@delegance/claude-autopilot 1.7.2 → 1.9.0

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # Changelog
 
+## [1.9.0] — 2026-04-22
+
+### Added
+- **`--post-comments` flag on `run`** — posts a formatted markdown summary to the open PR after the pipeline; edits existing autopilot comment on re-runs instead of creating a new one (tracked via `<!-- autopilot-review -->` marker)
+- **`detectPrNumber()`** — reads `PR_NUMBER`/`GH_PR_NUMBER`/`GITHUB_PR_NUMBER` env vars (CI) or falls back to `gh pr view` (local)
+- **`formatComment()`** — status badge, context line, phase table, critical/warning findings with `file:line`, notes in `<details>`, cost footer
+- 10 new formatter tests — **215 total**
+
+## [1.8.0] — 2026-04-22
+
+### Added
+- **Shared `parseReviewOutput()`** (`src/adapters/review-engine/parse-output.ts`) — extracts `file:line` attribution from review finding bodies; used by all five adapters; eliminates ~100 lines of duplicated parser code
+
+### Fixed
+- `hardcoded-secrets` false positive on route object keys containing `password` (e.g. `forgot_password: '/forgot-password'`)
+
+## [1.7.2] — 2026-04-22
+
+### Fixed
+- `hardcoded-secrets` rule no longer fires on route path values (values starting with `/`)
+
+## [1.7.1] — 2026-04-22
+
+### Added
+- Detection logging: `auto-detected:` line in run output shows stack, protected paths, and test command when inferred; git context (branch + last commit) shown on every run
+
 ## [1.7.0] — 2026-04-22
 
 ### Added

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "1.7.2",
+  "version": "1.9.0",
   "type": "module",
   "description": "Claude Code automation pipeline: spec → plan → implement → validate → PR",
   "keywords": [

package/src/adapters/review-engine/claude.ts

@@ -1,8 +1,8 @@
 import Anthropic from '@anthropic-ai/sdk';
-import type { Finding } from '../../core/findings/types.ts';
 import { AutopilotError } from '../../core/errors.ts';
 import type { Capabilities } from '../base.ts';
 import type { ReviewEngine, ReviewInput, ReviewOutput } from './types.ts';
+import { parseReviewOutput } from './parse-output.ts';
 
 const DEFAULT_MODEL = 'claude-opus-4-7';
 const MAX_OUTPUT_TOKENS = 4096;
@@ -90,7 +90,7 @@ export const claudeAdapter: ReviewEngine = {
       : undefined;
 
     return {
-      findings: parseClaudeOutput(rawOutput),
+      findings: parseReviewOutput(rawOutput, 'claude'),
       rawOutput,
       usage: response.usage
         ? { input: response.usage.input_tokens, output: response.usage.output_tokens, costUSD }
@@ -100,28 +100,3 @@ export const claudeAdapter: ReviewEngine = {
 };
 
 export default claudeAdapter;
-
-function parseClaudeOutput(output: string): Finding[] {
-  const findings: Finding[] = [];
-  const regex = /### \[(CRITICAL|WARNING|NOTE)\]\s*(.+?)(?=\n### \[|## Review Summary|$)/gs;
-  let match: RegExpExecArray | null;
-  while ((match = regex.exec(output)) !== null) {
-    const severity = match[1]!.toLowerCase() as Finding['severity'];
-    const body = match[2]!.trim();
-    const titleEnd = body.indexOf('\n');
-    const title = (titleEnd > 0 ? body.slice(0, titleEnd) : body).trim();
-    const suggestion = body.match(/\*\*Suggestion:\*\*\s*(.+)/s)?.[1]?.trim();
-    findings.push({
-      id: `claude-${findings.length}`,
-      source: 'review-engine',
-      severity,
-      category: 'claude-review',
-      file: '<unspecified>',
-      message: title,
-      suggestion,
-      protectedPath: false,
-      createdAt: new Date().toISOString(),
-    });
-  }
-  return findings;
-}

package/src/adapters/review-engine/codex.ts

@@ -1,5 +1,5 @@
 import OpenAI from 'openai';
-import type { Finding } from '../../core/findings/types.ts';
+import { parseReviewOutput } from './parse-output.ts';
 import { AutopilotError } from '../../core/errors.ts';
 import type { Capabilities } from '../base.ts';
 import type { ReviewEngine, ReviewInput, ReviewOutput } from './types.ts';
@@ -74,7 +74,7 @@ export const codexAdapter: ReviewEngine = {
 
     const rawOutput = response.output_text ?? '';
     return {
-      findings: parseCodexOutput(rawOutput),
+      findings: parseReviewOutput(rawOutput, 'codex'),
       rawOutput,
       usage: response.usage ? { input: response.usage.input_tokens, output: response.usage.output_tokens } : undefined,
     };
@@ -82,28 +82,3 @@ export const codexAdapter: ReviewEngine = {
 };
 
 export default codexAdapter;
-
-function parseCodexOutput(output: string): Finding[] {
-  const findings: Finding[] = [];
-  const regex = /### \[(CRITICAL|WARNING|NOTE)\]\s*(.+?)(?=\n### \[|## Review Summary|$)/gs;
-  let match: RegExpExecArray | null;
-  while ((match = regex.exec(output)) !== null) {
-    const severity = match[1]!.toLowerCase() as Finding['severity'];
-    const body = match[2]!.trim();
-    const titleEnd = body.indexOf('\n');
-    const title = (titleEnd > 0 ? body.slice(0, titleEnd) : body).trim();
-    const suggestion = body.match(/\*\*Suggestion:\*\*\s*(.+)/s)?.[1]?.trim();
-    findings.push({
-      id: `codex-${findings.length}`,
-      source: 'review-engine',
-      severity,
-      category: 'codex-review',
-      file: '<unspecified>',
-      message: title,
-      suggestion,
-      protectedPath: false,
-      createdAt: new Date().toISOString(),
-    });
-  }
-  return findings;
-}

package/src/adapters/review-engine/gemini.ts

@@ -1,5 +1,5 @@
 import { GoogleGenerativeAI } from '@google/generative-ai';
-import type { Finding } from '../../core/findings/types.ts';
+import { parseReviewOutput } from './parse-output.ts';
 import { AutopilotError } from '../../core/errors.ts';
 import type { Capabilities } from '../base.ts';
 import type { ReviewEngine, ReviewInput, ReviewOutput } from './types.ts';
@@ -95,7 +95,7 @@ export const geminiAdapter: ReviewEngine = {
       : undefined;
 
     return {
-      findings: parseGeminiOutput(rawOutput),
+      findings: parseReviewOutput(rawOutput, 'gemini'),
       rawOutput,
       usage: usage
         ? { input: usage.promptTokenCount, output: usage.candidatesTokenCount, costUSD }
@@ -105,28 +105,3 @@ export const geminiAdapter: ReviewEngine = {
 };
 
 export default geminiAdapter;
-
-function parseGeminiOutput(output: string): Finding[] {
-  const findings: Finding[] = [];
-  const regex = /### \[(CRITICAL|WARNING|NOTE)\]\s*(.+?)(?=\n### \[|## Review Summary|$)/gs;
-  let match: RegExpExecArray | null;
-  while ((match = regex.exec(output)) !== null) {
-    const severity = match[1]!.toLowerCase() as Finding['severity'];
-    const body = match[2]!.trim();
-    const titleEnd = body.indexOf('\n');
-    const title = (titleEnd > 0 ? body.slice(0, titleEnd) : body).trim();
-    const suggestion = body.match(/\*\*Suggestion:\*\*\s*(.+)/s)?.[1]?.trim();
-    findings.push({
-      id: `gemini-${findings.length}`,
-      source: 'review-engine',
-      severity,
-      category: 'gemini-review',
-      file: '<unspecified>',
-      message: title,
-      suggestion,
-      protectedPath: false,
-      createdAt: new Date().toISOString(),
-    });
-  }
-  return findings;
-}

package/src/adapters/review-engine/openai-compatible.ts

@@ -1,5 +1,5 @@
 import OpenAI from 'openai';
-import type { Finding } from '../../core/findings/types.ts';
+import { parseReviewOutput } from './parse-output.ts';
 import { AutopilotError } from '../../core/errors.ts';
 import type { Capabilities } from '../base.ts';
 import type { ReviewEngine, ReviewInput, ReviewOutput } from './types.ts';
@@ -90,7 +90,7 @@ export const openaiCompatibleAdapter: ReviewEngine = {
 
     const rawOutput = response.choices[0]?.message.content ?? '';
     return {
-      findings: parseOutput(rawOutput),
+      findings: parseReviewOutput(rawOutput, 'openai-compatible'),
       rawOutput,
       usage: response.usage
         ? { input: response.usage.prompt_tokens, output: response.usage.completion_tokens }
@@ -100,28 +100,3 @@ export const openaiCompatibleAdapter: ReviewEngine = {
 };
 
 export default openaiCompatibleAdapter;
-
-function parseOutput(output: string): Finding[] {
-  const findings: Finding[] = [];
-  const regex = /### \[(CRITICAL|WARNING|NOTE)\]\s*(.+?)(?=\n### \[|## Review Summary|$)/gs;
-  let match: RegExpExecArray | null;
-  while ((match = regex.exec(output)) !== null) {
-    const severity = match[1]!.toLowerCase() as Finding['severity'];
-    const body = match[2]!.trim();
-    const titleEnd = body.indexOf('\n');
-    const title = (titleEnd > 0 ? body.slice(0, titleEnd) : body).trim();
-    const suggestion = body.match(/\*\*Suggestion:\*\*\s*(.+)/s)?.[1]?.trim();
-    findings.push({
-      id: `openai-compatible-${findings.length}`,
-      source: 'review-engine',
-      severity,
-      category: 'openai-compatible-review',
-      file: '<unspecified>',
-      message: title,
-      suggestion,
-      protectedPath: false,
-      createdAt: new Date().toISOString(),
-    });
-  }
-  return findings;
-}

package/src/adapters/review-engine/parse-output.ts

@@ -0,0 +1,48 @@
+import type { Finding } from '../../core/findings/types.ts';
+
+// Matches "path/to/file.ts:42", "`path/to/file.ts`", or bare filenames with common extensions
+const FILE_REF = /(?:`([^`]+\.[a-z]{1,6})`|(\b[\w./\-]+\.[a-z]{1,6})(?::(\d+))?)/;
+
+function extractFileRef(text: string): { file: string; line?: number } {
+  const m = text.match(FILE_REF);
+  if (!m) return { file: '<unspecified>' };
+  const raw = (m[1] ?? m[2])!;
+  // Skip version strings (v1.2.3) and bare dotfile extensions with no path separator
+  if (/^v?\d/.test(raw) || (!raw.includes('/') && raw.startsWith('.') && raw.split('.').length === 2)) {
+    return { file: '<unspecified>' };
+  }
+  const line = m[3] ? parseInt(m[3], 10) : undefined;
+  return { file: raw, line };
+}
+
+/**
+ * Parses the structured [CRITICAL|WARNING|NOTE] markdown format
+ * produced by all review engine adapters. Extracts file:line references
+ * from the finding body when present.
+ */
+export function parseReviewOutput(output: string, idPrefix: string): Finding[] {
+  const findings: Finding[] = [];
+  const regex = /### \[(CRITICAL|WARNING|NOTE)\]\s*(.+?)(?=\n### \[|## Review Summary|$)/gs;
+  let match: RegExpExecArray | null;
+  while ((match = regex.exec(output)) !== null) {
+    const severity = match[1]!.toLowerCase() as Finding['severity'];
+    const body = match[2]!.trim();
+    const titleEnd = body.indexOf('\n');
+    const title = (titleEnd > 0 ? body.slice(0, titleEnd) : body).trim();
+    const suggestion = body.match(/\*\*Suggestion:\*\*\s*(.+)/s)?.[1]?.trim();
+    const { file, line } = extractFileRef(body);
+    findings.push({
+      id: `${idPrefix}-${findings.length}`,
+      source: 'review-engine',
+      severity,
+      category: 'review-engine',
+      file,
+      line,
+      message: title,
+      suggestion,
+      protectedPath: false,
+      createdAt: new Date().toISOString(),
+    });
+  }
+  return findings;
+}

package/src/cli/index.ts

@@ -65,6 +65,7 @@ Options (run):
   --config <path>      Path to config file (default: ./autopilot.config.yaml)
   --files <a,b,c>      Explicit comma-separated file list (skips git detection)
   --dry-run            Show what would run without executing
+  --post-comments      Post/update a summary comment on the open PR
   --format <text|sarif>  Output format (default: text)
   --output <path>        Output file path (required with --format sarif)
 
@@ -118,6 +119,7 @@ switch (subcommand) {
     const config = flag('config');
     const filesArg = flag('files');
     const dryRun = boolFlag('dry-run');
+    const postComments = boolFlag('post-comments');
     const formatArg = flag('format');
     const outputPath = flag('output');
 
