@formthefog/stratus 2026.2.24 → 2026.3.20

package/.github/sentinel/src/fixer.ts

@@ -0,0 +1,353 @@
+import * as core from "@actions/core"
+import * as github from "@actions/github"
+import { execSync } from "child_process"
+import * as fs from "fs"
+import type { ModelClient } from "./models/types"
+import type { ReviewContext, FixMode, FixPlan, FixResult, CodeContext } from "./types"
+import { analyzeCodebase, extractKeywords } from "./codebase"
+import { parseFixPlan, parseFixReview } from "./schemas/fix"
+
+type Octokit = ReturnType<typeof github.getOctokit>
+
+const PLAN_SYSTEM = `You are a senior engineer analyzing a bug report for a software project.
+
+Given the issue description and relevant source code, produce a fix plan.
+
+Rules:
+1. Be conservative — only propose changes you are confident will fix the issue
+2. Use search/replace pairs for modifications so changes can be applied precisely
+3. The "search" string must be an EXACT substring of the current file contents
+4. Keep changes minimal — fix the bug, don't refactor
+5. If you cannot determine a fix from the available context, set fixable=false
+
+Output a JSON object (no markdown fences):
+{
+  "analysis": "your understanding of the issue and root cause",
+  "fixable": true/false,
+  "confidence": 0.0-1.0,
+  "files": [
+    {
+      "path": "path/to/file",
+      "action": "modify|create|delete",
+      "changes": [{"search": "exact text to find", "replace": "replacement text"}],
+      "content": "full content for new files only",
+      "explanation": "why this change fixes the issue"
+    }
+  ],
+  "commit_message": "fix: description (fixes #N)",
+  "test_suggestions": ["test cases that should verify the fix"],
+  "risk_notes": ["potential risks or side effects"]
+}`
+
+const REVIEW_SYSTEM = `You are a senior engineer reviewing a proposed bug fix.
+
+Given:
+- The original issue
+- The proposed code changes
+- The relevant source code
+
+Evaluate whether the fix:
+1. Actually addresses the root cause
+2. Handles edge cases
+3. Could break anything else
+4. Is the minimal correct change
+
+Output a JSON object (no markdown fences):
+{
+  "approved": true/false,
+  "confidence": 0.0-1.0,
+  "concerns": ["any concerns about the fix"],
+  "verdict": "brief assessment"
+}`
+
+export async function fixIssue(
+  ctx: ReviewContext,
+  anthropic: ModelClient | null,
+  openai: ModelClient | null,
+  octokit: Octokit,
+  mode: FixMode,
+  confidenceThreshold: number
+): Promise<FixResult> {
+  if (!ctx.issue) return { success: false, error: "No issue context" }
+
+  const planner = anthropic || openai
+  const reviewer = anthropic && openai ? openai : planner
+  if (!planner) return { success: false, error: "No model available" }
+
+  core.info(`Analyzing issue #${ctx.issue.number}: ${ctx.issue.title}`)
+
+  const keywords = extractKeywords(ctx.issue.title, ctx.issue.body)
+  core.info(`Extracted ${keywords.length} keywords: ${keywords.slice(0, 5).join(", ")}`)
+
+  const codeContext = await analyzeCodebase(keywords)
+
+  if (codeContext.files.length === 0) {
+    return { success: false, error: "Could not find relevant code for this issue" }
+  }
+
+  const fixPlan = await generateFixPlan(planner, ctx, codeContext)
+
+  if (!fixPlan.fixable) {
+    return { success: false, fixPlan, error: `Issue not fixable: ${fixPlan.analysis}` }
