@in-the-loop-labs/pair-review 3.5.1 → 3.5.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@in-the-loop-labs/pair-review",
-  "version": "3.5.1",
+  "version": "3.5.2",
   "description": "Your AI-powered code review partner - Close the feedback loop with AI coding agents",
   "main": "src/server.js",
   "bin": {
@@ -21,6 +21,20 @@
   "engines": {
     "node": ">=20.0.0"
   },
+  "scripts": {
+    "start": "node src/server.js",
+    "dev": "node bin/pair-review.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "test:e2e": "playwright test",
+    "test:e2e:headed": "playwright test --headed",
+    "test:e2e:debug": "playwright test --debug",
+    "generate:skill-prompts": "node scripts/generate-skill-prompts.js",
+    "changeset": "changeset",
+    "version": "changeset version && pnpm install --lockfile-only && bash scripts/generate-package-lock.sh && node scripts/sync-plugin-versions.js && git add package.json pnpm-lock.yaml package-lock.json CHANGELOG.md .changeset .claude-plugin/marketplace.json plugin/.claude-plugin/plugin.json plugin-code-critic/.claude-plugin/plugin.json && git commit -m \"RELEASING: v$(node -p \"require('./package.json').version\")\"",
+    "release": "npm whoami > /dev/null || { echo 'Error: Not logged in to npm. Run: npm login'; exit 1; } && pnpm run version && changeset tag && npm publish && git push && git push --tags"
+  },
   "keywords": [
     "code-review",
     "pull-request",
@@ -70,18 +84,9 @@
     "supertest": "^7.1.4",
     "vitest": "^4.0.16"
   },
-  "scripts": {
-    "start": "node src/server.js",
-    "dev": "node bin/pair-review.js",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage",
-    "test:e2e": "playwright test",
-    "test:e2e:headed": "playwright test --headed",
-    "test:e2e:debug": "playwright test --debug",
-    "generate:skill-prompts": "node scripts/generate-skill-prompts.js",
-    "changeset": "changeset",
-    "version": "changeset version && pnpm install --lockfile-only && bash scripts/generate-package-lock.sh && node scripts/sync-plugin-versions.js && git add package.json pnpm-lock.yaml package-lock.json CHANGELOG.md .changeset .claude-plugin/marketplace.json plugin/.claude-plugin/plugin.json plugin-code-critic/.claude-plugin/plugin.json && git commit -m \"RELEASING: v$(node -p \"require('./package.json').version\")\"",
-    "release": "npm whoami > /dev/null || { echo 'Error: Not logged in to npm. Run: npm login'; exit 1; } && pnpm run version && changeset tag && npm publish && git push && git push --tags"
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "better-sqlite3"
+    ]
   }
-}
+}

package/plugin/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "pair-review",
-  "version": "3.5.1",
+  "version": "3.5.2",
   "description": "pair-review app integration — Open PRs and local changes in the pair-review web UI, run server-side AI analysis, and address review feedback. Requires the pair-review MCP server.",
   "author": {
     "name": "in-the-loop-labs",

package/plugin-code-critic/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "code-critic",
-  "version": "3.5.1",
+  "version": "3.5.2",
   "description": "AI-powered code review analysis — Run three-level AI analysis and implement-review-fix loops directly in your coding agent. Works standalone, no server required.",
   "author": {
     "name": "in-the-loop-labs",

package/public/index.html

@@ -960,6 +960,65 @@
             animation: spin 0.8s linear infinite;
         }
 
+        /* Team Review Requests: filter-by-team control */
+        .team-filter-group {
+            display: flex;
+            align-items: center;
+            gap: 8px;
+            /* Push the filter to the left; fetched-at + refresh stay right. */
+            margin-right: auto;
+        }
+
+        .team-filter {
+            display: flex;
+            align-items: center;
+            gap: 4px;
+        }
+
+        .team-filter-input {
+            width: 160px;
+            height: 32px;
+            padding: 0 8px;
+            font-size: 13px;
+            background: var(--color-bg-primary);
+            border: 1px solid var(--color-border-primary);
+            border-radius: var(--radius-md);
+            color: var(--color-text-primary);
+        }
+
+        .team-filter-input:focus {
+            outline: none;
+            border-color: var(--ai-primary);
+        }
+
+        .team-filter-input.invalid {
+            border-color: var(--color-danger);
+        }
+
+        .team-filter-apply,
+        .team-filter-clear {
+            height: 32px;
+            padding: 0 10px;
+            font-size: 13px;
+            background: transparent;
+            border: 1px solid var(--color-border-primary);
+            border-radius: var(--radius-md);
+            color: var(--color-text-tertiary);
+            cursor: pointer;
+            transition: all var(--transition-fast);
+        }
+
+        .team-filter-apply:hover,
+        .team-filter-clear:hover {
+            background: var(--color-bg-secondary);
+            color: var(--color-text-primary);
+        }
+
+        .team-filter-hint {
+            font-size: 12px;
+            color: var(--color-danger);
+        }
+
         .collection-pr-row {
             cursor: pointer;
         }
@@ -1343,6 +1402,7 @@
                         <div class="tab-bar" id="unified-tab-bar">
                             <button class="tab-btn active" data-tab="pr-tab" type="button">Pull Requests</button>
                             <button class="tab-btn" data-tab="review-requests-tab" type="button">My Review Requests</button>
+                            <button class="tab-btn" data-tab="team-reviews-tab" type="button">Team Review Requests</button>
                             <button class="tab-btn" data-tab="my-prs-tab" type="button">My PRs</button>
                             <span class="tab-divider"></span>
                             <button class="tab-btn" data-tab="local-tab" type="button">Local Reviews</button>
@@ -1392,6 +1452,36 @@
                         </div>
                     </div>
 
