@delegance/claude-autopilot 2.5.0 → 5.0.0-alpha.2

package/src/cli/pr.ts

@@ -0,0 +1,76 @@
+import * as path from 'node:path';
+import * as fs from 'node:fs';
+import { spawnSync } from 'node:child_process';
+import { runCommand } from './run.ts';
+
+const C = {
+  reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
+  green: '\x1b[32m', yellow: '\x1b[33m', red: '\x1b[31m',
+};
+const fmt = (c: keyof typeof C, t: string) => `${C[c]}${t}${C.reset}`;
+
+export interface PrCommandOptions {
+  cwd?: string;
+  configPath?: string;
+  prNumber?: string;
+  noPostComments?: boolean;
+  noInlineComments?: boolean;
+}
+
+function ghJson<T>(args: string[], cwd: string): T | null {
+  const r = spawnSync('gh', args, { cwd, encoding: 'utf8' });
+  if (r.status !== 0) return null;
+  try { return JSON.parse(r.stdout) as T; } catch { return null; }
+}
+
+function gitFetch(remote: string, ref: string, cwd: string): boolean {
+  const r = spawnSync('git', ['fetch', remote, ref], { cwd, encoding: 'utf8', stdio: 'pipe' });
+  return r.status === 0;
+}
+
+export async function runPr(options: PrCommandOptions = {}): Promise<number> {
+  const cwd = options.cwd ?? process.cwd();
+  const configPath = options.configPath ?? path.join(cwd, 'guardrail.config.yaml');
+
+  if (!fs.existsSync(configPath)) {
+    console.error(fmt('red', `[pr] guardrail.config.yaml not found at ${configPath}`));
+    return 1;
+  }
+
+  // Resolve PR number
+  let prNumber = options.prNumber;
+  if (!prNumber) {
+    const detected = ghJson<{ number: number }>(['pr', 'view', '--json', 'number'], cwd);
+    if (!detected) {
+      console.error(fmt('red', '[pr] No PR number given and no open PR found for current branch.'));
+      console.error(fmt('dim', '  Usage: guardrail pr <number>'));
+      return 1;
+    }
+    prNumber = String(detected.number);
+  }
+
+  // Look up PR metadata
+  interface PrMeta { number: number; baseRefName: string; headRefName: string; title: string }
+  const pr = ghJson<PrMeta>(['pr', 'view', prNumber, '--json', 'number,baseRefName,headRefName,title'], cwd);
+  if (!pr) {
+    console.error(fmt('red', `[pr] Could not fetch PR #${prNumber} — is gh authenticated?`));
+    return 1;
+  }
+
+  console.log(`\n${fmt('bold', `[guardrail pr]`)} #${pr.number} ${fmt('dim', pr.title)}`);
+  console.log(fmt('dim', `  base: ${pr.baseRefName}  head: ${pr.headRefName}`));
+
+  // Fetch base ref so diff works locally
+  const fetched = gitFetch('origin', pr.baseRefName, cwd);
+  if (!fetched) {
+    console.log(fmt('yellow', `  [pr] Warning: could not fetch origin/${pr.baseRefName} — diff may be stale`));
+  }
+
+  return runCommand({
+    cwd,
+    configPath,
+    base: `origin/${pr.baseRefName}`,
+    postComments: !options.noPostComments,
+    inlineComments: !options.noInlineComments,
+  });
+}

package/src/cli/preflight.ts

@@ -3,6 +3,7 @@ import * as fs from 'node:fs';
 import * as path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { runSafe } from '../core/shell.ts';
+import { detectLLMKey, loadEnvFile, LLM_KEY_NAMES } from '../core/detect/llm-key.ts';
 
 const PASS = '\x1b[32m✓\x1b[0m';
 const FAIL = '\x1b[31m✗\x1b[0m';
@@ -16,26 +17,92 @@ interface Check {
   message?: string;
 }
 
-function loadEnvFile(filePath: string): Record<string, string> {
-  const vars: Record<string, string> = {};
-  try {
-    const content = fs.readFileSync(filePath, 'utf-8');
-    for (const line of content.split('\n')) {
-      const trimmed = line.trim();
-      if (!trimmed || trimmed.startsWith('#')) continue;
-      const eq = trimmed.indexOf('=');
-      if (eq < 0) continue;
-      vars[trimmed.slice(0, eq).trim()] = trimmed.slice(eq + 1).trim().replace(/^['"]|['"]$/g, '');
-    }
-  } catch { /* ignore */ }
-  return vars;
-}
-
 export interface DoctorResult {
   blockers: number;
   warnings: number;
 }
 
