files (deploy/docker-compose.yml, deploy/.env.example, deploy/docker/backend.Dockerfile) exist. Env vars TASKDECK_JWT_SECRET and TASKDECK_PROXY_PORT are present in compose config.
• Telemetry/ directory exists with TaskdeckTelemetry.cs and TaskdeckTelemetryTags.cs.

Issues Found

1. FACTUAL ERROR: TASKDECK_DB_PATH does not exist (deployment-readiness-failure.md, Option B)

File: docs/ops/rehearsal-scenarios/deployment-readiness-failure.md, Option B injection method

The scenario says:

TASKDECK_DB_PATH="/readonly/taskdeck.db" \
docker compose -f deploy/docker-compose.yml ...

TASKDECK_DB_PATH is not defined anywhere in the codebase. The Docker Compose file uses ConnectionStrings__DefaultConnection: Data Source=/app/data/taskdeck.db directly. Someone following this scenario would set an env var that has zero effect, making the injection silently fail. Should be ConnectionStrings__DefaultConnection="Data Source=/readonly/taskdeck.db" or a docker-compose override approach.

2. ACCEPTANCE CRITERIA GAP: Follow-up issues not filed

Issue #150 acceptance criteria states: "Follow-up defects/improvements are filed as linked issues."

The rehearsal evidence lists 3 findings (1x P3 and 1x P4 that warrant issues), but the Follow-Up Issues section says "P3 finding about SQLite auto-creation masking connection errors should be tracked in a future hardening issue" -- no actual issue has been filed. I searched GitHub issues for "rehearsal-finding" and found none.

This is a soft gap -- the backlog rules document allows 2 working days to file -- but the PR body claims the work is complete and references the acceptance criteria. At minimum, the P3 finding (SQLite auto-creation masking) should be filed before merge, or the PR description should acknowledge the outstanding filing.

3. MINOR: Rehearsal evidence missing "Observer" sign-off row

The evidence template requires sign-off from "at least the rehearsal lead" (so technically OK), but the cadence document specifies "Rehearsal lead + one observer minimum" for monthly rehearsals. The evidence only has one participant (@Chris0Jeky) and the observer sign-off row is missing entirely (not present, not "N/A"). For the inaugural rehearsal this is understandable but should be noted.

4. MINOR: Scenario Option B (worker staleness) in degraded-api-health.md is weak

The scenario acknowledges "not practical without code changes" for injecting worker staleness and suggests modifying appsettings.Development.json as a workaround. This means Option B is essentially not executable as a hands-off rehearsal. The rehearsal evidence confirms it was attempted but could not produce a degraded state. Consider adding a more practical injection method (e.g., kill -STOP on the worker thread equivalent, or modifying the staleness threshold to be very small).

5. MINOR: Scenario Option C (queue flood) uses jq -r '.token' and jq -r '.id'

The login and board-creation responses need to actually return JSON with token and id fields at the top level for the jq extraction to work. This is likely correct but not verified -- if the login response wraps the token in a nested object, the scenario script would silently fail.

Overall Assessment

The documentation is well-structured, internally consistent, and deeply grounded in the actual codebase. The rehearsal evidence looks authentic with real timestamps, command outputs, and findings that match what the code would actually produce. Cross-references are thorough and bidirectional.

The TASKDECK_DB_PATH factual error (finding #1) should be fixed before merge. The missing follow-up issue filing (finding #2) should at least be acknowledged.