+                    <!-- Team Review Requests Tab -->
+                    <div class="tab-pane" id="team-reviews-tab">
+                        <div class="tab-pane-header">
+                            <div class="team-filter-group">
+                                <form class="team-filter" id="team-reviews-filter">
+                                    <input
+                                        type="text"
+                                        class="team-filter-input"
+                                        id="team-reviews-team-input"
+                                        placeholder="org/team"
+                                        autocomplete="off"
+                                        spellcheck="false"
+                                        aria-label="Filter by team (org/team)"
+                                        aria-describedby="team-reviews-filter-hint"
+                                    >
+                                    <button type="submit" class="team-filter-apply" id="team-reviews-filter-apply" title="Filter by this team">Filter</button>
+                                    <button type="button" class="team-filter-clear" id="team-reviews-filter-clear" title="Show all teams" hidden>Clear</button>
+                                </form>
+                                <span class="team-filter-hint" id="team-reviews-filter-hint" role="alert" hidden>Use the form org/team.</span>
+                            </div>
+                            <span class="fetched-at-label" id="team-reviews-fetched-at"></span>
+                            <button class="btn-refresh" id="refresh-team-reviews" title="Refresh from GitHub">
+                                <svg width="14" height="14" viewBox="0 0 16 16" fill="currentColor"><path d="M1.705 8.005a.75.75 0 0 1 .834.656 5.5 5.5 0 0 0 9.592 2.97l-1.204-1.204a.25.25 0 0 1 .177-.427h3.646a.25.25 0 0 1 .25.25v3.646a.25.25 0 0 1-.427.177l-1.38-1.38A7.002 7.002 0 0 1 1.05 8.84a.75.75 0 0 1 .656-.834ZM8 2.5a5.487 5.487 0 0 0-4.131 1.869l1.204 1.204A.25.25 0 0 1 4.896 6H1.25A.25.25 0 0 1 1 5.75V2.104a.25.25 0 0 1 .427-.177l1.38 1.38A7.002 7.002 0 0 1 14.95 7.16a.75.75 0 0 1-1.49.178A5.5 5.5 0 0 0 8 2.5Z"/></svg>
+                            </button>
+                        </div>
+                        <div id="team-reviews-container" class="recent-reviews-loading">
+                            Loading...
+                        </div>
+                    </div>
+
                     <!-- My PRs Tab -->
                     <div class="tab-pane" id="my-prs-tab">
                         <div class="tab-pane-header">

package/public/js/index.js

@@ -303,7 +303,21 @@
     loaded: false
   };
 
-  // ─── GitHub PR Collections (My Review Requests / My PRs) ───────────────────
+  // ─── GitHub PR Collections (Review Requests / Team Reviews / My PRs) ───────
+
+  /** Empty-state message per collection (used when a fetch returned no PRs). */
+  var COLLECTION_EMPTY_MESSAGES = {
+    'review-requests': 'No pull requests awaiting your review.',
+    'team-reviews': 'No pull requests awaiting your team’s review.',
+    'my-prs': 'You have no open pull requests.'
+  };
+
+  /** Noun used in the "Configure a GitHub token to see …" message per collection. */
+  var COLLECTION_TOKEN_LABELS = {
+    'review-requests': 'review requests',
+    'team-reviews': 'team review requests',
+    'my-prs': 'your pull requests'
+  };
 
   var reviewRequestsState = {
     loaded: false,
@@ -311,16 +325,90 @@
     fetchedAt: null
   };
 
+  var teamReviewsState = {
+    loaded: false,
+    prs: [],
+    fetchedAt: null,
+    // Monotonic token for the most recent team-reviews request (see
+    // beginTeamReviewsRequest). Stale responses compare against this and bail.
+    activeRequest: 0
+  };
+
   var myPrsState = {
     loaded: false,
     prs: [],
     fetchedAt: null
   };
 
