@in-the-loop-labs/pair-review 3.6.0 → 3.7.1

package/src/links/repo-links.js

@@ -0,0 +1,230 @@
+// Copyright 2026 Tim Perkins (tjwp) | SPDX-License-Identifier: Apache-2.0
+/**
+ * Repo Links Resolver
+ *
+ * Resolves per-repo header link configuration. Configuration shape:
+ *
+ *   "links": {
+ *     "external": { "label": "...", "url_template": "https://...", "icon": "<svg ...>...</svg>" },
+ *     "github": false,    // hide default GitHub link
+ *     "graphite": false   // hide Graphite stack link
+ *   }
+ *
+ * Public API:
+ *
+ *   substituteUrlTemplate(template, context)
+ *       — Replace whitelisted placeholders `{owner}`, `{repo}`, `{number}`,
+ *         `{branch}`, `{base_branch}`, `{head_sha}` with URL-encoded values
+ *         from `context`. Returns `null` if the resulting URL does not start
+ *         with `https://` or if the template is malformed.
+ *
+ *   sanitizeSvgIcon(svg)
+ *       — Strip `<script>` tags, on* event-handler attributes, and
+ *         `javascript:` URLs. Returns the sanitised SVG string, or null if
+ *         the value is not a string that looks like SVG markup.
+ *
+ *   resolveRepoLinks(config, repository)
+ *       — Returns `{ external, github, graphite }` for the given
+ *         `owner/repo`. The booleans are normalised: any non-false value (or
+ *         absence) becomes `true`. `external` is `null` unless valid, with
+ *         the icon already sanitised.
+ */
+
+const { getRepoConfig } = require('../config');
+const logger = require('../utils/logger');
+
+// Whitelist of allowed `{placeholder}` names. Anything else in the template
+// is left unsubstituted (so a malformed template surfaces visually rather
+// than silently producing the wrong URL).
+const ALLOWED_PLACEHOLDERS = new Set([
+  'owner', 'repo', 'number', 'branch', 'base_branch', 'head_sha'
+]);
+
+// Matches HTML on* event-handler attributes regardless of quoting style.
+// Used to strip dangerous attributes from user-supplied SVG icons.
+const ON_HANDLER_RE = /\s+on[a-zA-Z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/g;
+
+// Matches a complete `<script ...>...</script>` block (including the open
+// and close tags) with case-insensitive, dot-matches-newline semantics so
+// payload bodies that span lines are removed in one pass.
+const SCRIPT_BLOCK_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
+
+// Matches standalone <script ...> open tags missing a closing tag — strip
+// them as well so a half-broken payload can't slip through.
+const SCRIPT_OPEN_RE = /<script\b[^>]*>/gi;
+
+// Matches values that begin with `javascript:` (anchor href, attribute
+// values). Captures the leading quote so we can preserve attribute syntax.
+const JS_URL_RE = /(["'=])\s*javascript:[^"'\s>]*/gi;
+
+/**
+ * Substitute whitelisted `{placeholder}` tokens in a URL template.
+ *
+ * Behaviour:
+ *   - Only `{owner}`, `{repo}`, `{number}`, `{branch}`, `{base_branch}`,
+ *     and `{head_sha}` are substituted. Other tokens are left as-is so
+ *     misconfigurations are visible.
+ *   - Each substituted value is run through `encodeURIComponent()` to
+ *     prevent injection of additional path segments or query params.
+ *   - The result is rejected (returns `null`) unless it starts with
+ *     `https://`, the same invariant `validateRepoConfig` enforces at
+ *     startup. This is defence-in-depth: a template like
+ *     `https://{owner}.example/foo` is technically `https://` at config
+ *     time but could be subverted at substitution time if `{owner}` were
+ *     unescaped — `encodeURIComponent` protects against that.
+ *
+ * @param {string} template
+ * @param {Object} context
+ * @param {string} [context.owner]
+ * @param {string} [context.repo]
+ * @param {number|string} [context.number]
+ * @param {string} [context.branch]
+ * @param {string} [context.base_branch]
+ * @param {string} [context.head_sha]
+ * @returns {string|null} Substituted URL, or null if it fails validation
+ */
+function substituteUrlTemplate(template, context) {
+  if (typeof template !== 'string' || !template) return null;
+  const ctx = context || {};
+
+  const substituted = template.replace(/\{([a-zA-Z_]+)\}/g, (match, name) => {
+    if (!ALLOWED_PLACEHOLDERS.has(name)) return match;
+    const value = ctx[name];
+    if (value === undefined || value === null || value === '') return match;
+    return encodeURIComponent(String(value));
+  });
+
+  if (!substituted.startsWith('https://')) return null;
+  // If any unsubstituted whitelisted placeholders remain, the URL is
+  // incomplete — reject rather than producing a broken link.
+  for (const placeholder of ALLOWED_PLACEHOLDERS) {
+    if (substituted.includes(`{${placeholder}}`)) return null;
+  }
+  return substituted;
+}
+
+/**
