ocak 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f3ade72c57a02f3647218543b060295454aec639d90ba261b4fe9b88fa05f1bf
-  data.tar.gz: 86decb5ce7099d43214859b82f3b12fc7d55b5cdf3d1d57a30ed38dc7c74a957
+  metadata.gz: 0f09506ff0c348c7f0822da37268c614ea209b9ca8edb643b7a4619df96113a3
+  data.tar.gz: 90a52276424ab7f2dbaa19643ca22ffde525460089d7f2b3f97670c638b43f2b
 SHA512:
-  metadata.gz: 6ba522815876568e13b9453cdbd943a873c2ad28cee59a6c92d99b6dc62ccfeeadac57a2a2815b95f834b7c7173ffb2baf40107dcdfabc2cc74cf3d04446ad2d
-  data.tar.gz: 9b4d7d602aa8c2c213d64bbf75a5d9c5dfecb01952d327140c268f32474aaa02e3664f6b29cd60c9eee45fa1ac97e6f5012b9bbac51d54b1de68d40c34291a64
+  metadata.gz: 04fd822b0fc96ae9f845d97c431a40552c081d56475925069c2158685d126fb816ef87ddd9946b041c2bf624e9e6676a92c2ab30da2b8d10128eebb7a133a57b
+  data.tar.gz: 111a2c5c925cbad3919f65a92ed3d0d16c88acfd934d0e8d1baf97b21d966a53822129255f28f1941b692bd03eb455eff8ca186555d9e78b2cce189085f53853

data/lib/ocak/agent_generator.rb

@@ -109,7 +109,7 @@ module Ocak
         agent_path = File.join(output_dir, "#{output_name}.md")
         current_content = File.read(agent_path)
 
-        prompt = build_enhancement_prompt(agent, current_content, context)
+        prompt = build_enhancement_prompt(current_content, context)
         result = run_claude_prompt(prompt)
 
         if result && !result.strip.empty? && result.include?('---')
@@ -131,7 +131,7 @@ module Ocak
       parts.join("\n\n")
     end
 
-    def build_enhancement_prompt(_agent, template_content, context)
+    def build_enhancement_prompt(template_content, context)
       <<~PROMPT
         You are customizing a Claude Code agent for a specific project.
 

data/lib/ocak/commands/hiz.rb

@@ -6,16 +6,13 @@ require_relative '../config'
 require_relative '../claude_runner'
 require_relative '../git_utils'
 require_relative '../issue_fetcher'
-require_relative '../verification'
-require_relative '../planner'
+require_relative '../pipeline_executor'
 require_relative '../step_comments'
 require_relative '../logger'
 
 module Ocak
   module Commands
     class Hiz < Dry::CLI::Command
-      include Verification
-      include Planner
       include StepComments
 
       desc 'Fast-mode: implement an issue with Sonnet, create a PR (no merge)'
@@ -26,17 +23,10 @@ module Ocak
       option :verbose, type: :boolean, default: false, desc: 'Increase log detail'
       option :quiet, type: :boolean, default: false, desc: 'Suppress non-error output'
 
-      STEP_MODELS = {
-        'implementer' => 'sonnet',
-        'reviewer' => 'haiku',
-        'security-reviewer' => 'sonnet'
-      }.freeze
-
-      IMPLEMENT_STEP = { agent: 'implementer', role: 'implement' }.freeze
-
-      REVIEW_STEPS = [
-        { agent: 'reviewer',          role: 'review' },
-        { agent: 'security-reviewer', role: 'security' }
+      HIZ_STEPS = [
+        { agent: 'implementer', role: 'implement', model: 'sonnet' },
+        { agent: 'reviewer', role: 'review', model: 'haiku', parallel: true },
+        { agent: 'security-reviewer', role: 'security', model: 'sonnet', parallel: true }
       ].freeze
 
       HizState = Struct.new(:issues, :total_cost, :steps_run, :review_results)
@@ -50,7 +40,7 @@ module Ocak
           return
         end
 
-        logger = build_logger(issue_number)
+        @logger = logger = build_logger(issue_number)
         watch_formatter = options[:watch] ? WatchFormatter.new : nil
         claude = ClaudeRunner.new(config: @config, logger: logger, watch: watch_formatter)
         issues = IssueFetcher.new(config: @config, logger: logger)
@@ -78,130 +68,70 @@ module Ocak
         start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
         chdir = @config.project_dir
 
+        issues.transition(issue_number, from: @config.label_ready, to: @config.label_in_progress)
         post_hiz_start_comment(issue_number, state: state)
-        branch = create_branch(issue_number, chdir)
-
-        failure = run_agents(issue_number, claude: claude, logger: logger, chdir: chdir, state: state)
-        if failure
-          duration = (Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time).round
-          post_hiz_summary_comment(issue_number, duration, success: false, failed_phase: failure[:phase],
-                                                           state: state)
-          handle_failure(issue_number, failure[:phase], failure[:output], issues: state.issues, logger: logger)
+        begin
+          branch = create_branch(issue_number, chdir)
+        rescue RuntimeError => e
+          fail_pipeline(issue_number, 'create-branch', e.message,
+                        start_time: start_time, state: state, logger: logger)
           return
         end
 
-        verification_failure = run_final_verification_step(issue_number, claude: claude, logger: logger,
-                                                                         chdir: chdir, state: state)
-        if verification_failure
-          duration = (Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time).round
-          post_hiz_summary_comment(issue_number, duration, success: false, failed_phase: 'final-verify',
-                                                           state: state)
-          handle_failure(issue_number, 'final-verify', verification_failure[:output],
-                         issues: state.issues, logger: logger)
+        executor = PipelineExecutor.new(config: @config, issues: issues)
+        result = executor.run_pipeline(
+          issue_number, logger: logger, claude: claude, chdir: chdir,
+                        steps: HIZ_STEPS, verification_model: 'sonnet',
+                        post_start_comment: false, post_summary_comment: false
+        )
+
+        state.total_cost = result[:total_cost] || 0.0
+        state.steps_run = result[:steps_run] || 0
+        state.steps_run += 1 if verification_ran?(result)
+
+        unless result[:success]
+          fail_pipeline(issue_number, result[:phase], result[:output],
+                        start_time: start_time, state: state, logger: logger, branch: branch)
           return
         end
 
+        state.review_results = extract_review_results(result[:step_results])
+
         duration = (Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time).round
         post_hiz_summary_comment(issue_number, duration, success: true, state: state)
         push_and_create_pr(issue_number, branch, logger: logger, chdir: chdir, state: state)
       end
 
-      def run_agents(issue_number, claude:, logger:, chdir:, state:)
-        result = run_step(IMPLEMENT_STEP, issue_number, claude: claude, logger: logger, chdir: chdir, state: state)
-        state.steps_run += 1
-        state.total_cost += result.cost_usd.to_f
-        unless result.success?
-          logger.error("Implementation failed for issue ##{issue_number}")
-          return { phase: 'implement', output: result.output }
-        end
+      def verification_ran?(result)
+        (@config.test_command || @config.lint_check_command) &&
+          (result[:success] || result[:phase] == 'final-verify')
+      end
 
-        state.review_results = run_reviews_in_parallel(issue_number, claude: claude, logger: logger,
-                                                                     chdir: chdir, state: state)
-        nil
+      def extract_review_results(step_results)
+        return {} unless step_results
+
+        step_results.select do |_role, r|
+          r&.blocking_findings? || r&.warnings?
+        end
       end
 
       def create_branch(issue_number, chdir)
         branch = "hiz/issue-#{issue_number}-#{SecureRandom.hex(4)}"
+        raise "Unsafe branch name: #{branch}" unless GitUtils.safe_branch_name?(branch)
+
         _, stderr, status = Open3.capture3('git', 'checkout', '-b', branch, chdir: chdir)
         raise "Failed to create branch #{branch}: #{stderr}" unless status.success?
 
         branch
       end
 
-      def run_reviews_in_parallel(issue_number, claude:, logger:, chdir:, state:)
-        threads = REVIEW_STEPS.map do |step|
-          Thread.new do
-            run_step(step, issue_number, claude: claude, logger: logger, chdir: chdir, state: state)
-          rescue StandardError => e
-            logger.error("#{step[:role]} thread failed: #{e.message}")
-            nil
-          end
-        end
-
-        results = {}
-        threads.each_with_index do |thread, i|
-          result = thread.value
-          step = REVIEW_STEPS[i]
-          if result
-            state.steps_run += 1
-            state.total_cost += result.cost_usd.to_f
-            results[step[:role]] = result if result.blocking_findings? || result.warnings?
-          end
-          next if result.nil? || result.success?
-
-          logger.warn("#{step[:role]} reported issues but continuing")
-        end
-        results
-      end
-
-      def run_step(step, issue_number, claude:, logger:, chdir:, state:)
-        agent = step[:agent]
-        role = step[:role]
-        model = STEP_MODELS[agent]
-        logger.info("--- Phase: #{role} (#{agent}) [#{model}] ---")
-        post_step_comment(issue_number, "\u{1F504} **Phase: #{role}** (#{agent})", state: state)
-        prompt = build_step_prompt(role, issue_number, nil)
-        result = claude.run_agent(agent, prompt, chdir: chdir, model: model)
-        post_step_completion_comment(issue_number, role, result, state: state)
-        result
-      end
-
-      def run_final_verification_step(issue_number, claude:, logger:, chdir:, state:)
-        return nil unless @config.test_command || @config.lint_check_command
-
-        logger.info('--- Final verification ---')
-        post_step_comment(issue_number, "\u{1F504} **Phase: final-verify** (verification)", state: state)
-        result = run_final_checks(logger, chdir: chdir)
-
-        unless result[:success]
-          logger.warn('Final checks failed, attempting fix...')
-          post_step_comment(issue_number,
-                            "\u{26A0}\u{FE0F} **Final verification failed** \u2014 attempting auto-fix...",
-                            state: state)
-          fix_prompt = "Fix these test/lint failures:\n\n" \
-                       "<verification_output>\n#{result[:output]}\n</verification_output>"
-          claude.run_agent('implementer', fix_prompt,
-                           chdir: chdir, model: STEP_MODELS['implementer'])
-          result = run_final_checks(logger, chdir: chdir)
-        end
-
-        state.steps_run += 1
-        if result[:success]
-          post_step_comment(issue_number, "\u{2705} **Phase: final-verify** completed", state: state)
-          nil
-        else
-          post_step_comment(issue_number, "\u{274C} **Phase: final-verify** failed", state: state)
-          { success: false, phase: 'final-verify', output: result[:output] }
-        end
-      end
-
       def push_and_create_pr(issue_number, branch, logger:, chdir:, state:)
         commit_changes(issue_number, chdir, logger: logger)
 
         _, stderr, status = Open3.capture3('git', 'push', '-u', 'origin', branch, chdir: chdir)
         unless status.success?
           logger.error("Push failed: #{stderr}")
-          handle_failure(issue_number, 'push', stderr, issues: state.issues, logger: logger)
+          handle_failure(issue_number, 'push', stderr, issues: state.issues, logger: logger, branch: branch)
           return
         end
 
@@ -224,7 +154,7 @@ module Ocak
           puts "PR created: #{pr_url}"
         else
           logger.error("PR creation failed: #{stderr}")
-          handle_failure(issue_number, 'pr-create', stderr, issues: state.issues, logger: logger)
+          handle_failure(issue_number, 'pr-create', stderr, issues: state.issues, logger: logger, branch: branch)
         end
       end
 
@@ -247,41 +177,43 @@ module Ocak
         body
       end
 
-      def handle_failure(issue_number, phase, output, issues:, logger:)
-        logger.error("Issue ##{issue_number} failed at phase: #{phase}")
-        issues.comment(issue_number,
-                       "Hiz (fast mode) failed at phase: #{phase}\n\n```\n#{output.to_s[0..1000]}\n```")
-        warn "Issue ##{issue_number} failed at phase: #{phase}"
-        _, stderr, status = Open3.capture3('git', 'checkout', 'main', chdir: @config.project_dir)
-        logger.warn("Cleanup checkout to main failed: #{stderr}") unless status.success?
+      def fail_pipeline(issue_number, phase, output, start_time:, state:, logger:, branch: nil) # rubocop:disable Metrics/ParameterLists
+        duration = (Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time).round
+        post_hiz_summary_comment(issue_number, duration, success: false, failed_phase: phase, state: state)
+        handle_failure(issue_number, phase, output, issues: state.issues, logger: logger, branch: branch)
       end
 
-      def build_logger(issue_number)
-        PipelineLogger.new(log_dir: File.join(@config.project_dir, @config.log_dir), issue_number: issue_number)
+      def handle_failure(issue_number, phase, output, issues:, logger:, branch: nil)
+        logger.error("Issue ##{issue_number} failed at phase: #{phase}")
+        issues.transition(issue_number, from: @config.label_in_progress, to: @config.label_failed)
+        begin
+          sanitized = output.to_s[0..1000].gsub('```', "'''")
+          issues.comment(issue_number,
+                         "Hiz (fast mode) failed at phase: #{phase}\n\n```\n#{sanitized}\n```")
+        rescue StandardError
+          nil
+        end
+        warn "Issue ##{issue_number} failed at phase: #{phase}"
+        GitUtils.checkout_main(chdir: @config.project_dir, logger: logger)
+        delete_branch(branch, logger: logger) if branch
       end
 
-      def post_step_comment(issue_number, body, state:)
-        state.issues&.comment(issue_number, body)
-      rescue StandardError
-        nil
+      def delete_branch(branch, logger:)
+        _, stderr, status = Open3.capture3('git', 'branch', '-D', branch, chdir: @config.project_dir)
+        logger.warn("Failed to delete branch #{branch}: #{stderr}") unless status.success?
+      rescue StandardError => e
+        logger.warn("Error deleting branch #{branch}: #{e.message}")
       end
 
-      def post_step_completion_comment(issue_number, role, result, state:)
-        duration = (result.duration_ms.to_f / 1000).round
-        cost = format('%.3f', result.cost_usd.to_f)
-        if result.success?
-          post_step_comment(issue_number, "\u{2705} **Phase: #{role}** completed \u2014 #{duration}s | $#{cost}",
-                            state: state)
-        else
-          post_step_comment(issue_number, "\u{274C} **Phase: #{role}** failed \u2014 #{duration}s | $#{cost}",
-                            state: state)
-        end
+      def build_logger(issue_number)
+        PipelineLogger.new(log_dir: File.join(@config.project_dir, @config.log_dir), issue_number: issue_number)
       end
 
       def post_hiz_start_comment(issue_number, state:)
         steps = "implement \u2192 review \u2225 security"
         steps += " \u2192 verify" if @config.test_command || @config.lint_check_command
-        post_step_comment(issue_number, "\u{1F680} **Hiz (fast mode) started** \u2014 #{steps}", state: state)
+        post_step_comment(issue_number, "\u{1F680} **Hiz (fast mode) started** \u2014 #{steps}",
+                          issues: state.issues)
       end
 
       def post_hiz_summary_comment(issue_number, duration, success:, state:, failed_phase: nil)
@@ -292,12 +224,12 @@ module Ocak
           post_step_comment(issue_number,
                             "\u{2705} **Pipeline complete** \u2014 #{state.steps_run}/#{total} steps run " \
                             "| 0 skipped | $#{cost} total | #{duration}s",
-                            state: state)
+                            issues: state.issues)
         else
           post_step_comment(issue_number,
                             "\u{274C} **Pipeline failed** at phase: #{failed_phase} \u2014 " \
                             "#{state.steps_run}/#{total} steps completed | $#{cost} total",
-                            state: state)
+                            issues: state.issues)
         end
       end
     end

data/lib/ocak/commands/init.rb

@@ -85,7 +85,12 @@ module Ocak
 
       def update_settings(project_dir, stack)
         settings_path = File.join(project_dir, '.claude', 'settings.json')
-        existing = File.exist?(settings_path) ? JSON.parse(File.read(settings_path)) : {}
+        existing = begin
+          File.exist?(settings_path) ? JSON.parse(File.read(settings_path)) : {}
+        rescue JSON::ParserError
+          puts '  Warning: .claude/settings.json is not valid JSON, creating fresh'
+          {}
+        end
 
         merge_permissions(existing, stack)
         merge_hooks(existing)
@@ -211,11 +216,7 @@ module Ocak
       end
 
       def init_logger
-        @init_logger ||= Object.new.tap do |l|
-          def l.info(msg)
-            puts "  #{msg}"
-          end
-        end
+        @init_logger ||= Struct.new(:_) { def info(msg) = puts("  #{msg}") }.new
       end
     end
   end

data/lib/ocak/commands/resume.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative '../config'
+require_relative '../failure_reporting'
 require_relative '../git_utils'
 require_relative '../pipeline_runner'
 require_relative '../pipeline_state'
@@ -13,6 +14,8 @@ require_relative '../logger'
 module Ocak
   module Commands
     class Resume < Dry::CLI::Command
+      include FailureReporting
+
       desc 'Resume a failed pipeline from the last successful step'
 
       argument :issue, type: :integer, required: true, desc: 'Issue number to resume'
@@ -93,10 +96,7 @@ module Ocak
         if result[:success]
           attempt_merge(ctx)
         else
-          ctx[:issues].transition(ctx[:issue_number], from: ctx[:config].label_in_progress,
-                                                      to: ctx[:config].label_failed)
-          ctx[:issues].comment(ctx[:issue_number],
-                               "Pipeline failed at phase: #{result[:phase]}\n\n```\n#{result[:output][0..1000]}\n```")
+          report_pipeline_failure(ctx[:issue_number], result, issues: ctx[:issues], config: ctx[:config])
           warn "Issue ##{ctx[:issue_number]} failed again at phase: #{result[:phase]}"
         end
       end

data/lib/ocak/config.rb

@@ -34,12 +34,17 @@ module Ocak
     def format_command = dig(:stack, :format_command)
     def setup_command  = dig(:stack, :setup_command)
 
-    # Returns the lint command with auto-fix flags stripped, suitable for check-only verification.
+    # Returns the lint command suitable for check-only verification.
+    # Uses explicit lint_check_command config if provided; otherwise strips known fix flags from lint_command.
     def lint_check_command
+      explicit = dig(:stack, :lint_check_command)
+      return explicit if explicit && !explicit.empty?
+
       cmd = lint_command
       return nil unless cmd
 
-      cmd.gsub(/\s+(?:-A|--fix|--write|--allow-dirty)\b/, '').strip
+      # Longer --fix-* variants must precede --fix in the alternation due to \b matching after 'fix'
+      cmd.gsub(/\s+(?:-A|--fix-dry-run|--fix-type\s+\S+|--unsafe-fix|--fix|--write|--allow-dirty)\b/, '').strip
     end
 
     def security_commands
@@ -49,8 +54,15 @@ module Ocak
     # Pipeline
     def max_parallel  = @overrides[:max_parallel] || dig(:pipeline, :max_parallel) || 5
     def poll_interval = @overrides[:poll_interval] || dig(:pipeline, :poll_interval) || 60
-    def worktree_dir  = dig(:pipeline, :worktree_dir) || '.claude/worktrees'
-    def log_dir       = dig(:pipeline, :log_dir) || 'logs/pipeline'
+
+    def worktree_dir
+      validate_path(dig(:pipeline, :worktree_dir) || '.claude/worktrees')
+    end
+
+    def log_dir
+      validate_path(dig(:pipeline, :log_dir) || 'logs/pipeline')
+    end
+
     def cost_budget   = dig(:pipeline, :cost_budget)
     def manual_review = @overrides[:manual_review] || dig(:pipeline, :manual_review) || false
     def audit_mode    = @overrides[:audit_mode] || dig(:pipeline, :audit_mode) || false
@@ -80,13 +92,20 @@ module Ocak
     # Agent paths
     def agent_path(name)
       custom = dig(:agents, name.to_sym)
-      return File.join(@project_dir, custom) if custom
+      return File.join(@project_dir, validate_path(custom)) if custom
 
       File.join(@project_dir, '.claude', 'agents', "#{name.to_s.tr('_', '-')}.md")
     end
 
     private
 
+    def validate_path(relative)
+      expanded = File.expand_path(File.join(@project_dir, relative))
+      return relative if expanded.start_with?("#{@project_dir}/") || expanded == @project_dir
+
+      raise ConfigError, "Path '#{relative}' escapes project directory"
+    end
+
     def dig(*keys)
       keys.reduce(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
     end

data/lib/ocak/failure_reporting.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Ocak
+  # Shared pipeline failure reporting — label transition + comment posting.
+  # Included by PipelineRunner and Commands::Resume.
+  module FailureReporting
+    def report_pipeline_failure(issue_number, result, issues:, config:)
+      issues.transition(issue_number, from: config.label_in_progress, to: config.label_failed)
+      sanitized = result[:output][0..1000].to_s.gsub('```', "'''")
+      issues.comment(issue_number,
+                     "Pipeline failed at phase: #{result[:phase]}\n\n```\n#{sanitized}\n```")
+    rescue StandardError
+      nil
+    end
+  end
+end

data/lib/ocak/git_utils.rb

@@ -38,5 +38,14 @@ module Ocak
 
       true
     end
+
+    # Checks out the main branch. Intended for cleanup/ensure blocks.
+    # Rescues all errors so it never crashes the caller.
+    def self.checkout_main(chdir:, logger: nil)
+      _, stderr, status = Open3.capture3('git', 'checkout', 'main', chdir: chdir)
+      logger&.warn("Cleanup checkout to main failed: #{stderr}") unless status.success?
+    rescue StandardError => e
+      logger&.warn("Cleanup checkout to main error: #{e.message}")
+    end
   end
 end

data/lib/ocak/issue_fetcher.rb

@@ -20,13 +20,12 @@ module Ocak
     end
 
     def fetch_ready
-      stdout, _, status = Open3.capture3(
-        'gh', 'issue', 'list',
+      stdout, _, status = run_gh(
+        'issue', 'list',
         '--label', @config.label_ready,
         '--state', 'open',
         '--json', 'number,title,body,labels,author',
-        '--limit', '50',
-        chdir: @config.project_dir
+        '--limit', '50'
       )
       return [] unless status.success?
 
@@ -57,13 +56,12 @@ module Ocak
     end
 
     def fetch_reready_prs
-      stdout, _, status = Open3.capture3(
-        'gh', 'pr', 'list',
+      stdout, _, status = run_gh(
+        'pr', 'list',
         '--label', @config.label_reready,
         '--state', 'open',
         '--json', 'number,title,body,headRefName,labels',
-        '--limit', '20',
-        chdir: @config.project_dir
+        '--limit', '20'
       )
       return [] unless status.success?
 
@@ -74,10 +72,9 @@ module Ocak
     end
 
     def fetch_pr_comments(pr_number)
-      stdout, _, status = Open3.capture3(
-        'gh', 'pr', 'view', pr_number.to_s,
-        '--json', 'comments,reviews',
-        chdir: @config.project_dir
+      stdout, _, status = run_gh(
+        'pr', 'view', pr_number.to_s,
+        '--json', 'comments,reviews'
       )
       return { comments: [], reviews: [] } unless status.success?
 
@@ -96,16 +93,12 @@ module Ocak
 
     def pr_transition(pr_number, remove_label: nil, add_label: nil)
       if remove_label
-        _, _, status = Open3.capture3('gh', 'pr', 'edit', pr_number.to_s,
-                                      '--remove-label', remove_label,
-                                      chdir: @config.project_dir)
+        _, _, status = run_gh('pr', 'edit', pr_number.to_s, '--remove-label', remove_label)
         return false unless status.success?
       end
 
       if add_label
-        _, _, status = Open3.capture3('gh', 'pr', 'edit', pr_number.to_s,
-                                      '--add-label', add_label,
-                                      chdir: @config.project_dir)
+        _, _, status = run_gh('pr', 'edit', pr_number.to_s, '--add-label', add_label)
         return false unless status.success?
       end
 
@@ -113,9 +106,7 @@ module Ocak
     end
 
     def pr_comment(pr_number, body)
-      _, _, status = Open3.capture3('gh', 'pr', 'comment', pr_number.to_s,
-                                    '--body', body,
-                                    chdir: @config.project_dir)
+      _, _, status = run_gh('pr', 'comment', pr_number.to_s, '--body', body)
       status.success?
     end
 
@@ -125,17 +116,15 @@ module Ocak
 
     def ensure_label(label)
       color = LABEL_COLORS.fetch(label, 'ededed')
-      Open3.capture3('gh', 'label', 'create', label, '--force', '--color', color,
-                     chdir: @config.project_dir) # --force: update if exists
-    rescue StandardError => e
+      run_gh('label', 'create', label, '--force', '--color', color) # --force: update if exists
+    rescue Errno::ENOENT => e
       @logger&.warn("Failed to create label '#{label}': #{e.message}")
     end
 
     def view(issue_number, fields: 'number,title,body,labels')
-      stdout, _, status = Open3.capture3(
-        'gh', 'issue', 'view', issue_number.to_s,
-        '--json', fields,
-        chdir: @config.project_dir
+      stdout, _, status = run_gh(
+        'issue', 'view', issue_number.to_s,
+        '--json', fields
       )
       return nil unless status.success?
 
@@ -155,20 +144,14 @@ module Ocak
       authors = allowed_authors
       author_login = issue.dig('author', 'login')
 
-      if authors.any? && authors.include?(author_login)
-        check_comment_requirement(issue)
-      elsif authors.empty?
-        # Default: current user only
-        if author_login == current_user
-          check_comment_requirement(issue)
-        else
-          @logger&.warn("Skipping issue ##{issue['number']}: author '#{author_login}' not in allowed list")
-          false
-        end
-      else
-        @logger&.warn("Skipping issue ##{issue['number']}: author '#{author_login}' not in allowed list")
-        false
+      if authors.empty?
+        return check_comment_requirement(issue) if author_login == current_user
+      elsif authors.include?(author_login)
+        return check_comment_requirement(issue)
       end
+
+      @logger&.warn("Skipping issue ##{issue['number']}: author '#{author_login}' not in allowed list")
+      false
     end
 
     def check_comment_requirement(issue)
@@ -191,10 +174,9 @@ module Ocak
     end
 
     def fetch_comments(issue_number)
-      stdout, _, status = Open3.capture3(
-        'gh', 'issue', 'view', issue_number.to_s,
-        '--json', 'comments',
-        chdir: @config.project_dir
+      stdout, _, status = run_gh(
+        'issue', 'view', issue_number.to_s,
+        '--json', 'comments'
       )
       return [] unless status.success?
 
@@ -209,10 +191,21 @@ module Ocak
     end
 
     def current_user
-      @current_user ||= begin
+      return @current_user if defined?(@current_user_resolved)
+
+      2.times do |attempt|
         stdout, _, status = Open3.capture3('gh', 'api', 'user', '--jq', '.login')
-        status.success? ? stdout.strip : nil
+        if status.success?
+          @current_user = stdout.strip
+          @current_user_resolved = true
+          return @current_user
+        end
+
+        @logger&.warn("Could not determine current user via 'gh api user' (attempt #{attempt + 1}/2)")
+        sleep(1) if attempt.zero?
       end
+
+      nil
     end
 
     def run_gh(*)