@delegance/claude-autopilot 2.3.0 → 2.4.0

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## [2.4.0] — 2026-04-22
+
+### Added
+- **`ignore:` config key** — embed suppression rules in `autopilot.config.yaml` via `ignore: ['tests/**', { rule: hardcoded-secrets, path: src/vendor/** }]`; merged with `.autopilot-ignore` file rules at run time
+- **Per-run cost log** — appends `{timestamp, files, inputTokens, outputTokens, costUSD, durationMs}` to `.autopilot-cache/costs.jsonl` after every run; corrupt lines skipped on read; `readCostLog()` exported for tooling
+- **`--inline-comments`** — posts a GitHub PR review with per-line inline comments for every finding that has a `file:line`; re-runs dismiss the previous autopilot review before posting a new one; `autopilot ci` enables this by default (`--no-inline-comments` to opt out)
+- **`reviewStrategy: auto-diff`** — tries diff first, falls back to full-file `auto` when diff is empty (new files, no git history); `--diff` flag still forces pure diff mode
+- `src/cli/pr-review-comments.ts` — `postReviewComments()` using `gh api repos/{nwo}/pulls/{pr}/reviews`
+- `src/core/persist/cost-log.ts` — `appendCostLog()`, `readCostLog()`
+- 9 new tests — **257 total**
+
 ## [2.3.0] — 2026-04-22
 
 ### Added

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "2.3.0",
+  "version": "2.4.0",
   "type": "module",
   "description": "Claude Code automation pipeline: spec → plan → implement → validate → PR",
   "keywords": [

package/src/cli/ci.ts

@@ -7,6 +7,7 @@ export interface CiCommandOptions {
   postComments?: boolean;
   sarifOutput?: string;
   diff?: boolean;
+  inlineComments?: boolean;
 }
 
 /**
@@ -36,5 +37,6 @@ export async function runCi(options: CiCommandOptions = {}): Promise<number> {
     format: 'sarif',
     outputPath: sarifOutput,
     diff: options.diff,
+    inlineComments: options.inlineComments ?? true,
   });
 }

package/src/cli/index.ts

@@ -68,6 +68,7 @@ Options (run):
   --dry-run            Show what would run without executing
   --diff               Send git diff hunks instead of full files (~70% fewer tokens)
   --delta              Only report findings new since last run (suppress pre-existing)
+  --inline-comments    Post per-line review comments on the PR diff
   --post-comments      Post/update a summary comment on the open PR
   --format <text|sarif>  Output format (default: text)
   --output <path>        Output file path (required with --format sarif)
@@ -124,6 +125,7 @@ switch (subcommand) {
     const dryRun = boolFlag('dry-run');
     const diff = boolFlag('diff');
     const delta = boolFlag('delta');
+    const inlineComments = boolFlag('inline-comments');
     const postComments = boolFlag('post-comments');
     const formatArg = flag('format');
     const outputPath = flag('output');
@@ -144,6 +146,7 @@ switch (subcommand) {
       dryRun,
       diff,
       delta,
+      inlineComments,
       postComments,
       format: formatArg as 'text' | 'sarif' | undefined,
       outputPath,
@@ -157,12 +160,14 @@ switch (subcommand) {
     const config = flag('config');
     const outputPath = flag('output');
     const noPostComments = boolFlag('no-post-comments');
+    const noInlineComments = boolFlag('no-inline-comments');
     const diff = boolFlag('diff');
     const code = await runCi({
       configPath: config,
       base,
       sarifOutput: outputPath,
       postComments: noPostComments ? false : undefined,
+      inlineComments: noInlineComments ? false : undefined,
       diff,
     });
     process.exit(code);