+ * Strip dangerous content from user-supplied SVG markup.
+ *
+ * Removes:
+ *   - `<script>...</script>` blocks (paired or unpaired)
+ *   - All `on*=` event-handler attributes
+ *   - Attribute values starting with `javascript:` (sets them to empty)
+ *
+ * This is the bare-minimum sanitisation called out in the plan. The
+ * frontend additionally re-parses the SVG via DOMParser before injecting
+ * it into the DOM, so any script-like content that slips through gets a
+ * second filter at insertion time.
+ *
+ * @param {string} svg
+ * @returns {string|null} Sanitised SVG, or null if the input is not a
+ *                        string that looks like SVG markup.
+ */
+function sanitizeSvgIcon(svg) {
+  if (typeof svg !== 'string' || !svg.trim()) return null;
+  // Sanity check: the value should at least look like SVG markup. If it
+  // doesn't, refuse — `<svg ...>` is the only contract.
+  if (!/<svg\b/i.test(svg)) return null;
+
+  let cleaned = svg
+    .replace(SCRIPT_BLOCK_RE, '')
+    .replace(SCRIPT_OPEN_RE, '')
+    .replace(ON_HANDLER_RE, '')
+    // Replace dangerous javascript: URLs with empty strings, preserving
+    // the surrounding quote character so the attribute remains parseable.
+    .replace(JS_URL_RE, (_match, lead) => `${lead}`);
+
+  // Final guard: if any of the dangerous patterns survived (e.g.
+  // mismatched encoding tricks), reject the whole icon.
+  if (/<script\b/i.test(cleaned)) return null;
+  if (/\son[a-zA-Z]+\s*=/i.test(cleaned)) return null;
+  if (/javascript:/i.test(cleaned)) return null;
+
+  return cleaned;
+}
+
+/**
+ * Resolve link configuration for a repo. Reads `repos[owner/repo].links`
+ * and produces a normalised object the frontend can act on without
+ * further interpretation.
+ *
+ * `links.github` and `links.graphite` are booleans that gate the default
+ * built-in links. Anything that isn't an explicit `false` (including
+ * `undefined` and `true`) leaves the link enabled — preserving current
+ * behaviour for repos that omit the `links` block entirely.
+ *
+ * For the external link, the icon is sanitised here, server-side. If
+ * sanitisation strips the icon entirely (e.g. the input was hostile or
+ * malformed), a warning is logged and `icon` becomes `null` — the link
+ * is still rendered, just without a custom icon.
+ *
+ * @param {Object} config
+ * @param {string} repository  Canonical `owner/repo` identifier
+ * @returns {{ external: { label: string, url_template: string, icon: string|null }|null,
+ *             github: boolean,
+ *             graphite: boolean }}
+ */
+function resolveRepoLinks(config, repository) {
+  const result = { external: null, github: true, graphite: true };
+  if (!config || !repository) return result;
+
+  const repoConfig = getRepoConfig(config, repository);
+  if (!repoConfig || typeof repoConfig !== 'object') return result;
+
+  const links = repoConfig.links;
+  if (!links || typeof links !== 'object') return result;
+
+  if (links.github === false) result.github = false;
+  if (links.graphite === false) result.graphite = false;
+
+  const ext = links.external;
+  if (ext && typeof ext === 'object'
+      && typeof ext.label === 'string' && ext.label
+      && typeof ext.url_template === 'string'
+      && ext.url_template.startsWith('https://')) {
+    let icon = null;
+    if (ext.icon !== undefined && ext.icon !== null && ext.icon !== '') {
+      icon = sanitizeSvgIcon(ext.icon);
+      if (icon === null) {
+        logger.warn(
+          `Dropping links.external.icon for "${repository}" — failed sanitisation.`
+        );
+      }
+    }
+    result.external = {
+      // Optional host display name (e.g. "Meteorite"). When absent, the
+      // field is null and consumers fall back to "GitHub" via resolveHostName.
+      name: (typeof ext.name === 'string' && ext.name) ? ext.name : null,
+      label: ext.label,
+      url_template: ext.url_template,
+      icon
+    };
+  }
+
+  return result;
+}
+
+/**
+ * Resolve the display name of the remote code host for a repo, for use in
+ * user-facing text in place of the literal "GitHub".
+ *
+ * Returns `repos[owner/repo].links.external.name` when configured, otherwise
+ * `"GitHub"`. This is the server-side counterpart to the frontend
+ * `window.RepoLinks.hostName()` accessor.
+ *
+ * @param {Object} config
+ * @param {string} repository  Canonical `owner/repo` identifier
+ * @returns {string} The configured host name, or "GitHub" by default
+ */
+function resolveHostName(config, repository) {
+  const links = resolveRepoLinks(config, repository);
+  return (links.external && links.external.name) ? links.external.name : 'GitHub';
+}
+
+module.exports = {
+  substituteUrlTemplate,
+  sanitizeSvgIcon,
+  resolveRepoLinks,
+  resolveHostName,
+  ALLOWED_PLACEHOLDERS,
+};