+  // Filter-by-team support for the Team Review Requests tab.
+  // Client-side validation is UX only; the server re-validates before
+  // interpolating the value into the GitHub search query (query-injection
+  // guard). Pattern must match the server's TEAM_SLUG_PATTERN.
+  var TEAM_SLUG_PATTERN = /^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/;
+  var TEAM_FILTER_LS_KEY = 'github-collection-team:team-reviews';
+
+  /**
+   * Read the persisted team filter, returning '' (all teams) for an absent or
+   * invalid stored value.
+   * @returns {string} A validated `org/team` slug, or ''.
+   */
+  function getStoredTeamFilter() {
+    try {
+      var v = (localStorage.getItem(TEAM_FILTER_LS_KEY) || '').trim();
+      return v && TEAM_SLUG_PATTERN.test(v) ? v : '';
+    } catch (e) {
+      return '';
+    }
+  }
+
+  /**
+   * Begin a new team-reviews request "epoch" and return its token. Every user
+   * action that (re)loads the team-reviews view — filter apply, tab switch,
+   * manual refresh, initial load — calls this once and threads the returned id
+   * through BOTH the cached GET and the live refresh. Because multiple in-flight
+   * fetches write into the shared `teamReviewsState` and render into the same
+   * container, completion order alone could otherwise let a slower earlier
+   * request (e.g. a previous team, or the all-teams view) repaint the table with
+   * PRs that no longer match the active selection. loadCollectionPrs /
+   * refreshCollectionPrs bail after `await fetch(...)` when their token is no
+   * longer `activeRequest`, discarding the stale response before it mutates
+   * state or the DOM.
+   * @returns {number} The token for this request epoch.
+   */
+  function beginTeamReviewsRequest() {
+    teamReviewsState.activeRequest += 1;
+    return teamReviewsState.activeRequest;
+  }
+
+  /**
+   * Resync the Team Review Requests filter controls to a known-applied value
+   * (typically getStoredTeamFilter()). Switching tabs only toggles `.active` —
+   * it does not rebuild the Team Reviews DOM — so unapplied draft text typed
+   * into the input survives a tab switch. Because every reload path keys its
+   * fetch off getStoredTeamFilter() (the persisted value) rather than the live
+   * input, the visible filter could otherwise advertise one team while the
+   * queue, row-click navigation, and bulk actions operate on another. Any path
+   * that re-consumes the stored filter must call this first so the displayed
+   * filter cannot diverge from the team actually being fetched and rendered.
+   * @param {string} value - The validated `org/team` slug to display, or '' for all teams.
+   */
+  function syncTeamFilterControls(value) {
+    var input = document.getElementById('team-reviews-team-input');
+    if (input) {
+      input.value = value || '';
+      input.classList.remove('invalid');
+      input.removeAttribute('aria-invalid');
+    }
+    var hint = document.getElementById('team-reviews-filter-hint');
+    if (hint) hint.hidden = true;
+    var clearBtn = document.getElementById('team-reviews-filter-clear');
+    if (clearBtn) clearBtn.hidden = !value;
+  }
+
   /**
    * Render a single row for a collection PR table.
    * @param {Object} pr - PR object from the API
-   * @param {string} collection - The collection name ('review-requests' or 'my-prs')
+   * @param {string} collection - The collection name ('review-requests', 'team-reviews', or 'my-prs')
    * @returns {string} HTML string for the table row
    */
   function renderCollectionPrRow(pr, collection) {
@@ -366,15 +454,20 @@
    * Render the collection table into a container element.
    * @param {HTMLElement} container - The container element
    * @param {Object} state - The collection state object
-   * @param {string} collection - The collection name ('review-requests' or 'my-prs')
+   * @param {string} collection - The collection name ('review-requests', 'team-reviews', or 'my-prs')
    */
   function renderCollectionTable(container, state, collection) {
-    var sel = collection === 'review-requests' ? reviewRequestsSelection : myPrsSelection;
-    sel.exit();
+    var sel = collectionSelections[collection];
+    if (sel) sel.exit();
 
-    var fetchedAtId = collection === 'review-requests' ? 'review-requests-fetched-at' : 'my-prs-fetched-at';
-    var fetchedAtEl = document.getElementById(fetchedAtId);
+    var fetchedAtEl = document.getElementById(collection + '-fetched-at');
     if (fetchedAtEl) {
+      // Note: this key is intentionally NOT per-team — unlike the DB cache key
+      // in src/routes/github-collections.js (which uses cacheKey()), the
+      // fetched-at timestamp is informational only. We accept a brief label
+      // mismatch when the user switches the team-reviews filter; the label
+      // updates once that view's next refresh completes. See the write site in
+      // refreshCollectionPrs.
       var lsKey = 'github-collection-fetched-at:' + collection;
       var displayTs = localStorage.getItem(lsKey) || state.fetchedAt;
       fetchedAtEl.textContent = displayTs
@@ -383,13 +476,11 @@
     }
 
     if (state.prs.length === 0) {
-      var emptyMsg = collection === 'review-requests'
-        ? 'No pull requests awaiting your review.'
-        : 'You have no open pull requests.';
-
-      if (!state.fetchedAt) {
-        emptyMsg = 'Click refresh to fetch from GitHub.';
-      }
+      var emptyLsKey = 'github-collection-fetched-at:' + collection;
+      var hasFetched = state.fetchedAt || localStorage.getItem(emptyLsKey);
+      var emptyMsg = hasFetched
+        ? (COLLECTION_EMPTY_MESSAGES[collection] || 'No pull requests found.')
+        : 'Click refresh to fetch from GitHub.';
 
       container.innerHTML =
         '<div class="recent-reviews-empty">' +
@@ -401,7 +492,7 @@
 
     var authorTh = collection === 'my-prs' ? '' : '<th>Author</th>';
 
-    var tbodyId = collection === 'review-requests' ? 'review-requests-tbody' : 'my-prs-tbody';
+    var tbodyId = collection + '-tbody';
 
     container.innerHTML =
       '<table class="recent-reviews-table">' +
@@ -424,18 +515,28 @@
 
   /**
    * Load collection PRs from cached backend data.
-   * @param {string} collection - 'review-requests' or 'my-prs'
+   * @param {string} collection - 'review-requests', 'team-reviews', or 'my-prs'
    * @param {string} containerId - DOM id of the container element
    * @param {Object} state - The collection state object
+   * @param {string} [team] - Optional validated `org/team` filter (team-reviews
+   *   only). When set, requests the namespaced cache for that team.
+   * @param {number} [requestId] - Optional team-reviews request token (see
+   *   beginTeamReviewsRequest). When provided, the response is discarded if a
+   *   newer request has superseded it before this fetch resolved.
    */
-  async function loadCollectionPrs(collection, containerId, state) {
+  async function loadCollectionPrs(collection, containerId, state, team, requestId) {
     var container = document.getElementById(containerId);
 
     try {
-      var response = await fetch('/api/github/' + collection);
+      var url = '/api/github/' + collection + (team ? '?team=' + encodeURIComponent(team) : '');
+      var response = await fetch(url);
       if (!response.ok) throw new Error('Failed to fetch');
       var data = await response.json();
 
+      // Discard a response a newer team-reviews request has superseded, so a
+      // slow earlier load can't repaint the table with a stale team's PRs.
+      if (requestId != null && requestId !== state.activeRequest) return;
+
       state.loaded = true;
       state.prs = data.prs || [];
       state.fetchedAt = data.fetched_at;
@@ -443,6 +544,8 @@
       renderCollectionTable(container, state, collection);
     } catch (error) {
       console.error('Error loading ' + collection + ':', error);
+      // Don't paint the error over a view a newer request now owns.
+      if (requestId != null && requestId !== state.activeRequest) return;
       container.innerHTML =
         '<div class="recent-reviews-empty">' +
           '<p>Failed to load. Click refresh to try again.</p>' +
@@ -453,14 +556,18 @@
 
   /**
    * Refresh collection PRs by fetching fresh data from GitHub.
-   * @param {string} collection - 'review-requests' or 'my-prs'
+   * @param {string} collection - 'review-requests', 'team-reviews', or 'my-prs'
    * @param {string} containerId - DOM id of the container element
    * @param {Object} state - The collection state object
+   * @param {string} [team] - Optional validated `org/team` filter (team-reviews
+   *   only). When set, refreshes and caches under the namespaced key.
+   * @param {number} [requestId] - Optional team-reviews request token (see
+   *   beginTeamReviewsRequest). When provided, the response is discarded if a
+   *   newer request has superseded it before this fetch resolved.
    */
-  async function refreshCollectionPrs(collection, containerId, state) {
+  async function refreshCollectionPrs(collection, containerId, state, team, requestId) {
     var container = document.getElementById(containerId);
-    var btnId = collection === 'review-requests' ? 'refresh-review-requests' : 'refresh-my-prs';
-    var btn = document.getElementById(btnId);
+    var btn = document.getElementById('refresh-' + collection);
 
     if (btn) btn.classList.add('refreshing');
 
@@ -470,7 +577,12 @@
     }
 
     try {
-      var response = await fetch('/api/github/' + collection + '/refresh', { method: 'POST' });
+      var refreshUrl = '/api/github/' + collection + '/refresh' + (team ? '?team=' + encodeURIComponent(team) : '');
+      var response = await fetch(refreshUrl, { method: 'POST' });
+
+      // A newer team-reviews request has superseded this one; drop it before
+      // touching the 401 message, shared state, or the table.
+      if (requestId != null && requestId !== state.activeRequest) return;
 
       if (!response.ok) {
         var errData = await response.json().catch(function() { return {}; });
@@ -478,7 +590,7 @@
           container.innerHTML =
             '<div class="recent-reviews-empty">' +
               '<p>Configure a GitHub token to see ' +
-              (collection === 'review-requests' ? 'review requests' : 'your pull requests') +
+              (COLLECTION_TOKEN_LABELS[collection] || 'pull requests') +
               '.</p>' +
             '</div>';
           container.classList.remove('recent-reviews-loading');
@@ -488,14 +600,26 @@
       }
 
       var data = await response.json();
+
+      // Re-check after the body parse: a newer request may have started while
+      // the response was streaming.
+      if (requestId != null && requestId !== state.activeRequest) return;
+
       state.prs = data.prs || [];
       state.fetchedAt = data.fetched_at;
       state.loaded = true;
+      // Note: this key is intentionally NOT per-team — unlike the DB cache key
+      // in src/routes/github-collections.js (which uses cacheKey()), the
+      // fetched-at timestamp is informational only. We accept a brief label
+      // mismatch when the user switches the team-reviews filter; the label
+      // updates once the next refresh completes (read site: renderCollectionTable).
       localStorage.setItem('github-collection-fetched-at:' + collection, new Date().toISOString());
 
       renderCollectionTable(container, state, collection);
     } catch (error) {
       console.error('Error refreshing ' + collection + ':', error);
+      // Don't repaint a view a newer request now owns.
+      if (requestId != null && requestId !== state.activeRequest) return;
       // If we had existing data, keep showing it
       if (state.prs.length > 0) {
         renderCollectionTable(container, state, collection);
@@ -511,6 +635,62 @@
     }
   }
 