+  }
+
+  if (fixPlan.confidence < confidenceThreshold) {
+    return {
+      success: false,
+      fixPlan,
+      error: `Confidence too low: ${(fixPlan.confidence * 100).toFixed(0)}% (threshold: ${(confidenceThreshold * 100).toFixed(0)}%)`,
+    }
+  }
+
+  if (reviewer && reviewer !== planner) {
+    const reviewResult = await reviewFixPlan(reviewer, ctx, fixPlan, codeContext)
+    if (!reviewResult.approved) {
+      core.warning(`Fix review rejected: ${reviewResult.verdict}`)
+      fixPlan.riskNotes.push(`Review concerns: ${reviewResult.concerns.join("; ")}`)
+
+      if (reviewResult.confidence < 0.5) {
+        return {
+          success: false,
+          fixPlan,
+          error: `Fix rejected by reviewer: ${reviewResult.verdict}`,
+        }
+      }
+    }
+  }
+
+  if (mode === "propose_only") {
+    core.info("Propose-only mode — returning fix plan without applying")
+    return { success: true, fixPlan }
+  }
+
+  const branch = await createFixBranch(ctx.issue.number)
+
+  try {
+    await applyChanges(fixPlan)
+    await commitAndPush(branch, fixPlan.commitMessage)
+
+    const pr = await createFixPR(octokit, ctx, fixPlan, branch)
+    core.info(`Fix PR created: ${pr.url}`)
+
+    if (mode === "yolo") {
+      core.info("Yolo mode — auto-merging fix PR")
+      await mergeFixPR(octokit, pr.number)
+    }
+
+    return {
+      success: true,
+      fixPlan,
+      branch,
+      prNumber: pr.number,
+      prUrl: pr.url,
+    }
+  } catch (err) {
+    core.warning(`Failed to apply fix: ${err}`)
+    try {
+      execSync(`git checkout ${ctx.repository.defaultBranch} 2>/dev/null || git checkout main`, { encoding: "utf-8" })
+      execSync(`git branch -D ${branch} 2>/dev/null`, { encoding: "utf-8" })
+    } catch { /* cleanup best effort */ }
+
+    return {
+      success: false,
+      fixPlan,
+      error: `Failed to apply changes: ${err instanceof Error ? err.message : String(err)}`,
+    }
+  }
+}
+
+async function generateFixPlan(
+  model: ModelClient,
+  ctx: ReviewContext,
+  codeContext: CodeContext
+): Promise<FixPlan> {
+  const issue = ctx.issue!
+  const filesContext = codeContext.files
+    .map((f) => `### ${f.path}\nRelevance: ${f.relevance}\n\`\`\`\n${f.content}\n\`\`\``)
+    .join("\n\n")
+
+  const prompt = [
+    `# Issue #${issue.number}: ${issue.title}`,
+    "",
+    issue.body,
+    "",
+    "## Project Structure",
+    codeContext.structure,
+    "",
+    "## Dependencies",
+    codeContext.dependencies,
+    "",
+    "## Relevant Source Files",
+    filesContext,
+  ].join("\n")
+
+  const result = await model.chat(PLAN_SYSTEM, prompt)
+  const parsed = parseFixPlan(result.text)
+
+  return {
+    analysis: parsed.analysis,
+    fixable: parsed.fixable,
+    confidence: parsed.confidence,
+    files: parsed.files.map((f) => ({
+      path: f.path,
+      action: f.action,
+      changes: f.changes,
+      content: f.content,
+      explanation: f.explanation,
+    })),
+    commitMessage: parsed.commit_message,
+    testSuggestions: parsed.test_suggestions,
+    riskNotes: parsed.risk_notes,
+  }
+}
+
+async function reviewFixPlan(
+  model: ModelClient,
+  ctx: ReviewContext,
+  plan: FixPlan,
+  codeContext: CodeContext
+): Promise<{ approved: boolean; confidence: number; concerns: string[]; verdict: string }> {
+  const issue = ctx.issue!
