npm - @in-the-loop-labs/pair-review - Versions diffs - 3.5.0 → 3.5.2 - Mend

@in-the-loop-labs/pair-review 3.5.0 → 3.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +1 -1
package/package.json +1 -1
package/plugin/.claude-plugin/plugin.json +1 -1
package/plugin-code-critic/.claude-plugin/plugin.json +1 -1
package/public/index.html +90 -0
package/public/js/index.js +298 -25
package/src/ai/claude-provider.js +68 -56
package/src/ai/codex-provider.js +64 -33
package/src/chat/api-reference.js +1 -1
package/src/chat/chat-providers.js +26 -0
package/src/chat/codex-bridge.js +238 -29
package/src/chat/session-manager.js +1 -0
package/src/main.js +3 -2
package/src/routes/github-collections.js +168 -90

package/src/routes/github-collections.js CHANGED Viewed

@@ -3,8 +3,14 @@
  * GitHub Collections Routes
  *
  * Handles endpoints for PR collections:
- * - Review Requests: PRs where the user's review is requested
+ * - Review Requests: PRs where the user's review is requested directly
+ * - Team Review Requests: PRs where a team the user belongs to is requested,
+ *   but the user is not requested directly
  * - My PRs: PRs authored by the user
+ *
+ * Each collection exposes two endpoints registered by `registerCollection`:
+ * - GET  /api/github/:collection          → cached rows from github_pr_cache
+ * - POST /api/github/:collection/refresh  → fetch from GitHub and re-cache
  */
 const express = require('express');
@@ -15,112 +21,184 @@ const logger = require('../utils/logger');
 const router = express.Router();
+const SELECT_COLUMNS = 'owner, repo, number, title, author, updated_at, html_url, state, fetched_at';
+// Valid `org/team` slug: two non-empty segments of GitHub-allowed characters.
+// Used to guard against query injection when interpolating the team into the
+// GitHub search query string. Must be applied server-side; client validation
+// is UX only.
+const TEAM_SLUG_PATTERN = /^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/;
 /**
- * Get cached review request PRs.
+ * Collection definitions. `buildQuery` receives the authenticated user's login
+ * and an optional params object, and returns the GitHub search query for that
+ * collection. Only collections with `supportsTeamFilter: true` consume
+ * `params.team` (currently just `team-reviews`); the others accept and ignore
+ * it. The flag also gates the team plumbing in `registerCollection`: a stray
+ * `?team=` on a collection that doesn't support it is ignored rather than
+ * validated or folded into the cache key, so it can never create a misleading
+ * namespaced cache entry for a query whose results are identical to the
+ * unfiltered view.
  */
-router.get('/api/github/review-requests', async (req, res) => {
-  try {
-    const db = req.app.get('db');
-    const rows = await query(db, 'SELECT owner, repo, number, title, author, updated_at, html_url, state, fetched_at FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC', ['review-requests']);
-    const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
-    res.json({ success: true, prs: rows, fetched_at: fetchedAt });
-  } catch (error) {
-    logger.error('Failed to fetch review requests:', error);
-    res.status(500).json({ success: false, error: 'Failed to fetch review requests' });
+const COLLECTIONS = [
+  {
+    name: 'review-requests',
+    label: 'review requests',
+    buildQuery: (login) => `is:pr is:open archived:false user-review-requested:${login}`
+  },
+  {
+    name: 'team-reviews',
+    label: 'team review requests',
+    supportsTeamFilter: true,
+    // Review requested from a team the user belongs to, excluding PRs where the
+    // user is requested directly (those appear under review-requests).
+    //
+    // When a specific `team` (org/team) is provided, narrow to that team's open
+    // review requests and drop the `-user-review-requested` exclusion: once the
+    // user explicitly picks a team, "show everything awaiting this team" is the
+    // least surprising behavior. The team value MUST already be validated.
+    buildQuery: (login, params) => {
+      const team = params && params.team;
+      if (team) {
+        return `is:pr is:open archived:false team-review-requested:${team}`;
+      }
+      return `is:pr is:open archived:false review-requested:${login} -user-review-requested:${login}`;
+    }
+  },
+  {
+    name: 'my-prs',
+    label: 'your pull requests',
+    buildQuery: (login) => `is:pr is:open archived:false author:${login}`
   }
-});
+];
 /**
- * Refresh review request PRs from GitHub.
+ * Derive the cache storage key for a collection, namespacing by team so a
+ * filtered view never clobbers the all-teams cache. Both the GET (read) and
+ * POST refresh (write/delete) handlers must route through this single helper so
+ * they never diverge.
+ * @param {string} name - Collection name.
+ * @param {string} [team] - Validated `org/team` slug, or falsy for all-teams.
+ * @returns {string} The `collection` column value to use.
  */
-router.post('/api/github/review-requests/refresh', async (req, res) => {
-  try {
-    const config = req.app.get('config');
-    const githubToken = getGitHubToken(config);
-    if (!githubToken) {
-      return res.status(401).json({ success: false, error: 'GitHub token not configured' });
-    }
+function cacheKey(name, team) {
+  return team ? `${name}:${team}` : name;
+}
-    const db = req.app.get('db');
-    const client = new GitHubClient(githubToken);
-    const user = await client.getAuthenticatedUser();
-    const prs = await client.searchPullRequests(`is:pr is:open archived:false user-review-requested:${user.login}`);
-    await withTransaction(db, async () => {
-      await run(db, 'DELETE FROM github_pr_cache WHERE collection = ?', ['review-requests']);
-      for (const pr of prs) {
-        await run(db,
-          'INSERT INTO github_pr_cache (owner, repo, number, title, author, updated_at, html_url, state, collection) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
-          [pr.owner, pr.repo, pr.number, pr.title, pr.author, pr.updated_at, pr.html_url, pr.state, 'review-requests']
-        );
-      }
-    });
-    const rows = await query(db, 'SELECT owner, repo, number, title, author, updated_at, html_url, state, fetched_at FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC', ['review-requests']);
-    const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
-    res.json({ success: true, prs: rows, fetched_at: fetchedAt });
-  } catch (error) {
-    if (error.status === 401 || error.status === 403) {
-      return res.status(401).json({ success: false, error: 'GitHub token is invalid or expired' });
-    }
-    logger.error('Failed to refresh review requests:', error);
-    res.status(500).json({ success: false, error: 'Failed to refresh review requests' });
+/**
+ * Validate and normalize the `team` query param.
+ * @param {*} raw - The raw `team` value from the request.
+ * @returns {{ team: string|null, error: string|null }} `team` is the validated
+ *   slug (or null for all-teams); `error` is set when the input is invalid.
+ */
+function parseTeamParam(raw) {
+  if (raw === undefined || raw === null || raw === '') {
+    return { team: null, error: null };
+  }
+  if (typeof raw !== 'string' || !TEAM_SLUG_PATTERN.test(raw)) {
+    return { team: null, error: 'Invalid team. Use the form org/team.' };
   }
-});
+  return { team: raw, error: null };
+}
 /**
- * Get cached user's own PRs.
+ * Fetch cached rows for a collection, newest first.
  */
-router.get('/api/github/my-prs', async (req, res) => {
-  try {
-    const db = req.app.get('db');
-    const rows = await query(db, 'SELECT owner, repo, number, title, author, updated_at, html_url, state, fetched_at FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC', ['my-prs']);
-    const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
-    res.json({ success: true, prs: rows, fetched_at: fetchedAt });
-  } catch (error) {
-    logger.error('Failed to fetch my PRs:', error);
-    res.status(500).json({ success: false, error: 'Failed to fetch my PRs' });
-  }
-});
+async function getCachedRows(db, collection) {
+  return query(
+    db,
+    `SELECT ${SELECT_COLUMNS} FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC`,
+    [collection]
+  );
+}
 /**
- * Refresh user's own PRs from GitHub.
+ * Register the GET (cached) and POST (refresh) routes for a single collection.
+ * @param {Object} def - Collection definition
+ *   ({ name, label, buildQuery, supportsTeamFilter }).
  */
-router.post('/api/github/my-prs/refresh', async (req, res) => {
-  try {
-    const config = req.app.get('config');
-    const githubToken = getGitHubToken(config);
-    if (!githubToken) {
-      return res.status(401).json({ success: false, error: 'GitHub token not configured' });
+function registerCollection(def) {
+  const { name, label, buildQuery, supportsTeamFilter } = def;
+  // GET cached PRs.
+  router.get(`/api/github/${name}`, async (req, res) => {
+    try {
+      // Only team-aware collections consume `team`; for the rest, ignore any
+      // stray `?team=` so it can't validate-error or skew the cache key.
+      let team = null;
+      if (supportsTeamFilter) {
+        const parsed = parseTeamParam(req.query.team);
+        if (parsed.error) {
+          return res.status(400).json({ success: false, error: parsed.error });
+        }
+        team = parsed.team;
+      }
+      const db = req.app.get('db');
+      const rows = await getCachedRows(db, cacheKey(name, team));
+      const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
+      res.json({ success: true, prs: rows, fetched_at: fetchedAt });
+    } catch (error) {
+      logger.error(`Failed to fetch ${label}:`, error);
+      res.status(500).json({ success: false, error: `Failed to fetch ${label}` });
     }
+  });
-    const db = req.app.get('db');
-    const client = new GitHubClient(githubToken);
-    const user = await client.getAuthenticatedUser();
-    const prs = await client.searchPullRequests(`is:pr is:open archived:false author:${user.login}`);
-    await withTransaction(db, async () => {
-      await run(db, 'DELETE FROM github_pr_cache WHERE collection = ?', ['my-prs']);
-      for (const pr of prs) {
-        await run(db,
-          'INSERT INTO github_pr_cache (owner, repo, number, title, author, updated_at, html_url, state, collection) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
-          [pr.owner, pr.repo, pr.number, pr.title, pr.author, pr.updated_at, pr.html_url, pr.state, 'my-prs']
-        );
+  // POST refresh from GitHub.
+  router.post(`/api/github/${name}/refresh`, async (req, res) => {
+    try {
+      // Only team-aware collections consume `team` (from the query string or
+      // request body); for the rest, ignore any stray value so it can't
+      // validate-error or skew the cache key. Empty/absent means "all teams".
+      let team = null;
+      if (supportsTeamFilter) {
+        const rawTeam = req.query.team !== undefined ? req.query.team : (req.body && req.body.team);
+        const parsed = parseTeamParam(rawTeam);
+        if (parsed.error) {
+          return res.status(400).json({ success: false, error: parsed.error });
+        }
+        team = parsed.team;
       }
-    });
-    const rows = await query(db, 'SELECT owner, repo, number, title, author, updated_at, html_url, state, fetched_at FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC', ['my-prs']);
-    const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
-    res.json({ success: true, prs: rows, fetched_at: fetchedAt });
-  } catch (error) {
-    if (error.status === 401 || error.status === 403) {
-      return res.status(401).json({ success: false, error: 'GitHub token is invalid or expired' });
+      const config = req.app.get('config');
+      const githubToken = getGitHubToken(config);
+      if (!githubToken) {
+        return res.status(401).json({ success: false, error: 'GitHub token not configured' });
+      }
+      const db = req.app.get('db');
+      const client = new GitHubClient(githubToken);
+      const user = await client.getAuthenticatedUser();
+      const prs = await client.searchPullRequests(buildQuery(user.login, { team }));
+      // Namespace the cache so a filtered view never clobbers the all-teams
+      // cache. Every distinct team string the user tries creates its own cached
+      // rows that are never garbage-collected; negligible for a local SQLite
+      // home-page feature.
+      const key = cacheKey(name, team);
+      await withTransaction(db, async () => {
+        await run(db, 'DELETE FROM github_pr_cache WHERE collection = ?', [key]);
+        for (const pr of prs) {
+          await run(db,
+            'INSERT INTO github_pr_cache (owner, repo, number, title, author, updated_at, html_url, state, collection) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+            [pr.owner, pr.repo, pr.number, pr.title, pr.author, pr.updated_at, pr.html_url, pr.state, key]
+          );
+        }
+      });
+      const rows = await getCachedRows(db, key);
+      const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
+      res.json({ success: true, prs: rows, fetched_at: fetchedAt });
+    } catch (error) {
+      if (error.status === 401 || error.status === 403) {
+        return res.status(401).json({ success: false, error: 'GitHub token is invalid or expired' });
+      }
+      logger.error(`Failed to refresh ${label}:`, error);
+      res.status(500).json({ success: false, error: `Failed to refresh ${label}` });
     }
-    logger.error('Failed to refresh my PRs:', error);
-    res.status(500).json({ success: false, error: 'Failed to refresh my PRs' });
-  }
-});
+  });
+}
+COLLECTIONS.forEach(registerCollection);
 module.exports = router;