+  /**
+   * Apply the Team Review Requests team filter from the input field.
+   * Validates client-side (UX only), persists the value, toggles the Clear
+   * affordance and inline hint, then reloads the team-reviews view for the
+   * selected team (empty input = all teams).
+   */
+  function applyTeamFilter() {
+    var input = document.getElementById('team-reviews-team-input');
+    if (!input) return;
+    var hint = document.getElementById('team-reviews-filter-hint');
+    var clearBtn = document.getElementById('team-reviews-filter-clear');
+    var value = input.value.trim();
+
+    // Non-empty input must match the org/team format; skip the fetch and show
+    // the inline hint on invalid input. Empty means "all teams" (valid).
+    if (value !== '' && !TEAM_SLUG_PATTERN.test(value)) {
+      input.classList.add('invalid');
+      input.setAttribute('aria-invalid', 'true');
+      if (hint) hint.hidden = false;
+      return;
+    }
+
+    input.classList.remove('invalid');
+    input.removeAttribute('aria-invalid');
+    if (hint) hint.hidden = true;
+
+    try {
+      if (value) {
+        localStorage.setItem(TEAM_FILTER_LS_KEY, value);
+      } else {
+        localStorage.removeItem(TEAM_FILTER_LS_KEY);
+      }
+    } catch (e) { /* localStorage unavailable; filter still applies for this view */ }
+
+    if (clearBtn) clearBtn.hidden = !value;
+
+    // Reset loaded state so we read the (namespaced) cache for the new view
+    // before refreshing live from GitHub.
+    teamReviewsState.loaded = false;
+    teamReviewsState.prs = [];
+    // Paint a placeholder so the previous team's rows don't linger while
+    // loadCollectionPrs / refreshCollectionPrs run asynchronously.
+    var container = document.getElementById('team-reviews-container');
+    if (container) {
+      container.innerHTML = '<div class="recent-reviews-loading">Loading...</div>';
+    }
+    var team = value || '';
+    // One token for this user action, threaded through both the cached GET and
+    // the live refresh, so a slower earlier request can't clobber this view.
+    var requestId = beginTeamReviewsRequest();
+    loadCollectionPrs('team-reviews', 'team-reviews-container', teamReviewsState, team, requestId)
+      .then(function () {
+        refreshCollectionPrs('team-reviews', 'team-reviews-container', teamReviewsState, team, requestId);
+      });
+  }
+
   /**
    * Fetch and display local review sessions (initial load).
    */
@@ -1610,6 +1790,17 @@
     ]
   });
 
+  var teamReviewsSelection = new SelectionMode({
+    tabId: 'team-reviews-tab',
+    containerId: 'team-reviews-container',
+    tbodyId: 'team-reviews-tbody',
+    rowIdAttr: 'prUrl',
+    actions: [
+      { label: 'Open', className: 'btn-bulk-open', handler: handleBulkOpen },
+      { label: 'Analyze', className: 'btn-bulk-analyze', handler: handleBulkAnalyze }
+    ]
+  });
+
   var myPrsSelection = new SelectionMode({
     tabId: 'my-prs-tab',
     containerId: 'my-prs-container',
@@ -1621,6 +1812,13 @@
     ]
   });
 
+  /** Map of collection name → its SelectionMode instance. */
+  var collectionSelections = {
+    'review-requests': reviewRequestsSelection,
+    'team-reviews': teamReviewsSelection,
+    'my-prs': myPrsSelection
+  };
+
   async function handleBulkDeletePR(selectedIds, selectionInstance) {
     var count = selectedIds.size;
     selectionInstance.showConfirm('Delete ' + count + ' review' + (count === 1 ? '' : 's') + '?', async function () {
@@ -1762,6 +1960,19 @@
       return;
     }
 
+    var refreshTeamReviewsBtn = event.target.closest('#refresh-team-reviews');
+    if (refreshTeamReviewsBtn) {
+      event.preventDefault();
+      // Resync the controls to the applied filter before refreshing: unapplied
+      // draft text in the input must not advertise a team different from the one
+      // we actually fetch (which keys off the persisted value).
+      var teamReviewsRefreshFilter = getStoredTeamFilter();
+      syncTeamFilterControls(teamReviewsRefreshFilter);
+      var teamReviewsRefreshId = beginTeamReviewsRequest();
+      refreshCollectionPrs('team-reviews', 'team-reviews-container', teamReviewsState, teamReviewsRefreshFilter, teamReviewsRefreshId);
+      return;
+    }
+
     var refreshMyPrsBtn = event.target.closest('#refresh-my-prs');
     if (refreshMyPrsBtn) {
       event.preventDefault();
@@ -1774,7 +1985,7 @@
     if (selectToggle) {
       event.preventDefault();
       var tabId = selectToggle.dataset.selectionTab;
-      var instances = { 'pr-tab': prSelection, 'local-tab': localSelection, 'review-requests-tab': reviewRequestsSelection, 'my-prs-tab': myPrsSelection };
+      var instances = { 'pr-tab': prSelection, 'local-tab': localSelection, 'review-requests-tab': reviewRequestsSelection, 'team-reviews-tab': teamReviewsSelection, 'my-prs-tab': myPrsSelection };
       var instance = instances[tabId];
       if (instance) instance.toggle();
       return;
@@ -1851,6 +2062,18 @@
           }
           refreshCollectionPrs('review-requests', 'review-requests-container', reviewRequestsState);
         }
+        if (tabId === 'team-reviews-tab') {
+          var teamFilter = getStoredTeamFilter();
+          // Re-entering the tab preserves any unapplied draft text in the input
+          // (switchTab does not rebuild the DOM). Resync the controls to the
+          // applied filter so the visible team matches the one we reload.
+          syncTeamFilterControls(teamFilter);
+          var teamReviewsTabRequestId = beginTeamReviewsRequest();
+          if (!teamReviewsState.loaded) {
+            await loadCollectionPrs('team-reviews', 'team-reviews-container', teamReviewsState, teamFilter, teamReviewsTabRequestId);
+          }
+          refreshCollectionPrs('team-reviews', 'team-reviews-container', teamReviewsState, teamFilter, teamReviewsTabRequestId);
+        }
         if (tabId === 'my-prs-tab') {
           if (!myPrsState.loaded) {
             await loadCollectionPrs('my-prs', 'my-prs-container', myPrsState);
@@ -1894,6 +2117,12 @@
       loadCollectionPrs('review-requests', 'review-requests-container', reviewRequestsState)
         .then(function () { refreshCollectionPrs('review-requests', 'review-requests-container', reviewRequestsState); });
     }
+    if (savedTab === 'team-reviews-tab') {
+      var initialTeamFilter = getStoredTeamFilter();
+      var initialTeamRequestId = beginTeamReviewsRequest();
+      loadCollectionPrs('team-reviews', 'team-reviews-container', teamReviewsState, initialTeamFilter, initialTeamRequestId)
+        .then(function () { refreshCollectionPrs('team-reviews', 'team-reviews-container', teamReviewsState, initialTeamFilter, initialTeamRequestId); });
+    }
     if (savedTab === 'my-prs-tab') {
       loadCollectionPrs('my-prs', 'my-prs-container', myPrsState)
         .then(function () { refreshCollectionPrs('my-prs', 'my-prs-container', myPrsState); });
@@ -1922,6 +2151,37 @@
       browseBtn.addEventListener('click', handleBrowseLocal);
     }
 