+  const changesDescription = plan.files
+    .map((f) => `${f.path} (${f.action}): ${f.explanation}`)
+    .join("\n")
+
+  const prompt = [
+    `# Original Issue #${issue.number}: ${issue.title}`,
+    issue.body,
+    "",
+    "# Proposed Fix",
+    `Analysis: ${plan.analysis}`,
+    `Confidence: ${plan.confidence}`,
+    "",
+    "## Changes",
+    changesDescription,
+    "",
+    "## Detailed Changes",
+    JSON.stringify(plan.files, null, 2),
+    "",
+    "## Relevant Code Context",
+    codeContext.files.slice(0, 5).map((f) => `### ${f.path}\n\`\`\`\n${f.content.substring(0, 3000)}\n\`\`\``).join("\n\n"),
+  ].join("\n")
+
+  try {
+    const result = await model.chat(REVIEW_SYSTEM, prompt)
+    const parsed = parseFixReview(result.text)
+    return parsed
+  } catch {
+    return { approved: true, confidence: 0.5, concerns: ["Review parsing failed"], verdict: "Proceeding with caution" }
+  }
+}
+
+async function createFixBranch(issueNumber: number): Promise<string> {
+  const branch = `fix/issue-${issueNumber}`
+  execSync(`git checkout -b ${branch}`, { encoding: "utf-8" })
+  return branch
+}
+
+async function applyChanges(plan: FixPlan): Promise<void> {
+  for (const file of plan.files) {
+    if (file.action === "delete") {
+      if (fs.existsSync(file.path)) {
+        fs.unlinkSync(file.path)
+        core.info(`Deleted: ${file.path}`)
+      }
+      continue
+    }
+
+    if (file.action === "create") {
+      const dir = file.path.split("/").slice(0, -1).join("/")
+      if (dir) fs.mkdirSync(dir, { recursive: true })
+      fs.writeFileSync(file.path, file.content || "")
+      core.info(`Created: ${file.path}`)
+      continue
+    }
+
+    if (file.action === "modify" && file.changes) {
+      if (!fs.existsSync(file.path)) {
+        throw new Error(`File not found: ${file.path}`)
+      }
+
+      let content = fs.readFileSync(file.path, "utf-8")
+
+      for (const change of file.changes) {
+        if (!content.includes(change.search)) {
+          throw new Error(`Search text not found in ${file.path}: "${change.search.substring(0, 60)}..."`)
+        }
+        content = content.replace(change.search, change.replace)
+      }
+
+      fs.writeFileSync(file.path, content)
+      core.info(`Modified: ${file.path} (${file.changes.length} change(s))`)
+    }
+  }
+}
+
+async function commitAndPush(branch: string, message: string): Promise<void> {
+  execSync('git config user.name "sentinel[bot]"', { encoding: "utf-8" })
+  execSync('git config user.email "sentinel[bot]@users.noreply.github.com"', { encoding: "utf-8" })
+  execSync("git add -A", { encoding: "utf-8" })
+  execSync(`git commit -m "${message.replace(/"/g, '\\"')}"`, { encoding: "utf-8" })
+  execSync(`git push origin ${branch}`, { encoding: "utf-8" })
+}
+
+async function createFixPR(
+  octokit: Octokit,
+  ctx: ReviewContext,
+  plan: FixPlan,
+  branch: string
+): Promise<{ number: number; url: string }> {
+  const { owner, name: repo } = ctx.repository
+  const issue = ctx.issue!
