@catladder/pipeline 3.14.1 → 3.15.0

package/dist/constants.js

@@ -4,5 +4,5 @@ Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.DOCKER_REGISTRY = exports.PIPELINE_IMAGE_TAG = void 0;
-exports.PIPELINE_IMAGE_TAG = "v3-14-1-9dff16f0" || "latest";
+exports.PIPELINE_IMAGE_TAG = "v3-15-0-a13103cb" || "latest";
 exports.DOCKER_REGISTRY = "git.panter.ch:5001/catladder/catladder" || "git.panter.ch:5001/catladder/catladder";

package/dist/pipeline/agent/createAgentContext.d.ts

@@ -1,5 +1,22 @@
 import type { Config } from "../../types";
-import type { AgentContext } from "../../types/context";
+export declare class AgentContext {
+  private readonly agentName;
+  private readonly config;
+  constructor(agentName: string, config: Config);
+  readonly type = "agent";
+  get name(): string;
+  get agentConfig(): import("../../types").AgentConfig;
+  get agentUser(): {
+    username: string;
+    userId: string;
+  };
+  get reviews(): {
+    byUser: Record<string, {
+      automatic: boolean;
+    }> | "all-automatic";
+  };
+  get fullConfig(): Config;
+}
 export declare const createAgentContext: (ctx: {
   agentName: string;
   config: Config;

package/dist/pipeline/agent/createAgentContext.js

@@ -118,23 +118,70 @@ var __generator = this && this.__generator || function (thisArg, body) {
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.createAgentContext = void 0;
-var createAgentContext = function (ctx) {
-  return __awaiter(void 0, void 0, void 0, function () {
-    var agentConfig;
-    var _a;
-    return __generator(this, function (_b) {
-      agentConfig = (_a = ctx.config.agents) === null || _a === void 0 ? void 0 : _a[ctx.agentName];
+exports.createAgentContext = exports.AgentContext = void 0;
+var AgentContext = /** @class */function () {
+  function AgentContext(agentName, config) {
+    this.agentName = agentName;
+    this.config = config;
+    this.type = "agent";
+  }
+  Object.defineProperty(AgentContext.prototype, "name", {
+    get: function () {
+      return this.agentName;
+    },
+    enumerable: false,
+    configurable: true
+  });
+  Object.defineProperty(AgentContext.prototype, "agentConfig", {
+    get: function () {
+      var _a;
+      var agentConfig = (_a = this.config.agents) === null || _a === void 0 ? void 0 : _a[this.agentName];
       if (!agentConfig) {
-        throw new Error("Agent ".concat(ctx.agentName, " not found in config"));
+        throw new Error("Agent ".concat(this.agentName, " not found in config"));
       }
-      return [2 /*return*/, {
-        type: "agent",
-        name: ctx.agentName,
-        //env: ctx.env,
-        fullConfig: ctx.config,
-        agentConfig: agentConfig
-      }];
+      return agentConfig;
+    },
+    enumerable: false,
+    configurable: true
+  });
+  Object.defineProperty(AgentContext.prototype, "agentUser", {
+    get: function () {
+      var _a, _b, _c, _d;
+      return {
+        username: (_b = (_a = this.agentConfig.agentUser) === null || _a === void 0 ? void 0 : _a.username) !== null && _b !== void 0 ? _b : "agent.claude",
+        userId: (_d = (_c = this.agentConfig.agentUser) === null || _c === void 0 ? void 0 : _c.userId) !== null && _d !== void 0 ? _d : "$DEFAULT_AGENT_USER_ID"
+      };
+    },
+    enumerable: false,
+    configurable: true
+  });
+  Object.defineProperty(AgentContext.prototype, "reviews", {
+    get: function () {
+      var _a;
+      var _b, _c;
+      return {
+        byUser: (_c = (_b = this.agentConfig.reviews) === null || _b === void 0 ? void 0 : _b.byUser) !== null && _c !== void 0 ? _c : (_a = {}, _a[this.agentUser.username] = {
+          automatic: true
+        }, _a)
+      };
+    },
+    enumerable: false,
+    configurable: true
+  });
+  Object.defineProperty(AgentContext.prototype, "fullConfig", {
+    get: function () {
+      return this.config;
+    },
+    enumerable: false,
+    configurable: true
+  });
+  return AgentContext;
+}();
+exports.AgentContext = AgentContext;
+var createAgentContext = function (ctx) {
+  return __awaiter(void 0, void 0, void 0, function () {
+    return __generator(this, function (_a) {
+      return [2 /*return*/, new AgentContext(ctx.agentName, ctx.config)];
     });
   });
 };

package/dist/pipeline/agent/createAgentReviewJob.js

@@ -52,13 +52,29 @@ var utils_1 = require("./utils");
 var createAgentReviewJob = function (context) {
   var baseJob = (0, shared_1.createBaseAgentJob)(context);
   var agentUserName = (0, utils_1.getAgentUserName)(context);
+  var rules = context.reviews.byUser === "all-automatic" ? [__assign(__assign({}, rules_1.RULE_IS_MERGE_REQUEST), {
+    when: "always"
+  })] : Object.entries(context.reviews.byUser).filter(function (_a) {
+    var _b = __read(_a, 2),
+      _ = _b[0],
+      automatic = _b[1].automatic;
+    return automatic;
+  }).map(function (_a) {
+    var _b = __read(_a, 1),
+      username = _b[0];
+    return {
+      // GITLAB_USER_LOGIN is the username of the user who created the pipeline
+      if: "".concat(rules_1.RULE_IS_MERGE_REQUEST.if, " && $GITLAB_USER_LOGIN == \"").concat(username, "\""),
+      when: "always"
+    };
+  });
   return __assign(__assign({}, baseJob), {
     name: context.name + "-agent-review",
-    rules: [__assign(__assign({}, rules_1.RULE_IS_MERGE_REQUEST), {
-      when: "always"
+    rules: __spreadArray(__spreadArray([], __read(rules), false), [__assign(__assign({}, rules_1.RULE_IS_MERGE_REQUEST), {
+      when: "manual"
     }), {
       when: "never"
-    }],
+    }], false),
     script: __spreadArray(__spreadArray([], __read(shared_1.baseSetupScript), false), __read((0, shared_1.callClaude)({
       prompt: (0, prompts_1.getMergeRequestPrompt)({
         agentUserName: agentUserName

package/dist/pipeline/agent/prompts.d.ts

@@ -1,10 +1,6 @@
 type Ctx = {
   agentUserName: string;
 };
-export declare const getEventPrompt: ({
-  agentUserName
-}: Ctx) => string;
-export declare const getMergeRequestPrompt: ({
-  agentUserName
-}: Ctx) => string;
+export declare const getEventPrompt: (ctx: Ctx) => string;
+export declare const getMergeRequestPrompt: (ctx: Ctx) => string;
 export {};

package/dist/pipeline/agent/prompts.js

@@ -1,9 +1,13 @@
 "use strict";
 