+    // Set up Team Review Requests team-filter handlers and restore the
+    // persisted value.
+    const teamFilterInput = document.getElementById('team-reviews-team-input');
+    const teamFilterForm = document.getElementById('team-reviews-filter');
+    const teamFilterClearBtn = document.getElementById('team-reviews-filter-clear');
+    if (teamFilterInput) {
+      // Restore the persisted filter into the controls on initial load (same
+      // resync the reload paths use, so the displayed team always matches the
+      // applied filter).
+      syncTeamFilterControls(getStoredTeamFilter());
+      // Clear the invalid state / inline hint as the user edits.
+      teamFilterInput.addEventListener('input', function () {
+        teamFilterInput.classList.remove('invalid');
+        teamFilterInput.removeAttribute('aria-invalid');
+        const hint = document.getElementById('team-reviews-filter-hint');
+        if (hint) hint.hidden = true;
+      });
+    }
+    if (teamFilterForm) {
+      teamFilterForm.addEventListener('submit', function (event) {
+        event.preventDefault();
+        applyTeamFilter();
+      });
+    }
+    if (teamFilterClearBtn) {
+      teamFilterClearBtn.addEventListener('click', function () {
+        if (teamFilterInput) teamFilterInput.value = '';
+        applyTeamFilter();
+      });
+    }
+
     // Set up PR Analyze button handler
     const analyzeReviewBtn = document.getElementById('analyze-review-btn');
     if (analyzeReviewBtn) {
@@ -1985,6 +2245,19 @@
       rrHeader.insertBefore(rrBtn, rrHeader.firstChild);
     }
 
+    // Team Reviews tab: add to existing header. Insert before the fetched-at
+    // label rather than as firstChild — the leading `.team-filter-group` carries
+    // `margin-right: auto`, so a firstChild button would be shoved to the far
+    // left. Placing it here keeps Select grouped with fetched-at + refresh on
+    // the right, matching the other collection tabs.
+    var trHeader = document.querySelector('#team-reviews-tab .tab-pane-header');
+    if (trHeader) {
+      var trBtn = createSelectButton('team-reviews-tab');
+      teamReviewsSelection._toggleBtn = trBtn;
+      var trFetchedAt = document.getElementById('team-reviews-fetched-at');
+      trHeader.insertBefore(trBtn, trFetchedAt || trHeader.firstChild);
+    }
+
     // My PRs tab: add to existing header
     var mpHeader = document.querySelector('#my-prs-tab .tab-pane-header');
     if (mpHeader) {

package/src/routes/github-collections.js

@@ -3,8 +3,14 @@
  * GitHub Collections Routes
  *
  * Handles endpoints for PR collections:
- * - Review Requests: PRs where the user's review is requested
+ * - Review Requests: PRs where the user's review is requested directly
+ * - Team Review Requests: PRs where a team the user belongs to is requested,
+ *   but the user is not requested directly
  * - My PRs: PRs authored by the user
+ *
+ * Each collection exposes two endpoints registered by `registerCollection`:
+ * - GET  /api/github/:collection          → cached rows from github_pr_cache
+ * - POST /api/github/:collection/refresh  → fetch from GitHub and re-cache
  */
 
 const express = require('express');
@@ -15,112 +21,184 @@ const logger = require('../utils/logger');
 
 const router = express.Router();
 
