@_mustachio/ai-review-agent 0.1.0

package/README.md

@@ -0,0 +1,213 @@
+# @_mustachio/ai-review-agent
+
+AI-powered pull request code review agent. Works as a CLI tool, npm library, or GitHub Action. Supports GitHub and Bitbucket.
+
+## Features
+
+- **Inline comments** on specific lines of the PR diff
+- **Hunk-aware context** — reads code surrounding changed lines, not just the diff
+- **Diff chunking** — splits large PRs into parallel review chunks
+- **Custom rules** — point at a file or directory of coding standards (SOLID, CLEAN, etc.)
+- **Configurable prompt** — bring your own review prompt template
+- **Multi-platform** — GitHub Actions and Bitbucket Pipelines
+- **JSON output** — use `--output-only` for scripting and custom integrations
+- **Prompt injection mitigation** — PR metadata wrapped in delimiters
+- **Stale review cleanup** — dismisses/deletes previous AI reviews on new commits
+- **Binary file detection** — skips images, compiled files, etc.
+
+## Quick Start
+
+### npx (any CI or local)
+
+```bash
+npx @_mustachio/ai-review-agent \
+  --platform github \
+  --token $GH_TOKEN \
+  --rules ./docs/standards/
+```
+
+### GitHub Actions
+
+```yaml
+name: AI Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: read
+    env:
+      GH_TOKEN: ${{ github.token }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+
+      - uses: ./packages/ai-review-agent
+        with:
+          severity-threshold: 'blocking'
+          rules: docs/standards/standards.md
+          opencode-config: ${{ github.workspace }}/.github/opencode.json
+```
+
+When published, replace `uses: ./packages/ai-review-agent` with:
+
+```yaml
+      - uses: the-human-mustachio/ai-review-agent@v1
+```
+
+### Bitbucket Pipelines
+
+```yaml
+pipelines:
+  pull-requests:
+    '**':
+      - step:
+          name: AI Code Review
+          script:
+            - npx @_mustachio/ai-review-agent --rules ./docs/standards/ --severity-threshold blocking
+          # BB_TOKEN must be set as a secured repository variable
+          # with pullrequest:write and repository:write scopes
+```
+
+### Local / JSON Output
+
+```bash
+# Just get the review as JSON (no comments posted)
+npx @_mustachio/ai-review-agent \
+  --output-only \
+  --base-branch main \
+  --rules ./standards/
+```
+
+## CLI Options
+
+```
+PLATFORMS:
+  --platform <name>         github, bitbucket (auto-detected if omitted)
+  --token <token>           API token (or set GH_TOKEN / BB_TOKEN env var)
+
+PR METADATA (auto-detected in CI):
+  --pr-number <n>           PR number
+  --pr-title <title>        PR title
+  --pr-author <author>      PR author
+  --pr-body <body>          PR description
+  --base-branch <branch>    Base branch (default: main)
+
+REVIEW OPTIONS:
+  --prompt <path>           Custom prompt template
+  --rules <path>            Rules file or directory
+  --exclude <patterns>      Comma-separated exclude globs
+  --max-diff-size <n>       Max diff chars per chunk (default: 100000)
+  --severity-threshold <s>  Fail threshold: blocking, warning, info
+  --opencode-version <v>    Pinned opencode-ai version (default: 0.2.21)
+  --opencode-config <path>  OpenCode config file
+  --api-key <key>           AI provider API key
+  --post-review <bool>      Post approve/request-changes (default: true)
+
+OUTPUT:
+  --output-only             Print JSON to stdout, exit 0 (approved) or 1 (rejected)
+  --help                    Show help
+```
+
+## GitHub Action Inputs
+
+| Input | Description | Default |
+|-------|-------------|---------|
+| `api-key` | AI provider API key (optional if set in env) | |
+| `severity-threshold` | Fail threshold: `blocking`, `warning`, `info` | `blocking` |
+| `prompt` | Path to custom prompt template | built-in |
+| `post-review` | Post approve/request-changes review | `true` |
+| `max-diff-size` | Max diff size per chunk (chars) | `100000` |
+| `exclude-patterns` | Comma-separated exclude globs | |
+| `opencode-config` | Path to OpenCode config file | |
+| `rules` | Path to rules file or directory | |
+| `opencode-version` | Pinned opencode-ai version | `0.2.21` |
+
+## Custom Rules
+
+Point `--rules` at a single file or a directory:
+
+```bash
+# Single file
+--rules docs/standards/standards.md
+
+# Directory (all files concatenated with headers)
+--rules .github/review-rules/
+```
+
+Example rules directory:
+
+```
+.github/review-rules/
+  SOLID.md
+  CLEAN.md
+  security.md
+  testing.md
+```
+
+Each file's content is injected into the review prompt as evaluation criteria.
+
+## Output Format
+
+The review JSON (from `--output-only` or the internal pipeline):
+
+```json
+{
+  "approve": false,
+  "summary": "PR introduces a clean architecture violation.",
+  "issues": [
+    {
+      "severity": "blocking",
+      "message": "Core imports from infra — violates dependency rule",
+      "file": "packages/core/src/organization/organization.usecase.ts",
+      "line": 3,
+      "endLine": 4
+    }
+  ],
+  "recommendation": "Remove the infra import and use a repository port."
+}
+```
+
+## Platform Differences
+
+| Capability | GitHub | Bitbucket |
+|---|---|---|
+| Inline comments | PR review API | Individual comment API |
+| Block merge | `REQUEST_CHANGES` review | Build status `FAILED` |
+| Allow merge | `APPROVE` review | Build status `SUCCESSFUL` + approve |
+| Stale cleanup | Dismiss previous reviews | Delete previous comments |
+| Auth token | Automatic `GITHUB_TOKEN` | Manual `BB_TOKEN` (secured variable) |
+| PR metadata | From event payload | Fetched via API |
+
+## Library Usage
+
+```js
+const { runFullReview } = require('@_mustachio/ai-review-agent');
+
+const review = await runFullReview({
+  baseBranch: 'main',
+  prTitle: 'Add feature X',
+  prAuthor: 'dev',
+  prBody: 'Description here',
+  prNumber: 42,
+  rulesPath: './standards.md',
+});
+
+console.log(review.approve);  // true/false
+console.log(review.issues);   // [{severity, message, file, line}]
+```
+
+## License
+
+MIT

package/action.yml

@@ -0,0 +1,57 @@
+name: 'AI Code Review'
+description: 'AI-powered PR code review using OpenCode'
+branding:
+  icon: 'eye'
+  color: 'purple'
+
+inputs:
+  api-key:
+    description: 'API key for the AI provider (e.g. Anthropic, OpenAI). Optional if already set in environment.'
+    required: false
+    default: ''
+  severity-threshold:
+    description: 'Minimum severity to block merge (blocking, warning, info)'
+    required: false
+    default: 'blocking'
+  prompt:
+    description: 'Path to a custom prompt template file'
+    required: false
+    default: ''
+  post-review:
+    description: 'Whether to post a PR review (approve/request-changes) in addition to a comment'
+    required: false
+    default: 'true'
+  max-diff-size:
+    description: 'Maximum diff size in characters before truncation (default: 100000)'
+    required: false
+    default: '100000'
+  exclude-patterns:
+    description: 'Comma-separated glob patterns of files to exclude from the diff (e.g. "*.lock,dist/**")'
+    required: false
+    default: ''
+  opencode-config:
+    description: 'Path to OpenCode config file'
+    required: false
+    default: ''
+  rules:
+    description: 'Path to a file or directory of review rules. If a directory, all files are loaded and concatenated. Rules are injected into the prompt as evaluation criteria.'
+    required: false
+    default: ''
+  opencode-version:
+    description: 'Pinned version of opencode-ai to install (default: 0.2.21)'
+    required: false
+    default: '0.2.21'
+
+outputs:
+  approved:
+    description: 'Whether the review approved the PR (true/false)'
+  summary:
+    description: 'Review summary text'
+  issues-count:
+    description: 'Total number of issues found'
+  blocking-count:
+    description: 'Number of blocking issues found'
+
+runs:
+  using: 'node24'
+  main: 'dist/index.js'

package/bin/cli.js

@@ -0,0 +1,161 @@
+#!/usr/bin/env node
+
+const { runFullReview, shouldFailForThreshold, countBySeverity } = require('../src/core/engine');
+const githubPlatform = require('../src/platforms/github');
+const bitbucketPlatform = require('../src/platforms/bitbucket');
+
+const PLATFORMS = {
+  github: githubPlatform,
+  bitbucket: bitbucketPlatform,
+};
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+
+  if (args.help) {
+    printUsage();
+    process.exit(0);
+  }
+
+  const log = console.log;
+
+  // Detect or use specified platform
+  let platformName = args.platform;
+  if (!platformName && !args['output-only']) {
+    for (const [name, platform] of Object.entries(PLATFORMS)) {
+      if (platform.detect()) {
+        platformName = name;
+        log(`Auto-detected platform: ${name}`);
+        break;
+      }
+    }
+  }
+
+  // Get PR metadata — from platform or CLI args
+  let prMeta;
+  if (platformName && !args['output-only']) {
+    const platform = PLATFORMS[platformName];
+    if (!platform) {
+      console.error(`Unknown platform: ${platformName}. Supported: ${Object.keys(PLATFORMS).join(', ')}`);
+      process.exit(1);
+    }
+    const token = args.token || process.env.GH_TOKEN || process.env.GITHUB_TOKEN || process.env.BB_TOKEN || process.env.BITBUCKET_TOKEN;
+    prMeta = await platform.getPrMetadata(token);
+  } else {
+    // Manual mode — require CLI args
+    prMeta = {
+      prNumber: args['pr-number'] || '0',
+      prTitle: args['pr-title'] || '',
+      prAuthor: args['pr-author'] || '',
+      prBody: args['pr-body'] || '',
+      baseBranch: args['base-branch'] || 'main',
+    };
+  }
+
+  // Run the review
+  const review = await runFullReview({
+    baseBranch: prMeta.baseBranch,
+    prTitle: prMeta.prTitle,
+    prAuthor: prMeta.prAuthor,
+    prBody: prMeta.prBody,
+    prNumber: prMeta.prNumber,
+    promptPath: args.prompt || undefined,
+    rulesPath: args.rules || undefined,
+    excludePatterns: args.exclude || '',
+    maxDiffSize: parseInt(args['max-diff-size'] || '100000', 10),
+    opencodeVersion: args['opencode-version'] || undefined,
+    opencodeConfig: args['opencode-config'] || undefined,
+    apiKey: args['api-key'] || undefined,
+    log,
+  });
+
+  // Output JSON if requested
+  if (args['output-only']) {
+    console.log(JSON.stringify(review, null, 2));
+    process.exit(review.approve ? 0 : 1);
+  }
+
+  // Post to platform
+  const token = args.token || process.env.GH_TOKEN || process.env.GITHUB_TOKEN || process.env.BB_TOKEN || process.env.BITBUCKET_TOKEN;
+  if (!token) {
+    console.error('Error: No token provided. Use --token or set GH_TOKEN / BB_TOKEN env var.');
+    process.exit(1);
+  }
+
+  const platform = PLATFORMS[platformName];
+  await platform.postReview(review, {
+    prNumber: prMeta.prNumber,
+    token,
+    postReview: args['post-review'] !== 'false',
+    log,
+  });
+
+  // Check threshold
+  const threshold = args['severity-threshold'] || 'blocking';
+  const fail = shouldFailForThreshold(review, threshold);
+  if (fail) {
+    console.error(fail);
+    process.exit(1);
+  }
+
+  const blockingCount = countBySeverity(review.issues, 'blocking');
+  log(`Review complete. Approved: ${review.approve}. Issues: ${review.issues.length} (${blockingCount} blocking).`);
+}
+
+function parseArgs(argv) {
+  const args = {};
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg.startsWith('--')) {
+      const key = arg.slice(2);
+      const next = argv[i + 1];
+      if (!next || next.startsWith('--')) {
+        args[key] = true;
+      } else {
+        args[key] = next;
+        i++;
+      }
+    }
+  }
+  return args;
+}
+
+function printUsage() {
+  console.log(`
+ai-review-agent - AI-powered code review for pull requests
+
+USAGE:
+  ai-review-agent [options]
+
+PLATFORMS:
+  --platform <name>       Platform to use: github, bitbucket (auto-detected if omitted)
+  --token <token>         API token for posting reviews (or set GH_TOKEN / BB_TOKEN env var)
+
+PR METADATA (auto-detected in CI, required for --output-only):
+  --pr-number <n>         PR number
+  --pr-title <title>      PR title
+  --pr-author <author>    PR author
+  --pr-body <body>        PR description
+  --base-branch <branch>  Base branch (default: main)
+
+REVIEW OPTIONS:
+  --prompt <path>         Path to custom prompt template
+  --rules <path>          Path to rules file or directory
+  --exclude <patterns>    Comma-separated glob patterns to exclude
+  --max-diff-size <n>     Max diff size in chars (default: 100000)
+  --severity-threshold <s> Fail threshold: blocking, warning, info (default: blocking)
+  --opencode-version <v>  Pinned opencode-ai version
+  --opencode-config <path> Path to OpenCode config file
+  --api-key <key>         API key for AI provider
+  --post-review <bool>    Post approve/request-changes review (default: true)
+
+OUTPUT:
+  --output-only           Print JSON review to stdout and exit (no platform posting)
+  --help                  Show this help
+`);
+}
+
+main().catch((err) => {
+  console.error(`Fatal: ${err.message}`);
+  process.exit(1);
+});

package/dist/default.txt

@@ -0,0 +1,41 @@
+You are an expert code reviewer. All context is provided below — do NOT use any tools, do NOT read any files, do NOT explore the codebase.
+
+Respond with ONLY valid JSON (no markdown, no code blocks, no extra text).
+
+Schema:
+{
+  "approve": boolean,
+  "summary": "1-2 sentence overview",
+  "issues": [
+    {
+      "severity": "blocking" | "warning" | "info",
+      "message": "concise description under 120 chars",
+      "file": "path/to/file.ts",
+      "line": 42,
+      "endLine": 45
+    }
+  ],
+  "recommendation": "brief next steps"
+}
+
+Rules:
+- approve=true only if NO blocking issues
+- blocking = bugs, security issues, breaking changes
+- warning = code quality, missing tests, improvements
+- info = minor suggestions, style nits
+- "file" must be an exact path from the diff header (e.g. the "b/" path)
+- "line" must be a line number from the diff's @@ hunk headers (the "+" side)
+- "endLine" is optional, only include if the issue spans multiple lines
+- Maximum 10 issues total
+- Some files (lockfiles, build artifacts, the review action itself) are intentionally excluded. Do NOT flag missing files unless the diff has broken imports.
+
+{{RULES}}
+
+PR Title: {{PR_TITLE}}
+Author: {{PR_AUTHOR}}
+Description: {{PR_BODY}}
+
+{{CONTEXT}}
+
+Diff:
+{{DIFF}}