+
+  const body = [
+    `Fixes #${issue.number}`,
+    "",
+    "## Analysis",
+    plan.analysis,
+    "",
+    "## Changes",
+    ...plan.files.map((f) => `- **${f.path}** (${f.action}): ${f.explanation}`),
+    "",
+    plan.riskNotes.length > 0
+      ? `## Risk Notes\n${plan.riskNotes.map((n) => `- ⚠️ ${n}`).join("\n")}`
+      : "",
+    "",
+    plan.testSuggestions.length > 0
+      ? `## Suggested Tests\n${plan.testSuggestions.map((t) => `- [ ] ${t}`).join("\n")}`
+      : "",
+    "",
+    `---`,
+    `*Generated by Sentinel · Confidence: ${(plan.confidence * 100).toFixed(0)}%*`,
+  ]
+    .filter(Boolean)
+    .join("\n")
+
+  const { data: pr } = await octokit.rest.pulls.create({
+    owner,
+    repo,
+    title: plan.commitMessage,
+    body,
+    head: branch,
+    base: ctx.repository.defaultBranch,
+    draft: ctx.repoPolicies.fix.createDraftPr,
+  })
+
+  return { number: pr.number, url: pr.html_url }
+}
+
+async function mergeFixPR(octokit: Octokit, prNumber: number): Promise<void> {
+  const { owner, repo } = github.context.repo
+
+  try {
+    await octokit.rest.pulls.merge({
+      owner,
+      repo,
+      pull_number: prNumber,
+      merge_method: "squash",
+    })
+    core.info(`Auto-merged PR #${prNumber} (yolo mode)`)
+  } catch (err) {
+    core.warning(`Auto-merge failed for PR #${prNumber}: ${err}`)
+  }
+}

package/.github/sentinel/src/index.ts

@@ -0,0 +1,263 @@
+import * as core from "@actions/core"
+import * as github from "@actions/github"
+import { routeEvent } from "./router"
+import { buildPRContext, buildIssueContext } from "./context"
+import { loadPolicies, evaluateTrust } from "./policy"
+import { orchestrateReview } from "./orchestrator"
+import { reportReview, reportIssueTriage, reportFailure, reportFixResult } from "./reporter"
+import { fixIssue } from "./fixer"
+import { handleResponse } from "./responder"
+import { AnthropicClient } from "./models/anthropic"
+import { OpenAIClient } from "./models/openai"
+import { OpenRouterClient } from "./models/openrouter"
+import { readPrContact, readCommitContact, notifySubwayAgent } from "./subway"
+import type { ModelClient } from "./models/types"
+
+async function run(): Promise<void> {
+  const start = Date.now()
+
+  try {
+    const githubToken = core.getInput("github_token") || process.env.GITHUB_TOKEN || ""
+    const anthropicKey = core.getInput("anthropic_api_key")
+    const openaiKey = core.getInput("openai_api_key")
+    const openrouterKey = core.getInput("openrouter_api_key")
+    const configPath = core.getInput("config_path") || ".github/sentinel.yml"
+    const modeOverride = core.getInput("mode") || undefined
+    const debug = core.getInput("debug") === "true"
+
+    if (debug) core.info(`Event: ${github.context.eventName} / ${github.context.payload.action}`)
+
+    if (!githubToken) {
+      core.setFailed("github_token is required")
+      return
+    }
+
+    const octokit = github.getOctokit(githubToken)
+    const policies = await loadPolicies(octokit, configPath, modeOverride)
+    const routed = routeEvent(policies)
+
+    if (debug) core.info(`Routed to: ${routed.actionType}`)
+
+    if (routed.actionType === "noop") {
+      core.info("No action required for this event")
+      return
+    }
+
+    let anthropic: ModelClient | null = null
+    let openai: ModelClient | null = null
+
+    if (anthropicKey && policies.models.anthropic.enabled) {
+      anthropic = new AnthropicClient(anthropicKey, policies.models.anthropic.model)
+    } else if (openrouterKey && policies.models.anthropic.enabled) {
+      const model = core.getInput("openrouter_anthropic_model") || "anthropic/claude-sonnet-4-20250514"
+      anthropic = new OpenRouterClient(openrouterKey, model, "anthropic")
+      core.info(`Anthropic slot: using OpenRouter fallback (${model})`)
+    } else {
+      core.warning("Anthropic disabled or no API key (no OpenRouter fallback)")
+    }
+
+    if (openaiKey && policies.models.openai.enabled) {
+      openai = new OpenAIClient(openaiKey, policies.models.openai.model)
+    } else if (openrouterKey && policies.models.openai.enabled) {
+      const model = core.getInput("openrouter_openai_model") || "openai/gpt-4o"
+      openai = new OpenRouterClient(openrouterKey, model, "openai")
+      core.info(`OpenAI slot: using OpenRouter fallback (${model})`)
+    } else {
+      core.warning("OpenAI disabled or no API key (no OpenRouter fallback)")
+    }
+
+    if (!anthropic && !openai) {
+      core.setFailed("At least one model must be configured (anthropic_api_key, openai_api_key, or openrouter_api_key)")
+      return
+    }
+
+    switch (routed.actionType) {
+      case "pr_review": {
+        await handlePRReview(octokit, routed.context, anthropic, openai, debug, policies.review.summaryOnClean)
+        break
+      }
+      case "issue_fix": {
+        await handleIssueFix(octokit, routed.context, anthropic, openai, debug)
+        break
+      }
+      case "issue_triage": {
+        await handleIssueTriage(octokit, routed.context)
+        break
+      }
+      case "respond": {
+        if (routed.responseContext) {
+          const model = anthropic || openai!