package/src/cli/pr-review-comments.ts

@@ -0,0 +1,92 @@
+import { runSafe } from '../core/shell.ts';
+import type { Finding } from '../core/findings/types.ts';
+
+const REVIEW_MARKER = '<!-- autopilot-inline -->';
+
+function getRepoNwo(cwd: string): string | null {
+  const raw = runSafe('gh', ['repo', 'view', '--json', 'nameWithOwner', '--jq', '.nameWithOwner'], { cwd });
+  return raw ? raw.trim() : null;
+}
+
+/** True when a review with our marker already exists on this PR (avoids duplicates on re-runs). */
+function findExistingReviewId(pr: number, nwo: string, cwd: string): number | null {
+  const raw = runSafe('gh', [
+    'api', `repos/${nwo}/pulls/${pr}/reviews`,
+    '--jq', `[.[] | select(.body | startswith("${REVIEW_MARKER}")) | .id] | first`,
+  ], { cwd });
+  if (!raw) return null;
+  const n = parseInt(raw.trim(), 10);
+  return isNaN(n) ? null : n;
+}
+
+export interface PostReviewCommentsResult {
+  posted: number;
+  skipped: number; // findings with no line number
+}
+
+/**
+ * Posts (or re-submits) a PR review with inline comments for each finding
+ * that has a file + line number. Findings without line numbers are skipped.
+ * Re-runs dismiss the previous autopilot review first to avoid stacking.
+ */
+export async function postReviewComments(
+  pr: number,
+  findings: Finding[],
+  cwd: string,
+): Promise<PostReviewCommentsResult> {
+  const nwo = getRepoNwo(cwd);
+  if (!nwo) throw new Error('Could not determine repository name — is gh authenticated?');
+
+  const commentable = findings.filter(
+    f => f.line !== undefined && f.file && f.file !== '<unspecified>' && f.file !== '<pipeline>',
+  );
+  const skipped = findings.length - commentable.length;
+
+  if (commentable.length === 0) return { posted: 0, skipped };
+
+  // Dismiss existing review so we don't stack on re-runs
+  const existingId = findExistingReviewId(pr, nwo, cwd);
+  if (existingId) {
+    runSafe('gh', [
+      'api', `repos/${nwo}/pulls/${pr}/reviews/${existingId}/dismissals`,
+      '--method', 'PUT',
+      '--field', 'message=Superseded by updated autopilot review',
+    ], { cwd });
+  }
+
+  // Build review body
+  const body = [
+    REVIEW_MARKER,
+    `**Autopilot** found ${commentable.length} inline finding${commentable.length !== 1 ? 's' : ''}.`,
+  ].join('\n');
+
+  // Build comments array as JSON
+  const comments = commentable.map(f => ({
+    path: f.file,
+    line: f.line,
+    side: 'RIGHT',
+    body: formatFindingBody(f),
+  }));
+
+  // gh api doesn't support array fields well via --field, use --input with JSON
+  const payload = JSON.stringify({ body, event: 'COMMENT', comments });
+  const result = runSafe('gh', [
+    'api', `repos/${nwo}/pulls/${pr}/reviews`,
+    '--method', 'POST',
+    '--input', '-',
+  ], { cwd, input: payload });
+
+  if (!result) throw new Error('Failed to post review — gh api returned no output');
+
+  return { posted: commentable.length, skipped };
+}
+
+function formatFindingBody(f: Finding): string {
+  const sev = f.severity === 'critical' ? '🚨 **CRITICAL**'
+            : f.severity === 'warning'  ? '⚠️ **Warning**'
+            : '💡 **Note**';
+  const lines = [`${sev} — ${f.message}`];
+  if (f.suggestion) lines.push(`\n> **Suggestion:** ${f.suggestion}`);
+  lines.push(`\n*[@delegance/claude-autopilot](https://github.com/axledbetter/claude-autopilot)*`);
+  return lines.join('');
+}

package/src/cli/run.ts

@@ -38,8 +38,10 @@ import { detectProtectedPaths } from '../core/detect/protected-paths.ts';
 import { detectGitContext } from '../core/detect/git-context.ts';
 import { detectProject } from './detector.ts';
 import { detectPrNumber, formatComment, postPrComment } from './pr-comment.ts';
-import { loadIgnoreRules, applyIgnoreRules } from '../core/ignore/index.ts';
+import { postReviewComments } from './pr-review-comments.ts';
+import { loadIgnoreRules, parseConfigIgnore, applyIgnoreRules } from '../core/ignore/index.ts';
 import { loadCachedFindings, saveCachedFindings, filterNewFindings } from '../core/persist/findings-cache.ts';
+import { appendCostLog } from '../core/persist/cost-log.ts';
 
