Add sprint-report workflow with structured intake prompt

[bobbravo2]

Configure the sprint health report workflow for 1-2 turn agentic efficiency. The startup prompt gathers all required context (data source, team, audience, format, assumptions) upfront so the agent can produce a complete report without back-and-forth.

Made-with: Cursor

[coderabbitai]

Walkthrough

Adds a new Sprint Health Report workflow template: ambient.json configuration, three agent personas, five slash-command docs, an HTML report template, and comprehensive field/reference and README documentation for generating sprint health reports from Jira data.

Changes

Cohort / File(s)	Summary
Workflow Configuration workflows/sprint-report/.ambient/ambient.json	New ambient.json defining the Sprint Health Report workflow: metadata, systemPrompt, startupPrompt, ingestion guidance, metrics/anti-pattern rules, output mapping for Markdown/HTML reports.
Agent Personas workflows/sprint-report/.claude/agents/example-architect.md, workflows/sprint-report/.claude/agents/example-engineer.md, workflows/sprint-report/.claude/agents/example-product-manager.md	Three persona definitions (architect, engineer, product manager) with roles, responsibilities, communication style, triggers, tools, principles, and example artifacts.
Command Documentation workflows/sprint-report/.claude/commands/init.md, .../analyze.md, .../plan.md, .../execute.md, .../verify.md	Five command guides (/init, /analyze, /plan, /execute, /verify) detailing purpose, steps, prerequisites, outputs, templates, and artifact locations for workflow operations.
Templates & Report Layout workflows/sprint-report/templates/report.html	New, fully featured HTML report template with CSS, JS interactions, KPI panels, dimension analyses, anti-patterns, appendix table, and print/export behavior.
Reference & Documentation workflows/sprint-report/FIELD_REFERENCE.md, workflows/sprint-report/README.md	Comprehensive ambient.json field reference and a detailed README describing workflow contents, usage, directory layout, examples, and integration instructions.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant User as User
participant ACP as Ambient Code Platform
participant Agent as Workflow Agent
participant Jira as Jira / CSV
participant Template as Report Template Renderer

User->>ACP: invoke /init or /analyze or /plan
ACP->>Agent: pass startupPrompt + inputs
Agent->>Jira: request data (CSV export or JQL) / accept CSV
Jira-->>Agent: return issue data (CSV/JSON)
Agent->>Template: generate report content (Markdown/HTML)
Template-->>ACP: rendered HTML/MD artifact saved to artifacts/
ACP-->>User: provide report links / artifacts

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add sprint-report workflow with structured intake prompt' accurately and concisely describes the main change: introducing a new sprint-report workflow with a structured startup prompt for efficient agentic interaction.
Description check	✅ Passed	The description explains the workflow configuration purpose, the startup prompt's role in gathering required context upfront, and its goal of enabling efficient single-turn report generation, which directly relates to the changeset content.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/sprint-report

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can scan for known vulnerabilities in your dependencies using OSV Scanner.

OSV Scanner will automatically detect and report security vulnerabilities in your project's dependencies. No additional configuration is required.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@workflows/sprint-report/FIELD_REFERENCE.md`:
- Around line 348-424: The "Complete Example" JSON contains unsupported fields
(hooks, environment, settings, metadata, and other non-processed entries) that
will produce non-functional configs; edit the example to remove those
unsupported keys and retain only the supported top-level fields (e.g., keep
"name", "description", "systemPrompt", "startupPrompt", and "results") so the
example becomes a minimal working configuration—locate the block labeled
"Complete Example" and update the JSON accordingly by deleting "hooks",
"environment", "settings", "metadata" (and any other non-processed entries)
while preserving "systemPrompt"/"startupPrompt"/"results" entries as shown.
- Around line 76-345: The FIELD_REFERENCE.md optional-fields section lists
fields (version, author, repository, tags, icon, displayName, license,
dependencies, environment, hooks, settings, metadata) that the platform does not
implement; update the document to avoid misleading users by either removing
these undocumented fields or clearly annotating each as "not implemented /
reserved for future use" (preferably add a one-line note next to each field
header and a short paragraph at the top of the Optional Fields section
referencing the canonical schema and the platform's implemented list: name,
description, systemPrompt, startupPrompt, results); ensure the wording mentions
the canonical schema behavior "Extra fields are ignored" and keep the results
field documentation unchanged.

In `@workflows/sprint-report/README.md`:
- Line 420: Update the "**Last Updated**: 2025-11-13" line in the README to the
actual modification date for this change (e.g., the PR date or today's date) so
the header reflects the current state; locate the literal "**Last Updated**:
2025-11-13" string and replace the date portion with the correct ISO date.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b06bb2df-be35-4579-bd68-be2d62db3a4b

📥 Commits

Reviewing files that changed from the base of the PR and between 583f127 and cc7c1ce.

📒 Files selected for processing (12)

• workflows/sprint-report/.ambient/ambient.json
• workflows/sprint-report/.claude/agents/example-architect.md
• workflows/sprint-report/.claude/agents/example-engineer.md
• workflows/sprint-report/.claude/agents/example-product-manager.md
• workflows/sprint-report/.claude/commands/analyze.md
• workflows/sprint-report/.claude/commands/execute.md
• workflows/sprint-report/.claude/commands/init.md
• workflows/sprint-report/.claude/commands/plan.md
• workflows/sprint-report/.claude/commands/verify.md
• workflows/sprint-report/FIELD_REFERENCE.md
• workflows/sprint-report/README.md
• workflows/sprint-report/SPRINT ANALYZER.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify which fields the platform actually uses from ambient.json

echo "=== Checking platform adapter for ambient.json field usage ==="
rg -n "ambient" --type py -C5 | head -100

echo ""
echo "=== Searching for any usage of hooks, environment, settings, metadata fields ==="
rg -n "(hooks|environment|settings|metadata)" --type py -C3 | grep -i ambient || echo "No usage found"

Repository: ambient-code/workflows

Length of output: 540

---

🏁 Script executed:

#!/bin/bash
# Explore repository structure
echo "=== Repository structure ==="
ls -la
echo ""
echo "=== Find FIELD_REFERENCE.md and AMBIENT_JSON_SCHEMA.md ==="
find . -name "*FIELD_REFERENCE*" -o -name "*AMBIENT_JSON_SCHEMA*" -o -name "*.md" | head -20

Repository: ambient-code/workflows

Length of output: 1963

---

🏁 Script executed:

#!/bin/bash
echo "=== Search for FIELD_REFERENCE.md ==="
find ./workflows -name "*FIELD_REFERENCE*"

echo ""
echo "=== List contents of workflows/sprint-report ==="
ls -la ./workflows/sprint-report/ 2>/dev/null || echo "Directory not found"

echo ""
echo "=== List all directories in workflows ==="
ls -la ./workflows/

Repository: ambient-code/workflows

Length of output: 1421

---

🏁 Script executed:

#!/bin/bash
echo "=== Check size of AMBIENT_JSON_SCHEMA.md ==="
wc -l ./AMBIENT_JSON_SCHEMA.md

echo ""
echo "=== Read AMBIENT_JSON_SCHEMA.md ==="
cat -n ./AMBIENT_JSON_SCHEMA.md

echo ""
echo "=== Check size of FIELD_REFERENCE.md ==="
wc -l ./workflows/sprint-report/FIELD_REFERENCE.md

Repository: ambient-code/workflows

Length of output: 15971

---

🏁 Script executed:

#!/bin/bash
echo "=== Read FIELD_REFERENCE.md (lines 76-345 as mentioned in review) ==="
sed -n '76,345p' ./workflows/sprint-report/FIELD_REFERENCE.md | cat -n

echo ""
echo "=== Full file to count all fields ==="
wc -l ./workflows/sprint-report/FIELD_REFERENCE.md
cat -n ./workflows/sprint-report/FIELD_REFERENCE.md

Repository: ambient-code/workflows

Length of output: 22370

---

Documentation describes 12 fields the platform does not implement.