package/src/local-review.js

@@ -4,7 +4,7 @@ const { promisify } = require('util');
 const crypto = require('crypto');
 const path = require('path');
 const fs = require('fs').promises;
-const { loadConfig, showWelcomeMessage, resolveDbName, getGitHubToken } = require('./config');
+const { loadConfig, showWelcomeMessage, resolveDbName, getGitHubToken, resolveHostBinding } = require('./config');
 const logger = require('./utils/logger');
 const { rejectUrlLikeLocalReviewPath } = require('./utils/local-path-input');
 const { fireHooks, hasHooks } = require('./hooks/hook-runner');
@@ -791,11 +791,14 @@ async function setupLocalReviewSession({ db, config, repoPath, flags = {} }) {
   let branchInfo = null;
   if (!includesBranch(scopeStart)) {
     const untrackedFiles = await getUntrackedFiles(repoPath);
+    // Resolve binding so alt-host repos look up PRs on the right host.
+    const branchBinding = repository ? resolveHostBinding(repository, config) : null;
     branchInfo = await module.exports.detectAndBuildBranchInfo(repoPath, branch, {
       repository,
       diff,
       untrackedFiles,
-      githubToken: getGitHubToken(config),
+      githubToken: branchBinding?.token || getGitHubToken(config),
+      hostBinding: branchBinding,
       enableGraphite: config.enable_graphite === true
     });
     if (branchInfo) {
@@ -1038,11 +1041,12 @@ async function getFirstCommitSubject(repoPath, baseBranch) {
  * @param {string} [options.diff] - The uncommitted diff content (empty = eligible)
  * @param {Array} [options.untrackedFiles] - Untracked files array (empty = eligible)
  * @param {string} [options.githubToken] - Resolved GitHub token for PR lookup
+ * @param {Object} [options.hostBinding] - Resolved host binding (apiHost/token/features) for alt-host PR lookup
  * @param {boolean} [options.enableGraphite] - When true, try Graphite CLI for parent branch
  * @returns {Promise<{baseBranch: string, commitCount: number, source: string, prNumber?: number}|null>}
  */
 async function detectAndBuildBranchInfo(repoPath, branch, options = {}) {
-  const { repository, diff, untrackedFiles, githubToken, enableGraphite } = options;
+  const { repository, diff, untrackedFiles, githubToken, hostBinding, enableGraphite } = options;
 