 function readToolVersion(): string {
   const pkgPath = path.join(path.dirname(fileURLToPath(import.meta.url)), '../../package.json');
@@ -66,8 +68,9 @@ export interface RunCommandOptions {
   base?: string;        // git base ref (default HEAD~1)
   files?: string[];     // explicit file list (skips git detection)
   dryRun?: boolean;     // skip review, print what would run
-  diff?: boolean;       // use diff strategy (send git hunks instead of full files)
-  delta?: boolean;      // only report findings not present in last run's baseline
+  diff?: boolean;           // use diff strategy (send git hunks instead of full files)
+  delta?: boolean;          // only report findings not present in last run's baseline
+  inlineComments?: boolean; // post per-line review comments on the PR diff
   format?: 'text' | 'sarif';
   outputPath?: string;
   postComments?: boolean; // post/update summary comment on the open PR
@@ -190,8 +193,8 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
   console.log('');
   const result = await runAutopilot(input);
 
-  // Apply .autopilot-ignore suppression rules
-  const ignoreRules = loadIgnoreRules(cwd);
+  // Apply .autopilot-ignore + config ignore: rules
+  const ignoreRules = [...loadIgnoreRules(cwd), ...parseConfigIgnore(config.ignore)];
   if (ignoreRules.length > 0) {
     const before = result.allFindings.length;
     result.allFindings = applyIgnoreRules(result.allFindings, ignoreRules);
@@ -220,6 +223,17 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
   // Always persist the unfiltered findings as the new baseline
   saveCachedFindings(cwd, result.allFindings);
 
+  // Append to per-run cost log
+  const reviewPhase = result.phases.find(p => p.phase === 'review') as { usage?: { input: number; output: number } } | undefined;
+  appendCostLog(cwd, {
+    timestamp: new Date().toISOString(),
+    files: touchedFiles.length,
+    inputTokens: reviewPhase?.usage?.input ?? 0,
+    outputTokens: reviewPhase?.usage?.output ?? 0,
+    costUSD: result.totalCostUSD ?? 0,
+    durationMs: result.durationMs,
+  });
+
   // emitAnnotations is a no-op unless GITHUB_ACTIONS=true
   emitAnnotations(result.allFindings);
 
@@ -231,6 +245,21 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     console.log(fmt('dim', `[run] SARIF written to ${options.outputPath}`));
   }
 
+  // Post inline PR review comments if requested
+  if (options.inlineComments) {
+    const pr = detectPrNumber(cwd);
+    if (!pr) {
+      console.log(fmt('yellow', '  [run] --inline-comments: no open PR found — skipping'));
+    } else {
+      try {
+        const { posted, skipped } = await postReviewComments(pr, result.allFindings, cwd);
+        console.log(fmt('dim', `  [run] PR #${pr} inline review: ${posted} comment${posted !== 1 ? 's' : ''} posted${skipped > 0 ? `, ${skipped} skipped (no line number)` : ''}`));
+      } catch (err) {
+        console.error(fmt('yellow', `  [run] Failed to post inline comments: ${err instanceof Error ? err.message : String(err)}`));
+      }
+    }
+  }
+
   // Post PR comment if requested
   if (options.postComments) {
     const pr = detectPrNumber(cwd);

package/src/core/chunking/index.ts

@@ -13,12 +13,12 @@ export interface ReviewChunk {
 
 export interface BuildChunksInput {
   touchedFiles: string[];
-  strategy: 'auto' | 'single-pass' | 'file-level' | 'diff';
+  strategy: 'auto' | 'single-pass' | 'file-level' | 'diff' | 'auto-diff';
   chunking?: AutopilotConfig['chunking'];
   engine: ReviewEngine;
   cwd?: string;
   protectedPaths?: string[];
-  base?: string;  // git base ref — required for 'diff' strategy
+  base?: string;  // git base ref — required for 'diff'/'auto-diff' strategy
 }
 
 const DEFAULT_SMALL_TIER_TOKENS = 8000;
@@ -33,6 +33,14 @@ export async function buildReviewChunks(input: BuildChunksInput): Promise<Review
     return buildDiffChunks(input);
   }
 