+const SELECT_COLUMNS = 'owner, repo, number, title, author, updated_at, html_url, state, fetched_at';
+
+// Valid `org/team` slug: two non-empty segments of GitHub-allowed characters.
+// Used to guard against query injection when interpolating the team into the
+// GitHub search query string. Must be applied server-side; client validation
+// is UX only.
+const TEAM_SLUG_PATTERN = /^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/;
+
 /**
- * Get cached review request PRs.
+ * Collection definitions. `buildQuery` receives the authenticated user's login
+ * and an optional params object, and returns the GitHub search query for that
+ * collection. Only collections with `supportsTeamFilter: true` consume
+ * `params.team` (currently just `team-reviews`); the others accept and ignore
+ * it. The flag also gates the team plumbing in `registerCollection`: a stray
+ * `?team=` on a collection that doesn't support it is ignored rather than
+ * validated or folded into the cache key, so it can never create a misleading
+ * namespaced cache entry for a query whose results are identical to the
+ * unfiltered view.
  */
-router.get('/api/github/review-requests', async (req, res) => {
-  try {
-    const db = req.app.get('db');
-    const rows = await query(db, 'SELECT owner, repo, number, title, author, updated_at, html_url, state, fetched_at FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC', ['review-requests']);
-
-    const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
-    res.json({ success: true, prs: rows, fetched_at: fetchedAt });
-  } catch (error) {
-    logger.error('Failed to fetch review requests:', error);
-    res.status(500).json({ success: false, error: 'Failed to fetch review requests' });
+const COLLECTIONS = [
+  {
+    name: 'review-requests',
+    label: 'review requests',
+    buildQuery: (login) => `is:pr is:open archived:false user-review-requested:${login}`
+  },
+  {
+    name: 'team-reviews',
+    label: 'team review requests',
+    supportsTeamFilter: true,
+    // Review requested from a team the user belongs to, excluding PRs where the
+    // user is requested directly (those appear under review-requests).
+    //
+    // When a specific `team` (org/team) is provided, narrow to that team's open
+    // review requests and drop the `-user-review-requested` exclusion: once the
+    // user explicitly picks a team, "show everything awaiting this team" is the
+    // least surprising behavior. The team value MUST already be validated.
+    buildQuery: (login, params) => {
+      const team = params && params.team;
+      if (team) {
+        return `is:pr is:open archived:false team-review-requested:${team}`;
+      }
+      return `is:pr is:open archived:false review-requested:${login} -user-review-requested:${login}`;
+    }
+  },
+  {
+    name: 'my-prs',
+    label: 'your pull requests',
+    buildQuery: (login) => `is:pr is:open archived:false author:${login}`
   }
-});
+];
 
 /**
- * Refresh review request PRs from GitHub.
+ * Derive the cache storage key for a collection, namespacing by team so a
+ * filtered view never clobbers the all-teams cache. Both the GET (read) and
+ * POST refresh (write/delete) handlers must route through this single helper so
+ * they never diverge.
+ * @param {string} name - Collection name.
+ * @param {string} [team] - Validated `org/team` slug, or falsy for all-teams.
+ * @returns {string} The `collection` column value to use.
  */
-router.post('/api/github/review-requests/refresh', async (req, res) => {
-  try {
-    const config = req.app.get('config');
-    const githubToken = getGitHubToken(config);
-    if (!githubToken) {
-      return res.status(401).json({ success: false, error: 'GitHub token not configured' });
-    }
+function cacheKey(name, team) {
+  return team ? `${name}:${team}` : name;
+}
 
-    const db = req.app.get('db');
-    const client = new GitHubClient(githubToken);
-    const user = await client.getAuthenticatedUser();
-    const prs = await client.searchPullRequests(`is:pr is:open archived:false user-review-requested:${user.login}`);
-
-    await withTransaction(db, async () => {
-      await run(db, 'DELETE FROM github_pr_cache WHERE collection = ?', ['review-requests']);
-      for (const pr of prs) {
-        await run(db,
-          'INSERT INTO github_pr_cache (owner, repo, number, title, author, updated_at, html_url, state, collection) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
-          [pr.owner, pr.repo, pr.number, pr.title, pr.author, pr.updated_at, pr.html_url, pr.state, 'review-requests']
-        );
-      }
-    });
-
-    const rows = await query(db, 'SELECT owner, repo, number, title, author, updated_at, html_url, state, fetched_at FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC', ['review-requests']);
-    const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
-    res.json({ success: true, prs: rows, fetched_at: fetchedAt });
-  } catch (error) {
-    if (error.status === 401 || error.status === 403) {
-      return res.status(401).json({ success: false, error: 'GitHub token is invalid or expired' });
-    }
-    logger.error('Failed to refresh review requests:', error);
-    res.status(500).json({ success: false, error: 'Failed to refresh review requests' });
+/**
+ * Validate and normalize the `team` query param.
+ * @param {*} raw - The raw `team` value from the request.
+ * @returns {{ team: string|null, error: string|null }} `team` is the validated
+ *   slug (or null for all-teams); `error` is set when the input is invalid.
+ */
+function parseTeamParam(raw) {
+  if (raw === undefined || raw === null || raw === '') {
+    return { team: null, error: null };
+  }
+  if (typeof raw !== 'string' || !TEAM_SLUG_PATTERN.test(raw)) {
+    return { team: null, error: 'Invalid team. Use the form org/team.' };
   }
-});
+  return { team: raw, error: null };
+}
 
 /**
- * Get cached user's own PRs.
+ * Fetch cached rows for a collection, newest first.
  */
-router.get('/api/github/my-prs', async (req, res) => {
-  try {
-    const db = req.app.get('db');
-    const rows = await query(db, 'SELECT owner, repo, number, title, author, updated_at, html_url, state, fetched_at FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC', ['my-prs']);
-
-    const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
-    res.json({ success: true, prs: rows, fetched_at: fetchedAt });
-  } catch (error) {
-    logger.error('Failed to fetch my PRs:', error);
-    res.status(500).json({ success: false, error: 'Failed to fetch my PRs' });
-  }
-});
+async function getCachedRows(db, collection) {
+  return query(
+    db,
+    `SELECT ${SELECT_COLUMNS} FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC`,
+    [collection]
+  );
+}
 