FIELD_REFERENCE.md documents optional fields (version, author, repository, tags, icon, displayName, license, dependencies, environment, hooks, settings, metadata) that are not part of the canonical schema in AMBIENT_JSON_SCHEMA.md. The platform only implements 5 fields: name, description, systemPrompt, startupPrompt, and results. According to AMBIENT_JSON_SCHEMA.md (line 264), "Extra fields are ignored"—these undocumented fields will be silently ignored by the platform, misleading workflow authors into configuring non-functional features.

Recommendations:

1. Remove undocumented fields from FIELD_REFERENCE.md, or
2. Clearly mark them as "reserved for future use" / "not yet implemented", or
3. Implement platform support for these fields first

🧰 Tools

🪛 markdownlint-cli2 (0.21.0)

[warning] 78-78: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 86-86: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 94-94: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 105-105: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 112-112: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 118-118: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 122-122: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 127-127: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 137-137: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 141-141: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 146-146: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 156-156: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 163-163: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 179-179: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 186-186: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 205-205: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 212-212: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 218-218: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 225-225: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 234-234: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 238-238: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 247-247: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 253-253: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 260-260: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 271-271: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 285-285: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 297-297: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 304-304: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

[warning] 318-318: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

[warning] 325-325: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workflows/sprint-report/FIELD_REFERENCE.md` around lines 76 - 345, The
FIELD_REFERENCE.md optional-fields section lists fields (version, author,
repository, tags, icon, displayName, license, dependencies, environment, hooks,
settings, metadata) that the platform does not implement; update the document to
avoid misleading users by either removing these undocumented fields or clearly
annotating each as "not implemented / reserved for future use" (preferably add a
one-line note next to each field header and a short paragraph at the top of the
Optional Fields section referencing the canonical schema and the platform's
implemented list: name, description, systemPrompt, startupPrompt, results);
ensure the wording mentions the canonical schema behavior "Extra fields are
ignored" and keep the results field documentation unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Complete example includes unsupported fields.

The "Complete Example" section (lines 350-424) demonstrates a full configuration using fields like hooks, environment, settings, and metadata that the platform does not process. Users copying this example will have non-functional configuration.

Consider simplifying the complete example to only include fields that actually work:

Suggested minimal working example

-## Complete Example
+## Complete Example (Supported Fields Only)

 ```json
 {
   "name": "Feature Development Workflow",
   "description": "End-to-end workflow for planning, implementing, and deploying new features with comprehensive testing and documentation.",
-  "version": "2.1.0",
-  "icon": "🚀",
-  "displayName": "🚀 Feature Development",

   "systemPrompt": "You are a feature development assistant specializing in spec-driven development. Follow these phases: 1) Specify requirements, 2) Design solution, 3) Implement with tests, 4) Review and deploy. Use /specify, /design, /implement, /review, /deploy commands. Create artifacts in artifacts/ directory.",

   "startupPrompt": "Welcome to Feature Development Workflow! I'll guide you through:\n1. Requirements specification\n2. Solution design\n3. Implementation with tests\n4. Code review\n5. Deployment\n\nRun /specify [feature-description] to begin.",

   "results": {
     "Requirements": "artifacts/specs/**/*.md",
     "Design Docs": "artifacts/design/**/*.md",
     "Implementation": "artifacts/implementation/**/*",
     "Tests": "artifacts/tests/**/*.test.ts",
     "Documentation": "artifacts/docs/**/*.md"
-  },
-
-  "author": {...},
-  "repository": {...},
-  "tags": [...],
-  "license": "MIT",
-  "dependencies": {...},
-  "environment": {...},
-  "hooks": {...},
-  "settings": {...},
-  "metadata": {...}
+  }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workflows/sprint-report/FIELD_REFERENCE.md` around lines 348 - 424, The
"Complete Example" JSON contains unsupported fields (hooks, environment,
settings, metadata, and other non-processed entries) that will produce
non-functional configs; edit the example to remove those unsupported keys and
retain only the supported top-level fields (e.g., keep "name", "description",
"systemPrompt", "startupPrompt", and "results") so the example becomes a minimal
working configuration—locate the block labeled "Complete Example" and update the
JSON accordingly by deleting "hooks", "environment", "settings", "metadata" (and
any other non-processed entries) while preserving
"systemPrompt"/"startupPrompt"/"results" entries as shown.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Update the "Last Updated" date.

The date shows 2025-11-13, which predates the PR creation by several months. Consider updating this to reflect the actual last modification date.

📅 Proposed fix

-**Last Updated**: 2025-11-13
+**Last Updated**: 2026-03-11

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	**Last Updated**: 2025-11-13
	**Last Updated**: 2026-03-11

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workflows/sprint-report/README.md` at line 420, Update the "**Last Updated**:
2025-11-13" line in the README to the actual modification date for this change
(e.g., the PR date or today's date) so the header reflects the current state;
locate the literal "**Last Updated**: 2025-11-13" string and replace the date
portion with the correct ISO date.

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@workflows/sprint-report/.ambient/ambient.json`:
- Line 4: The template interpolation currently injects Jira-sourced fields
directly into templates (placeholders like {{TEAM_NAME}},
{{DELIVERY_RATE_VALUE}}, and repeating placeholders for issue summaries,
descriptions, assignee names, comments in templates/report.html) which allows
XSS; update the template-rendering/interpolation routine to HTML-escape all
untrusted text fields (escape &, <, >, " and ') before replacing placeholders
and only permit raw HTML for explicitly fixed-format internal values (e.g.,
CSS/JS snippets or controlled KPI numbers). Locate and change the code that
performs placeholder replacement (the template interpolation / render function
used for templates/report.html and any code that maps Jira CSV/query fields to
those placeholders) so every Jira-derived string is run through an HTML-escape
utility before insertion; ensure repeated components (issue rows/cards) also use
the escaped values.

In `@workflows/sprint-report/templates/report.html`:
- Around line 815-817: Update the health-rating thresholds in the report
template so the displayed ranges match the scoring spec: replace the current
"HEALTHY (0–2)", "MODERATE RISK (3–5)", and "HIGH RISK (6+)" labels with
"HEALTHY (0–3)", "MODERATE RISK (4–6)", and "HIGH RISK (7–10)" respectively in
the template lines that contain the literal strings "HEALTHY", "MODERATE RISK",
and "HIGH RISK".
- Line 1217: The anchor tag rendering the issue link (<a href="{{ITEM_URL}}"
target="_blank" class="issue-key">{{ITEM_KEY}}</a>) must include rel="noopener
noreferrer" to prevent tabnabbing; update that anchor in both report templates
so it becomes <a ... target="_blank" rel="noopener noreferrer" ...> (preserve
ITEM_URL, ITEM_KEY and class="issue-key") ensuring both occurrences are changed.