+// prompts.ts — MCP-only, DRY, review-first-then-push, CI logic, self-mention guard,
+// event prompt supports review-on-demand via manual "agent-review" job or fallback MR review.
+// Prevents double-runs: event-triggered work cancels any running "agent-review" job on the same MR.
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.getMergeRequestPrompt = exports.getEventPrompt = void 0;
+/* ---------- Shared blocks ---------- */
 var header = function () {
   return "\nProject ID: $CI_PROJECT_ID\nGitLab Host: $CI_SERVER_URL\n";
 };
@@ -13,54 +17,64 @@ var identity = function (_a) {
 };
 var goldenRules = function (_a) {
   var agentUserName = _a.agentUserName;
-  return "\n## Golden Rules\n- Use the `gitlab-mcp` tool for ALL GitLab actions. If a needed action is missing, use GitLab REST/GraphQL API directly as a fallback.\n- NEVER mention yourself (\"@".concat(agentUserName, "\").\n- NEVER push to main/default or any protected branch. Always create a new branch and open a Merge Request (MR).\n- Do not create an MR for a **closed** issue.\n- Keep actions minimal and idempotent. Avoid duplicate comments or duplicate MRs.\n- Use ONE stable `source_branch` per run; do not regenerate its name later.\n");
+  return "\n## Golden Rules\n- Use the `gitlab-mcp` tool for ALL GitLab actions. Do not call any other APIs.\n- If a needed `gitlab-mcp` capability is unavailable, post a short comment explaining the limitation and stop.\n- NEVER mention yourself (\"@".concat(agentUserName, "\") anywhere (comments, descriptions, titles, commit messages).\n- NEVER push to main/default or any protected branch. Always create a new branch and open a Merge Request (MR).\n- Always assign yourself as the assignee of any MR you create.\n- Do not create an MR for a **closed** issue.\n- Keep actions minimal and idempotent. Avoid duplicate comments or duplicate MRs.\n- Use ONE stable `source_branch` per run; do not regenerate its name later.\n");
+};
+var selfMentionGuard = function (_a) {
+  var agentUserName = _a.agentUserName;
+  return "\n## Self-mention Guard (mandatory preflight for ALL writes)\nBefore ANY call that writes text (comment/create/update MR/issue/commit message), sanitize the text:\n\n- Remove all occurrences of your own handle:\n  - Match case-insensitively: `/@?".concat(agentUserName, "\\b/gi`\n  - Also strip variants inside parentheses or brackets if present.\n- Do NOT replace with another token; simply remove the self @-mention.\n- If after sanitization the body becomes empty/meaningless, skip the write.\n\nAdditionally:\n- If the last actor/author of the target item is you (\"").concat(agentUserName, "\"), **do not** post an acknowledgement comment (avoid loops on your own events).\n- To assign yourself, use the MCP assignee field(s). Do **not** mention yourself in the body to indicate assignment.\n");
 };
 var commentGuidelines = function () {
-  return "\n## Comment Guidelines (flexible, not verbatim)\n- Keep tone professional, friendly, and concise.\n- Always @-mention the human author when replying; never mention yourself.\n- Acknowledgements: confirm you saw the request and you\u2019ll handle it.\n- MR updates: acknowledge feedback and say you\u2019ll apply/have applied the change.\n- Q&A: answer directly first; add context/links only if useful.\n- Avoid repeating identical boilerplate across comments.\n";
+  return "\n## Comment Guidelines (flexible, not verbatim)\n- Professional, friendly, concise.\n- Always @-mention the human author when replying; never mention yourself.\n- Acknowledgements: confirm you saw the request and you\u2019ll handle it.\n- MR updates: acknowledge feedback and say you\u2019ll apply/have applied the change.\n- Q&A: answer directly first; add context/links only if useful.\n- Avoid repeating identical boilerplate across comments.\n";
 };
-var mcpAndApi = function () {
-  return "\n## Tools & API (MCP-first, REST/GraphQL fallback)\nUse these `gitlab-mcp` capabilities when available (names illustrative\u2014match the actual tool schema):\n\n- **Comments**\n  - `gitlab-mcp.comment.create({ project_id: $CI_PROJECT_ID, target: \"issue\"|\"mr\", iid, body })`\n\n- **Branch**\n  - `gitlab-mcp.branch.create({ project_id: $CI_PROJECT_ID, from: \"<default_branch>\", name: \"<source_branch>\" })`\n\n- **Commits & push**\n  - `gitlab-mcp.commit.push({ project_id: $CI_PROJECT_ID, branch: \"<source_branch>\", message, files: [{ path, content | patch }] })`\n\n- **Merge Requests**\n  - `gitlab-mcp.merge_request.create({ project_id: $CI_PROJECT_ID, source_branch, target_branch: \"<default_branch>\", title, description, assign_to_self: true })`\n  - `gitlab-mcp.merge_request.update({ project_id: $CI_PROJECT_ID, mr_iid, ... })`\n  - `gitlab-mcp.merge_request.rebase({ project_id: $CI_PROJECT_ID, mr_iid, onto: \"<default_branch>\" })`\n\n- **Read/verify**\n  - `gitlab-mcp.project.get({ project_id: $CI_PROJECT_ID })` \u2192 default branch\n  - `gitlab-mcp.repo.compare({ project_id: $CI_PROJECT_ID, from: \"<default_branch>\", to: \"<source_branch>\" })`\n  - `gitlab-mcp.repo.branch.get({ project_id: $CI_PROJECT_ID, name: \"<source_branch>\" })`\n  - `gitlab-mcp.repo.commits.list({ project_id: $CI_PROJECT_ID, ref_name: \"<source_branch>\", per_page: 1 })`\n\n### Fallback: Direct GitLab API\nIf MCP lacks an operation, call GitLab\u2019s REST/GraphQL API directly.\n\n- **Authentication**  \n  Use the environment variable `GITLAB_PERSONAL_ACCESS_TOKEN`.  \n  Send it in the HTTP header:\n  ```\n  Private-Token: $GITLAB_PERSONAL_ACCESS_TOKEN\n  ```\n\n- **Host & project variables**\n  - API base URL: `$CI_SERVER_URL/api/v4`\n  - Project ID: `$CI_PROJECT_ID`\n\n- **Examples**\n  - Get project (default branch):  \n    `GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID`\n  - Get/create branch:  \n    `GET|POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/repository/branches`\n  - Compare refs:  \n    `GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/repository/compare?from=<default>&to=<source>`\n  - List commits:  \n    `GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/repository/commits?ref_name=<branch>&per_page=1`\n  - Create comment on issue/MR:  \n    `POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/issues/:iid/notes`  \n    `POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests/:iid/notes`\n  - Create MR:  \n    `POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests`\n  - Get MR changes:  \n    `GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests/:iid/changes`\n";
+/* Exact tool names from @zereight/mcp-gitlab (lean, indicative signatures) */
+var mcpOnly = function () {
+  return "\n## gitlab-mcp Operations (exact tool names; indicative params)\n\n- **Comments / Notes**\n  - create_note({ projectId, targetType: \"issue\"|\"merge_request\", iid, body })\n  - create_issue_note({ projectId, issueIid, body })\n  - create_merge_request_note({ projectId, mergeRequestIid, body })\n  - update_issue_note({ projectId, issueIid, noteId, body })\n  - update_merge_request_note({ projectId, mergeRequestIid, noteId, body })\n  - mr_discussions({ projectId, mergeRequestIid })\n\n- **Issues**\n  - create_issue({ projectId, title, description, assigneeUsernames?: string[] })\n  - list_issues({ projectId, state?: \"opened\"|\"closed\", scope?: \"all\"|... })\n\n- **Branch & Files**\n  - create_branch({ projectId, branchName, ref })                 // ref = default branch or SHA\n  - push_files({ projectId, branch, commitMessage, files: [{ filePath, content }] })\n  - create_or_update_file({ projectId, branch, filePath, content, commitMessage })\n  - get_file_contents({ projectId, ref, path })\n  - get_branch_diffs({ projectId, from, to })                      // compare refs\n\n- **Merge Requests**\n  - create_merge_request({ projectId, sourceBranch, targetBranch, title, description, assigneeUsernames?: string[] })\n  - get_merge_request({ projectId, mergeRequestIid? , branchName? })\n  - get_merge_request_diffs({ projectId, mergeRequestIid? , branchName? })\n  - list_merge_request_diffs({ projectId, mergeRequestIid? , branchName?, page?, perPage? })\n  - update_merge_request({ projectId, mergeRequestIid? , branchName?, title?, description?, draft?, assigneeUsernames? })\n  - merge_merge_request(...)  // **Do NOT use** (never merge)\n\n- **Pipelines / Jobs**  (requires env USE_PIPELINE=true)\n  - list_pipeline_jobs({ projectId, pipelineId })\n  - get_pipeline_job_output({ projectId, pipelineId, jobId })\n  - retry_pipeline({ projectId, pipelineId })\n  - retry_pipeline_job({ projectId, jobId })\n  - play_pipeline_job({ projectId, jobId })\n  - cancel_pipeline_job({ projectId, jobId })\n";
 };
 var outputDiscipline = function (_a) {
   var agentUserName = _a.agentUserName;
-  return "\n## Output Discipline\n- Prefer `gitlab-mcp` tool calls. If unavailable, output direct API requests (endpoint, method, headers, JSON body).\n- Keep comments concise and professional.\n- Never include \"@".concat(agentUserName, "\" in any body.\n");
+  return "\n## Output Discipline\n- Output only `gitlab-mcp` tool calls and plain-text summaries where requested.\n- Keep comments concise and professional.\n- Never include \"@".concat(agentUserName, "\" in any body.\n");
 };
-// --- Event-specific sections ---
+/* ---------- Event (webhook) specific ---------- */
 var eventSelfParse = function () {
-  return "\n## Self-Parse the Raw Payload (no preprocessing available)\nFrom `event_json`, extract:\n- kind: \"issue\" | \"merge_request\" | \"note\"\n- target + iid from URL:\n  - `/-/issues/<n>` \u2192 target=\"issue\", iid=<n>\n  - `/-/merge_requests/<n>` \u2192 target=\"mr\", iid=<n>\n- note_id if present (`#note_<id>`)\n- description/body text, state, author `user_username`, timestamps\n- project id/path; detect default branch via tool/API when needed\n\nIf any key is missing, choose the safest minimal action or briefly explain via a comment.\n";
+  return "\n## Self-Parse the Raw Payload (no preprocessing available)\nFrom `event_json`, extract:\n- kind: \"issue\" | \"merge_request\" | \"note\"\n- target + iid from URL:\n  - `/-/issues/<n>` \u2192 target=\"issue\", iid=<n>\n  - `/-/merge_requests/<n>` \u2192 target=\"mr\", iid=<n>\n- note_id if present (`#note_<id>`)\n- description/body text, state, author `user_username`, timestamps\n- project id/path; detect default branch via `get_merge_request`/context as needed\n\nIf any key is missing, choose the safest minimal action or briefly explain via a comment.\n";
+};
+// NEW: Single-runner guard (event-triggered → existing MR)
+var singleRunnerGuard = function () {
+  return "\n## Single-Runner Guard (event-triggered work on an existing MR)\nBefore entering MR Review Mode from an event:\n\n- **Goal:** Avoid two agents working the same MR. If a **running or pending** CI job whose name **ends with \"agent-review\"** is active for this MR, **cancel** it first.\n\n**Best-effort procedure (MCP-only):**\n1) If `$CI_PIPELINE_ID` is available (this event is executing inside a CI context for the same MR):\n   - Call `list_pipeline_jobs({ projectId: $CI_PROJECT_ID, pipelineId: $CI_PIPELINE_ID })`.\n   - Identify any job where `status` is `\"running\"` or `\"pending\"` **and** `name` **endsWith** `\"agent-review\"`.\n   - For each match, call `cancel_pipeline_job({ projectId: $CI_PROJECT_ID, jobId })`.\n   - Proceed with review immediately after issuing cancellations (do not wait).\n\n2) If `$CI_PIPELINE_ID` is **not** available, or jobs for this MR cannot be listed with available MCP calls:\n   - Post a short MR note stating you are proceeding but **cannot verify/cancel** a running `agent-review` job due to missing capabilities.\n   - Proceed with review.\n\n**Notes:**\n- Keep this guard **idempotent** (safe to run multiple times).\n- This guard only applies to **event-triggered** flows that decide to act on an **existing MR**.\n";
+};
+var reviewOnDemandFromEvents = function () {
+  return "\n## Review-on-Demand (from events)\nIf the issue/note text **asks for a review** (case-insensitive tokens like: \"review\", \"please review\", \"PTAL\", \"needs review\", \"can you look at\", \"LGTM?\"), then:\n\n1) **Check for pipeline review job**\n   - List jobs for the current pipeline `$CI_PIPELINE_ID` via `list_pipeline_jobs`.\n   - If any job has `status = \"manual\"` **and** its `name` ends with \"agent-review\":\n     - Trigger it via `play_pipeline_job({ projectId: $CI_PROJECT_ID, jobId })`.\n     - Post a short comment confirming you triggered the review job (sanitize).\n     - **Stop** further review actions.\n\n2) **If no such job exists, resolve which MR to review**:\n   - If the event target is an MR \u2192 use its `iid`.\n   - Else, parse the text for MR references in order:\n     - `!<iid>` (e.g., `!123`)\n     - `/-/merge_requests/<iid>` in a path or URL\n     - full GitLab MR URL\n   - If no MR can be resolved, reply with a brief comment asking the user to reference an MR (sanitize) and **stop**.\n\n3) **Single-Runner Guard (cancel any running \"agent-review\" job)**   // NEW: Single-runner guard\n   - Execute the **Single-Runner Guard** steps above **before** MR Review Mode.\n\n4) **Enter MR Review Mode**: execute the **MR Review Bundle** below with the resolved `mr_iid`.\n";
 };
-var eventWorkflow = function () {
-  return "\n## High-Reliability Workflow (sequence + postconditions)\nFollow this order for any change work:\n\n1) **Acknowledge** with a short comment on the issue/MR thread.\n2) **Discover default branch** (e.g., \"main\") via MCP or API.\n3) **Create a working branch** from default (stable name, e.g., `fix/issue-<iid>-<slug>` or `feat/issue-<iid>-<slug>`).\n4) **Write changes \u2192 commit \u2192 push to remote branch.**\n5) **Verify push landed**:\n   - Fetch latest commit on `source_branch`; record its short SHA.\n   - Compare default vs `source_branch` and ensure `diffs.length > 0`.\n6) **Create or update MR** ONLY if there is a non-empty diff.\n   - Include `Closes #<issue_iid>` in MR description when applicable.\n   - Assign yourself to the MR.\n7) **Follow-up comment** with branch name, commit short SHA, files changed count, and MR link.\n8) **If verification fails**:\n   - Do NOT create the MR.\n   - Comment the exact failure and retry once with a fresh branch name. If still failing, comment and stop.\n\nFor Q&A-only (no code changes), just post a concise, helpful answer on the same issue/MR.\n";
+/** Regular event workflow for non-review work */
+var eventWorkflow = function (_a) {
+  var agentUserName = _a.agentUserName;
+  return "\n## High-Reliability Workflow (sequence + postconditions)\nFollow this order for any change work:\n\n1) **Acknowledge** with a short comment on the issue/MR thread (`create_note`), **unless the last actor is you**.\n2) **Discover default branch** (e.g., \"main\") \u2014 infer from repo/MR context if needed.\n3) **Create a working branch** from default (stable name, e.g., `fix/issue-<iid>-<slug>` or `feat/issue-<iid>-<slug>`) via `create_branch`.\n4) **Write changes \u2192 commit \u2192 push to remote branch** via `push_files` (or `create_or_update_file`).\n5) **Verify push landed**:\n   - Fetch latest state (optional: `get_file_contents`/log) and capture a short SHA from the branch head if exposed by the host.\n   - Compare default vs `source_branch` via `get_branch_diffs({ from: \"<default>\", to: \"<source>\" })` and ensure there are diffs.\n6) **Create or update MR** ONLY if there is a non-empty diff via `create_merge_request`.\n   - Include `Closes #<issue_iid>` in MR description when applicable.\n   - **Assign the MR to yourself**: `assigneeUsernames: [\"".concat(agentUserName, "\"]`.\n7) **Follow-up comment** with branch name, any commit short SHA you can obtain, files changed count (approx by diffs), and MR link via `create_note`, **unless the last actor is you**.\n8) **If verification fails**:\n   - Do NOT create the MR.\n   - Comment the exact failure and retry once with a fresh branch name. If still failing, comment and stop.\n\nFor Q&A-only (no code changes), just post a concise, helpful answer on the same issue/MR (sanitize first).\n");
 };
-// --- MR-specific sections ---
+/* ---------- MR-review specific (shared with both prompts) ---------- */
 var mrScope = function (_a) {
   var agentUserName = _a.agentUserName;
-  return "\n## Identity & Scope\n- Your GitLab username is \"".concat(agentUserName, "\".\n- This prompt runs in the context of ONE MR (no webhook).\n- You may review, comment, rebase, and push updates **to the MR's source branch**.\n- You must **never merge** the MR yourself.\n");
+  return "\n## Identity & Scope\n- Your GitLab username is \"".concat(agentUserName, "\".\n- This prompt runs in the context of ONE MR.\n- You may review, comment, and push updates **to the MR's source branch**.\n- You must **never merge** the MR yourself.\n");
 };
 var mrWorkflow = function () {
-  return "\n## High-Reliability Review Workflow\nFollow this sequence with verification at each step:\n\n1) **Collect context**\n   - Get MR metadata (source_branch, target_branch, state, draft/WIP).\n   - Fetch the full changeset/diffs and open discussions (notes, threads, unresolved discussions).\n   - Read existing reviews/comments to avoid duplication.\n   - (Optional) Fetch recent CI pipeline(s) for this MR SHA/branch).\n\n2) **Code review**\n   - Identify required changes (bugs, tests, style, security, perf, docs).\n   - If no meaningful changes are needed:\n     - Post a concise review comment summarizing findings.\n     - Ask for review by a **recent active human contributor** (not you).\n\n3) **If changes are needed**\n   - Post a short acknowledgment comment on the MR.\n   - **Rebase** the MR onto the target/default branch (resolve trivial conflicts).\n   - Implement minimal, safe changes; keep commits small and clear.\n   - **Push** to the MR's **source_branch**.\n   - **Verify push landed** (latest commit short SHA; compare target vs source shows diffs > 0).\n   - Comment summarizing what changed and why.\n\n4) **CI pipeline**\n   - Check pipeline status for the new commit on the MR branch.\n   - Retry/re-run if allowed on flaky failures; fix minimal issues; push again if needed.\n   - If still failing, comment with failure summary and next steps.\n\n5) **Assign human reviewer if ready**\n   - If discussions are resolved and CI is passing (or running), request review from a recent active human contributor (not you).\n\n6) **Stdout summary**\n   - Print concise summary: commits pushed (short SHAs), files changed count, discussions resolved/left, CI status, and requested reviewers.\n";
+  return "\n## High-Reliability Review Workflow\nFollow this sequence with verification at each step:\n\n1) **Collect context**\n   - Get MR metadata via `get_merge_request({ projectId: $CI_PROJECT_ID, mergeRequestIid })`.\n   - Fetch the full changeset/diffs via `get_merge_request_diffs` (or `list_merge_request_diffs`) and open discussions via `mr_discussions`.\n   - Read existing notes to avoid duplication.\n\n2) **Code review**\n   - Identify required changes (bugs, tests, style, security, perf, docs).\n   - Always **post your review comments first** using `create_merge_request_note` (ack + concrete notes). Sanitize before sending.\n   - Set an internal intent flag:\n     - `will_push_changes = true` if you will modify code/config.\n     - `will_push_changes = false` if it\u2019s commentary-only.\n\n3) **Implement changes after review is posted (only if `will_push_changes = true`)**\n   - If needed, create the working branch from the target/default (or use existing MR source branch).\n   - Apply minimal, safe changes; keep commits small and clear.\n   - **Push** to the MR's **source branch** via `push_files` (or `create_or_update_file`).\n   - **Verify push landed** using `get_branch_diffs({ from: \"<target_branch>\", to: \"<source_branch>\" })` and ensure there are diffs.\n   - Post a follow-up MR note summarizing what changed and why (sanitize).\n";
 };
-var fallbackApiAuth = function () {
-  return "\n## Fallback API Auth (if MCP lacks a method)\n- Base URL: `$CI_SERVER_URL/api/v4`\n- Project: `$CI_PROJECT_ID`\n- Header: `Private-Token: $GITLAB_PERSONAL_ACCESS_TOKEN`\n";
+var ciInspection = function () {
+  return "\n4) **CI jobs (current pipeline focus: diagnose first, retry only when useful)**\n   - Inspect jobs for the **current pipeline**: `$CI_PIPELINE_ID` via `list_pipeline_jobs`.\n   - Consider **only** jobs with `status = \"failed\"` and `allow_failure = false`.\n   - For each such job:\n     1. Retrieve details (id, name, stage, status, allow_failure, web_url).\n     2. Fetch job output via `get_pipeline_job_output({ projectId: $CI_PROJECT_ID, pipelineId: $CI_PIPELINE_ID, jobId })`.\n     3. **Classify the failure**:\n        - **Code-related (do not retry):** compiler/type/lint/test/build script errors.\n        - **Likely transient (may retry):** network/timeouts/infra/cache/artifacts/5xx/429/etc.\n     4. **Decision**:\n        - If `will_push_changes = true`:\n          - **Do not retry** current pipeline (upcoming push will trigger a new one).\n          - Post an MR note: brief diagnosis per failed job; note a new pipeline will validate the fix (sanitize).\n        - If `will_push_changes = false`:\n          - If transient \u21D2 `retry_pipeline_job({ projectId: $CI_PROJECT_ID, jobId })` (or `retry_pipeline` if job-level retry not available).  \n            Post a note stating you retried and why (sanitize).\n          - If code-related \u21D2 do not retry; post a note with diagnosis and suggested fix (sanitize).\n   - Retry-once policy: at most **one** retry per job in this run.\n\n5) **Assign human reviewer if ready**\n   - If discussions are resolved and blocking CI issues are addressed or clearly triaged, request review from a recent active human contributor (not you), if supported by your environment.\n\n6) **Stdout summary**\n   - Print concise summary: branch used, files changed count (approx by diffs), discussions resolved/left, **blocking failed jobs (names + stages)** with classification (code vs transient), which jobs were retried (if any), and requested reviewers.\n";
 };
-// ---------- Public builders ----------
-var getEventPrompt = function (_a) {
+var outputDisciplineMR = function (_a) {
   var agentUserName = _a.agentUserName;
-  return "\nYou are a GitLab assistant bot. You receive ONE raw GitLab webhook JSON payload.\n\n".concat(header(), "\n---\nevent_json:\n$(cat $TRIGGER_PAYLOAD)\n---\n\n").concat(identity({
-    agentUserName: agentUserName
-  }), "\n").concat(goldenRules({
-    agentUserName: agentUserName
-  }), "\n").concat(eventSelfParse(), "\n").concat(eventWorkflow(), "\n").concat(commentGuidelines(), "\n").concat(mcpAndApi(), "\n").concat(outputDiscipline({
-    agentUserName: agentUserName
-  }), "\n");
+  return "\n## Output Discipline (MR)\n- Output only `gitlab-mcp` tool calls and the final plain-text summary.\n- Do **not** merge the MR yourself under any circumstance.\n- Never include \"@".concat(agentUserName, "\" in any body.\n");
+};
+/* ---------- Shared bundle for MR review ---------- */
+var mrReviewBundle = function (ctx) {
+  return "\n## MR Review Mode (execute ONLY when review intent is detected and an MR IID is resolved)\nResolved MR IID: <set this to the resolved `mr_iid` before executing>\n".concat(mrScope(ctx), "\n").concat(mrWorkflow(), "\n").concat(ciInspection(), "\n");
+};
+/* ---------- Public builders ---------- */
+var getEventPrompt = function (ctx) {
+  return "\nYou are a GitLab assistant bot. You receive ONE raw GitLab webhook JSON payload.\n\n".concat(header(), "\n---\nevent_json:\n$(cat $TRIGGER_PAYLOAD)\n---\n\n").concat(identity(ctx), "\n").concat(goldenRules(ctx), "\n").concat(selfMentionGuard(ctx), "\n").concat(eventSelfParse(), "\n").concat(singleRunnerGuard(), "  <!-- NEW: included so the agent can run it when acting on an existing MR -->\n").concat(reviewOnDemandFromEvents(), "\n").concat(mrReviewBundle(ctx), "  <!-- Included so the agent can execute it when review intent is true -->\n").concat(eventWorkflow(ctx), "\n").concat(commentGuidelines(), "\n").concat(mcpOnly(), "\n").concat(outputDiscipline(ctx), "\n");
 };
 exports.getEventPrompt = getEventPrompt;
-var getMergeRequestPrompt = function (_a) {
-  var agentUserName = _a.agentUserName;
-  return "\nYou are a GitLab assistant bot reviewing and updating a single Merge Request (MR).\n\n".concat(header(), "\n---\nmerge_request_iid: $CI_MERGE_REQUEST_IID\ntitle: $CI_MERGE_REQUEST_TITLE\ndescription: $CI_MERGE_REQUEST_DESCRIPTION\n---\n\n").concat(mrScope({
-    agentUserName: agentUserName
-  }), "\n").concat(goldenRules({
-    agentUserName: agentUserName
-  }), "\n").concat(mrWorkflow(), "\n").concat(commentGuidelines(), "\n").concat(mcpAndApi(), "\n").concat(fallbackApiAuth(), "\n## Output Discipline (MR)\n- Prefer `gitlab-mcp` tool calls; if unavailable, provide explicit REST calls (method, url, headers, body).\n- At the end, print a **plain-text** summary to STDOUT including:\n  - `source_branch` and `target_branch`\n  - commits pushed (short SHAs)\n  - number of files changed\n  - CI status/result\n  - reviewers requested (if any)\n- Do **not** merge the MR yourself under any circumstance.\n");
+var getMergeRequestPrompt = function (ctx) {
+  return "\nYou are a GitLab assistant bot reviewing and updating a single Merge Request (MR).\n\n".concat(header(), "\n---\nmerge_request_iid: $CI_MERGE_REQUEST_IID\ntitle: $CI_MERGE_REQUEST_TITLE\ndescription: $CI_MERGE_REQUEST_DESCRIPTION\n---\n\n").concat(mrScope(ctx), "\n").concat(goldenRules(ctx), "\n").concat(selfMentionGuard(ctx), "\n").concat(mrWorkflow(), "\n").concat(ciInspection(), "\n").concat(commentGuidelines(), "\n").concat(mcpOnly(), "\n").concat(outputDisciplineMR(ctx), "\n");
 };
 exports.getMergeRequestPrompt = getMergeRequestPrompt;

package/dist/pipeline/agent/shared.js

@@ -24,6 +24,6 @@ var callClaude = function (_a) {
   var prompt = _a.prompt;
   return ["export PROMPT=\"".concat((0, bashEscape_1.escapeNewlines)((0, bashEscape_1.escapeDoubleQuotes)((0, bashEscape_1.escapeBackTicks)(prompt))), "\""),
   //'echo "$PROMPT"',
-  "claude -p \"$PROMPT\" --permission-mode acceptEdits --allowedTools \"Bash(*) Read(*) Edit(*) Write(*) mcp__gitlab\" --verbose --debug"];
+  "claude -p \"$PROMPT\" --permission-mode acceptEdits --allowedTools \"Bash(*) Bash(git checkout:*) Read(*) Edit(*) Write(*) mcp__gitlab\" --verbose --debug"];
 };
 exports.callClaude = callClaude;