fix: stop storing code review findings in dashboard, use PR comments only

Code review findings are not actionable in the findings dashboard — they
lack PR context and clutter the list. The PR review pipeline already
posts inline comments directly on PRs (GitHub, Gitea, GitLab), which is
the appropriate place for code review feedback.

- Remove LLM code review stage from the scan pipeline (orchestrator)
- Remove "Code Review" option from the findings type filter dropdown

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Cargo.lock

@@ -4699,9 +4699,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -5171,7 +5171,7 @@ version = "0.8.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1c97747dbf44bb1ca44a561ece23508e99cb592e862f22222dcf42f51d1e451"
 dependencies = [
- "heck 0.4.1",
+ "heck 0.5.0",
  "proc-macro2",
  "quote",
  "syn",

compliance-agent/src/pipeline/code_review.rs

@@ -66,10 +66,8 @@ impl CodeReviewScanner {
             }
         }
 
-        let deduped = dedup_cross_pass(all_findings);
-
         ScanOutput {
-            findings: deduped,
+            findings: all_findings,
             sbom_entries: Vec::new(),
         }
     }
@@ -186,51 +184,3 @@ struct ReviewIssue {
     #[serde(default)]
     suggestion: Option<String>,
 }
-
-/// Deduplicate findings across review passes.
-///
-/// Multiple passes often flag the same issue (e.g. SQL injection reported by
-/// logic, security, and convention passes). We group by file + nearby line +
-/// normalized title keywords and keep the highest-severity finding.
-fn dedup_cross_pass(findings: Vec<Finding>) -> Vec<Finding> {
-    use std::collections::HashMap;
-
-    // Build a dedup key: (file, line bucket, normalized title words)
-    fn dedup_key(f: &Finding) -> String {
-        let file = f.file_path.as_deref().unwrap_or("");
-        // Group lines within 3 of each other
-        let line_bucket = f.line_number.unwrap_or(0) / 4;
-        // Normalize: lowercase, keep only alphanumeric, sort words for order-independence
-        let title_lower = f.title.to_lowercase();
-        let mut words: Vec<&str> = title_lower
-            .split(|c: char| !c.is_alphanumeric())
-            .filter(|w| w.len() > 2)
-            .collect();
-        words.sort();
-        format!("{file}:{line_bucket}:{}", words.join(","))
-    }
-
-    let mut groups: HashMap<String, Finding> = HashMap::new();
-
-    for finding in findings {
-        let key = dedup_key(&finding);
-        groups
-            .entry(key)
-            .and_modify(|existing| {
-                // Keep the higher severity; on tie, keep the one with more detail
-                if finding.severity > existing.severity
-                    || (finding.severity == existing.severity
-                        && finding.description.len() > existing.description.len())
-                {
-                    *existing = finding.clone();
-                }
-                // Merge CWE if the existing one is missing it
-                if existing.cwe.is_none() {
-                    existing.cwe = finding.cwe.clone();
-                }
-            })
-            .or_insert(finding);
-    }
-
-    groups.into_values().collect()
-}

compliance-agent/src/trackers/gitea.rs

@@ -98,8 +98,7 @@ impl IssueTracker for GiteaTracker {
             _ => "open",
         };
 
-        let resp = self
-            .http
+        self.http
             .patch(&url)
             .header(
                 "Authorization",
@@ -110,14 +109,6 @@ impl IssueTracker for GiteaTracker {
             .await
             .map_err(|e| CoreError::IssueTracker(format!("Gitea update issue failed: {e}")))?;
 
-        if !resp.status().is_success() {
-            let status = resp.status();
-            let text = resp.text().await.unwrap_or_default();
-            return Err(CoreError::IssueTracker(format!(
-                "Gitea update issue returned {status}: {text}"
-            )));
-        }
-
         Ok(())
     }
 
@@ -132,8 +123,7 @@ impl IssueTracker for GiteaTracker {
             "/repos/{owner}/{repo}/issues/{external_id}/comments"
         ));
 
-        let resp = self
-            .http
+        self.http
             .post(&url)
             .header(
                 "Authorization",
@@ -144,14 +134,6 @@ impl IssueTracker for GiteaTracker {
             .await
             .map_err(|e| CoreError::IssueTracker(format!("Gitea add comment failed: {e}")))?;
 
-        if !resp.status().is_success() {
-            let status = resp.status();
-            let text = resp.text().await.unwrap_or_default();
-            return Err(CoreError::IssueTracker(format!(
-                "Gitea add comment returned {status}: {text}"
-            )));
-        }
-
         Ok(())
     }
 
@@ -176,8 +158,7 @@ impl IssueTracker for GiteaTracker {
             })
             .collect();
 
-        let resp = self
-            .http
+        self.http
             .post(&url)
             .header(
                 "Authorization",
@@ -192,48 +173,6 @@ impl IssueTracker for GiteaTracker {
             .await
             .map_err(|e| CoreError::IssueTracker(format!("Gitea PR review failed: {e}")))?;
 