- Around line 1243-1256: The toggleKpiDetail function can throw a TypeError
because card (from document.querySelector('[data-kpi="' + kpiId + '"]')) may be
null for certain kpiId values like "health-rating"; update toggleKpiDetail to
null-check both panel and card before using classList: if panel is missing, do
nothing (or return); when removing/adding classes, only call classList methods
if the element exists; specifically guard before calling
panel.classList.contains, panel.classList.add, and card.classList.add to prevent
null dereference.
- Line 238: Replace undefined CSS custom properties --bg-card and --text-primary
with the existing defined tokens to fix invalid declarations: change occurrences
of var(--bg-card) to an appropriate defined background token (e.g., var(--bg) or
var(--bg-alt) depending on intended contrast) and change var(--text-primary) to
one of the defined text tokens (e.g., var(--text) or var(--text-secondary));
update the background and color declarations in the template where these
variables are used so they reference --bg | --bg-alt and --text |
--text-secondary | --text-muted consistently.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 76967547-bee3-4645-89a4-fc383362dab2

📥 Commits

Reviewing files that changed from the base of the PR and between cc7c1ce and 3d05e78.

📒 Files selected for processing (2)

• workflows/sprint-report/.ambient/ambient.json
• workflows/sprint-report/templates/report.html

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and get its location
find . -name "ambient.json" -path "*/sprint-report/*" 2>/dev/null | head -20

Repository: ambient-code/workflows

Length of output: 113

---

🏁 Script executed:

# Check for template files
find . -name "report.html" -o -name "*template*" | head -20

Repository: ambient-code/workflows

Length of output: 1018

---

🏁 Script executed:

# Check the overall structure of the sprint-report workflow
ls -la workflows/sprint-report/ 2>/dev/null || echo "Directory not found"

Repository: ambient-code/workflows

Length of output: 492

---

🏁 Script executed:

# Read the ambient.json file
cat -n workflows/sprint-report/.ambient/ambient.json

Repository: ambient-code/workflows

Length of output: 7486

---

🏁 Script executed:

# Read the template file to see how placeholders are used
cat -n workflows/sprint-report/templates/report.html | head -100

Repository: ambient-code/workflows

Length of output: 2874

---

🏁 Script executed:

# Continue reading the template to see how placeholders are used
cat -n workflows/sprint-report/templates/report.html | sed -n '100,200p'

Repository: ambient-code/workflows

Length of output: 2976

---

🏁 Script executed:

# Search for all placeholder patterns in the template
grep -n "{{" workflows/sprint-report/templates/report.html | head -40

Repository: ambient-code/workflows

Length of output: 3488

---

🏁 Script executed:

# Check if there's any escaping logic or mention of HTML escaping in the template
grep -i "escap\|sanitiz\|html" workflows/sprint-report/templates/report.html | head -20

Repository: ambient-code/workflows

Length of output: 106

---

🏁 Script executed:

# Check if there are any other instructional files or examples
find workflows/sprint-report -type f | xargs ls -la

Repository: ambient-code/workflows

Length of output: 1272

---

🏁 Script executed:

# Check the README to see if there's security guidance
cat workflows/sprint-report/README.md | head -100

Repository: ambient-code/workflows

Length of output: 3432

---

🏁 Script executed:

# Get a broader view of the template to see data field examples
grep -A2 "{{TEAM_NAME}}\|{{HEALTH_RATING}}\|{{DELIVERY_RATE" workflows/sprint-report/templates/report.html | head -30

Repository: ambient-code/workflows

Length of output: 970

---

Add mandatory HTML escaping for Jira-sourced data before template interpolation.

The systemPrompt instructs the agent to replace all {{PLACEHOLDER}} markers with values from Jira sprint data (summaries, descriptions, assignee names, comments). Currently, no escaping guidance exists. This allows XSS injection—malicious markup in Jira fields will execute when reports are opened or shared.

Require that untrusted text fields ({{TEAM_NAME}}, {{DELIVERY_RATE_VALUE}}, issue summaries, descriptions, assignee names, comments, etc.) are HTML-escaped (&, <, >, ", ') before interpolation. Only allow raw HTML for explicitly fixed-format internal values.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workflows/sprint-report/.ambient/ambient.json` at line 4, The template
interpolation currently injects Jira-sourced fields directly into templates
(placeholders like {{TEAM_NAME}}, {{DELIVERY_RATE_VALUE}}, and repeating
placeholders for issue summaries, descriptions, assignee names, comments in
templates/report.html) which allows XSS; update the
template-rendering/interpolation routine to HTML-escape all untrusted text
fields (escape &, <, >, " and ') before replacing placeholders and only permit
