@delegance/claude-autopilot 1.8.0 → 1.9.0

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # Changelog
 
+## [1.9.0] — 2026-04-22
+
+### Added
+- **`--post-comments` flag on `run`** — posts a formatted markdown summary to the open PR after the pipeline; edits existing autopilot comment on re-runs instead of creating a new one (tracked via `<!-- autopilot-review -->` marker)
+- **`detectPrNumber()`** — reads `PR_NUMBER`/`GH_PR_NUMBER`/`GITHUB_PR_NUMBER` env vars (CI) or falls back to `gh pr view` (local)
+- **`formatComment()`** — status badge, context line, phase table, critical/warning findings with `file:line`, notes in `<details>`, cost footer
+- 10 new formatter tests — **215 total**
+
+## [1.8.0] — 2026-04-22
+
+### Added
+- **Shared `parseReviewOutput()`** (`src/adapters/review-engine/parse-output.ts`) — extracts `file:line` attribution from review finding bodies; used by all five adapters; eliminates ~100 lines of duplicated parser code
+
+### Fixed
+- `hardcoded-secrets` false positive on route object keys containing `password` (e.g. `forgot_password: '/forgot-password'`)
+
+## [1.7.2] — 2026-04-22
+
+### Fixed
+- `hardcoded-secrets` rule no longer fires on route path values (values starting with `/`)
+
+## [1.7.1] — 2026-04-22
+
+### Added
+- Detection logging: `auto-detected:` line in run output shows stack, protected paths, and test command when inferred; git context (branch + last commit) shown on every run
+
 ## [1.7.0] — 2026-04-22
 
 ### Added

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "type": "module",
   "description": "Claude Code automation pipeline: spec → plan → implement → validate → PR",
   "keywords": [

package/src/cli/index.ts

@@ -65,6 +65,7 @@ Options (run):
   --config <path>      Path to config file (default: ./autopilot.config.yaml)
   --files <a,b,c>      Explicit comma-separated file list (skips git detection)
   --dry-run            Show what would run without executing
+  --post-comments      Post/update a summary comment on the open PR
   --format <text|sarif>  Output format (default: text)
   --output <path>        Output file path (required with --format sarif)
 
@@ -118,6 +119,7 @@ switch (subcommand) {
     const config = flag('config');
     const filesArg = flag('files');
     const dryRun = boolFlag('dry-run');
+    const postComments = boolFlag('post-comments');
     const formatArg = flag('format');
     const outputPath = flag('output');
 
@@ -135,6 +137,7 @@ switch (subcommand) {
       configPath: config,
       files: filesArg ? filesArg.split(',').map(f => f.trim()) : undefined,
       dryRun,
+      postComments,
       format: formatArg as 'text' | 'sarif' | undefined,
       outputPath,
     });

