wip: chore: Integrate custom cr-agent

.cr-agent/config.yaml

@@ -0,0 +1,9 @@
+# Per-SDK overrides for cr-agent's review filtering. Any key here overrides the
+# toolkit default (tools/cr-agent/defaults.yaml); omitted keys are inherited.
+#
+# Per severity: minimum confidence (1–5) a finding must reach to be published,
+# or `off` to drop the whole severity. `max_comments` caps the published count.
+filtering:
+  major: { min_confidence: 3 }
+  minor: { min_confidence: 5 }
+  max_comments: 8

.cr-agent/prompt.md

@@ -0,0 +1 @@
+This is the dd-sdk-ios repository. Pay attention to Swift-specific concerns: ARC ownership, Swift concurrency, and main-thread requirements for UIKit code.

.cr-agent/run.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# -----------------------------------------------------------
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019-Present Datadog, Inc.
+# -----------------------------------------------------------
+#
+# Entry point for the `Code Review` CI job.
+# Clones rum-ai-toolkit over HTTPS using a short-lived dd-octo-sts token,
+# mints a second dd-octo-sts token for posting PR comments, then hands off
+# to the toolkit's `review.sh` which runs the `cr-agent`.
+
+set -eo pipefail
+
+# TODO: switch toolkit ref to `main` before merging to develop.
+TOOLKIT_REF="ncreated/feat/cr-agent"
+TOOLKIT_DIR="$CI_PROJECT_DIR/.rum-ai-toolkit"
+
+echo "▸ Minting rum-ai-toolkit clone token via dd-octo-sts..."
+TOOLKIT_TOKEN=$(dd-octo-sts --disable-tracing token \
+    --scope DataDog/rum-ai-toolkit --policy dd-sdk-ios.gitlab.clone)
+
+echo "▸ Cloning rum-ai-toolkit ($TOOLKIT_REF)..."
+git clone --depth 1 --branch "$TOOLKIT_REF" \
+    "https://x-access-token:${TOOLKIT_TOKEN}@github.com/DataDog/rum-ai-toolkit.git" "$TOOLKIT_DIR"
+
+# Clone token no longer needed after clone; revoke it explicitly (least privilege).
+dd-octo-sts --disable-tracing revoke -t "$TOOLKIT_TOKEN"
+
+echo "▸ Installing cr-agent venv..."
+make -C "$TOOLKIT_DIR/tools/cr-agent" install
+
+echo "▸ Minting GitHub token via dd-octo-sts (policy: self.cr-agent)..."
+GITHUB_TOKEN=$(dd-octo-sts --disable-tracing token --scope DataDog/dd-sdk-ios --policy self.cr-agent)
+export GITHUB_TOKEN
+trap 'dd-octo-sts --disable-tracing revoke -t "$GITHUB_TOKEN"' EXIT
+
+echo "▸ Handing off to review.sh..."
+exec "$TOOLKIT_DIR/tools/cr-agent/review.sh"

.gitignore

@@ -30,3 +30,7 @@ artifacts/
 
 # GSD planning files (local only)
 .planning/
+
+# RUM AI Toolkit:
+.rum-ai-toolkit/
+.cr-agent/sessions/

.gitlab-ci.yml

@@ -121,14 +121,29 @@ Build Dependencies:
 
 Lint:
   stage: lint
-  rules: 
+  rules:
     - !reference [.test-pipeline-job, rules]
     - !reference [.benchmark-pipeline-job, rules]
   script:
     - make clean repo-setup ENV=ci
     - make lint license-check
     - make rum-models-verify sr-models-verify
 
+Code Review:
+  stage: lint
+  allow_failure: true
+  rules:
+    - if: '$CI_COMMIT_BRANCH != $DEVELOP_BRANCH && $CI_COMMIT_BRANCH != $MAIN_BRANCH'
+  id_tokens:
+    <<: *dd-octo-sts-id-token
+  artifacts:
+    paths:
+      - .cr-agent/sessions/
+    when: always
+    expire_in: 1 week
+  script:
+    - ./.cr-agent/run.sh
+
 API Surface Verify:
   stage: lint
   rules: