gauthierdmn
diff --git a/‎app/AGENTS.md‎
Lines changed: 8 additions & 1 deletion b/‎app/AGENTS.md‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎app/nominal_code/commands/webhook/job.py‎
Lines changed: 2 additions & 3 deletions b/‎app/nominal_code/commands/webhook/job.py‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎app/nominal_code/commands/webhook/result.py‎
Lines changed: 22 additions & 0 deletions b/‎app/nominal_code/commands/webhook/result.py‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎app/nominal_code/commands/webhook/server.py‎
Lines changed: 30 additions & 23 deletions b/‎app/nominal_code/commands/webhook/server.py‎
Lines changed: 30 additions & 23 deletions
diff --git a/‎app/nominal_code/config/__init__.py‎
Lines changed: 8 additions & 8 deletions b/‎app/nominal_code/config/__init__.py‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎app/nominal_code/config/settings.py‎ ‎app/nominal_code/config/config.py‎app/nominal_code/config/settings.py renamed to app/nominal_code/config/config.py
Lines changed: 2 additions & 2 deletions b/‎app/nominal_code/config/settings.py‎ ‎app/nominal_code/config/config.py‎app/nominal_code/config/settings.py renamed to app/nominal_code/config/config.py
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/nominal_code/config/kubernetes.py‎
Lines changed: 0 additions & 11 deletions b/‎app/nominal_code/config/kubernetes.py‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎app/nominal_code/config/loader.py‎
Lines changed: 7 additions & 5 deletions b/‎app/nominal_code/config/loader.py‎
Lines changed: 7 additions & 5 deletions
@@ -5,6 +5,7 @@ AI-powered code review bot that monitors GitHub PRs and GitLab MRs. When a user
 ## Architecture
 
 - **Async-first** — built on aiohttp + asyncio; all I/O (HTTP, git, agent) is non-blocking.
+- **Two-layer config** — mutable `*Settings` models (`config/models.py`) parse YAML/env vars; `loader.py` transforms them into frozen `*Config` models (`config/config.py`, `config/kubernetes.py`) that application code consumes. See `docs/architecture.md` for details.
 - **Protocol-based platforms** — GitHub and GitLab implement the same `Platform` / `ReviewerPlatform` protocols, making it easy to add new providers.
 - **Per-PR job serialisation** — `JobQueue` protocol with two implementations (`AsyncioJobQueue` for in-process, `RedisJobQueue` for Kubernetes) guarantees only one agent job runs per PR at a time, preventing race conditions on the same workspace.
 - **Multi-turn conversations** — `ConversationStore` maps (platform, repo, PR, bot) to conversation IDs and message histories so conversations resume across comments.
@@ -85,7 +86,13 @@ The dispatcher in `agent/invoke.py` routes based on the agent config type (`CliA
 ```
 nominal_code/
 ├── main.py              # Entry point: dispatches to webhook server, CLI, or CI
-├── config.py            # Frozen dataclass config loaded from env vars / files
+├── config/
+│   ├── models.py        # Mutable *Settings models (YAML/env input layer)
+│   ├── config.py        # Frozen *Config models (application output layer)
+│   ├── loader.py        # Settings → Config transformation with validation
+│   ├── policies.py      # FilteringPolicy and RoutingPolicy (frozen)
+│   ├── agent.py         # AgentConfig, CliAgentConfig, ApiAgentConfig
+│   └── kubernetes.py    # KubernetesConfig (frozen)
 ├── models.py            # Shared enums (EventType, BotType, FileStatus) and dataclasses (ReviewFinding, AgentReview, ChangedFile)
 ├── commands/            # Entry points: CLI review, CI mode, webhook server, K8s job runner
 │   ├── webhook/         # Webhook server (server.py), helpers, mention extraction, K8s job runner (job.py)
 
@@ -56,10 +56,9 @@ async def run_job_main() -> int:
 
         return 1
 
-    redis = config.webhook.redis if config.webhook is not None else None
     conversation_store: ConversationStore = build_conversation_store(
-        redis_url=redis.url if redis is not None else "",
-        redis_key_ttl_seconds=redis.key_ttl_seconds if redis is not None else 86400,
+        redis_url=_env.str("REDIS_URL", ""),
+        redis_key_ttl_seconds=int(_env.str("REDIS_KEY_TTL_SECONDS", "86400")),
     )
 
     platform_name: PlatformName = PlatformName(job.event.platform)
 
@@ -0,0 +1,22 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class DispatchResult:
+    """
+    Framework-agnostic result from webhook dispatch functions.
+
+    Replaces direct ``web.Response`` returns so that dispatch logic is
+    decoupled from any specific HTTP framework.
+
+    Attributes:
+        status (str): Semantic status string (e.g. ``"accepted"``,
+            ``"ignored"``, ``"no_mention"``, ``"unauthorized"``).