   // Guard: detached HEAD, has uncommitted changes, or has untracked files
   if (branch === 'HEAD') return null;
@@ -1051,7 +1055,12 @@ async function detectAndBuildBranchInfo(repoPath, branch, options = {}) {
 
   try {
     const { detectBaseBranch } = require('./git/base-branch');
-    const depsOverride = githubToken ? { getGitHubToken: () => githubToken } : undefined;
+    const depsOverride = githubToken || hostBinding
+      ? {
+          getGitHubToken: () => githubToken || '',
+          getHostBinding: () => hostBinding || null
+        }
+      : undefined;
     const detection = await detectBaseBranch(repoPath, branch, {
       repository,
       enableGraphite,

package/src/main.js

@@ -1,6 +1,6 @@
 // Copyright 2026 Tim Perkins (tjwp) | SPDX-License-Identifier: Apache-2.0
 const fs = require('fs');
-const { loadConfig, getConfigDir, getGitHubToken, showWelcomeMessage, resolveDbName, resolveRepoOptions, resolvePoolConfig, getRepoResetScript, resolveLoadSkills } = require('./config');
+const { loadConfig, getConfigDir, getGitHubToken, resolveHostBinding, showWelcomeMessage, resolveDbName, resolveRepoOptions, resolvePoolConfig, getRepoResetScript, resolveLoadSkills } = require('./config');
 const { initializeDatabase, run, queryOne, query, migrateExistingWorktrees, WorktreeRepository, ReviewRepository, RepoSettingsRepository, GitHubReviewRepository, WorktreePoolRepository } = require('./database');
 const { PRArgumentParser } = require('./github/parser');
 const { GitHubClient } = require('./github/client');
@@ -26,6 +26,47 @@ const { attemptDelegation } = require('./single-port');
 
 let db = null;
 
+/**
+ * Build a user-facing "missing token" error message tailored to the
+ * resolved host binding.
+ *
+ * For github.com bindings (`apiHost === null`), suggest the legacy
+ * options: `GITHUB_TOKEN` env var, `config.github_token`, or
+ * `config.github_token_command`. For alt-host bindings, suppress those
+ * suggestions (the github.com top-level credentials are intentionally
+ * not used for alt-hosts) and point exclusively at the per-repo
+ * `token` / `token_command` keys under the resolved bindingRepository.
+ *
+ * @param {Object} params
+ * @param {string} params.owner
+ * @param {string} params.repo
+ * @param {string} params.bindingRepository - The `repos[...]` config key
+ *   that the binding lookup was performed against. May differ from
+ *   `<owner>/<repo>` for monorepo-style configs (see Fix #8).
+ * @param {string|null} params.apiHost - Resolved api_host (null = github.com)
+ * @returns {string}
+ */
+function buildMissingTokenError({ owner, repo, bindingRepository, apiHost }) {
+  if (apiHost) {
+    return (
+      `GitHub token not found for alt-host repo ${owner}/${repo} (${apiHost}). ` +
+      `GITHUB_TOKEN and top-level github_token/github_token_command are github.com-only ` +
+      `and are not used for alt-hosts. Configure ` +
+      `\`config.repos["${bindingRepository}"].token\` or ` +
+      `\`config.repos["${bindingRepository}"].token_command\` ` +
+      `(e.g., "althost-cli auth token"). Run: npx pair-review --configure`
+    );
+  }
+  return (
+    `GitHub token not found for ${owner}/${repo}. ` +
+    `Set GITHUB_TOKEN env var, or configure a token at ` +
+    `\`config.repos["${bindingRepository}"].token\` or ` +
+    `\`config.repos["${bindingRepository}"].token_command\`, or set ` +
+    `top-level \`github_token\` / \`github_token_command\` ` +
+    `(e.g., "gh auth token"). Run: npx pair-review --configure`
+  );
+}
+
 /**
  * Detect PR information from GitHub Actions environment variables.
  * Returns null if not in GitHub Actions or PR info cannot be determined.
@@ -118,8 +159,9 @@ OPTIONS:
                             The web UI also starts for the human reviewer.
     --model <name>          Override the AI model. Claude Code is the default provider.
                             Available models: opus, sonnet, haiku (Claude Code);
-                            also: opus-4.8-xhigh, opus-4.8-high, opus-4.7-xhigh,
-                                  opus-4.7-high, opus-4.6-high, opus-4.6-1m, sonnet-4.6
+                            also: fable-5-xhigh, fable-5-high, opus-4.8-xhigh,
+                                  opus-4.8-high, opus-4.7-xhigh, opus-4.7-high,
+                                  opus-4.6-high, opus-4.6-1m, sonnet-4.6
                             (opus is Opus 4.7 XHigh, the default)
                             or use provider-specific models with Gemini/Codex
     --use-checkout          Use current directory instead of creating worktree
@@ -573,16 +615,33 @@ AI PROVIDERS:
  */
 async function handlePullRequest(args, config, db, flags = {}, poolLifecycle = null) {
   try {
-    // Get GitHub token (env var takes precedence over config)
-    const githubToken = getGitHubToken(config);
-    if (!githubToken) {
-      throw new Error('GitHub token not found. Set GITHUB_TOKEN env var, add github_token to config, or set github_token_command (e.g., "gh auth token"). Run: npx pair-review --configure');
-    }
-
-    // Parse PR arguments
-    const parser = new PRArgumentParser();
+    // Parse PR arguments FIRST — pass config so url_pattern matching for
+    // alternate hosts can resolve pasted URLs to the canonical
+    // owner/repo before falling back to GitHub/Graphite parsers.
+    // We must know the target repo before resolving its token, so that
+    // repo-scoped tokens, repo-scoped token_command entries, and alt-host
+    // configurations are honored. A no-repository token preflight only
+    // sees env + top-level credentials and would reject valid configs.
+    const parser = new PRArgumentParser(config);
     const prInfo = await parser.parsePRArguments(args);
 
+    // Resolve token via repo-aware host binding so alt-host and
+    // repo-scoped credentials are respected. When a per-repo
+    // `url_pattern` matched, prefer its `bindingRepository` — that's the
+    // matched `repos[...]` config key, which may differ from the
+    // captured `${owner}/${repo}` for monorepo-style patterns.
+    const repositoryForBinding = prInfo.bindingRepository
+      || normalizeRepository(prInfo.owner, prInfo.repo);
+    const binding = resolveHostBinding(repositoryForBinding, config);
+    if (!binding.token) {
+      throw new Error(buildMissingTokenError({
+        owner: prInfo.owner,
+        repo: prInfo.repo,
+        bindingRepository: repositoryForBinding,
+        apiHost: binding.apiHost
+      }));
+    }
+
     // Register cwd as known repo path if it matches the target repo
     const currentDir = parser.getCurrentDirectory();
     const isMatchingRepo = await parser.isMatchingRepository(currentDir, prInfo.owner, prInfo.repo);
@@ -677,20 +736,33 @@ async function performHeadlessReview(args, config, db, flags, options, externalP
   let poolLifecycle = null;
 
