@delegance/claude-autopilot 1.0.0-alpha.4 → 1.0.0-alpha.5

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 1.0.0-alpha.5 (2026-04-21)
+
+### New Features
+
+- **`--format sarif --output <path>`** on `autopilot run` — serialises `RunResult` to SARIF 2.1.0; deduplicates rules by category; normalises URIs to repo-relative forward-slash; always emits `results: []` even on error so `upload-sarif` never fails on a missing file
+- **Auto GitHub Actions annotations** — when `GITHUB_ACTIONS=true`, `emitAnnotations()` fires after every run and writes `::error`/`::warning`/`::notice` workflow commands to stdout; GitHub renders these as inline annotations on the PR diff
+- **`src/formatters/`** — pure formatter modules (`sarif.ts`, `github-annotations.ts`) with full command-injection encoding (`%`, `\r`, `\n`, `:`, `,`) for annotation properties and data
+- **`action.yml`** composite action — checkout → setup-node@v4 → npx autopilot run → upload-sarif@v3; inputs: `version`, `config`, `sarif-output`, `openai-api-key`; upload step runs `if: always()` so findings surface even when run exits 1
+- 21 new formatter tests (11 SARIF + 10 annotations) → **95 total**
+
 ## 1.0.0-alpha.4 (2026-04-21)
 
 ### New Features

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "1.0.0-alpha.4",
+  "version": "1.0.0-alpha.5",
   "type": "module",
   "description": "Claude Code automation pipeline: spec → plan → implement → validate → PR",
   "keywords": ["claude", "autopilot", "ai", "pipeline", "code-review", "cli"],

package/src/cli/index.ts

@@ -17,7 +17,7 @@ import { runWatch } from './watch.ts';
 const args = process.argv.slice(2);
 
 const SUBCOMMANDS = ['init', 'run', 'preflight', 'help', '--help', '-h'] as const;
-const VALUE_FLAGS = ['base', 'config', 'files'];
+const VALUE_FLAGS = ['base', 'config', 'files', 'format', 'output', 'debounce'];
 
 // Detect first non-flag arg as subcommand, default to 'run'
 const subcommand = (args[0] && !args[0].startsWith('--')) ? args[0] : 'run';
@@ -53,6 +53,8 @@ Options (run):
   --config <path>      Path to config file (default: ./autopilot.config.yaml)
   --files <a,b,c>      Explicit comma-separated file list (skips git detection)
   --dry-run            Show what would run without executing
+  --format <text|sarif>  Output format (default: text)
+  --output <path>        Output file path (required with --format sarif)
 
 Options (watch):
   --config <path>      Path to config file (default: ./autopilot.config.yaml)
@@ -92,12 +94,25 @@ switch (subcommand) {
     const config = flag('config');
     const filesArg = flag('files');
     const dryRun = boolFlag('dry-run');
+    const formatArg = flag('format');
+    const outputPath = flag('output');
+
+    if (formatArg && formatArg !== 'text' && formatArg !== 'sarif') {
+      console.error(`\x1b[31m[autopilot] --format must be "text" or "sarif"\x1b[0m`);
+      process.exit(1);
+    }
+    if (formatArg === 'sarif' && !outputPath) {
+      console.error(`\x1b[31m[autopilot] --format sarif requires --output <path>\x1b[0m`);
+      process.exit(1);
+    }
 
     const code = await runCommand({
       base,
       configPath: config,
       files: filesArg ? filesArg.split(',').map(f => f.trim()) : undefined,
       dryRun,
+      format: formatArg as 'text' | 'sarif' | undefined,
+      outputPath,
     });
     process.exit(code);
     break;

package/src/cli/run.ts

@@ -10,6 +10,14 @@ import { resolveGitTouchedFiles } from '../core/git/touched-files.ts';
 import type { RunInput } from '../core/pipeline/run.ts';
 import type { ReviewEngine } from '../adapters/review-engine/types.ts';
 import type { AutopilotConfig } from '../core/config/types.ts';
+import { fileURLToPath } from 'node:url';
+import { toSarif } from '../formatters/sarif.ts';
+import { emitAnnotations } from '../formatters/github-annotations.ts';
+
+function readToolVersion(): string {
+  const pkgPath = path.join(path.dirname(fileURLToPath(import.meta.url)), '../../package.json');
+  return (JSON.parse(fs.readFileSync(pkgPath, 'utf8')) as { version: string }).version;
+}
 
 const C = {
   reset: '\x1b[0m',
@@ -31,6 +39,8 @@ export interface RunCommandOptions {
   base?: string;       // git base ref (default HEAD~1)
   files?: string[];    // explicit file list (skips git detection)
   dryRun?: boolean;    // skip review, print what would run
+  format?: 'text' | 'sarif';
+  outputPath?: string;
 }
 
 /**
@@ -109,6 +119,17 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
   console.log('');
   const result = await runAutopilot(input);
 