raw HTML for explicitly fixed-format internal values (e.g., CSS/JS snippets or
controlled KPI numbers). Locate and change the code that performs placeholder
replacement (the template interpolation / render function used for
templates/report.html and any code that maps Jira CSV/query fields to those
placeholders) so every Jira-derived string is run through an HTML-escape utility
before insertion; ensure repeated components (issue rows/cards) also use the
escaped values.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cat -n workflows/sprint-report/templates/report.html | sed -n '230,270p'

Repository: ambient-code/workflows

Length of output: 1392

---

🏁 Script executed:

rg '(--bg-card|--text-primary|--bg\b|--text\b)' --type css --type html --type js

Repository: ambient-code/workflows

Length of output: 4023

---

Replace undefined CSS custom properties with defined ones.

var(--bg-card) and var(--text-primary) are not defined; only --bg, --bg-alt, --text, --text-secondary, and --text-muted exist. This causes invalid declarations and styling inconsistency.

Proposed fix

-    background: var(--bg-card);
+    background: var(--bg);
@@
-    color: var(--text-primary);
+    color: var(--text);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workflows/sprint-report/templates/report.html` at line 238, Replace undefined
CSS custom properties --bg-card and --text-primary with the existing defined
tokens to fix invalid declarations: change occurrences of var(--bg-card) to an
appropriate defined background token (e.g., var(--bg) or var(--bg-alt) depending
on intended contrast) and change var(--text-primary) to one of the defined text
tokens (e.g., var(--text) or var(--text-secondary)); update the background and
color declarations in the template where these variables are used so they
reference --bg | --bg-alt and --text | --text-secondary | --text-muted
consistently.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's find and read the template file
find . -name "report.html" -path "*/sprint-report/*" | head -5

Repository: ambient-code/workflows

Length of output: 113

---

🏁 Script executed:

# Find the ambient.json file
find . -name "ambient.json" -path "*/sprint-report/*" | head -5

Repository: ambient-code/workflows

Length of output: 113

---

🏁 Script executed:

# Read lines around 815-817 from report.html
sed -n '810,820p' ./workflows/sprint-report/templates/report.html

Repository: ambient-code/workflows

Length of output: 862

---

🏁 Script executed:

# Read ambient.json to find health threshold definitions
cat ./workflows/sprint-report/.ambient/ambient.json

Repository: ambient-code/workflows

Length of output: 7416

---

Align health-rating thresholds with workflow scoring spec.

The template displays HEALTHY (0–2), MODERATE RISK (3–5), HIGH RISK (6+), but the scoring specification in workflows/sprint-report/.ambient/ambient.json defines 0–3, 4–6, 7–10. Update the thresholds in the template to match the spec.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workflows/sprint-report/templates/report.html` around lines 815 - 817, Update
the health-rating thresholds in the report template so the displayed ranges
match the scoring spec: replace the current "HEALTHY (0–2)", "MODERATE RISK
(3–5)", and "HIGH RISK (6+)" labels with "HEALTHY (0–3)", "MODERATE RISK (4–6)",
and "HIGH RISK (7–10)" respectively in the template lines that contain the
literal strings "HEALTHY", "MODERATE RISK", and "HIGH RISK".

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, verify the file exists and check the line in question
if [ -f "workflows/sprint-report/templates/report.html" ]; then
    echo "=== File exists ==="
    # Get context around line 1217
    sed -n '1210,1225p' "workflows/sprint-report/templates/report.html" | cat -n
else
    echo "File not found at specified path"
    # Try to find it
    find . -name "report.html" -type f
fi

Repository: ambient-code/workflows

Length of output: 1089

---

🏁 Script executed:

# Search for all target="_blank" occurrences in the report.html file to identify instances without rel
rg 'target="_blank"' "workflows/sprint-report/templates/report.html" -n

Repository: ambient-code/workflows

Length of output: 163

---

🏁 Script executed:

# Search for target="_blank" links across the entire codebase to understand scope
rg 'target="_blank"' --type html -c

Repository: ambient-code/workflows

Length of output: 154

---

🏁 Script executed:

# Check for target="_blank" links in the triage report template to see if they have rel attributes
rg 'target="_blank"' "workflows/triage/templates/report.html" -n -A 0 -B 0

Repository: ambient-code/workflows

Length of output: 169

---

🏁 Script executed:

# Search for target="_blank" links across all HTML/template files and check which ones lack rel attributes
rg 'target="_blank"' --type html -n | grep -v 'rel=' | head -20