+          await handleResponse(routed.context, routed.responseContext, model, octokit)
+        }
+        break
+      }
+      case "pr_fix": {
+        core.info("PR fix mode not yet implemented (Phase 2)")
+        break
+      }
+      case "slash_command": {
+        const cmd = routed.slashCommand
+        if (cmd?.command === "fix") {
+          if (cmd.isPR) {
+            core.info("PR fix via slash command not yet implemented")
+          } else {
+            await handleIssueFix(octokit, routed.context, anthropic, openai, debug)
+          }
+        } else if (cmd?.command === "review" && cmd.isPR) {
+          await handlePRReview(octokit, routed.context, anthropic, openai, debug)
+        } else {
+          core.info(`Slash command /bot ${cmd?.command} — not yet implemented`)
+        }
+        break
+      }
+    }
+
+    core.info(`Sentinel completed in ${((Date.now() - start) / 1000).toFixed(1)}s`)
+  } catch (err) {
+    core.setFailed(`Sentinel failed: ${err instanceof Error ? err.message : String(err)}`)
+
+    try {
+      const githubToken = core.getInput("github_token") || process.env.GITHUB_TOKEN || ""
+      if (githubToken) {
+        const octokit = github.getOctokit(githubToken)
+        const prNumber = github.context.payload.pull_request?.number
+          || github.context.payload.issue?.number
+        if (prNumber) {
+          await reportFailure(octokit, prNumber, err instanceof Error ? err.message : String(err))
+        }
+      }
+    } catch {
+      core.debug("Could not post failure comment")
+    }
+  }
+}
+
+async function handlePRReview(
+  octokit: ReturnType<typeof github.getOctokit>,
+  ctx: import("./types").ReviewContext,
+  anthropic: ModelClient | null,
+  openai: ModelClient | null,
+  debug: boolean,
+  summaryOnClean = false
+): Promise<void> {
+  if (!ctx.pullRequest) {
+    core.warning("No PR context available")
+    return
+  }
+
+  ctx = await buildPRContext(ctx, octokit)
+
+  if (ctx.pullRequest!.changedFiles.length === 0) {
+    core.info("No changed files to review")
+    return
+  }
+
+  if (debug) {
+    core.info(`Reviewing PR #${ctx.pullRequest!.number}: ${ctx.pullRequest!.changedFiles.length} files`)
+  }
+
+  const decision = await orchestrateReview(ctx, anthropic, openai)
+
+  if (debug) {
+    core.info(`Decision: ${decision.action}, ${decision.findings.length} findings, ${decision.durationMs}ms`)
+  }
+
+  await reportReview(octokit, decision, ctx.pullRequest!.number, summaryOnClean)
+
+  if (core.getInput("subway_notify") !== "false") {
+    try {
+      // Commit trailer takes priority — always fresh, no file needed.
+      // Falls back to .subway/pr-contact if no trailer found.
