@in-the-loop-labs/pair-review 3.6.0 → 3.7.0

package/src/routes/bulk-analysis-configs.js

@@ -0,0 +1,295 @@
+// Copyright 2026 Tim Perkins (tjwp) | SPDX-License-Identifier: Apache-2.0
+/**
+ * Bulk analysis configuration routes.
+ *
+ * The index page can open many PR tabs at once. Rather than placing a large
+ * analysis configuration in every PR URL, the browser stores it here and passes
+ * a short ID through the setup/review URL. Each PR tab then resolves the ID
+ * before starting auto-analysis.
+ */
+
+const crypto = require('crypto');
+const express = require('express');
+const logger = require('../utils/logger');
+const { VALID_TIERS } = require('../ai/prompts/config');
+const { getAllProvidersInfo } = require('../ai');
+const { normalizeCouncilConfig, validateCouncilConfig } = require('./councils');
+
+const router = express.Router();
+
+const configs = new Map();
+const CONFIG_TTL_MS = 30 * 60 * 1000;
+const MAX_CONFIGS = 1000;
+const MAX_INSTRUCTIONS_LENGTH = 5000;
+const VALID_TIER_SET = new Set(VALID_TIERS);
+const VALID_CONFIG_TYPES = new Set(['council', 'advanced']);
+const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);
+
+function pruneExpired(now = Date.now()) {
+  for (const [id, entry] of configs.entries()) {
+    if (entry.expiresAt <= now) {
+      configs.delete(id);
+    }
+  }
+}
+
+function enforceMaxConfigs() {
+  while (configs.size > MAX_CONFIGS) {
+    const oldestId = configs.keys().next().value;
+    if (!oldestId) return;
+    configs.delete(oldestId);
+  }
+}
+
+function isPlainObject(value) {
+  return !!value && typeof value === 'object' && !Array.isArray(value);
+}
+
+function validateString(value, field, { required = false, max = 200 } = {}) {
+  if (value == null) {
+    return required ? `${field} is required` : null;
+  }
+  if (typeof value !== 'string' || value.trim().length === 0 || value.length > max) {
+    return `${field} must be a non-empty string up to ${max} characters`;
+  }
+  return null;
+}
+
+function validateCustomInstructions(value) {
+  if (value == null) return null;
+  if (typeof value !== 'string') return 'customInstructions must be a string';
+  if (value.length > MAX_INSTRUCTIONS_LENGTH) {
+    return `customInstructions exceed maximum length of ${MAX_INSTRUCTIONS_LENGTH} characters`;
+  }
+  return null;
+}
+
+function validateJsonShape(value, path = 'analysisConfig', depth = 0) {
+  if (depth > 20) return `${path} is too deeply nested`;
+  if (value == null || typeof value === 'boolean' || typeof value === 'number' || typeof value === 'string') {
+    return null;
+  }
+  if (Array.isArray(value)) {
+    if (value.length > 200) return `${path} has too many items`;
+    for (let i = 0; i < value.length; i++) {
+      const error = validateJsonShape(value[i], `${path}[${i}]`, depth + 1);
+      if (error) return error;
+    }
+    return null;
+  }
+  if (!isPlainObject(value)) return `${path} must contain only JSON values`;
+
+  const entries = Object.entries(value);
+  if (entries.length > 200) return `${path} has too many keys`;
+  for (const [key, child] of entries) {
+    if (FORBIDDEN_KEYS.has(key)) return `${path} contains forbidden key ${key}`;
+    const error = validateJsonShape(child, `${path}.${key}`, depth + 1);
+    if (error) return error;
+  }
+  return null;
+}
+
+function sanitizeExcludePrevious(value) {
+  if (value == null) return { error: null, value: undefined };
+  if (!isPlainObject(value)) return { error: 'excludePrevious must be an object' };
+  return {
+    error: null,
+    value: {
+      github: value.github === true,
+      feedback: value.feedback === true
+    }
+  };
+}
+
+function sanitizeEnabledLevels(value) {
+  if (value == null) return { error: null, value: undefined };
+  if (!Array.isArray(value)) return { error: 'enabledLevels must be an array' };
+
+  const levels = [];
+  for (const level of value) {
+    const number = Number(level);
+    if (![1, 2, 3].includes(number)) {
+      return { error: 'enabledLevels may only include levels 1, 2, and 3' };
+    }
+    if (!levels.includes(number)) levels.push(number);
+  }
+
+  if (levels.length === 0) return { error: 'enabledLevels must include at least one level' };
+  return { error: null, value: levels };
+}
+
+function sanitizeSingleConfig(config) {
+  let error = validateString(config.provider, 'provider', { required: true });
+  if (error) return { error };
+
+  error = validateString(config.model, 'model', { required: true });
+  if (error) return { error };
+
+  if (config.tier != null && (!VALID_TIER_SET.has(config.tier))) {
+    return { error: `tier must be one of ${VALID_TIERS.join(', ')}` };
+  }
+
+  // The modal builds two related fields: `instructions` carries the *effective*
+  // prompt (selected preset chips concatenated with the textarea) while
+  // `customInstructions` is the raw textarea only. Persist the effective prompt
+  // so bulk-launched analyses see the same prompt the modal showed the user —
+  // otherwise any chosen preset chips are silently dropped.
+  const effectiveInstructions = config.instructions || config.customInstructions;
+
+  error = validateCustomInstructions(effectiveInstructions);
+  if (error) return { error };
+
+  const enabledLevels = sanitizeEnabledLevels(config.enabledLevels);
+  if (enabledLevels.error) return { error: enabledLevels.error };
+
+  const excludePrevious = sanitizeExcludePrevious(config.excludePrevious);
+  if (excludePrevious.error) return { error: excludePrevious.error };
+
+  // Defense in depth: the bulk replay path forwards this stored pair straight to
+  // analysis with no client-side guard. If the model does not belong to the
+  // provider (a mismatched pair that slipped past the client resolver), fall back
+  // to the provider's own default rather than forwarding an invalid pair. Unknown
+  // providers (custom/unavailable, not in the registry) pass through unchanged.
+  let normalizedModel = config.model;
+  const providerInfo = getAllProvidersInfo().find(p => p.id === config.provider);
+  if (providerInfo && !providerInfo.models.some(m => m.id === config.model)) {
+    normalizedModel = providerInfo.defaultModel || config.model;
+  }
+
+  return {
+    error: null,
+    config: {
+      provider: config.provider,
+      model: normalizedModel,
+      tier: config.tier,
+      customInstructions: effectiveInstructions || null,
+      enabledLevels: enabledLevels.value,
+      skipLevel3: config.skipLevel3 === true,
+      noLevels: config.noLevels === true,
+      excludePrevious: excludePrevious.value
+    }
+  };
+}
+
+function sanitizeCouncilConfig(config) {
+  // configType selects which downstream validator runs, so reject unrecognized
+  // values rather than silently coercing them (which could route councilConfig
+  // through the wrong validator).
+  if (config.configType != null && !VALID_CONFIG_TYPES.has(config.configType)) {
+    return { error: `configType must be one of ${[...VALID_CONFIG_TYPES].join(', ')}` };
+  }
+  const configType = config.configType || 'advanced';
+
+  let error = validateString(config.councilId, 'councilId', { max: 128 });
+  if (error) return { error };
+
+  if (config.councilName != null) {
+    error = validateString(config.councilName, 'councilName', { max: 200 });
+    if (error) return { error };
+  }
+
+  error = validateCustomInstructions(config.customInstructions);
+  if (error) return { error };
+
+  const excludePrevious = sanitizeExcludePrevious(config.excludePrevious);
+  if (excludePrevious.error) return { error: excludePrevious.error };
+
+  if (!config.councilId && !config.councilConfig) {
+    return { error: 'Either councilId or councilConfig is required' };
+  }
+
+  let councilConfig;
+  if (config.councilConfig != null) {
+    const shapeError = validateJsonShape(config.councilConfig, 'councilConfig');
+    if (shapeError) return { error: shapeError };
+
+    councilConfig = normalizeCouncilConfig(config.councilConfig, configType);
+    const councilError = validateCouncilConfig(councilConfig, configType);
+    if (councilError) return { error: `Invalid council config: ${councilError}` };
+  }
+
+  return {
+    error: null,
+    config: {
+      isCouncil: true,
+      configType,
+      // When an inline snapshot is stored, drop councilId so the downstream
+      // analysis route is forced to use the exact modal-selected councilConfig
+      // rather than re-fetching (and possibly diverging from) the DB record.
+      councilId: councilConfig ? undefined : (config.councilId || undefined),
+      councilName: config.councilName || null,
+      councilConfig,
+      customInstructions: config.customInstructions || null,
+      excludePrevious: excludePrevious.value
+    }
+  };
+}
+
+function sanitizeAnalysisConfig(config) {
+  if (!isPlainObject(config)) {
+    return { error: 'analysisConfig object required' };
+  }
+
+  const shapeError = validateJsonShape(config);
+  if (shapeError) return { error: shapeError };
+
+  if (config.isCouncil === true) {
+    return sanitizeCouncilConfig(config);
+  }
+  return sanitizeSingleConfig(config);
+}
+
+router.post('/api/bulk-analysis-configs', (req, res) => {
+  try {
+    const result = sanitizeAnalysisConfig(req.body?.analysisConfig);
+    if (result.error) {
+      return res.status(400).json({ error: result.error });
+    }
+
+    pruneExpired();
+
+    const id = crypto.randomUUID();
+    configs.set(id, {
+      analysisConfig: result.config,
+      expiresAt: Date.now() + CONFIG_TTL_MS
+    });
+    enforceMaxConfigs();
+
+    res.json({ success: true, id, expiresInMs: CONFIG_TTL_MS });
+  } catch (error) {
+    logger.error('Failed to store bulk analysis config:', error);
+    res.status(500).json({ error: 'Failed to store bulk analysis config' });
+  }
+});
+
+router.get('/api/bulk-analysis-configs/:id', (req, res) => {
+  const { id } = req.params;
+  pruneExpired();
+
+  const entry = configs.get(id);
+  if (!entry) {
+    return res.status(404).json({ error: 'Bulk analysis config not found' });
+  }
+
+  res.json({
+    success: true,
+    analysisConfig: entry.analysisConfig
+  });
+});
+
+function _resetBulkAnalysisConfigs() {
+  configs.clear();
+}
+
+function _getBulkAnalysisConfig(id) {
+  const entry = configs.get(id);
+  return entry ? entry.analysisConfig : null;
+}
+
+module.exports = router;
+module.exports._resetBulkAnalysisConfigs = _resetBulkAnalysisConfigs;
+module.exports._getBulkAnalysisConfig = _getBulkAnalysisConfig;
+module.exports._pruneExpired = pruneExpired;
+module.exports._CONFIG_TTL_MS = CONFIG_TTL_MS;
+module.exports._MAX_CONFIGS = MAX_CONFIGS;
+module.exports._sanitizeAnalysisConfig = sanitizeAnalysisConfig;

package/src/routes/config.js

@@ -23,11 +23,16 @@ const { normalizeRepository } = require('../utils/paths');
 const {
   isRunningViaNpx,
   getGitHubToken,
+  getDefaultProvider,
+  getDefaultModel,
+  resolveHostBinding,
+  resolveBindingRepositoryFromPR,
   getSummaryEnabled,
   getSummaryAutoGenerate,
   getTourEnabled,
   getTourAutoGenerate
 } = require('../config');
+const { resolveRepoLinks } = require('../links/repo-links');
 const { version } = require('../../package.json');
 const semver = require('semver');
 const { getAllChatProviders, getAllCachedChatAvailability } = require('../chat/chat-providers');
@@ -70,10 +75,54 @@ router.get('/runtime-config.js', (req, res) => {
 
 /**
  * Get user configuration (for frontend use)
- * Returns safe-to-expose configuration values
+ * Returns safe-to-expose configuration values.
+ *
+ * GitHub token presence is reported with two distinct fields:
+ *   - has_global_github_token: always present. True iff `getGitHubToken(config)`
+ *     resolves a token from the top-level config / env (no repo context).
+ *   - has_github_token: present ONLY when both ?owner and ?repo query
+ *     parameters are supplied. True iff a token can be resolved for that
+ *     specific repository via `resolveHostBinding(repo, config)` — this
+ *     covers repo-scoped `token`, `token_command`, alt-host bindings, AND
+ *     falls through to the global lookup. Callers that know which repo
+ *     they're rendering should pass these params so that repo-scoped
+ *     authentication is reflected accurately (e.g. for deciding whether
+ *     to enable GitHub-comment dedup). When the params are absent, the
+ *     repo-aware field is omitted entirely — there is no safe default
+ *     that doesn't risk silently meaning the wrong thing.
+ */
+/**
+ * Resolve a coherent default provider/model PAIR for the frontend.
+ *
+ * `default_provider` and `default_model` seed the bulk modal, auto-analyze, and
+ * the manual analyze dialog as a single selection, so they must belong together.
+ * An explicitly configured model wins (the user opted into it). When no model is
+ * configured, derive it from the selected provider's own default rather than the
+ * provider-agnostic global default — otherwise a provider-only override (e.g.
+ * `default_provider: 'gemini'`) would pair with an Anthropic model like 'opus'.
+ *
+ * @param {Object} config - Configuration object
+ * @returns {{ provider: string, model: string }}
  */
+function resolveDefaultProviderModel(config) {
+  const provider = getDefaultProvider(config);
+  const providerInfo = getAllProvidersInfo().find(p => p.id === provider);
+  const explicitModel = config.default_model || config.model;
+  // Only honour an explicit model if it actually belongs to the selected provider.
+  // `DEFAULT_CONFIG.default_model` is always populated (e.g. 'opus'), so a
+  // provider-only override like `default_provider: 'gemini'` would otherwise inherit
+  // a foreign Anthropic model and return a mismatched pair. When the model does not
+  // belong to the provider, derive a coherent default from the provider itself.
+  const modelBelongs = explicitModel && providerInfo?.models?.some(m => m.id === explicitModel);
+  if (modelBelongs) {
+    return { provider, model: explicitModel };
+  }
+  return { provider, model: providerInfo?.defaultModel || getDefaultModel(config) };
+}
+
 router.get('/api/config', (req, res) => {
   const config = req.app.get('config') || {};
+  const defaultPair = resolveDefaultProviderModel(config);
 
   // Build chat_providers array with availability
   const chatAvailability = getAllCachedChatAvailability();
@@ -81,13 +130,34 @@ router.get('/api/config', (req, res) => {
     id: p.id, name: p.name, type: p.type, available: chatAvailability[p.id]?.available || false
   }));
 
+  // Repo-aware token resolution (opt-in via ?owner & ?repo query params).
+  // Both must be non-empty strings; missing/partial params fall back to the
+  // global-only response shape.
+  const { owner, repo } = req.query;
+  const hasRepoContext = typeof owner === 'string' && owner.length > 0
+    && typeof repo === 'string' && repo.length > 0;
+
+  const hasGlobalGithubToken = Boolean(getGitHubToken(config));
+  let hasRepoGithubToken = null;
+  if (hasRepoContext) {
+    const repository = `${owner}/${repo}`;
+    // resolveHostBinding already falls through to top-level config when
+    // no repo-scoped token is configured, so this is a true union of
+    // "repo-scoped binding works" OR "global token works".
+    hasRepoGithubToken = Boolean(resolveHostBinding(repository, config).token);
+  }
+
   // Only return safe configuration values (not secrets like github_token)
   res.json({
     version,
     theme: config.theme || 'light',
-    has_github_token: Boolean(getGitHubToken(config)),
+    has_global_github_token: hasGlobalGithubToken,
+    // Repo-aware field — only included when owner+repo were supplied.
+    ...(hasRepoContext ? { has_github_token: hasRepoGithubToken } : {}),
     comment_button_action: config.comment_button_action || 'submit',
     comment_format: config.comment_format || 'legacy',
+    default_provider: defaultPair.provider,
+    default_model: defaultPair.model,
     // Include npx detection for frontend command examples
     is_running_via_npx: isRunningViaNpx(),
     enable_chat: config.enable_chat !== false,
@@ -215,6 +285,35 @@ router.get('/api/repos/:owner/:repo/settings', async (req, res) => {
   }
 });
 
+/**
+ * Get repository-specific header link configuration.
+ * Reads `config.repos["owner/repo"].links` and returns:
+ *   - external: { label, url_template, icon } | null
+ *   - github: boolean (false means hide the default GitHub link)
+ *   - graphite: boolean (false means hide the Graphite link)
+ *
+ * The icon SVG is sanitised server-side (script tags, on* handlers, and
+ * `javascript:` URLs stripped). The url_template is NOT substituted here —
+ * the frontend has the live PR/branch context, so it performs the
+ * whitelisted substitution at render time.
+ */
+router.get('/api/repos/:owner/:repo/links', (req, res) => {
+  try {
+    const { owner, repo } = req.params;
+    const repository = normalizeRepository(owner, repo);
+    const config = req.app.get('config') || {};
+    // Resolve via bindingRepository so monorepo-style configs (one
+    // `repos[...]` entry serving many captured owner/repo via
+    // url_pattern) surface the right link config.
+    const bindingRepository = resolveBindingRepositoryFromPR(owner, repo, config);
+    const links = resolveRepoLinks(config, bindingRepository);
+    res.json({ repository, links });
+  } catch (error) {
+    logger.error('Error resolving repo links:', error);
+    res.status(500).json({ error: 'Failed to resolve repository links' });
+  }
+});
+
 /**
  * Save repository-specific settings
  * Saves default_instructions, default_provider, and/or default_model for the repository
@@ -425,3 +524,4 @@ function _resetPendingUpdate() {
 
 module.exports = router;
 module.exports._resetPendingUpdate = _resetPendingUpdate;
+module.exports._resolveDefaultProviderModel = resolveDefaultProviderModel;

package/src/routes/external-comments.js

@@ -34,8 +34,9 @@ const router = express.Router();
  * Default dependencies for the sync flow. Tests override these via the
  * `externalCommentsDeps` Express app setting (or by passing `_deps` to
  * `executeSync` directly). Credential resolution is delegated to the
- * adapter via `adapter.resolveCredentials(config)` — keeps the route
- * source-agnostic and lets each adapter name its own env var in errors.
+ * adapter via `adapter.resolveCredentials(config, repository)` — keeps the
+ * route source-agnostic, lets each adapter name its own env var in errors,
+ * and threads the repo through so per-repo alt-host bindings apply.
  */
 const defaults = {
   getAdapter
@@ -115,7 +116,7 @@ function isPRMode(review) {
  * @param {Object} params.config - Server config (for token lookup)
  * @param {Object} params.review - Validated review row
  * @param {string} params.source - Adapter source name (e.g. 'github')
- * @param {Object} [params._deps] - Test overrides for { GitHubClient, getGitHubToken, getAdapter }
+ * @param {Object} [params._deps] - Test overrides for { GitHubClient, getGitHubToken, getAdapter, resolveHostBinding, resolveBindingRepositoryFromPR }
  * @returns {Promise<{count: number, lostAnchors: number, syncedAt: string}>}
  */
 async function executeSync({ db, config, review, source, _deps }) {
@@ -124,12 +125,9 @@ async function executeSync({ db, config, review, source, _deps }) {
   // Look up adapter — throws on unknown sources, caught by the route.
   const adapter = deps.getAdapter(source);
 
-  // Delegate credential resolution to the adapter so the route stays
-  // source-agnostic and each adapter can name its own env var in errors.
-  // The adapter throws (e.g. GitHubApiError 401) when credentials are
-  // missing — the route's catch maps it to a 401 response.
-  const { client } = adapter.resolveCredentials(config || {}, _deps);
-
+  // Parse owner/repo BEFORE resolving credentials: the repository drives
+  // binding-aware credential resolution (per-repo api_host/token for
+  // alt-host repos), so it must be validated first.
   const [owner, repo] = String(review.repository).split('/');
   if (!owner || !repo) {
     throw new BadRequestError(
@@ -137,6 +135,18 @@ async function executeSync({ db, config, review, source, _deps }) {
     );
   }
 
+  // Delegate credential resolution to the adapter so the route stays
+  // source-agnostic and each adapter can name its own env var in errors.
+  // Thread `review.repository` through so the adapter resolves the
+  // repo-scoped host binding (alt-host api_host + repo token) instead of
+  // always targeting api.github.com with the top-level github.com token.
+  // The adapter throws (e.g. GitHubApiError 401) when credentials are
+  // missing — the route's catch maps it to a 401 response.
+  // `isAltHost` reflects whether the resolved binding targets an alternate
+  // Git host. Alt-hosts don't implement GitHub's deprecated `position`
+  // field, so it drives line-based anchoring in `mapComment` below.
+  const { client, isAltHost } = adapter.resolveCredentials(config || {}, review.repository, _deps);
+
   const apiRows = await adapter.fetchComments({
     client,
     owner,
@@ -156,7 +166,7 @@ async function executeSync({ db, config, review, source, _deps }) {
   for (const apiRow of apiRows || []) {
     let mapped;
     try {
-      mapped = adapter.mapComment(apiRow);
+      mapped = adapter.mapComment(apiRow, { isAltHost });
     } catch (mapError) {
       // A malformed row from the source shouldn't kill the whole sync — log
       // it and keep going. The adapter only throws for genuinely malformed

package/src/routes/github-collections.js

@@ -161,7 +161,9 @@ function registerCollection(def) {
       }
 
       const config = req.app.get('config');
-      const githubToken = getGitHubToken(config);
+      // Cross-repo search on github.com — no per-repo binding applies here.
+      // Explicit `undefined` repository selects the no-repo (top-level) path.
+      const githubToken = getGitHubToken(config, undefined);
       if (!githubToken) {
         return res.status(401).json({ success: false, error: 'GitHub token not configured' });
       }