Repository: ambient-code/workflows

Length of output: 352

---

🏁 Script executed:

# Get line count of both report.html files to understand their scope
wc -l "workflows/sprint-report/templates/report.html" "workflows/triage/templates/report.html"

Repository: ambient-code/workflows

Length of output: 174

---

Add rel to target="_blank" links.

The template links opening in new tabs must include rel="noopener noreferrer" to prevent opener-based tabnabbing attacks.

Update both occurrences:

• workflows/sprint-report/templates/report.html line 1217
• workflows/triage/templates/report.html line 529

Example fix for sprint-report

-<td><a href="{{ITEM_URL}}" target="_blank" class="issue-key">{{ITEM_KEY}}</a></td>
+<td><a href="{{ITEM_URL}}" target="_blank" rel="noopener noreferrer" class="issue-key">{{ITEM_KEY}}</a></td>

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<td><a href="{{ITEM_URL}}" target="_blank" class="issue-key">{{ITEM_KEY}}</a></td>
	<td><a href="{{ITEM_URL}}" target="_blank" rel="noopener noreferrer" class="issue-key">{{ITEM_KEY}}</a></td>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workflows/sprint-report/templates/report.html` at line 1217, The anchor tag
rendering the issue link (<a href="{{ITEM_URL}}" target="_blank"
class="issue-key">{{ITEM_KEY}}</a>) must include rel="noopener noreferrer" to
prevent tabnabbing; update that anchor in both report templates so it becomes <a
... target="_blank" rel="noopener noreferrer" ...> (preserve ITEM_URL, ITEM_KEY
and class="issue-key") ensuring both occurrences are changed.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Read the specific lines mentioned in the review
sed -n '1243,1256p' workflows/sprint-report/templates/report.html

Repository: ambient-code/workflows

Length of output: 603

---

🏁 Script executed:

# Search for KPI card elements with data-kpi attributes
rg 'data-kpi=' workflows/sprint-report/templates/report.html -A 1 -B 1

Repository: ambient-code/workflows

Length of output: 1612

---

🏁 Script executed:

# Search for all toggleKpiDetail calls to see which KPI IDs are referenced
rg 'toggleKpiDetail' workflows/sprint-report/templates/report.html

Repository: ambient-code/workflows

Length of output: 947

---

🏁 Script executed:

# Search for detail panel elements to see which exist
rg 'kpi-detail' workflows/sprint-report/templates/report.html | grep -i 'id='

Repository: ambient-code/workflows

Length of output: 453

---

Prevent null dereference in toggleKpiDetail — health-rating card is missing.

The function is called with 'health-rating' but the corresponding KPI card element with data-kpi="health-rating" does not exist. This causes card to be null on line 1255, throwing a TypeError when attempting card.classList.add('selected').

Proposed fix

 function toggleKpiDetail(kpiId) {
   var panel = document.getElementById('kpi-detail-' + kpiId);
   var card = document.querySelector('[data-kpi="' + kpiId + '"]');
+  if (!panel) return;
   var wasActive = panel.classList.contains('active');
@@
   if (!wasActive) {
     panel.classList.add('active');
-    card.classList.add('selected');
+    if (card) card.classList.add('selected');
   }
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function toggleKpiDetail(kpiId) {
	var panel = document.getElementById('kpi-detail-' + kpiId);
	var card = document.querySelector('[data-kpi="' + kpiId + '"]');
	var wasActive = panel.classList.contains('active');
	document.querySelectorAll('.kpi-detail.active').forEach(function(p) {
	p.classList.remove('active');
	});
	document.querySelectorAll('.kpi-card.selected').forEach(function(c) {
	c.classList.remove('selected');
	});
	if (!wasActive) {
	panel.classList.add('active');
	card.classList.add('selected');
	}
	function toggleKpiDetail(kpiId) {
	var panel = document.getElementById('kpi-detail-' + kpiId);
	var card = document.querySelector('[data-kpi="' + kpiId + '"]');
	if (!panel) return;
	var wasActive = panel.classList.contains('active');
	document.querySelectorAll('.kpi-detail.active').forEach(function(p) {
	p.classList.remove('active');
	});
	document.querySelectorAll('.kpi-card.selected').forEach(function(c) {
	c.classList.remove('selected');
	});
	if (!wasActive) {
	panel.classList.add('active');
	if (card) card.classList.add('selected');
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workflows/sprint-report/templates/report.html` around lines 1243 - 1256, The
toggleKpiDetail function can throw a TypeError because card (from
document.querySelector('[data-kpi="' + kpiId + '"]')) may be null for certain
kpiId values like "health-rating"; update toggleKpiDetail to null-check both
panel and card before using classList: if panel is missing, do nothing (or
return); when removing/adding classes, only call classList methods if the
element exists; specifically guard before calling panel.classList.contains,
panel.classList.add, and card.classList.add to prevent null dereference.