+        http_status (int): Suggested HTTP status code for the caller
+            to use when building the actual response.
+    """
+
+    status: str
+    http_status: int = 200
@@ -10,9 +10,10 @@
 from aiohttp import web
 
 from nominal_code.commands.webhook.helpers import acknowledge_event, extract_mention
+from nominal_code.commands.webhook.result import DispatchResult
 from nominal_code.config import Config, load_config
+from nominal_code.config.config import WebhookConfig
 from nominal_code.config.policies import FilteringPolicy, RoutingPolicy
-from nominal_code.config.settings import WebhookConfig
 from nominal_code.jobs.payload import JobPayload
 from nominal_code.jobs.runner import build_runner
 from nominal_code.models import COMMENT_EVENT_TYPES, BotType
@@ -24,6 +25,7 @@
     PullRequestEvent,
     ReviewerPlatform,
 )
+
 if TYPE_CHECKING:
     from nominal_code.jobs.runner.base import JobRunner
 
@@ -217,7 +219,7 @@ async def dispatch_lifecycle_event(
     runner: JobRunner,
     namespace: str = "",
     extra_env: dict[str, str] | None = None,
-) -> web.Response:
+) -> DispatchResult:
     """
     Dispatch a lifecycle event to the reviewer bot.
 
@@ -235,17 +237,17 @@ async def dispatch_lifecycle_event(
         extra_env (dict[str, str] | None): Additional env vars for the job container.
 
     Returns:
-        web.Response: The HTTP response.
+        DispatchResult: The dispatch result.
     """
 
     if not routing.reviewer_bot_username:
-        return web.json_response({"status": "ignored"})
+        return DispatchResult(status="ignored")
 
     if not isinstance(event, LifecycleEvent):
-        return web.json_response({"status": "ignored"})
+        return DispatchResult(status="ignored")
 
     if not isinstance(platform, ReviewerPlatform):
-        return web.json_response({"status": "ignored"})
+        return DispatchResult(status="ignored")
 
     await acknowledge_event(
         event=event,
@@ -263,7 +265,7 @@ async def dispatch_lifecycle_event(
 
     await runner.enqueue(job)
 
-    return web.json_response({"status": "accepted"})
+    return DispatchResult(status="accepted")
 
 
 async def dispatch_comment_event(
@@ -274,7 +276,7 @@ async def dispatch_comment_event(
     runner: JobRunner,
     namespace: str = "",
     extra_env: dict[str, str] | None = None,
-) -> web.Response:
+) -> DispatchResult:
     """
     Dispatch a comment event to the appropriate bot.
 
@@ -293,14 +295,14 @@ async def dispatch_comment_event(
         extra_env (dict[str, str] | None): Additional env vars for the job container.
 
     Returns:
-        web.Response: The HTTP response.
+        DispatchResult: The dispatch result.
     """
 
     if event.event_type not in COMMENT_EVENT_TYPES:
-        return web.json_response({"status": "ignored"})
+        return DispatchResult(status="ignored")
 
     if not isinstance(event, CommentEvent):
-        return web.json_response({"status": "ignored"})
+        return DispatchResult(status="ignored")
 
     comment_event: CommentEvent = event
 
@@ -328,7 +330,7 @@ async def dispatch_comment_event(
         mention_prompt = reviewer_prompt
 
     else:
-        return web.json_response({"status": "no_mention"})
+        return DispatchResult(status="no_mention")
 
     proceed: bool = await acknowledge_event(
         event=comment_event,
@@ -338,7 +340,7 @@ async def dispatch_comment_event(
     )
 
     if not proceed:
-        return web.json_response({"status": "unauthorized"})
+        return DispatchResult(status="unauthorized", http_status=403)
 
     mentioned_event: CommentEvent = replace(
         comment_event,
@@ -354,7 +356,7 @@ async def dispatch_comment_event(
 
     await runner.enqueue(job)
 
-    return web.json_response({"status": "accepted"})
+    return DispatchResult(status="accepted")
 
 
 async def _handle_health(request: web.Request) -> web.Response:
@@ -421,15 +423,15 @@ async def _handle_webhook(
 
         body: bytes = await request.read()
 
-        if not platform.verify_webhook(request=request, body=body):
+        if not platform.verify_webhook(headers=request.headers, body=body):
             logger.warning("Invalid webhook signature for %s", platform_name)
 
             return web.Response(status=401, text="Invalid signature")
 
         await platform.authenticate(webhook_body=body)
 
         event: CommentEvent | LifecycleEvent | None = platform.parse_event(
-            request=request,
+            headers=request.headers,
             body=body,
         )
 
@@ -442,20 +444,25 @@ async def _handle_webhook(
             return web.json_response({"status": filter_reason})
 