+  // emitAnnotations is a no-op unless GITHUB_ACTIONS=true
+  emitAnnotations(result.allFindings);
+
+  // Write SARIF output if requested
+  if (options.format === 'sarif' && options.outputPath) {
+    const sarif = toSarif(result, { toolVersion: readToolVersion(), cwd });
+    fs.mkdirSync(path.dirname(path.resolve(options.outputPath)), { recursive: true });
+    fs.writeFileSync(options.outputPath, JSON.stringify(sarif, null, 2), 'utf8');
+    console.log(fmt('dim', `[run] SARIF written to ${options.outputPath}`));
+  }
+
   // Print phase summaries
   for (const phase of result.phases) {
     const icon = phase.status === 'pass' ? fmt('green', '✓') :

package/src/formatters/github-annotations.ts

@@ -0,0 +1,36 @@
+import type { Finding } from '../core/findings/types.ts';
+
+export function encodeAnnotationProperty(s: string): string {
+  return s
+    .replace(/%/g, '%25')
+    .replace(/\r/g, '%0D')
+    .replace(/\n/g, '%0A')
+    .replace(/:/g, '%3A')
+    .replace(/,/g, '%2C');
+}
+
+export function encodeAnnotationData(s: string): string {
+  return s
+    .replace(/%/g, '%25')
+    .replace(/\r/g, '%0D')
+    .replace(/\n/g, '%0A');
+}
+
+function severityToCommand(s: Finding['severity']): 'error' | 'warning' | 'notice' {
+  if (s === 'critical') return 'error';
+  if (s === 'warning') return 'warning';
+  return 'notice';
+}
+
+export function emitAnnotations(findings: Finding[]): void {
+  if (process.env.GITHUB_ACTIONS !== 'true') return;
+  for (const f of findings) {
+    const cmd = severityToCommand(f.severity);
+    const props: string[] = [`file=${encodeAnnotationProperty(f.file)}`];
+    if (f.line !== undefined) {
+      props.push(`line=${f.line}`, `endLine=${f.line}`);
+    }
+    props.push(`title=${encodeAnnotationProperty(f.category)}`);
+    process.stdout.write(`::${cmd} ${props.join(',')}::${encodeAnnotationData(f.message)}\n`);
+  }
+}

package/src/formatters/index.ts

@@ -0,0 +1,3 @@
+export { toSarif, normalizeSarifUri } from './sarif.ts';
+export type { SarifLog } from './sarif.ts';
+export { emitAnnotations, encodeAnnotationProperty, encodeAnnotationData } from './github-annotations.ts';

package/src/formatters/sarif.ts

@@ -0,0 +1,103 @@
+import * as path from 'node:path';
+import type { RunResult } from '../core/pipeline/run.ts';
+import type { Finding } from '../core/findings/types.ts';
+
+interface SarifLog {
+  $schema: string;
+  version: '2.1.0';
+  runs: SarifRun[];
+}
+interface SarifRun {
+  tool: { driver: SarifDriver };
+  results: SarifResult[];
+}
+interface SarifDriver {
+  name: string;
+  version: string;
+  informationUri: string;
+  rules: SarifRule[];
+}
+interface SarifRule {
+  id: string;
+  name: string;
+  shortDescription: { text: string };
+}
+interface SarifResult {
+  ruleId: string;
+  level: 'error' | 'warning' | 'note';
+  message: { text: string };
+  locations: SarifLocation[];
+  fixes?: Array<{ description: { text: string } }>;
+}
+interface SarifLocation {
+  physicalLocation: {
+    artifactLocation: { uri: string; uriBaseId: string };
+    region?: { startLine: number };
+  };
+}
+
+export type { SarifLog };
+
+export function normalizeSarifUri(file: string, cwd: string): string {
+  let rel = path.isAbsolute(file) ? path.relative(cwd, file) : file;
+  rel = rel.replace(/\\/g, '/');
+  if (rel.startsWith('./')) rel = rel.slice(2);
+  if (rel.startsWith('../')) rel = file.replace(/\\/g, '/');
+  return rel;
+}
+
+function severityToLevel(s: Finding['severity']): 'error' | 'warning' | 'note' {
+  if (s === 'critical') return 'error';
+  if (s === 'warning') return 'warning';
+  return 'note';
+}
+
+export function toSarif(
+  result: RunResult,
+  opts: { toolVersion: string; cwd?: string },
+): SarifLog {
+  const cwd = opts.cwd ?? process.cwd();
+
+  const rulesMap = new Map<string, SarifRule>();
+  for (const f of result.allFindings) {
+    if (!rulesMap.has(f.category)) {
+      rulesMap.set(f.category, {
+        id: f.category,
+        name: f.category,
+        shortDescription: { text: f.category },
+      });
+    }
+  }
+
+  const results: SarifResult[] = result.allFindings.map(f => {
+    const r: SarifResult = {
+      ruleId: f.category,
+      level: severityToLevel(f.severity),
+      message: { text: f.message },
+      locations: [{
+        physicalLocation: {
+          artifactLocation: { uri: normalizeSarifUri(f.file, cwd), uriBaseId: '%SRCROOT%' },
+          ...(f.line !== undefined ? { region: { startLine: f.line } } : {}),
+        },
+      }],
+    };
+    if (f.suggestion) r.fixes = [{ description: { text: f.suggestion } }];
+    return r;
+  });
+
+  return {
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    version: '2.1.0',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'claude-autopilot',
+          version: opts.toolVersion,
+          informationUri: 'https://github.com/axledbetter/claude-autopilot',
+          rules: [...rulesMap.values()],
+        },
+      },
+      results,
+    }],
+  };
+}