defenseunicorns · kitplummer · Apr 7, 2026
diff --git a/.github/workflows/qa-review.yml b/.github/workflows/qa-review.yml
@@ -0,0 +1,62 @@
+name: QA Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  qa-review:
+    name: Peat QA Review
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: peat-arm64-linux-gb10
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for existing review
+        id: check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          SHORT_SHA="${{ github.event.pull_request.head.sha }}"
+          SHORT_SHA="${SHORT_SHA:0:7}"
+          echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+          EXISTING=$(gh pr view "${{ github.event.pull_request.number }}" --json comments --jq \
+            ".comments[] | select(.body | contains(\"Peat QA Review (SHA: ${SHORT_SHA})\")) | .id" 2>/dev/null || true)
+          if [ -n "$EXISTING" ]; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Review PR with Claude Code
+        if: steps.check.outputs.skip != 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cat <<'PROMPT' | claude -p --allowedTools 'Bash(gh pr diff *),Bash(gh pr view *),Bash(gh pr review *)'
+          You are the QA review agent for the Peat Protocol ecosystem, reviewing the peat-mesh repo.
+
+          Review PR #${{ github.event.pull_request.number }} in ${{ github.repository }} (HEAD: ${{ steps.check.outputs.short_sha }}).
+
+          Steps:
+          1. Run: gh pr diff ${{ github.event.pull_request.number }}
+          2. Run: gh pr view ${{ github.event.pull_request.number }}
+          3. Review the diff against these criteria:
+             - Transport: must not break Automerge sync semantics or Iroh peer discovery
+             - Peer discovery: changes to DHT or mDNS must preserve existing discovery contracts
+             - E2E encryption: Ed25519/X25519/ChaCha20/HMAC-SHA256 — flag any deviation or plaintext substitution as [BLOCKER]
+             - Membership/certificates: changes must preserve tactical trust model (ADR-0006)
+             - Consumer interface adapters: changes must not break SDK integration contracts
+             - Performance: flag anything likely to increase convergence latency >20% or bandwidth beyond baselines
+             - Check changes against ADR decisions in docs/adr/
+          4. Post findings with: gh pr review ${{ github.event.pull_request.number }} --comment --body 'YOUR_REVIEW'
+             Start the body with: ## Peat QA Review (SHA: ${{ steps.check.outputs.short_sha }})
+             Use severity tags: [BLOCKER], [WARNING], [SUGGESTION]
+             NEVER approve or request-changes — comment only.
+          PROMPT