+/**
+ * Checks that the superpowers plugin skills required by the pipeline are resolvable
+ * from the usual Claude Code plugin paths. Returns skill names that weren't found.
+ */
+const REQUIRED_SUPERPOWERS_SKILLS = [
+  'writing-plans',
+  'using-git-worktrees',
+  'subagent-driven-development',
+] as const;
+
+function skillRoots(): string[] {
+  const home = process.env.HOME || process.env.USERPROFILE || '';
+  const cwd = process.cwd();
+  const roots: string[] = [];
+  // Project-local plugin install
+  roots.push(path.join(cwd, '.claude', 'plugins'));
+  // User-global plugin install
+  if (home) roots.push(path.join(home, '.claude', 'plugins'));
+  return roots.filter(p => fs.existsSync(p));
+}
+
+export function findMissingSuperpowersSkills(): string[] {
+  // Traverse each root once, collect all discovered skill names, then diff against
+  // the required set. Previous implementation did N × roots separate recursive walks.
+  const discovered = new Set<string>();
+  const MAX_DIRS_PER_ROOT = 2000; // safety cap to prevent pathological plugin trees
+
+  for (const root of skillRoots()) {
+    collectSkills(root, discovered, { visited: { n: 0 }, max: MAX_DIRS_PER_ROOT });
+  }
+
+  return REQUIRED_SUPERPOWERS_SKILLS.filter(s => !discovered.has(s));
+}
+
+// Walks up to 8 levels deep, capped at `max` directories total. When it finds a
+// `skills/` directory, records every `<skill-name>/SKILL.md` and `<skill-name>.md`
+// entry directly into the Set. Never revisits by name (Claude Code plugin caches
+// can contain many parallel copies — we only care whether a skill exists *somewhere*).
+function collectSkills(
+  dir: string,
+  out: Set<string>,
+  ctx: { visited: { n: number }; max: number },
+  depth = 0,
+): void {
+  if (depth > 8) return;
+  if (ctx.visited.n >= ctx.max) return;
+  ctx.visited.n++;
+
+  let entries: fs.Dirent[];
+  try {
+    entries = fs.readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+
+  // If this dir has a skills/ child, record every skill inside it
+  for (const entry of entries) {
+    if (entry.isDirectory() && entry.name === 'skills') {
+      const skillsDir = path.join(dir, 'skills');
+      try {
+        for (const skill of fs.readdirSync(skillsDir, { withFileTypes: true })) {
+          if (skill.isDirectory() && fs.existsSync(path.join(skillsDir, skill.name, 'SKILL.md'))) {
+            out.add(skill.name);
+          } else if (skill.isFile() && skill.name.endsWith('.md') && skill.name !== 'README.md') {
+            out.add(skill.name.slice(0, -3)); // strip .md
+          }
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  // Recurse into non-skills dirs (bounded depth + visit cap prevent pathological scans)
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    if (entry.name.startsWith('.')) continue;
+    if (entry.name === 'node_modules') continue;
+    if (entry.name === 'skills') continue; // already handled above
+    collectSkills(path.join(dir, entry.name), out, ctx, depth + 1);
+  }
+}
+
 export async function runDoctor(): Promise<DoctorResult> {
   const checks: Check[] = [];
 
@@ -56,7 +123,7 @@ export async function runDoctor(): Promise<DoctorResult> {
   checks.push({
     name: 'tsx available',
     result: tsxVersion ? 'pass' : 'fail',
-    message: !tsxVersion ? 'tsx not found — run: npm install @delegance/claude-autopilot (includes tsx)' : undefined,
+    message: !tsxVersion ? 'tsx not found — run: npm install @delegance/guardrail (includes tsx)' : undefined,
   });
 
   // 3. gh CLI authenticated
@@ -67,13 +134,13 @@ export async function runDoctor(): Promise<DoctorResult> {
     message: ghAuth === null ? 'gh CLI not authenticated — run: gh auth login' : undefined,
   });
 
-  // 4. autopilot.config.yaml in cwd
-  const configYaml = path.join(process.cwd(), 'autopilot.config.yaml');
+  // 4. guardrail.config.yaml in cwd
+  const configYaml = path.join(process.cwd(), 'guardrail.config.yaml');
   checks.push({
-    name: 'autopilot.config.yaml',
+    name: 'guardrail.config.yaml',
     result: fs.existsSync(configYaml) ? 'pass' : 'warn',
     message: !fs.existsSync(configYaml)
-      ? 'autopilot.config.yaml not found in current directory — copy from a preset: presets/nextjs-supabase/autopilot.config.yaml'
+      ? 'guardrail.config.yaml not found in current directory — copy from a preset: presets/nextjs-supabase/guardrail.config.yaml'
       : undefined,
   });
 
@@ -83,21 +150,18 @@ export async function runDoctor(): Promise<DoctorResult> {
     name: `Local env file (${envFile ?? 'none found'})`,
     result: envFile ? 'pass' : 'warn',
     message: !envFile
-      ? `No env file found. Looked for: ${ENV_CANDIDATES.join(', ')}. Create one with your OPENAI_API_KEY.`
+      ? `No env file found. Looked for: ${ENV_CANDIDATES.join(', ')}. Create one with one of: ${LLM_KEY_NAMES.join(', ')}.`
       : undefined,
   });
 
-  // 6. LLM API key (ANTHROPIC_API_KEY preferred, OPENAI_API_KEY as fallback)
+  // 6. LLM API key — shared detection with setup/scan/run (all 5 providers)
   const envVars = envFile ? loadEnvFile(envFile) : {};
-  const hasAnthropic = !!process.env.ANTHROPIC_API_KEY || !!envVars['ANTHROPIC_API_KEY'];
-  const hasOpenAI = !!process.env.OPENAI_API_KEY || !!envVars['OPENAI_API_KEY'];
-  const hasLLMKey = hasAnthropic || hasOpenAI;
-  const llmKeyName = hasAnthropic ? 'ANTHROPIC_API_KEY' : hasOpenAI ? 'OPENAI_API_KEY' : 'none';
+  const { hasKey, preferred } = detectLLMKey({ extraEnv: envVars });
   checks.push({
-    name: `LLM API key (${llmKeyName})`,
-    result: hasLLMKey ? 'pass' : 'warn',
-    message: !hasLLMKey
-      ? `No LLM API key found — set ANTHROPIC_API_KEY (recommended) or OPENAI_API_KEY to enable review`
+    name: `LLM API key (${preferred ?? 'none'})`,
+    result: hasKey ? 'pass' : 'warn',
+    message: !hasKey
+      ? `No LLM API key found — set one of: ${LLM_KEY_NAMES.join(', ')} to enable review`
       : undefined,
   });
 
@@ -123,9 +187,22 @@ export async function runDoctor(): Promise<DoctorResult> {
       : undefined,
   });
 
+  // 9. Superpowers plugin — required for pipeline phases, optional for review-only use
+  const missingSkills = findMissingSuperpowersSkills();
+  const allSkillsFound = missingSkills.length === 0;
+  checks.push({
+    name: `Superpowers plugin${allSkillsFound ? '' : ` (missing: ${missingSkills.join(', ')})`}`,
+    // Treat as warn, not fail — users who only run `claude-autopilot run` (review phase)
+    // don't need superpowers. Pipeline invocations (`autopilot` skill) will hard-fail at
+    // their own entry point.
+    result: allSkillsFound ? 'pass' : 'warn',
+    message: !allSkillsFound
+      ? 'Install: `claude plugin install superpowers` (required for pipeline phases — brainstorm/plan/implement)'
+      : undefined,
+  });
 
   // Print results
-  console.log('\n\x1b[1m[doctor] Autopilot prerequisite check\x1b[0m\n');
+  console.log('\n\x1b[1m[doctor] Guardrail prerequisite check\x1b[0m\n');
   let blockers = 0;
   let warnings = 0;
   for (const check of checks) {
@@ -140,7 +217,7 @@ export async function runDoctor(): Promise<DoctorResult> {
 
   console.log('');
   if (blockers > 0) {
-    console.log(`\x1b[31m[doctor] ${blockers} blocker(s) — fix before running npx autopilot run\x1b[0m\n`);
+    console.log(`\x1b[31m[doctor] ${blockers} blocker(s) — fix before running npx guardrail run\x1b[0m\n`);
   } else if (warnings > 0) {
     console.log(`\x1b[33m[doctor] ${warnings} warning(s) — pipeline will run but some steps may be skipped\x1b[0m\n`);
   } else {

package/src/cli/report.ts

@@ -0,0 +1,186 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { loadCachedFindings } from '../core/persist/findings-cache.ts';
+import { readCostLog } from '../core/persist/cost-log.ts';
+import type { Finding } from '../core/findings/types.ts';
+
+const C = {
+  reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
+  green: '\x1b[32m', yellow: '\x1b[33m', red: '\x1b[31m',
+};
+const fmt = (c: keyof typeof C, t: string) => `${C[c]}${t}${C.reset}`;
+
+export interface ReportCommandOptions {
+  cwd?: string;
+  output?: string;   // file path to write markdown (default: stdout)
+  trend?: boolean;   // include trend analysis from cost log run history
+}
+
+function severityOrder(s: Finding['severity']): number {
+  return s === 'critical' ? 0 : s === 'warning' ? 1 : 2;
+}
+
+function buildTrendSection(cwd: string): string {
+  const log = readCostLog(cwd);
+  if (log.length === 0) return '';
+
+  const sevenDaysAgo = Date.now() - 7 * 24 * 60 * 60 * 1000;
+  const recent = log.filter(e => new Date(e.timestamp).getTime() >= sevenDaysAgo);
+  const totalCost = log.reduce((s, e) => s + e.costUSD, 0);
+  const avgFiles = log.reduce((s, e) => s + e.files, 0) / log.length;
+
+  const lines: string[] = [
+    '## 📈 Trend',
+    '',
+    `| Metric | Value |`,
+    `|--------|-------|`,
+    `| Runs (7d) | ${recent.length} |`,
+    `| Runs (all-time) | ${log.length} |`,
+    `| All-time cost | $${totalCost.toFixed(4)} |`,
+    `| Avg files/run | ${avgFiles.toFixed(1)} |`,
+    '',
+  ];
+
+  if (recent.length > 0) {
+    lines.push('### Recent runs', '');
+    lines.push('| Date | Files | Cost |');
+    lines.push('|------|-------|------|');
+    for (const e of recent.slice(-7).reverse()) {
+      const d = new Date(e.timestamp).toLocaleDateString();
+      lines.push(`| ${d} | ${e.files} | $${e.costUSD.toFixed(4)} |`);
+    }
+    lines.push('');
+  }
+
+  return lines.join('\n');
+}
+
+function buildFileBreakdown(findings: Finding[]): string {
+  const withFiles = findings.filter(f => f.file && f.file !== '<unspecified>' && f.file !== '<pipeline>');
+  if (withFiles.length === 0) return '';
+
+  const counts = new Map<string, { critical: number; warning: number; note: number; total: number }>();
+  for (const f of withFiles) {
+    const entry = counts.get(f.file) ?? { critical: 0, warning: 0, note: 0, total: 0 };
+    entry[f.severity]++;
+    entry.total++;
+    counts.set(f.file, entry);
+  }
+
+  const sorted = [...counts.entries()].sort((a, b) => b[1].total - a[1].total).slice(0, 10);
+  if (sorted.length < 2) return ''; // single file — not worth a table
+
+  const lines = [
+    '## 📁 By File',
+    '',
+    '| File | Critical | Warning | Note | Total |',
+    '|------|----------|---------|------|-------|',
+  ];
+  for (const [file, c] of sorted) {
+    lines.push(`| \`${file}\` | ${c.critical || '–'} | ${c.warning || '–'} | ${c.note || '–'} | **${c.total}** |`);
+  }
+  if (counts.size > 10) lines.push(`| *(${counts.size - 10} more files)* | | | | |`);
+  lines.push('');
+  return lines.join('\n');