package/src/cli/pr-comment.ts

@@ -0,0 +1,137 @@
+import { runSafe } from '../core/shell.ts';
+import type { RunResult } from '../core/pipeline/run.ts';
+import type { AutopilotConfig } from '../core/config/types.ts';
+import type { GitContext } from '../core/detect/git-context.ts';
+import { readFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const COMMENT_MARKER = '<!-- autopilot-review -->';
+
+function readVersion(): string {
+  try {
+    const pkgPath = join(dirname(fileURLToPath(import.meta.url)), '../../package.json');
+    return (JSON.parse(readFileSync(pkgPath, 'utf8')) as { version: string }).version;
+  } catch { return 'unknown'; }
+}
+
+/** Detect the current open PR number via gh CLI or CI env vars. */
+export function detectPrNumber(cwd: string): number | null {
+  // CI env vars set by GitHub Actions
+  const fromEnv = process.env.PR_NUMBER ?? process.env.GH_PR_NUMBER ?? process.env.GITHUB_PR_NUMBER;
+  if (fromEnv && /^\d+$/.test(fromEnv)) return parseInt(fromEnv, 10);
+
+  // gh CLI — works locally and in CI when gh is authenticated
+  const raw = runSafe('gh', ['pr', 'view', '--json', 'number', '--jq', '.number'], { cwd });
+  if (raw) {
+    const n = parseInt(raw.trim(), 10);
+    if (!isNaN(n)) return n;
+  }
+  return null;
+}
+
+/** Find the ID of a previously-posted autopilot comment, if any. */
+function findExistingCommentId(pr: number, cwd: string): number | null {
+  const raw = runSafe('gh', ['api', `repos/{owner}/{repo}/issues/${pr}/comments`,
+    '--jq', `[.[] | select(.body | startswith("${COMMENT_MARKER}")) | .id] | first`], { cwd });
+  if (!raw) return null;
+  const n = parseInt(raw.trim(), 10);
+  return isNaN(n) ? null : n;
+}
+
+/** Format a RunResult into a markdown PR comment. */
+export function formatComment(
+  result: RunResult,
+  config: AutopilotConfig,
+  gitCtx: GitContext,
+  touchedFileCount: number,
+): string {
+  const statusIcon = result.status === 'pass' ? '✅' : result.status === 'warn' ? '⚠️' : '❌';
+  const statusLabel = result.status === 'pass' ? 'Passed' : result.status === 'warn' ? 'Passed with warnings' : 'Failed';
+
+  const lines: string[] = [
+    COMMENT_MARKER,
+    `## ${statusIcon} Autopilot Review — ${statusLabel}`,
+    '',
+  ];
+
+  // Context line
+  const ctx: string[] = [];
+  if (config.stack) ctx.push(`**Stack:** ${config.stack}`);
+  if (gitCtx.branch) ctx.push(`**Branch:** \`${gitCtx.branch}\``);
+  if (gitCtx.commitMessage) ctx.push(`**Commit:** ${gitCtx.commitMessage}`);
+  ctx.push(`**Files reviewed:** ${touchedFileCount}`);
+  lines.push(ctx.join(' · '), '');
+
+  // Phase table
+  lines.push('| Phase | Status | Findings |');
+  lines.push('|---|:---:|:---:|');
+  for (const phase of result.phases) {
+    const icon = phase.status === 'pass' ? '✅' : phase.status === 'skip' ? '—' :
+                 phase.status === 'warn' ? '⚠️' : '❌';
+    lines.push(`| ${phase.phase} | ${icon} | ${phase.findings.length} |`);
+  }
+  lines.push('');
+
+  // Findings by severity
+  const critical = result.allFindings.filter(f => f.severity === 'critical');
+  const warnings = result.allFindings.filter(f => f.severity === 'warning');
+  const notes    = result.allFindings.filter(f => f.severity === 'note');
+
+  if (critical.length > 0) {
+    lines.push('### 🚨 Critical');
+    for (const f of critical) {
+      const loc = f.file !== '<unspecified>' ? `\`${f.file}${f.line ? `:${f.line}` : ''}\` — ` : '';
+      lines.push(`- ${loc}${f.message}`);
+      if (f.suggestion) lines.push(`  > ${f.suggestion}`);
+    }
+    lines.push('');
+  }
+
+  if (warnings.length > 0) {
+    lines.push('### ⚠️ Warnings');
+    for (const f of warnings) {
+      const loc = f.file !== '<unspecified>' ? `\`${f.file}${f.line ? `:${f.line}` : ''}\` — ` : '';
+      lines.push(`- ${loc}${f.message}`);
+      if (f.suggestion) lines.push(`  > ${f.suggestion}`);
+    }
+    lines.push('');
+  }
+
+  if (notes.length > 0) {
+    lines.push('<details><summary>Notes</summary>\n');
+    for (const f of notes) {
+      const loc = f.file !== '<unspecified>' ? `\`${f.file}${f.line ? `:${f.line}` : ''}\` — ` : '';
+      lines.push(`- ${loc}${f.message}`);
+    }
+    lines.push('\n</details>\n');
+  }
+
+  if (result.totalCostUSD !== undefined) {
+    lines.push(`*Cost: $${result.totalCostUSD.toFixed(4)} · ${result.durationMs}ms · [@delegance/claude-autopilot](https://github.com/axledbetter/claude-autopilot) v${readVersion()}*`);
+  } else {
+    lines.push(`*${result.durationMs}ms · [@delegance/claude-autopilot](https://github.com/axledbetter/claude-autopilot) v${readVersion()}*`);
+  }
+
+  return lines.join('\n');
+}
+
+/** Post or update the autopilot comment on the given PR. */
+export async function postPrComment(
+  pr: number,
+  body: string,
+  cwd: string,
+): Promise<{ action: 'created' | 'updated'; url: string | null }> {
+  const existingId = findExistingCommentId(pr, cwd);
+
+  if (existingId) {
+    runSafe('gh', ['api', `repos/{owner}/{repo}/issues/comments/${existingId}`,
+      '--method', 'PATCH', '--field', `body=${body}`], { cwd });
+    return { action: 'updated', url: null };
+  }
+
+  const raw = runSafe('gh', ['pr', 'comment', String(pr), '--body', body], { cwd });
+  // gh outputs the comment URL on success
+  const url = raw?.trim() ?? null;
+  return { action: 'created', url };
+}

package/src/cli/run.ts

@@ -37,6 +37,7 @@ import { detectStack } from '../core/detect/stack.ts';
 import { detectProtectedPaths } from '../core/detect/protected-paths.ts';
 import { detectGitContext } from '../core/detect/git-context.ts';
 import { detectProject } from './detector.ts';
+import { detectPrNumber, formatComment, postPrComment } from './pr-comment.ts';
 
 function readToolVersion(): string {
   const pkgPath = path.join(path.dirname(fileURLToPath(import.meta.url)), '../../package.json');
@@ -60,11 +61,12 @@ function fmt(color: keyof typeof C, text: string): string {
 export interface RunCommandOptions {
   cwd?: string;
   configPath?: string;
-  base?: string;       // git base ref (default HEAD~1)
-  files?: string[];    // explicit file list (skips git detection)
-  dryRun?: boolean;    // skip review, print what would run
+  base?: string;        // git base ref (default HEAD~1)
+  files?: string[];     // explicit file list (skips git detection)
+  dryRun?: boolean;     // skip review, print what would run
   format?: 'text' | 'sarif';
   outputPath?: string;
+  postComments?: boolean; // post/update summary comment on the open PR
 }
 
 /**
@@ -189,6 +191,22 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     console.log(fmt('dim', `[run] SARIF written to ${options.outputPath}`));
   }
 
+  // Post PR comment if requested
+  if (options.postComments) {
+    const pr = detectPrNumber(cwd);
+    if (!pr) {
+      console.log(fmt('yellow', '  [run] --post-comments: no open PR found — skipping comment'));
+    } else {
+      try {
+        const body = formatComment(result, config, gitCtx, touchedFiles.length);
+        const { action } = await postPrComment(pr, body, cwd);
+        console.log(fmt('dim', `  [run] PR #${pr} comment ${action}`));
+      } catch (err) {
+        console.error(fmt('yellow', `  [run] Failed to post PR comment: ${err instanceof Error ? err.message : String(err)}`));
+      }
+    }
+  }
+
   // Print phase summaries
   for (const phase of result.phases) {
     const icon = phase.status === 'pass' ? fmt('green', '✓') :