@delegance/claude-autopilot 1.8.0 → 2.0.0

package/CHANGELOG.md

@@ -1,5 +1,38 @@
 # Changelog
 
+## [2.0.0] — 2026-04-22
+
+### Added
+- **`autopilot ci`** — opinionated single-command CI entrypoint; defaults to `--post-comments`, `--format sarif`, and base ref from `GITHUB_BASE_REF`/`CI_MERGE_REQUEST_TARGET_BRANCH_NAME`/`HEAD~1`; supports `--base`, `--output`, `--no-post-comments`
+- **`.github/actions/ci/action.yml`** — composite GitHub Actions action; accepts `anthropic-api-key`, `openai-api-key`, `gemini-api-key`, `groq-api-key`, `base-ref`, `config`, `sarif-output`, `post-comments` inputs; runs `npx autopilot ci`, uploads SARIF via `codeql-action/upload-sarif@v3`
+- **Updated `skills/autopilot.md`** — complete rewrite covering all adapters, auto-detection, `--post-comments`, `ci` command, action.yml usage
+
+## [1.9.0] — 2026-04-22
+
+### Added
+- **`--post-comments` flag on `run`** — posts a formatted markdown summary to the open PR after the pipeline; edits existing autopilot comment on re-runs instead of creating a new one (tracked via `<!-- autopilot-review -->` marker)
+- **`detectPrNumber()`** — reads `PR_NUMBER`/`GH_PR_NUMBER`/`GITHUB_PR_NUMBER` env vars (CI) or falls back to `gh pr view` (local)
+- **`formatComment()`** — status badge, context line, phase table, critical/warning findings with `file:line`, notes in `<details>`, cost footer
+- 10 new formatter tests — **215 total**
+
+## [1.8.0] — 2026-04-22
+
+### Added
+- **Shared `parseReviewOutput()`** (`src/adapters/review-engine/parse-output.ts`) — extracts `file:line` attribution from review finding bodies; used by all five adapters; eliminates ~100 lines of duplicated parser code
+
+### Fixed
+- `hardcoded-secrets` false positive on route object keys containing `password` (e.g. `forgot_password: '/forgot-password'`)
+
+## [1.7.2] — 2026-04-22
+
+### Fixed
+- `hardcoded-secrets` rule no longer fires on route path values (values starting with `/`)
+
+## [1.7.1] — 2026-04-22
+
+### Added
+- Detection logging: `auto-detected:` line in run output shows stack, protected paths, and test command when inferred; git context (branch + last commit) shown on every run
+
 ## [1.7.0] — 2026-04-22
 
 ### Added

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "1.8.0",
+  "version": "2.0.0",
   "type": "module",
   "description": "Claude Code automation pipeline: spec → plan → implement → validate → PR",
   "keywords": [

package/skills/autopilot.md

@@ -5,138 +5,153 @@ description: Run the @delegance/claude-autopilot code review pipeline — static
 
 # autopilot — Code Review Pipeline
 
-Runs static rules, optional LLM review (Codex), and impact-aware snapshot regression tests on git-changed files. Outputs findings inline and optionally as SARIF for GitHub Code Scanning.
+Runs static rules, optional LLM review, and impact-aware snapshot regression on git-changed files. Auto-detects stack, protected paths, and test command from the project. Outputs findings inline and optionally as SARIF for GitHub Code Scanning.
 
 ## When to Use
 
-- Before creating a PR (catch issues before review)
-- After completing a feature branch (validate the full changeset)
-- Inside a CI pipeline step (use `--format sarif --output results.sarif`)
-- Anytime `validate` is called in a dev pipeline
+- Before creating a PR: `npx autopilot run --base main`
+- Inside CI: `npx autopilot ci` (one-command, posts PR comment + SARIF)
+- Dev loop: `npx autopilot watch`
+- First setup: `npx autopilot setup && npx autopilot doctor`
 
 ## Prerequisites
 
-Run `npx autopilot doctor` once per project setup to verify:
-- Node 22+, tsx, gh CLI authenticated, claude CLI, OPENAI_API_KEY, git user config
+```bash
+npx autopilot doctor   # checks Node 22+, tsx, gh CLI, API key, git config
+```
 
 ## Commands
 
-### Run pipeline on changed files
+### `run` — pipeline on git-changed files
 
 ```bash
-# Diff against HEAD~1 (default — last commit)
-npx autopilot run
-
-# Diff against a branch (typical pre-PR use)
-npx autopilot run --base main
-
-# Explicit file list (skip git detection)
-npx autopilot run --files src/foo.ts,src/bar.ts
-
-# Dry run — show what would run, no execution
-npx autopilot run --dry-run
-
-# SARIF output for GitHub Code Scanning
+npx autopilot run                          # diff HEAD~1 (default)
+npx autopilot run --base main              # diff against branch
+npx autopilot run --files src/a.ts,src/b.ts  # explicit files
+npx autopilot run --dry-run                # show what would run
+npx autopilot run --post-comments          # post/update summary on open PR
 npx autopilot run --format sarif --output autopilot.sarif
 ```
 
-### Zero-prompt setup (new project)
+### `ci` — opinionated CI entrypoint
 
 ```bash
-npx autopilot setup
+npx autopilot ci          # base=GITHUB_BASE_REF, post-comments=true, sarif written
+npx autopilot ci --base develop
+npx autopilot ci --no-post-comments
+npx autopilot ci --output results.sarif
 ```
 
-Auto-detects project type (Go, Rails, FastAPI, T3, Next.js+Supabase), writes `autopilot.config.yaml`, installs pre-push hook, runs doctor.
+Equivalent to `run --base <ref> --post-comments --format sarif --output <path>`. Base ref resolves from `GITHUB_BASE_REF` → `CI_MERGE_REQUEST_TARGET_BRANCH_NAME` → `HEAD~1`.
 
-### Check prerequisites
+### `setup` — zero-prompt first run
 
 ```bash
-npx autopilot doctor
+npx autopilot setup         # auto-detect stack, write config, install hook
+npx autopilot setup --force # overwrite existing config
 ```
 
-Exits 1 if blockers found. Safe to re-run anytime.
+Auto-detects: Go, Rails, FastAPI, T3, Next.js+Supabase. Runs doctor at end.
 
-### Watch mode (dev loop)
+### `watch` — dev loop
 
 ```bash
-npx autopilot watch              # re-run on every file save
+npx autopilot watch
 npx autopilot watch --debounce 500
 ```
 
-### Snapshot regression testing
+### `autoregress` — snapshot regression
 
 ```bash
-# Generate baselines for changed files (requires OPENAI_API_KEY)
-npx autopilot autoregress generate
-
-# Run only impact-selected snapshots (default — fast)
-npx autopilot autoregress run
-
-# Run all snapshots
-npx autopilot autoregress run --all
-
-# Show diffs vs baselines
-npx autopilot autoregress diff
-
-# Overwrite baselines after intentional behavior change
-npx autopilot autoregress update
+npx autopilot autoregress generate   # create baselines for changed files
+npx autopilot autoregress run        # run impact-selected snapshots
+npx autopilot autoregress run --all  # run all snapshots
+npx autopilot autoregress diff       # show diffs vs baselines
+npx autopilot autoregress update     # overwrite baselines after intentional change
 ```
 
-### Pre-push git hook
+### `hook` — pre-push git hook
 
 ```bash
-npx autopilot hook install       # write .git/hooks/pre-push
+npx autopilot hook install
 npx autopilot hook uninstall
 npx autopilot hook status
 ```
 
+## LLM Review Adapters
+
+Configure via `reviewEngine.adapter` in `autopilot.config.yaml`:
+
+| Adapter | Key env var | Notes |
+|---------|-------------|-------|
+| `auto` | any | Picks available provider; prefers the one already used in code |
+| `claude` | `ANTHROPIC_API_KEY` | Claude Opus 4.7 |
+| `gemini` | `GEMINI_API_KEY` or `GOOGLE_API_KEY` | Gemini 2.5 Pro, 1M context |
+| `codex` | `OPENAI_API_KEY` | gpt-5.3-codex via responses API |
+| `openai-compatible` | configurable | Any OpenAI-API endpoint (Groq, Ollama, Together) |
+
+`auto` priority order: Anthropic → Gemini → OpenAI → Groq. When multiple keys are present, `auto` scans the project source files and prefers the provider already referenced most.
+
+## Auto-Detection
+
+When config fields are absent, `autopilot run` fills them in automatically:
+
+- **stack** — parsed from `package.json`, `go.mod`, `Cargo.toml`, `requirements.txt`, `Gemfile`; injected into review prompt
+- **protectedPaths** — migration dirs (`data/deltas/`, `migrations/`, `prisma/migrations/`, etc.), schema files, infra dirs (`terraform/`, `.github/workflows/`)
+- **testCommand** — re-detected at run time from project files; set `testCommand: null` to disable explicitly
+- **git context** — branch + last commit injected as `Change context: branch: X | last commit: Y`
+
+Detection lines are printed dim after the file count: `auto-detected: stack: Next.js + Supabase | protected: data/deltas/** ...`
+
 ## Interpreting Results
 
-**Exit code 0** — no findings, or only warnings. Safe to proceed.
+**Exit code 0** — pass or warnings only. Safe to proceed.
+**Exit code 1** — blocking findings. Fix before merging.
 
-**Exit code 1** — one or more blocking findings. Fix before merging.
+Finding severities: `critical` blocks merge, `warning` should fix, `note` informational.
 
-**Finding severities:**
-- `error` — blocks merge (hardcoded secrets, npm audit Critical/High, failed tests)
-- `warning` — should fix, won't block
-- `info` — informational
+PR comment (via `--post-comments` or `ci`): status badge, phase table, critical/warning findings, cost footer. Edits existing comment on re-runs (tracked via `<!-- autopilot-review -->` marker).
 
-**SARIF output** — upload to GitHub Code Scanning with `github/codeql-action/upload-sarif@v3` for inline PR annotations.
+SARIF output: upload with `github/codeql-action/upload-sarif@v3` for inline PR diff annotations. Also auto-emits `::error`/`::warning` annotations when `GITHUB_ACTIONS=true`.
 
 ## Config (`autopilot.config.yaml`)
 
 ```yaml
 configVersion: 1
 reviewEngine:
-  adapter: codex         # LLM review via OpenAI (requires OPENAI_API_KEY)
-testCommand: npm test
-protectedPaths:
-  - src/core/**
+  adapter: auto         # auto, claude, gemini, codex, openai-compatible
+testCommand: npm test   # null to disable
+protectedPaths:         # auto-detected if omitted
+  - data/deltas/**
+  - .github/workflows/**
 staticRules:
   - hardcoded-secrets
   - npm-audit
+  - package-lock-sync
+  - console-log
+  - todo-fixme
+  - large-file
+  - missing-tests
 ```
 
-Full schema and preset defaults: `node_modules/@delegance/claude-autopilot/presets/<name>/autopilot.config.yaml`
+Preset defaults at: `node_modules/@delegance/claude-autopilot/presets/<name>/autopilot.config.yaml`
 
-## Integration with Development Pipeline
+## GitHub Actions
+
+```yaml
+- uses: axledbetter/claude-autopilot/.github/actions/ci@main
+  with:
+    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}   # or openai/gemini/groq
+```
+
+Runs `npx autopilot ci`, uploads SARIF, annotates PR diff. All API key inputs optional — whichever is set gets used by `auto`.
 
-In a full spec→PR pipeline, `autopilot run` replaces the validate step:
+## Integration with Development Pipeline
 
 ```bash
-# After implementing feature on branch
+# After implementing feature
 npx autopilot run --base main
 
 # If findings → fix → re-run (max 3 iterations)
 # If clean → push → create PR
 ```
-
-## GitHub Actions
-
-```yaml
-- uses: axledbetter/claude-autopilot/.github/actions/ci@main
-  with:
-    openai-api-key: ${{ secrets.OPENAI_API_KEY }}
-```
-
-Runs the pipeline, uploads SARIF, annotates the PR diff inline.

package/src/cli/ci.ts

@@ -0,0 +1,38 @@
+import { runCommand } from './run.ts';
+
+export interface CiCommandOptions {
+  cwd?: string;
+  configPath?: string;
+  base?: string;
+  postComments?: boolean;
+  sarifOutput?: string;
+}
+
+/**
+ * `autopilot ci` — opinionated single-command CI entrypoint.
+ *
+ * Equivalent to:
+ *   autopilot run --base <ref> --post-comments --format sarif --output <path>
+ *
+ * Defaults:
+ *   base       GITHUB_BASE_REF → HEAD~1
+ *   output     autopilot.sarif
+ *   post-comments  true (skip if no PR detected — run.ts handles gracefully)
+ */
+export async function runCi(options: CiCommandOptions = {}): Promise<number> {
+  const base = options.base
+    ?? process.env.GITHUB_BASE_REF
+    ?? process.env.CI_MERGE_REQUEST_TARGET_BRANCH_NAME  // GitLab
+    ?? 'HEAD~1';
+
+  const sarifOutput = options.sarifOutput ?? 'autopilot.sarif';
+
+  return runCommand({
+    cwd: options.cwd,
+    configPath: options.configPath,
+    base,
+    postComments: options.postComments ?? true,
+    format: 'sarif',
+    outputPath: sarifOutput,
+  });
+}

package/src/cli/index.ts

@@ -14,6 +14,7 @@ import { runCommand } from './run.ts';
 import { runWatch } from './watch.ts';
 import { runSetup } from './setup.ts';
 import { runDoctor } from './preflight.ts';
+import { runCi } from './ci.ts';
 
 const args = process.argv.slice(2);
 
@@ -27,7 +28,7 @@ if (args[0] === '--version' || args[0] === '-v') {
   process.exit(0);
 }
 
-const SUBCOMMANDS = ['init', 'run', 'watch', 'hook', 'autoregress', 'doctor', 'preflight', 'setup', 'help', '--help', '-h'] as const;
+const SUBCOMMANDS = ['init', 'run', 'ci', 'watch', 'hook', 'autoregress', 'doctor', 'preflight', 'setup', 'help', '--help', '-h'] as const;
 const VALUE_FLAGS = ['base', 'config', 'files', 'format', 'output', 'debounce'];
 
 // Detect first non-flag arg as subcommand, default to 'run'
@@ -65,6 +66,7 @@ Options (run):
   --config <path>      Path to config file (default: ./autopilot.config.yaml)
   --files <a,b,c>      Explicit comma-separated file list (skips git detection)
   --dry-run            Show what would run without executing
+  --post-comments      Post/update a summary comment on the open PR
   --format <text|sarif>  Output format (default: text)
   --output <path>        Output file path (required with --format sarif)
 
@@ -118,6 +120,7 @@ switch (subcommand) {
     const config = flag('config');
     const filesArg = flag('files');
     const dryRun = boolFlag('dry-run');
+    const postComments = boolFlag('post-comments');
     const formatArg = flag('format');
     const outputPath = flag('output');
 
@@ -135,6 +138,7 @@ switch (subcommand) {
       configPath: config,
       files: filesArg ? filesArg.split(',').map(f => f.trim()) : undefined,
       dryRun,
+      postComments,
       format: formatArg as 'text' | 'sarif' | undefined,
       outputPath,
     });
@@ -142,6 +146,21 @@ switch (subcommand) {
     break;
   }
 
+  case 'ci': {
+    const base = flag('base');
+    const config = flag('config');
+    const outputPath = flag('output');
+    const noPostComments = boolFlag('no-post-comments');
+    const code = await runCi({
+      configPath: config,
+      base,
+      sarifOutput: outputPath,
+      postComments: noPostComments ? false : undefined,
+    });
+    process.exit(code);
+    break;
+  }
+
   case 'hook': {
     const { runHook } = await import('./hook.ts');
     const hookSub = args[1] ?? 'status';

package/src/cli/pr-comment.ts

@@ -0,0 +1,137 @@
+import { runSafe } from '../core/shell.ts';
+import type { RunResult } from '../core/pipeline/run.ts';
+import type { AutopilotConfig } from '../core/config/types.ts';
+import type { GitContext } from '../core/detect/git-context.ts';
+import { readFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const COMMENT_MARKER = '<!-- autopilot-review -->';
+
+function readVersion(): string {
+  try {
+    const pkgPath = join(dirname(fileURLToPath(import.meta.url)), '../../package.json');
+    return (JSON.parse(readFileSync(pkgPath, 'utf8')) as { version: string }).version;
+  } catch { return 'unknown'; }
+}
+
+/** Detect the current open PR number via gh CLI or CI env vars. */
+export function detectPrNumber(cwd: string): number | null {
+  // CI env vars set by GitHub Actions
+  const fromEnv = process.env.PR_NUMBER ?? process.env.GH_PR_NUMBER ?? process.env.GITHUB_PR_NUMBER;
+  if (fromEnv && /^\d+$/.test(fromEnv)) return parseInt(fromEnv, 10);
+
+  // gh CLI — works locally and in CI when gh is authenticated
+  const raw = runSafe('gh', ['pr', 'view', '--json', 'number', '--jq', '.number'], { cwd });
+  if (raw) {
+    const n = parseInt(raw.trim(), 10);
+    if (!isNaN(n)) return n;
+  }
+  return null;
+}
+
+/** Find the ID of a previously-posted autopilot comment, if any. */
+function findExistingCommentId(pr: number, cwd: string): number | null {
+  const raw = runSafe('gh', ['api', `repos/{owner}/{repo}/issues/${pr}/comments`,
+    '--jq', `[.[] | select(.body | startswith("${COMMENT_MARKER}")) | .id] | first`], { cwd });
+  if (!raw) return null;
+  const n = parseInt(raw.trim(), 10);
+  return isNaN(n) ? null : n;
+}
+
+/** Format a RunResult into a markdown PR comment. */
+export function formatComment(
+  result: RunResult,
+  config: AutopilotConfig,
+  gitCtx: GitContext,
+  touchedFileCount: number,
+): string {
+  const statusIcon = result.status === 'pass' ? '✅' : result.status === 'warn' ? '⚠️' : '❌';
+  const statusLabel = result.status === 'pass' ? 'Passed' : result.status === 'warn' ? 'Passed with warnings' : 'Failed';
+
+  const lines: string[] = [
+    COMMENT_MARKER,
+    `## ${statusIcon} Autopilot Review — ${statusLabel}`,
+    '',
+  ];
+
+  // Context line
+  const ctx: string[] = [];
+  if (config.stack) ctx.push(`**Stack:** ${config.stack}`);
+  if (gitCtx.branch) ctx.push(`**Branch:** \`${gitCtx.branch}\``);
+  if (gitCtx.commitMessage) ctx.push(`**Commit:** ${gitCtx.commitMessage}`);
+  ctx.push(`**Files reviewed:** ${touchedFileCount}`);
+  lines.push(ctx.join(' · '), '');
+
+  // Phase table
+  lines.push('| Phase | Status | Findings |');
+  lines.push('|---|:---:|:---:|');
+  for (const phase of result.phases) {
+    const icon = phase.status === 'pass' ? '✅' : phase.status === 'skip' ? '—' :
+                 phase.status === 'warn' ? '⚠️' : '❌';
+    lines.push(`| ${phase.phase} | ${icon} | ${phase.findings.length} |`);
+  }
+  lines.push('');
+
+  // Findings by severity
+  const critical = result.allFindings.filter(f => f.severity === 'critical');
+  const warnings = result.allFindings.filter(f => f.severity === 'warning');
+  const notes    = result.allFindings.filter(f => f.severity === 'note');
+
+  if (critical.length > 0) {
+    lines.push('### 🚨 Critical');
+    for (const f of critical) {
+      const loc = f.file !== '<unspecified>' ? `\`${f.file}${f.line ? `:${f.line}` : ''}\` — ` : '';
+      lines.push(`- ${loc}${f.message}`);
+      if (f.suggestion) lines.push(`  > ${f.suggestion}`);
+    }
+    lines.push('');
+  }
+
+  if (warnings.length > 0) {
+    lines.push('### ⚠️ Warnings');
+    for (const f of warnings) {
+      const loc = f.file !== '<unspecified>' ? `\`${f.file}${f.line ? `:${f.line}` : ''}\` — ` : '';
+      lines.push(`- ${loc}${f.message}`);
+      if (f.suggestion) lines.push(`  > ${f.suggestion}`);
+    }
+    lines.push('');
+  }
+
+  if (notes.length > 0) {
+    lines.push('<details><summary>Notes</summary>\n');
+    for (const f of notes) {
+      const loc = f.file !== '<unspecified>' ? `\`${f.file}${f.line ? `:${f.line}` : ''}\` — ` : '';
+      lines.push(`- ${loc}${f.message}`);
+    }
+    lines.push('\n</details>\n');
+  }
+
+  if (result.totalCostUSD !== undefined) {
+    lines.push(`*Cost: $${result.totalCostUSD.toFixed(4)} · ${result.durationMs}ms · [@delegance/claude-autopilot](https://github.com/axledbetter/claude-autopilot) v${readVersion()}*`);
+  } else {
+    lines.push(`*${result.durationMs}ms · [@delegance/claude-autopilot](https://github.com/axledbetter/claude-autopilot) v${readVersion()}*`);
+  }
+
+  return lines.join('\n');
+}
+
+/** Post or update the autopilot comment on the given PR. */
+export async function postPrComment(
+  pr: number,
+  body: string,
+  cwd: string,
+): Promise<{ action: 'created' | 'updated'; url: string | null }> {
+  const existingId = findExistingCommentId(pr, cwd);
+
+  if (existingId) {
+    runSafe('gh', ['api', `repos/{owner}/{repo}/issues/comments/${existingId}`,
+      '--method', 'PATCH', '--field', `body=${body}`], { cwd });
+    return { action: 'updated', url: null };
+  }
+
+  const raw = runSafe('gh', ['pr', 'comment', String(pr), '--body', body], { cwd });
+  // gh outputs the comment URL on success
+  const url = raw?.trim() ?? null;
+  return { action: 'created', url };
+}

package/src/cli/run.ts

@@ -37,6 +37,7 @@ import { detectStack } from '../core/detect/stack.ts';
 import { detectProtectedPaths } from '../core/detect/protected-paths.ts';
 import { detectGitContext } from '../core/detect/git-context.ts';
 import { detectProject } from './detector.ts';
+import { detectPrNumber, formatComment, postPrComment } from './pr-comment.ts';
 
 function readToolVersion(): string {
   const pkgPath = path.join(path.dirname(fileURLToPath(import.meta.url)), '../../package.json');
@@ -60,11 +61,12 @@ function fmt(color: keyof typeof C, text: string): string {
 export interface RunCommandOptions {
   cwd?: string;
   configPath?: string;
-  base?: string;       // git base ref (default HEAD~1)
-  files?: string[];    // explicit file list (skips git detection)
-  dryRun?: boolean;    // skip review, print what would run
+  base?: string;        // git base ref (default HEAD~1)
+  files?: string[];     // explicit file list (skips git detection)
+  dryRun?: boolean;     // skip review, print what would run
   format?: 'text' | 'sarif';
   outputPath?: string;
+  postComments?: boolean; // post/update summary comment on the open PR
 }
 
 /**
@@ -189,6 +191,22 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     console.log(fmt('dim', `[run] SARIF written to ${options.outputPath}`));
   }
 
+  // Post PR comment if requested
+  if (options.postComments) {
+    const pr = detectPrNumber(cwd);
+    if (!pr) {
+      console.log(fmt('yellow', '  [run] --post-comments: no open PR found — skipping comment'));
+    } else {
+      try {
+        const body = formatComment(result, config, gitCtx, touchedFiles.length);
+        const { action } = await postPrComment(pr, body, cwd);
+        console.log(fmt('dim', `  [run] PR #${pr} comment ${action}`));
+      } catch (err) {
+        console.error(fmt('yellow', `  [run] Failed to post PR comment: ${err instanceof Error ? err.message : String(err)}`));
+      }
+    }
+  }
+
   // Print phase summaries
   for (const phase of result.phases) {
     const icon = phase.status === 'pass' ? fmt('green', '✓') :