         if event.event_type in routing.reviewer_triggers:
-            return await dispatch_lifecycle_event(
+            result: DispatchResult = await dispatch_lifecycle_event(
+                event=event,
+                filtering=filtering,
+                routing=routing,
+                platform=platform,
+                runner=runner,
+            )
+        else:
+            result = await dispatch_comment_event(
                 event=event,
                 filtering=filtering,
                 routing=routing,
                 platform=platform,
                 runner=runner,
             )
 
-        return await dispatch_comment_event(
-            event=event,
-            filtering=filtering,
-            routing=routing,
-            platform=platform,
-            runner=runner,
+        return web.json_response(
+            {"status": result.status},
+            status=result.http_status,
         )
 
     except Exception:
 
@@ -7,14 +7,7 @@
     ProviderConfig,
     resolve_provider_config,
 )
-from nominal_code.config.kubernetes import KubernetesConfig
-from nominal_code.config.loader import (
-    load_config,
-    load_config_for_ci,
-    load_config_for_cli,
-)
-from nominal_code.config.policies import FilteringPolicy, RoutingPolicy
-from nominal_code.config.settings import (
+from nominal_code.config.config import (
     Config,
     PromptsConfig,
     RedisConfig,
@@ -23,6 +16,13 @@
     WorkerConfig,
     WorkspaceConfig,
 )
+from nominal_code.config.kubernetes import KubernetesConfig
+from nominal_code.config.loader import (
+    load_config,
+    load_config_for_ci,
+    load_config_for_cli,
+)
+from nominal_code.config.policies import FilteringPolicy, RoutingPolicy
 
 __all__ = [
     "AgentConfig",
 
@@ -1,7 +1,6 @@
 from __future__ import annotations
 
 import logging
-import tempfile
 from pathlib import Path
 
 from pydantic import BaseModel, ConfigDict
@@ -10,6 +9,7 @@
 from nominal_code.config.kubernetes import KubernetesConfig
 from nominal_code.config.policies import FilteringPolicy, RoutingPolicy
 from nominal_code.models import EventType, ProviderName
+from nominal_code.workspace.git import DEFAULT_BASE_DIR
 
 logger: logging.Logger = logging.getLogger(__name__)
 
@@ -76,7 +76,7 @@ class WorkspaceConfig(BaseModel):
 
     model_config = ConfigDict(frozen=True)
 
-    base_dir: Path = Path(tempfile.gettempdir()) / "nominal-code"
+    base_dir: Path = DEFAULT_BASE_DIR
 
 
 class RedisConfig(BaseModel):
 
@@ -20,13 +20,6 @@ class KubernetesConfig(BaseModel):
         resource_requests_memory (str): Memory request (e.g. ``"512Mi"``).
         resource_limits_cpu (str): CPU limit.
         resource_limits_memory (str): Memory limit.
-        pod_security_enabled (bool): Enable pod security hardening
-            (``securityContext``, ``automountServiceAccountToken``).
-        run_as_user (int): UID to run the container as when security is enabled.
-        read_only_root_filesystem (bool): Mount the root filesystem as
-            read-only when security is enabled.
-        automount_service_account_token (bool): Whether to mount the service
-            account token in job pods.
     """
 
     model_config = ConfigDict(frozen=True)
@@ -43,7 +36,3 @@ class KubernetesConfig(BaseModel):
     resource_requests_memory: str = ""
     resource_limits_cpu: str = ""
     resource_limits_memory: str = ""
-    pod_security_enabled: bool = True
-    run_as_user: int = 1000
-    read_only_root_filesystem: bool = True
-    automount_service_account_token: bool = False
@@ -9,10 +9,7 @@
     ProviderConfig,
     resolve_agent_config,
 )
-from nominal_code.config.kubernetes import KubernetesConfig
-from nominal_code.config.models import AppSettings
-from nominal_code.config.policies import FilteringPolicy, RoutingPolicy
-from nominal_code.config.settings import (
+from nominal_code.config.config import (
     Config,
     PromptsConfig,
     RedisConfig,
@@ -25,6 +22,9 @@
     parse_reviewer_triggers,
     parse_title_tags,
 )
+from nominal_code.config.kubernetes import KubernetesConfig
+from nominal_code.config.models import AppSettings
+from nominal_code.config.policies import FilteringPolicy, RoutingPolicy
 from nominal_code.models import EventType, ProviderName
 
 logger: logging.Logger = logging.getLogger(__name__)
@@ -319,7 +319,9 @@ def load_config_for_ci(
     )
 
 
-def _resolve_kubernetes(settings: AppSettings) -> KubernetesConfig | None:
+def _resolve_kubernetes(
+    settings: AppSettings,
+) -> KubernetesConfig | None:
     """
     Resolve KubernetesConfig from settings when a K8s image is configured.