 /**
- * Refresh user's own PRs from GitHub.
+ * Register the GET (cached) and POST (refresh) routes for a single collection.
+ * @param {Object} def - Collection definition
+ *   ({ name, label, buildQuery, supportsTeamFilter }).
  */
-router.post('/api/github/my-prs/refresh', async (req, res) => {
-  try {
-    const config = req.app.get('config');
-    const githubToken = getGitHubToken(config);
-    if (!githubToken) {
-      return res.status(401).json({ success: false, error: 'GitHub token not configured' });
+function registerCollection(def) {
+  const { name, label, buildQuery, supportsTeamFilter } = def;
+
+  // GET cached PRs.
+  router.get(`/api/github/${name}`, async (req, res) => {
+    try {
+      // Only team-aware collections consume `team`; for the rest, ignore any
+      // stray `?team=` so it can't validate-error or skew the cache key.
+      let team = null;
+      if (supportsTeamFilter) {
+        const parsed = parseTeamParam(req.query.team);
+        if (parsed.error) {
+          return res.status(400).json({ success: false, error: parsed.error });
+        }
+        team = parsed.team;
+      }
+
+      const db = req.app.get('db');
+      const rows = await getCachedRows(db, cacheKey(name, team));
+      const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
+      res.json({ success: true, prs: rows, fetched_at: fetchedAt });
+    } catch (error) {
+      logger.error(`Failed to fetch ${label}:`, error);
+      res.status(500).json({ success: false, error: `Failed to fetch ${label}` });
     }
+  });
 
-    const db = req.app.get('db');
-    const client = new GitHubClient(githubToken);
-    const user = await client.getAuthenticatedUser();
-    const prs = await client.searchPullRequests(`is:pr is:open archived:false author:${user.login}`);
-
-    await withTransaction(db, async () => {
-      await run(db, 'DELETE FROM github_pr_cache WHERE collection = ?', ['my-prs']);
-      for (const pr of prs) {
-        await run(db,
-          'INSERT INTO github_pr_cache (owner, repo, number, title, author, updated_at, html_url, state, collection) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
-          [pr.owner, pr.repo, pr.number, pr.title, pr.author, pr.updated_at, pr.html_url, pr.state, 'my-prs']
-        );
+  // POST refresh from GitHub.
+  router.post(`/api/github/${name}/refresh`, async (req, res) => {
+    try {
+      // Only team-aware collections consume `team` (from the query string or
+      // request body); for the rest, ignore any stray value so it can't
+      // validate-error or skew the cache key. Empty/absent means "all teams".
+      let team = null;
+      if (supportsTeamFilter) {
+        const rawTeam = req.query.team !== undefined ? req.query.team : (req.body && req.body.team);
+        const parsed = parseTeamParam(rawTeam);
+        if (parsed.error) {
+          return res.status(400).json({ success: false, error: parsed.error });
+        }
+        team = parsed.team;
       }
-    });
-
-    const rows = await query(db, 'SELECT owner, repo, number, title, author, updated_at, html_url, state, fetched_at FROM github_pr_cache WHERE collection = ? ORDER BY updated_at DESC', ['my-prs']);
-    const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
-    res.json({ success: true, prs: rows, fetched_at: fetchedAt });
-  } catch (error) {
-    if (error.status === 401 || error.status === 403) {
-      return res.status(401).json({ success: false, error: 'GitHub token is invalid or expired' });
+
+      const config = req.app.get('config');
+      const githubToken = getGitHubToken(config);
+      if (!githubToken) {
+        return res.status(401).json({ success: false, error: 'GitHub token not configured' });
+      }
+
+      const db = req.app.get('db');
+      const client = new GitHubClient(githubToken);
+      const user = await client.getAuthenticatedUser();
+      const prs = await client.searchPullRequests(buildQuery(user.login, { team }));
+
+      // Namespace the cache so a filtered view never clobbers the all-teams
+      // cache. Every distinct team string the user tries creates its own cached
+      // rows that are never garbage-collected; negligible for a local SQLite
+      // home-page feature.
+      const key = cacheKey(name, team);
+      await withTransaction(db, async () => {
+        await run(db, 'DELETE FROM github_pr_cache WHERE collection = ?', [key]);
+        for (const pr of prs) {
+          await run(db,
+            'INSERT INTO github_pr_cache (owner, repo, number, title, author, updated_at, html_url, state, collection) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+            [pr.owner, pr.repo, pr.number, pr.title, pr.author, pr.updated_at, pr.html_url, pr.state, key]
+          );
+        }
+      });
+
+      const rows = await getCachedRows(db, key);
+      const fetchedAt = rows.length > 0 ? rows[0].fetched_at : null;
+      res.json({ success: true, prs: rows, fetched_at: fetchedAt });
+    } catch (error) {
+      if (error.status === 401 || error.status === 403) {
+        return res.status(401).json({ success: false, error: 'GitHub token is invalid or expired' });
+      }
+      logger.error(`Failed to refresh ${label}:`, error);
+      res.status(500).json({ success: false, error: `Failed to refresh ${label}` });
     }
-    logger.error('Failed to refresh my PRs:', error);
-    res.status(500).json({ success: false, error: 'Failed to refresh my PRs' });
-  }
-});
+  });
+}
+
+COLLECTIONS.forEach(registerCollection);
 
 module.exports = router;