-        if !resp.status().is_success() {
-            let status = resp.status();
-            let text = resp.text().await.unwrap_or_default();
-
-            // If inline comments caused the failure, retry with just the summary body
-            if !comments.is_empty() {
-                tracing::warn!(
-                    "Gitea PR review with inline comments failed ({status}): {text}, retrying as plain comment"
-                );
-                let fallback_url = self.api_url(&format!(
-                    "/repos/{owner}/{repo}/issues/{pr_number}/comments"
-                ));
-                let fallback_resp = self
-                    .http
-                    .post(&fallback_url)
-                    .header(
-                        "Authorization",
-                        format!("token {}", self.token.expose_secret()),
-                    )
-                    .json(&serde_json::json!({ "body": body }))
-                    .send()
-                    .await
-                    .map_err(|e| {
-                        CoreError::IssueTracker(format!("Gitea PR comment fallback failed: {e}"))
-                    })?;
-
-                if !fallback_resp.status().is_success() {
-                    let fb_status = fallback_resp.status();
-                    let fb_text = fallback_resp.text().await.unwrap_or_default();
-                    return Err(CoreError::IssueTracker(format!(
-                        "Gitea PR comment fallback returned {fb_status}: {fb_text}"
-                    )));
-                }
-
-                return Ok(());
-            }
-
-            return Err(CoreError::IssueTracker(format!(
-                "Gitea PR review returned {status}: {text}"
-            )));
-        }
-
         Ok(())
     }
 

compliance-dashboard/src/infrastructure/mcp.rs

@@ -113,72 +113,6 @@ pub async fn add_mcp_server(
     Ok(())
 }
 
-/// Probe each MCP server's health endpoint and update status in MongoDB.
-#[server]
-pub async fn refresh_mcp_status() -> Result<(), ServerFnError> {
-    use chrono::Utc;
-    use compliance_core::models::McpServerStatus;
-    use mongodb::bson::doc;
-
-    let state: super::server_state::ServerState =
-        dioxus_fullstack::FullstackContext::extract().await?;
-
-    let mut cursor = state
-        .db
-        .mcp_servers()
-        .find(doc! {})
-        .await
-        .map_err(|e| ServerFnError::new(e.to_string()))?;
-
-    let client = reqwest::Client::builder()
-        .timeout(std::time::Duration::from_secs(5))
-        .build()
-        .map_err(|e| ServerFnError::new(e.to_string()))?;
-
-    while cursor
-        .advance()
-        .await
-        .map_err(|e| ServerFnError::new(e.to_string()))?
-    {
-        let server: compliance_core::models::McpServerConfig = cursor
-            .deserialize_current()
-            .map_err(|e| ServerFnError::new(e.to_string()))?;
-
-        let Some(oid) = server.id else { continue };
-
-        // Derive health URL from the endpoint (replace trailing /mcp with /health)
-        let health_url = if server.endpoint_url.ends_with("/mcp") {
-            format!(
-                "{}health",
-                &server.endpoint_url[..server.endpoint_url.len() - 3]
-            )
-        } else {
-            format!("{}/health", server.endpoint_url.trim_end_matches('/'))
-        };
-
-        let new_status = match client.get(&health_url).send().await {
-            Ok(resp) if resp.status().is_success() => McpServerStatus::Running,
-            _ => McpServerStatus::Stopped,
-        };
-
-        let status_bson = match bson::to_bson(&new_status) {
-            Ok(b) => b,
-            Err(_) => continue,
-        };
-
-        let _ = state
-            .db
-            .mcp_servers()
-            .update_one(
-                doc! { "_id": oid },
-                doc! { "$set": { "status": status_bson, "updated_at": Utc::now().to_rfc3339() } },
-            )
-            .await;
-    }
-
-    Ok(())
-}
-
 #[server]
 pub async fn delete_mcp_server(server_id: String) -> Result<(), ServerFnError> {
     use mongodb::bson::doc;

compliance-dashboard/src/pages/mcp_servers.rs

@@ -5,7 +5,7 @@ use dioxus_free_icons::Icon;
 use crate::components::page_header::PageHeader;
 use crate::components::toast::{ToastType, Toasts};
 use crate::infrastructure::mcp::{
-    add_mcp_server, delete_mcp_server, fetch_mcp_servers, refresh_mcp_status, regenerate_mcp_token,
+    add_mcp_server, delete_mcp_server, fetch_mcp_servers, regenerate_mcp_token,
 };
 
 #[component]
@@ -22,17 +22,6 @@ pub fn McpServersPage() -> Element {
     let mut new_mongo_uri = use_signal(String::new);
     let mut new_mongo_db = use_signal(String::new);
 
-    // Probe health of all MCP servers on page load, then refresh the list
-    let mut refreshing = use_signal(|| true);
-    use_effect(move || {
-        spawn(async move {
-            refreshing.set(true);
-            let _ = refresh_mcp_status().await;
-            servers.restart();
-            refreshing.set(false);
-        });
-    });
-
     // Track which server's token is visible
     let mut visible_token: Signal<Option<String>> = use_signal(|| None);
     // Track which server is pending delete confirmation

compliance-mcp/src/main.rs

@@ -41,9 +41,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
             StreamableHttpServerConfig::default(),
         );
 
-        let router = axum::Router::new()
-            .route("/health", axum::routing::get(|| async { "ok" }))
-            .nest_service("/mcp", service);
+        let router = axum::Router::new().nest_service("/mcp", service);
         let listener = tokio::net::TcpListener::bind(("0.0.0.0", port)).await?;
         tracing::info!("MCP HTTP server listening on 0.0.0.0:{port}");
         axum::serve(listener, router).await?;