+  // auto-diff: try diff first; fall back to full-file auto if diff is empty
+  // (handles new files, initial commits, or repos with no base ref)
+  if (input.strategy === 'auto-diff') {
+    const diffChunks = buildDiffChunks(input);
+    if (diffChunks.length > 0) return diffChunks;
+    // fall through to auto with full files
+  }
+
   const ranked = rankByRisk(input.touchedFiles, { protectedPaths: input.protectedPaths });
   const fileContents = await readFiles(ranked, input.cwd);
 

package/src/core/config/types.ts

@@ -27,7 +27,8 @@ export interface AutopilotConfig {
     maxCodexRetries?: number;
     maxBugbotRounds?: number;
   };
-  reviewStrategy?: 'auto' | 'single-pass' | 'file-level' | 'diff';
+  ignore?: Array<string | { rule?: string; path: string }>;
+  reviewStrategy?: 'auto' | 'single-pass' | 'file-level' | 'diff' | 'auto-diff';
   chunking?: {
     smallTierMaxTokens?: number;
     partialReviewTokens?: number;

package/src/core/ignore/index.ts

@@ -2,6 +2,7 @@ import * as fs from 'node:fs';
 import * as path from 'node:path';
 import { minimatch } from 'minimatch';
 import type { Finding } from '../findings/types.ts';
+import type { AutopilotConfig } from '../config/types.ts';
 
 export interface IgnoreRule {
   ruleId: string | '*';  // finding id prefix or '*' for any
@@ -36,6 +37,17 @@ function matchesRule(finding: Finding, rule: IgnoreRule): boolean {
   return minimatch(finding.file.replace(/\\/g, '/'), rule.pathGlob, { matchBase: true });
 }
 
+/** Convert `ignore:` entries from autopilot.config.yaml into IgnoreRules. */
+export function parseConfigIgnore(entries: AutopilotConfig['ignore']): IgnoreRule[] {
+  if (!entries || entries.length === 0) return [];
+  return entries.map(entry => {
+    if (typeof entry === 'string') {
+      return { ruleId: '*', pathGlob: entry };
+    }
+    return { ruleId: entry.rule ?? '*', pathGlob: entry.path };
+  });
+}
+
 export function applyIgnoreRules(findings: Finding[], rules: IgnoreRule[]): Finding[] {
   if (rules.length === 0) return findings;
   return findings.filter(f => !rules.some(r => matchesRule(f, r)));

package/src/core/persist/cost-log.ts

@@ -0,0 +1,30 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const CACHE_DIR = '.autopilot-cache';
+const LOG_FILE = 'costs.jsonl';
+
+export interface CostLogEntry {
+  timestamp: string;
+  files: number;
+  inputTokens: number;
+  outputTokens: number;
+  costUSD: number;
+  durationMs: number;
+}
+
+export function appendCostLog(cwd: string, entry: CostLogEntry): void {
+  const dir = path.join(cwd, CACHE_DIR);
+  fs.mkdirSync(dir, { recursive: true });
+  fs.appendFileSync(path.join(dir, LOG_FILE), JSON.stringify(entry) + '\n', 'utf8');
+}
+
+export function readCostLog(cwd: string): CostLogEntry[] {
+  const p = path.join(cwd, CACHE_DIR, LOG_FILE);
+  if (!fs.existsSync(p)) return [];
+  return fs.readFileSync(p, 'utf8')
+    .split('\n')
+    .filter(Boolean)
+    .map(line => { try { return JSON.parse(line) as CostLogEntry; } catch { return null; } })
+    .filter((e): e is CostLogEntry => e !== null);
+}