@@ -135,6 +137,7 @@ switch (subcommand) {
       configPath: config,
       files: filesArg ? filesArg.split(',').map(f => f.trim()) : undefined,
       dryRun,
+      postComments,
       format: formatArg as 'text' | 'sarif' | undefined,
       outputPath,
     });

package/src/cli/pr-comment.ts

@@ -0,0 +1,137 @@
+import { runSafe } from '../core/shell.ts';
+import type { RunResult } from '../core/pipeline/run.ts';
+import type { AutopilotConfig } from '../core/config/types.ts';
+import type { GitContext } from '../core/detect/git-context.ts';
+import { readFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const COMMENT_MARKER = '<!-- autopilot-review -->';
+
+function readVersion(): string {
+  try {
+    const pkgPath = join(dirname(fileURLToPath(import.meta.url)), '../../package.json');
+    return (JSON.parse(readFileSync(pkgPath, 'utf8')) as { version: string }).version;
+  } catch { return 'unknown'; }
+}
+
+/** Detect the current open PR number via gh CLI or CI env vars. */
+export function detectPrNumber(cwd: string): number | null {
+  // CI env vars set by GitHub Actions
+  const fromEnv = process.env.PR_NUMBER ?? process.env.GH_PR_NUMBER ?? process.env.GITHUB_PR_NUMBER;
+  if (fromEnv && /^\d+$/.test(fromEnv)) return parseInt(fromEnv, 10);
+
+  // gh CLI — works locally and in CI when gh is authenticated
+  const raw = runSafe('gh', ['pr', 'view', '--json', 'number', '--jq', '.number'], { cwd });
+  if (raw) {
+    const n = parseInt(raw.trim(), 10);
+    if (!isNaN(n)) return n;
+  }
+  return null;
+}
+
+/** Find the ID of a previously-posted autopilot comment, if any. */
+function findExistingCommentId(pr: number, cwd: string): number | null {
+  const raw = runSafe('gh', ['api', `repos/{owner}/{repo}/issues/${pr}/comments`,
+    '--jq', `[.[] | select(.body | startswith("${COMMENT_MARKER}")) | .id] | first`], { cwd });
+  if (!raw) return null;
+  const n = parseInt(raw.trim(), 10);
+  return isNaN(n) ? null : n;
+}
+
+/** Format a RunResult into a markdown PR comment. */
+export function formatComment(
+  result: RunResult,
+  config: AutopilotConfig,
+  gitCtx: GitContext,
+  touchedFileCount: number,
+): string {
+  const statusIcon = result.status === 'pass' ? '✅' : result.status === 'warn' ? '⚠️' : '❌';
+  const statusLabel = result.status === 'pass' ? 'Passed' : result.status === 'warn' ? 'Passed with warnings' : 'Failed';
+
+  const lines: string[] = [
+    COMMENT_MARKER,
+    `## ${statusIcon} Autopilot Review — ${statusLabel}`,
+    '',
+  ];
+
+  // Context line
+  const ctx: string[] = [];
+  if (config.stack) ctx.push(`**Stack:** ${config.stack}`);
+  if (gitCtx.branch) ctx.push(`**Branch:** \`${gitCtx.branch}\``);
+  if (gitCtx.commitMessage) ctx.push(`**Commit:** ${gitCtx.commitMessage}`);
+  ctx.push(`**Files reviewed:** ${touchedFileCount}`);
+  lines.push(ctx.join(' · '), '');
+
+  // Phase table
+  lines.push('| Phase | Status | Findings |');
+  lines.push('|---|:---:|:---:|');
+  for (const phase of result.phases) {
+    const icon = phase.status === 'pass' ? '✅' : phase.status === 'skip' ? '—' :
+                 phase.status === 'warn' ? '⚠️' : '❌';
+    lines.push(`| ${phase.phase} | ${icon} | ${phase.findings.length} |`);
+  }
+  lines.push('');
+
+  // Findings by severity
+  const critical = result.allFindings.filter(f => f.severity === 'critical');
+  const warnings = result.allFindings.filter(f => f.severity === 'warning');
+  const notes    = result.allFindings.filter(f => f.severity === 'note');
+
+  if (critical.length > 0) {
+    lines.push('### 🚨 Critical');
+    for (const f of critical) {
+      const loc = f.file !== '<unspecified>' ? `\`${f.file}${f.line ? `:${f.line}` : ''}\` — ` : '';
+      lines.push(`- ${loc}${f.message}`);
+      if (f.suggestion) lines.push(`  > ${f.suggestion}`);
+    }
+    lines.push('');
+  }
+
+  if (warnings.length > 0) {
+    lines.push('### ⚠️ Warnings');
+    for (const f of warnings) {
+      const loc = f.file !== '<unspecified>' ? `\`${f.file}${f.line ? `:${f.line}` : ''}\` — ` : '';
+      lines.push(`- ${loc}${f.message}`);
+      if (f.suggestion) lines.push(`  > ${f.suggestion}`);
+    }
+    lines.push('');
+  }
+
+  if (notes.length > 0) {
+    lines.push('<details><summary>Notes</summary>\n');
+    for (const f of notes) {
+      const loc = f.file !== '<unspecified>' ? `\`${f.file}${f.line ? `:${f.line}` : ''}\` — ` : '';
+      lines.push(`- ${loc}${f.message}`);
+    }
+    lines.push('\n</details>\n');
+  }
+
+  if (result.totalCostUSD !== undefined) {
+    lines.push(`*Cost: $${result.totalCostUSD.toFixed(4)} · ${result.durationMs}ms · [@delegance/claude-autopilot](https://github.com/axledbetter/claude-autopilot) v${readVersion()}*`);
+  } else {
+    lines.push(`*${result.durationMs}ms · [@delegance/claude-autopilot](https://github.com/axledbetter/claude-autopilot) v${readVersion()}*`);
+  }
+
+  return lines.join('\n');
+}
+
+/** Post or update the autopilot comment on the given PR. */
+export async function postPrComment(
+  pr: number,
+  body: string,
+  cwd: string,
+): Promise<{ action: 'created' | 'updated'; url: string | null }> {
+  const existingId = findExistingCommentId(pr, cwd);
+
+  if (existingId) {
+    runSafe('gh', ['api', `repos/{owner}/{repo}/issues/comments/${existingId}`,
+      '--method', 'PATCH', '--field', `body=${body}`], { cwd });
+    return { action: 'updated', url: null };
+  }
+
+  const raw = runSafe('gh', ['pr', 'comment', String(pr), '--body', body], { cwd });
+  // gh outputs the comment URL on success
+  const url = raw?.trim() ?? null;
+  return { action: 'created', url };
+}

