feat: add CodeRabbit integration for AI-powered code review

Full-stack integration following the Jira pattern and PR #1307 conventions.
Implements infrastructure for ADR-0008 (automated inner-loop review).

Backend (Go):
- Auth handlers: connect, status, disconnect, test (K8s Secret storage)
- API key validation against CodeRabbit health API with error differentiation
  (401/403 = invalid key, 5xx = upstream error)
- Runtime credential endpoint with RBAC for session pods
- Unified integrations status includes CodeRabbit
- 16 Ginkgo tests

Frontend (Next.js + React):
- Informational-first connection card: public repos free via GitHub App,
  API key collapsed under "Private repository access" with billing warning
- API client layer + React Query hooks with dual cache invalidation
- 4 Next.js proxy routes
- Wired into IntegrationsClient grid and session integrations panel

Runner (Python):
- fetch_coderabbit_credentials via shared _fetch_credential helper
- CODERABBIT_API_KEY injected into session env via asyncio.gather
- Cleared on turn completion

Pre-commit hook:
- Runs coderabbit review --agent on staged changes
- Supports both CODERABBIT_API_KEY env and cr auth login session
- CLI reads env var directly (no --api-key in process listing)
- Skips gracefully when CLI/auth/changes unavailable

CI + Testing:
- GHA smoke test: validates config, runs live review, tests hook behavior
  (actions pinned to SHAs, permissions scoped)
- Integration test script: 9/9 passing against dev cluster

Docs:
- Starlight guide: public vs private repos, local dev, session flow
- ADR-0008: automated code reviews via inner-loop + Mergify
- PR #1307 impact analysis

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Ambient Code Bot

.github/workflows/coderabbit-smoke-test.yml

@@ -0,0 +1,129 @@
+name: CodeRabbit Integration Smoke Test
+
+# Validates the CodeRabbit integration works end-to-end:
+# - CLI installs and authenticates
+# - Can review files against the real CodeRabbit API
+# - Config file (.coderabbit.yaml) is valid
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - '.coderabbit.yaml'
+      - 'components/backend/handlers/coderabbit_auth.go'
+      - 'components/backend/handlers/integration_validation.go'
+      - 'components/frontend/src/components/coderabbit-connection-card.tsx'
+      - 'components/runners/ambient-runner/ambient_runner/platform/auth.py'
+      - 'scripts/pre-commit/coderabbit-review.sh'
+      - '.github/workflows/coderabbit-smoke-test.yml'
+
+  workflow_dispatch:
+
+  schedule:
+    - cron: '0 6 * * 1' # Weekly Monday 6am UTC
+
+permissions:
+  contents: read
+
+concurrency:
+  group: coderabbit-smoke-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  smoke-test:
+    name: CodeRabbit Smoke Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        with:
+          node-version: '20'
+
+      - name: Install CodeRabbit CLI
+        run: npm install -g coderabbit
+
+      - name: Verify CLI installed
+        run: |
+          coderabbit --version
+          echo "CLI binary: $(which coderabbit)"
+
+      - name: Validate .coderabbit.yaml schema
+        run: |
+          echo "=== Validating .coderabbit.yaml ==="
+          python3 -c "
+          import yaml, sys
+          with open('.coderabbit.yaml') as f:
+              config = yaml.safe_load(f)
+          assert 'reviews' in config, 'Missing reviews section'
+          assert 'language' in config, 'Missing language field'
+          print(f'Config valid: {len(config)} top-level keys')
+          print(f'Reviews profile: {config[\"reviews\"].get(\"profile\", \"not set\")}')
+          print(f'Auto review: {config[\"reviews\"].get(\"auto_review\", {}).get(\"enabled\", False)}')
+          print(f'Tools configured: {len(config[\"reviews\"].get(\"tools\", {}))}')
+          "
+          echo "PASSED: .coderabbit.yaml is valid"
+
+      - name: Run CodeRabbit review on config file
+        env:
+          CODERABBIT_API_KEY: ${{ secrets.CODERABBIT_API_KEY }}
+        run: |
+          echo "=== Running CodeRabbit review against real API ==="
+
+          # Skip if no API key (fork PRs, missing secret)
+          if [ -z "$CODERABBIT_API_KEY" ]; then
+            echo "CODERABBIT_API_KEY not set - skipping live review"
+            echo "This is expected for fork PRs or when the secret is not configured"
+            exit 0
+          fi
+
+          # Review the config file itself using agent mode for structured output
+          EXIT_CODE=0
+          OUTPUT=$(coderabbit review \
+            --agent \
+            --files .coderabbit.yaml \
+            --api-key "$CODERABBIT_API_KEY" \
+            2>&1) || EXIT_CODE=$?
+
+          echo "$OUTPUT"
+
+          # Auth errors are fatal
+          if echo "$OUTPUT" | grep -qiE "unauthorized|forbidden|invalid.*key"; then
+            echo "FAILED: CodeRabbit API key appears invalid"
+            exit 1
+          fi
+
+          # Non-zero exit from CLI is a real failure
+          if [ "$EXIT_CODE" -ne 0 ]; then
+            echo "FAILED: coderabbit review exited $EXIT_CODE"
+            exit 1
+          fi
+
+          echo "PASSED: CodeRabbit API responded successfully"
+
+      - name: Verify pre-commit hook skips gracefully
+        run: |
+          echo "=== Testing pre-commit hook graceful skip ==="
+          unset CODERABBIT_API_KEY
+
+          chmod +x scripts/pre-commit/coderabbit-review.sh
+          OUTPUT=$(scripts/pre-commit/coderabbit-review.sh 2>&1)
+          EXIT_CODE=$?
+
+          echo "$OUTPUT"
+
+          if [ "$EXIT_CODE" -ne 0 ]; then
+            echo "FAILED: Hook should exit 0 when skipping"
+            exit 1
+          fi
+
+          if ! echo "$OUTPUT" | grep -qiE "not found|not set|skipping"; then
+            echo "FAILED: Hook should print a skip message"
+            exit 1
+          fi
+
+          echo "PASSED: Pre-commit hook skips gracefully"

.pre-commit-config.yaml

@@ -63,6 +63,17 @@ repos:
         files: ^components/frontend/.*\.(ts|tsx|js|jsx)$
         pass_filenames: true
 
+  # ── CodeRabbit review ──────────────────────────────────────────────────
+  - repo: local
+    hooks:
+      - id: coderabbit-review
+        name: coderabbit review
+        entry: scripts/pre-commit/coderabbit-review.sh
+        language: script
+        always_run: true
+        pass_filenames: false
+        stages: [pre-commit]
+
   # ── Branch protection ────────────────────────────────────────────────
   - repo: local
     hooks: