@delegance/claude-autopilot 1.9.0 → 2.1.0

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [2.1.0] — 2026-04-22
+
+### Added
+- **Risk-weighted file ordering** (`src/core/chunking/risk-ranker.ts`) — ranks files before sending to LLM: protected paths (score 100) → auth/security (80) → payment/billing (70) → core logic (50) → config files (40) → everything else (30) → tests (10) → docs (5); ensures most sensitive code appears at the start of the LLM's context window
+- `BuildChunksInput.protectedPaths` — passed from config through review-phase to ranker so glob patterns from `protectedPaths:` config key are respected
+- 9 new tests for `rankByRisk` — **224 total**
+
+## [2.0.0] — 2026-04-22
+
+### Added
+- **`autopilot ci`** — opinionated single-command CI entrypoint; defaults to `--post-comments`, `--format sarif`, and base ref from `GITHUB_BASE_REF`/`CI_MERGE_REQUEST_TARGET_BRANCH_NAME`/`HEAD~1`; supports `--base`, `--output`, `--no-post-comments`
+- **`.github/actions/ci/action.yml`** — composite GitHub Actions action; accepts `anthropic-api-key`, `openai-api-key`, `gemini-api-key`, `groq-api-key`, `base-ref`, `config`, `sarif-output`, `post-comments` inputs; runs `npx autopilot ci`, uploads SARIF via `codeql-action/upload-sarif@v3`
+- **Updated `skills/autopilot.md`** — complete rewrite covering all adapters, auto-detection, `--post-comments`, `ci` command, action.yml usage
+
 ## [1.9.0] — 2026-04-22
 
 ### Added

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "1.9.0",
+  "version": "2.1.0",
   "type": "module",
   "description": "Claude Code automation pipeline: spec → plan → implement → validate → PR",
   "keywords": [

package/skills/autopilot.md

@@ -5,138 +5,153 @@ description: Run the @delegance/claude-autopilot code review pipeline — static
 
 # autopilot — Code Review Pipeline
 
-Runs static rules, optional LLM review (Codex), and impact-aware snapshot regression tests on git-changed files. Outputs findings inline and optionally as SARIF for GitHub Code Scanning.
+Runs static rules, optional LLM review, and impact-aware snapshot regression on git-changed files. Auto-detects stack, protected paths, and test command from the project. Outputs findings inline and optionally as SARIF for GitHub Code Scanning.
 
 ## When to Use
 
-- Before creating a PR (catch issues before review)
-- After completing a feature branch (validate the full changeset)
-- Inside a CI pipeline step (use `--format sarif --output results.sarif`)
-- Anytime `validate` is called in a dev pipeline
+- Before creating a PR: `npx autopilot run --base main`
+- Inside CI: `npx autopilot ci` (one-command, posts PR comment + SARIF)
+- Dev loop: `npx autopilot watch`
+- First setup: `npx autopilot setup && npx autopilot doctor`
 
 ## Prerequisites
 
-Run `npx autopilot doctor` once per project setup to verify:
-- Node 22+, tsx, gh CLI authenticated, claude CLI, OPENAI_API_KEY, git user config
+```bash
+npx autopilot doctor   # checks Node 22+, tsx, gh CLI, API key, git config
+```
 
 ## Commands
 
-### Run pipeline on changed files
+### `run` — pipeline on git-changed files
 
 ```bash
-# Diff against HEAD~1 (default — last commit)
-npx autopilot run
-
-# Diff against a branch (typical pre-PR use)
-npx autopilot run --base main
-
-# Explicit file list (skip git detection)
-npx autopilot run --files src/foo.ts,src/bar.ts
-
-# Dry run — show what would run, no execution
-npx autopilot run --dry-run
-
-# SARIF output for GitHub Code Scanning
+npx autopilot run                          # diff HEAD~1 (default)
+npx autopilot run --base main              # diff against branch
+npx autopilot run --files src/a.ts,src/b.ts  # explicit files
+npx autopilot run --dry-run                # show what would run
+npx autopilot run --post-comments          # post/update summary on open PR
 npx autopilot run --format sarif --output autopilot.sarif
 ```
 
-### Zero-prompt setup (new project)
+### `ci` — opinionated CI entrypoint
 
 ```bash
-npx autopilot setup
+npx autopilot ci          # base=GITHUB_BASE_REF, post-comments=true, sarif written
+npx autopilot ci --base develop
+npx autopilot ci --no-post-comments
+npx autopilot ci --output results.sarif
 ```
 
-Auto-detects project type (Go, Rails, FastAPI, T3, Next.js+Supabase), writes `autopilot.config.yaml`, installs pre-push hook, runs doctor.
+Equivalent to `run --base <ref> --post-comments --format sarif --output <path>`. Base ref resolves from `GITHUB_BASE_REF` → `CI_MERGE_REQUEST_TARGET_BRANCH_NAME` → `HEAD~1`.
 
-### Check prerequisites
+### `setup` — zero-prompt first run
 
 ```bash
-npx autopilot doctor
+npx autopilot setup         # auto-detect stack, write config, install hook
+npx autopilot setup --force # overwrite existing config
 ```
 
-Exits 1 if blockers found. Safe to re-run anytime.
+Auto-detects: Go, Rails, FastAPI, T3, Next.js+Supabase. Runs doctor at end.
 
-### Watch mode (dev loop)
+### `watch` — dev loop
 
 ```bash
-npx autopilot watch              # re-run on every file save
+npx autopilot watch
 npx autopilot watch --debounce 500
 ```
 
-### Snapshot regression testing
+### `autoregress` — snapshot regression
 
 ```bash
-# Generate baselines for changed files (requires OPENAI_API_KEY)
-npx autopilot autoregress generate
-
-# Run only impact-selected snapshots (default — fast)
-npx autopilot autoregress run
-
-# Run all snapshots
-npx autopilot autoregress run --all
-
-# Show diffs vs baselines
-npx autopilot autoregress diff
-
-# Overwrite baselines after intentional behavior change
-npx autopilot autoregress update
+npx autopilot autoregress generate   # create baselines for changed files
+npx autopilot autoregress run        # run impact-selected snapshots
+npx autopilot autoregress run --all  # run all snapshots
+npx autopilot autoregress diff       # show diffs vs baselines
+npx autopilot autoregress update     # overwrite baselines after intentional change
 ```
 
-### Pre-push git hook
+### `hook` — pre-push git hook
 
 ```bash
-npx autopilot hook install       # write .git/hooks/pre-push
+npx autopilot hook install
 npx autopilot hook uninstall
 npx autopilot hook status
 ```
 
+## LLM Review Adapters
+
+Configure via `reviewEngine.adapter` in `autopilot.config.yaml`:
+
+| Adapter | Key env var | Notes |
+|---------|-------------|-------|
+| `auto` | any | Picks available provider; prefers the one already used in code |
+| `claude` | `ANTHROPIC_API_KEY` | Claude Opus 4.7 |
+| `gemini` | `GEMINI_API_KEY` or `GOOGLE_API_KEY` | Gemini 2.5 Pro, 1M context |
+| `codex` | `OPENAI_API_KEY` | gpt-5.3-codex via responses API |
+| `openai-compatible` | configurable | Any OpenAI-API endpoint (Groq, Ollama, Together) |
+
+`auto` priority order: Anthropic → Gemini → OpenAI → Groq. When multiple keys are present, `auto` scans the project source files and prefers the provider already referenced most.
+
+## Auto-Detection
+
+When config fields are absent, `autopilot run` fills them in automatically:
+
+- **stack** — parsed from `package.json`, `go.mod`, `Cargo.toml`, `requirements.txt`, `Gemfile`; injected into review prompt
+- **protectedPaths** — migration dirs (`data/deltas/`, `migrations/`, `prisma/migrations/`, etc.), schema files, infra dirs (`terraform/`, `.github/workflows/`)
+- **testCommand** — re-detected at run time from project files; set `testCommand: null` to disable explicitly
+- **git context** — branch + last commit injected as `Change context: branch: X | last commit: Y`
+
+Detection lines are printed dim after the file count: `auto-detected: stack: Next.js + Supabase | protected: data/deltas/** ...`
+
 ## Interpreting Results
 
-**Exit code 0** — no findings, or only warnings. Safe to proceed.
+**Exit code 0** — pass or warnings only. Safe to proceed.
+**Exit code 1** — blocking findings. Fix before merging.
 
-**Exit code 1** — one or more blocking findings. Fix before merging.
+Finding severities: `critical` blocks merge, `warning` should fix, `note` informational.
 
-**Finding severities:**
-- `error` — blocks merge (hardcoded secrets, npm audit Critical/High, failed tests)
-- `warning` — should fix, won't block
-- `info` — informational
+PR comment (via `--post-comments` or `ci`): status badge, phase table, critical/warning findings, cost footer. Edits existing comment on re-runs (tracked via `<!-- autopilot-review -->` marker).
 
-**SARIF output** — upload to GitHub Code Scanning with `github/codeql-action/upload-sarif@v3` for inline PR annotations.
+SARIF output: upload with `github/codeql-action/upload-sarif@v3` for inline PR diff annotations. Also auto-emits `::error`/`::warning` annotations when `GITHUB_ACTIONS=true`.
 
 ## Config (`autopilot.config.yaml`)
 
 ```yaml
 configVersion: 1
 reviewEngine:
-  adapter: codex         # LLM review via OpenAI (requires OPENAI_API_KEY)
-testCommand: npm test
-protectedPaths:
-  - src/core/**
+  adapter: auto         # auto, claude, gemini, codex, openai-compatible
+testCommand: npm test   # null to disable
+protectedPaths:         # auto-detected if omitted
+  - data/deltas/**
+  - .github/workflows/**
 staticRules:
   - hardcoded-secrets
   - npm-audit
+  - package-lock-sync
+  - console-log
+  - todo-fixme
+  - large-file
+  - missing-tests
 ```
 
-Full schema and preset defaults: `node_modules/@delegance/claude-autopilot/presets/<name>/autopilot.config.yaml`
+Preset defaults at: `node_modules/@delegance/claude-autopilot/presets/<name>/autopilot.config.yaml`
 
-## Integration with Development Pipeline
+## GitHub Actions
+
+```yaml
+- uses: axledbetter/claude-autopilot/.github/actions/ci@main
+  with:
+    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}   # or openai/gemini/groq
+```
+
+Runs `npx autopilot ci`, uploads SARIF, annotates PR diff. All API key inputs optional — whichever is set gets used by `auto`.
 
-In a full spec→PR pipeline, `autopilot run` replaces the validate step:
+## Integration with Development Pipeline
 
 ```bash
-# After implementing feature on branch
+# After implementing feature
 npx autopilot run --base main
 
 # If findings → fix → re-run (max 3 iterations)
 # If clean → push → create PR
 ```
-
-## GitHub Actions
-
-```yaml
-- uses: axledbetter/claude-autopilot/.github/actions/ci@main
-  with:
-    openai-api-key: ${{ secrets.OPENAI_API_KEY }}
-```
-
-Runs the pipeline, uploads SARIF, annotates the PR diff inline.

package/src/cli/ci.ts

@@ -0,0 +1,38 @@
+import { runCommand } from './run.ts';
+
+export interface CiCommandOptions {
+  cwd?: string;
+  configPath?: string;
+  base?: string;
+  postComments?: boolean;
+  sarifOutput?: string;
+}
+
+/**
+ * `autopilot ci` — opinionated single-command CI entrypoint.
+ *
+ * Equivalent to:
+ *   autopilot run --base <ref> --post-comments --format sarif --output <path>
+ *
+ * Defaults:
+ *   base       GITHUB_BASE_REF → HEAD~1
+ *   output     autopilot.sarif
+ *   post-comments  true (skip if no PR detected — run.ts handles gracefully)
+ */
+export async function runCi(options: CiCommandOptions = {}): Promise<number> {
+  const base = options.base
+    ?? process.env.GITHUB_BASE_REF
+    ?? process.env.CI_MERGE_REQUEST_TARGET_BRANCH_NAME  // GitLab
+    ?? 'HEAD~1';
+
+  const sarifOutput = options.sarifOutput ?? 'autopilot.sarif';
+
+  return runCommand({
+    cwd: options.cwd,
+    configPath: options.configPath,
+    base,
+    postComments: options.postComments ?? true,
+    format: 'sarif',
+    outputPath: sarifOutput,
+  });
+}

package/src/cli/index.ts

@@ -14,6 +14,7 @@ import { runCommand } from './run.ts';
 import { runWatch } from './watch.ts';
 import { runSetup } from './setup.ts';
 import { runDoctor } from './preflight.ts';
+import { runCi } from './ci.ts';
 
 const args = process.argv.slice(2);
 
@@ -27,7 +28,7 @@ if (args[0] === '--version' || args[0] === '-v') {
   process.exit(0);
 }
 
-const SUBCOMMANDS = ['init', 'run', 'watch', 'hook', 'autoregress', 'doctor', 'preflight', 'setup', 'help', '--help', '-h'] as const;
+const SUBCOMMANDS = ['init', 'run', 'ci', 'watch', 'hook', 'autoregress', 'doctor', 'preflight', 'setup', 'help', '--help', '-h'] as const;
 const VALUE_FLAGS = ['base', 'config', 'files', 'format', 'output', 'debounce'];
 
 // Detect first non-flag arg as subcommand, default to 'run'
@@ -145,6 +146,21 @@ switch (subcommand) {
     break;
   }
 
+  case 'ci': {
+    const base = flag('base');
+    const config = flag('config');
+    const outputPath = flag('output');
+    const noPostComments = boolFlag('no-post-comments');
+    const code = await runCi({
+      configPath: config,
+      base,
+      sarifOutput: outputPath,
+      postComments: noPostComments ? false : undefined,
+    });
+    process.exit(code);
+    break;
+  }
+
   case 'hook': {
     const { runHook } = await import('./hook.ts');
     const hookSub = args[1] ?? 'status';

package/src/core/chunking/index.ts

@@ -2,6 +2,7 @@ import * as fs from 'node:fs/promises';
 import * as path from 'node:path';
 import type { ReviewEngine, ReviewInput } from '../../adapters/review-engine/types.ts';
 import type { AutopilotConfig } from '../config/types.ts';
+import { rankByRisk } from './risk-ranker.ts';
 
 export interface ReviewChunk {
   content: string;
@@ -15,6 +16,7 @@ export interface BuildChunksInput {
   chunking?: AutopilotConfig['chunking'];
   engine: ReviewEngine;
   cwd?: string;
+  protectedPaths?: string[];
 }
 
 const DEFAULT_SMALL_TIER_TOKENS = 8000;
@@ -24,7 +26,8 @@ export async function buildReviewChunks(input: BuildChunksInput): Promise<Review
   const smallMax = input.chunking?.smallTierMaxTokens ?? DEFAULT_SMALL_TIER_TOKENS;
   const fileMax = input.chunking?.perFileMaxTokens ?? DEFAULT_FILE_TIER_TOKENS;
 
-  const fileContents = await readFiles(input.touchedFiles, input.cwd);
+  const ranked = rankByRisk(input.touchedFiles, { protectedPaths: input.protectedPaths });
+  const fileContents = await readFiles(ranked, input.cwd);
 
   if (input.strategy === 'single-pass') {
     const combined = formatBatch(fileContents);

package/src/core/chunking/risk-ranker.ts

@@ -0,0 +1,56 @@
+import { minimatch } from 'minimatch';
+
+interface RankOptions {
+  protectedPaths?: string[];
+}
+
+const AUTH_PATTERNS = [
+  /auth/i, /login/i, /logout/i, /session/i, /token/i, /jwt/i, /oauth/i,
+  /password/i, /credential/i, /secret/i, /permission/i, /role/i, /acl/i,
+];
+
+const PAYMENT_PATTERNS = [
+  /payment/i, /billing/i, /stripe/i, /checkout/i, /invoice/i, /charge/i,
+  /subscription/i, /wallet/i, /transaction/i, /refund/i,
+];
+
+const CORE_PATTERNS = [
+  /\/services\//i, /\/core\//i, /\/api\//i, /\/routes?\//i,
+  /\/controllers?\//i, /\/models?\//i, /\/middleware\//i, /\/handlers?\//i,
+];
+
+const TEST_EXT = /\.(test|spec)\.[a-z]+$/i;
+const DOC_EXT = /\.(md|txt|rst|adoc)$/i;
+const CONFIG_EXT = /\.(ya?ml|json|toml|ini|env)$/i;
+const CONFIG_NAMES = /(config|settings|env|constants)\./i;
+
+function scoreFile(file: string, protectedPaths: string[]): number {
+  const norm = file.replace(/\\/g, '/');
+
+  // Protected paths are highest risk
+  for (const pattern of protectedPaths) {
+    if (minimatch(norm, pattern, { matchBase: false }) ||
+        minimatch(norm, pattern, { matchBase: true })) {
+      return 100;
+    }
+  }
+
+  if (TEST_EXT.test(norm)) return 10;
+  if (DOC_EXT.test(norm)) return 5;
+
+  if (AUTH_PATTERNS.some(p => p.test(norm))) return 80;
+  if (PAYMENT_PATTERNS.some(p => p.test(norm))) return 70;
+  if (CORE_PATTERNS.some(p => p.test(norm))) return 50;
+  if (CONFIG_EXT.test(norm) || CONFIG_NAMES.test(norm)) return 40;
+
+  return 30;
+}
+
+/**
+ * Returns files sorted highest-risk first so LLM sees the most sensitive code
+ * at the start of its context window.
+ */
+export function rankByRisk(files: string[], options: RankOptions = {}): string[] {
+  const protectedPaths = options.protectedPaths ?? [];
+  return [...files].sort((a, b) => scoreFile(b, protectedPaths) - scoreFile(a, protectedPaths));
+}

package/src/core/pipeline/review-phase.ts

@@ -34,6 +34,7 @@ export async function runReviewPhase(input: ReviewPhaseInput): Promise<ReviewPha
     chunking: input.config.chunking,
     engine: input.engine,
     cwd: input.cwd,
+    protectedPaths: input.config.protectedPaths,
   });
 
   const allFindings: Finding[] = [];