+      const headSha = github.context.payload.pull_request?.head?.sha as string | undefined
+      const contact = readCommitContact(headSha) ?? readPrContact()
+      const bridgeUrl = core.getInput("subway_bridge_url") || "https://relay.subway.dev"
+      const { owner, name } = ctx.repository
+      const prNumber = ctx.pullRequest!.number
+
+      // Use event payload for PR state — avoids an extra API call.
+      // github.context.payload.pull_request is populated for pull_request events;
+      // fall back to API only for non-PR triggers (e.g. issue_comment on a PR).
+      const prPayload = github.context.payload.pull_request
+      let prState: "open" | "closed" | "merged"
+      if (prPayload) {
+        prState = prPayload.merged ? "merged" : prPayload.state === "open" ? "open" : "closed"
+      } else {
+        const { data: prData } = await octokit.rest.pulls.get({ owner, repo: name, pull_number: prNumber })
+        prState = prData.merged ? "merged" : prData.state === "open" ? "open" : "closed"
+      }
+
+      if (prState !== "open") {
+        core.info(`Subway: PR #${prNumber} is ${prState} — skipping notification`)
+      } else {
+        await notifySubwayAgent(contact, decision, {
+          prNumber,
+          prUrl: `https://github.com/${owner}/${name}/pull/${prNumber}`,
+          repo: `${owner}/${name}`,
+          headSha: github.context.payload.pull_request?.head?.sha ?? process.env.GITHUB_SHA ?? "unknown",
+          prState,
+          runUrl: `${process.env.GITHUB_SERVER_URL ?? "https://github.com"}/${process.env.GITHUB_REPOSITORY ?? `${owner}/${name}`}/actions/runs/${process.env.GITHUB_RUN_ID ?? ""}`,
+        }, bridgeUrl)
+      }
+    } catch (err) {
+      core.info(`Subway notification failed non-fatally: ${(err as Error).message}`)
+    }
+  }
+}
+
+async function handleIssueFix(
+  octokit: ReturnType<typeof github.getOctokit>,
+  ctx: import("./types").ReviewContext,
+  anthropic: ModelClient | null,
+  openai: ModelClient | null,
+  debug: boolean
+): Promise<void> {
+  if (!ctx.issue) {
+    core.warning("No issue context available")
+    return
+  }
+
+  ctx = await buildIssueContext(ctx, octokit)
+
+  if (debug) {
+    core.info(`Fixing issue #${ctx.issue!.number}: ${ctx.issue!.title}`)
+  }
+
+  const { mode, confidenceThreshold } = ctx.repoPolicies.fix
+
+  const trust = evaluateTrust({
+    actor: ctx.event.actor,
+    isFork: ctx.event.isFork,
+    policies: ctx.repoPolicies,
+  })
+
+  const effectiveMode = trust.canMutate ? mode : "propose_only" as const
+  if (effectiveMode !== mode) {
+    core.info(`Mutation blocked: ${trust.reason}. Mode downgraded to propose_only.`)
+  }
+
+  const result = await fixIssue(ctx, anthropic, openai, octokit, effectiveMode, confidenceThreshold)
+
+  await reportFixResult(octokit, ctx.issue!.number, result, mode)
+
+  if (result.success) {
+    core.info(`Fix ${mode === "propose_only" ? "proposed" : "applied"} for issue #${ctx.issue!.number}`)
+  } else {
+    core.warning(`Fix failed for issue #${ctx.issue!.number}: ${result.error}`)
+  }
+}
+
+async function handleIssueTriage(
+  octokit: ReturnType<typeof github.getOctokit>,
+  ctx: import("./types").ReviewContext
+): Promise<void> {
+  if (!ctx.issue) {
+    core.warning("No issue context available")
+    return
+  }
+
+  ctx = await buildIssueContext(ctx, octokit)
+
+  core.info(`Issue #${ctx.issue!.number} triage: routing to fix flow`)
+}
+
+run()