+}
+
+function buildSourceBreakdown(findings: Finding[]): string {
+  const counts = new Map<string, number>();
+  for (const f of findings) {
+    counts.set(f.source, (counts.get(f.source) ?? 0) + 1);
+  }
+  if (counts.size < 2) return '';
+
+  const lines = ['## 🔬 By Source', '', '| Source | Findings |', '|--------|----------|'];
+  for (const [source, n] of [...counts.entries()].sort((a, b) => b[1] - a[1])) {
+    lines.push(`| ${source} | ${n} |`);
+  }
+  lines.push('');
+  return lines.join('\n');
+}
+
+function buildMarkdown(findings: Finding[], cwd: string, trend: boolean): string {
+  const critical = findings.filter(f => f.severity === 'critical');
+  const warnings  = findings.filter(f => f.severity === 'warning');
+  const notes     = findings.filter(f => f.severity === 'note');
+  const fixable   = critical.length + warnings.length;
+
+  const lines: string[] = [
+    '# Guardrail Report',
+    '',
+    `> Generated ${new Date().toISOString()}`,
+    '',
+    '## Summary',
+    '',
+    `| Severity | Count |`,
+    `|----------|-------|`,
+    `| 🚨 Critical | ${critical.length} |`,
+    `| ⚠️  Warning  | ${warnings.length} |`,
+    `| ℹ️  Note     | ${notes.length} |`,
+    `| **Total**   | **${findings.length}** |`,
+    '',
+  ];
+
+  if (fixable > 0) {
+    lines.push(`> **${fixable} finding${fixable !== 1 ? 's' : ''} can be auto-fixed** — run \`guardrail fix\` to attempt repairs.`, '');
+  }
+
+  if (trend) {
+    const trendSection = buildTrendSection(cwd);
+    if (trendSection) lines.push(trendSection);
+  }
+
+  const fileBreakdown = buildFileBreakdown(findings);
+  if (fileBreakdown) lines.push(fileBreakdown);
+
+  const sourceBreakdown = buildSourceBreakdown(findings);
+  if (sourceBreakdown) lines.push(sourceBreakdown);
+
+  function renderGroup(label: string, icon: string, group: Finding[]) {
+    if (group.length === 0) return;
+    lines.push(`## ${icon} ${label}`, '');
+    for (const f of group) {
+      const loc = f.file && f.file !== '<unspecified>' && f.file !== '<pipeline>'
+        ? `\`${f.file}${f.line ? `:${f.line}` : ''}\``
+        : null;
+      lines.push(`### ${loc ? `${loc} — ` : ''}${f.message}`);
+      if (f.suggestion) lines.push('', `> **Suggestion:** ${f.suggestion}`);
+      lines.push('', `*Source: ${f.source} · Rule: ${f.id}*`, '');
+    }
+  }
+
+  renderGroup('Critical', '🚨', critical);
+  renderGroup('Warnings', '⚠️', warnings);
+  renderGroup('Notes', 'ℹ️', notes);
+
+  if (findings.length === 0) {
+    lines.push('## ✅ No findings', '', 'No cached findings — run `guardrail run` or `guardrail scan` first.', '');
+  }
+
+  return lines.join('\n');
+}
+
+export async function runReport(options: ReportCommandOptions = {}): Promise<number> {
+  const cwd = options.cwd ?? process.cwd();
+  const findings = loadCachedFindings(cwd);
+
+  if (findings.length === 0) {
+    console.log(fmt('yellow', '[report] No cached findings — run `guardrail run` or `guardrail scan` first.'));
+    return 0;
+  }
+
+  const sorted = [...findings].sort((a, b) => severityOrder(a.severity) - severityOrder(b.severity));
+  const md = buildMarkdown(sorted, cwd, options.trend ?? false);
+
+  if (options.output) {
+    fs.writeFileSync(options.output, md, 'utf8');
+    const critical = findings.filter(f => f.severity === 'critical').length;
+    const warnings = findings.filter(f => f.severity === 'warning').length;
+    console.log(fmt('bold', `[report] Written to ${options.output}`));
+    console.log(`  ${critical > 0 ? fmt('red', `${critical} critical`) : fmt('green', '0 critical')}  ${warnings > 0 ? fmt('yellow', `${warnings} warning${warnings !== 1 ? 's' : ''}`) : fmt('dim', '0 warnings')}`);
+  } else {
+    process.stdout.write(md + '\n');
+  }
+
+  return findings.some(f => f.severity === 'critical') ? 1 : 0;
+}