package/src/cli/run.ts

@@ -37,6 +37,7 @@ import { detectStack } from '../core/detect/stack.ts';
 import { detectProtectedPaths } from '../core/detect/protected-paths.ts';
 import { detectGitContext } from '../core/detect/git-context.ts';
 import { detectProject } from './detector.ts';
+import { detectPrNumber, formatComment, postPrComment } from './pr-comment.ts';
 
 function readToolVersion(): string {
   const pkgPath = path.join(path.dirname(fileURLToPath(import.meta.url)), '../../package.json');
@@ -60,11 +61,12 @@ function fmt(color: keyof typeof C, text: string): string {
 export interface RunCommandOptions {
   cwd?: string;
   configPath?: string;
-  base?: string;       // git base ref (default HEAD~1)
-  files?: string[];    // explicit file list (skips git detection)
-  dryRun?: boolean;    // skip review, print what would run
+  base?: string;        // git base ref (default HEAD~1)
+  files?: string[];     // explicit file list (skips git detection)
+  dryRun?: boolean;     // skip review, print what would run
   format?: 'text' | 'sarif';
   outputPath?: string;
+  postComments?: boolean; // post/update summary comment on the open PR
 }
 
 /**
@@ -189,6 +191,22 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     console.log(fmt('dim', `[run] SARIF written to ${options.outputPath}`));
   }
 
+  // Post PR comment if requested
+  if (options.postComments) {
+    const pr = detectPrNumber(cwd);
+    if (!pr) {
+      console.log(fmt('yellow', '  [run] --post-comments: no open PR found — skipping comment'));
+    } else {
+      try {
+        const body = formatComment(result, config, gitCtx, touchedFiles.length);
+        const { action } = await postPrComment(pr, body, cwd);
+        console.log(fmt('dim', `  [run] PR #${pr} comment ${action}`));
+      } catch (err) {
+        console.error(fmt('yellow', `  [run] Failed to post PR comment: ${err instanceof Error ? err.message : String(err)}`));
+      }
+    }
+  }
+
   // Print phase summaries
   for (const phase of result.phases) {
     const icon = phase.status === 'pass' ? fmt('green', '✓') :