   try {
-    // Get GitHub token (env var takes precedence over config)
-    const githubToken = getGitHubToken(config);
-    if (!githubToken) {
-      throw new Error('GitHub token not found. Set GITHUB_TOKEN env var, add github_token to config, or set github_token_command (e.g., "gh auth token"). Run: npx pair-review --configure');
-    }
-
-    // Parse PR arguments
-    const parser = new PRArgumentParser();
+    // Parse PR arguments — pass config so url_pattern matching for
+    // alternate hosts can resolve pasted URLs to the canonical
+    // owner/repo before falling back to GitHub/Graphite parsers.
+    const parser = new PRArgumentParser(config);
     prInfo = await parser.parsePRArguments(args);
 
+    // Resolve host binding for the target repo (handles alt-host).
+    // Prefer `bindingRepository` (from url_pattern match) over the raw
+    // `${owner}/${repo}` since they can differ when one config entry
+    // serves many monorepo-shaped URLs.
+    const repositoryForBinding = prInfo.bindingRepository
+      || normalizeRepository(prInfo.owner, prInfo.repo);
+    const headlessBinding = resolveHostBinding(repositoryForBinding, config);
+    if (!headlessBinding.token) {
+      throw new Error(buildMissingTokenError({
+        owner: prInfo.owner,
+        repo: prInfo.repo,
+        bindingRepository: repositoryForBinding,
+        apiHost: headlessBinding.apiHost
+      }));
+    }
+    const githubToken = headlessBinding.token;
+
     console.log(`Processing pull request #${prInfo.number} from ${prInfo.owner}/${prInfo.repo} in ${options.modeLabel}`);
 
     // Create GitHub client and verify repository access
-    const githubClient = new GitHubClient(githubToken);
+    const githubClient = new GitHubClient(headlessBinding);
     const repoExists = await githubClient.repositoryExists(prInfo.owner, prInfo.repo);
     if (!repoExists) {
       throw new Error(`Repository ${prInfo.owner}/${prInfo.repo} not found or not accessible`);
@@ -786,9 +858,10 @@ async function performHeadlessReview(args, config, db, flags, options, externalP
 
         // Resolve monorepo config options (checkout_script, worktree_directory, worktree_name_template)
         // even when running from inside the target repo, so they are not silently ignored.
+        // Config lookups must use the binding key (matched `repos[...]` entry), not the PR identity.
         const repoSettingsRepo = new RepoSettingsRepository(db);
         const repoSettings = await repoSettingsRepo.getRepoSettings(repository);
-        const resolved = resolveRepoOptions(config, repository, repoSettings);
+        const resolved = resolveRepoOptions(config, repositoryForBinding, repoSettings);
         checkoutScript = resolved.checkoutScript;
         checkoutTimeout = resolved.checkoutTimeout;
         worktreeConfig = resolved.worktreeConfig;
@@ -802,8 +875,10 @@ async function performHeadlessReview(args, config, db, flags, options, externalP
           owner: prInfo.owner,
           repo: prInfo.repo,
           repository,
+          bindingRepository: repositoryForBinding,
           prNumber: prInfo.number,
           config,
+          cloneUrl: prData?.repository?.clone_url,
           onProgress: (progress) => {
             if (progress.message) {
               console.log(progress.message);
@@ -816,11 +891,12 @@ async function performHeadlessReview(args, config, db, flags, options, externalP
         checkoutTimeout = result.checkoutTimeout;
         worktreeConfig = result.worktreeConfig;
         // findRepositoryPath doesn't return pool config; resolve from DB + file config
+        // (binding key, not PR identity).
         const repoSettingsRepo = new RepoSettingsRepository(db);
         const repoSettings = await repoSettingsRepo.getRepoSettings(repository);
-        const { poolSize: resolvedPoolSize, poolFetchIntervalMinutes: _resolvedFetchInterval } = resolvePoolConfig(config, repository, repoSettings);
+        const { poolSize: resolvedPoolSize, poolFetchIntervalMinutes: _resolvedFetchInterval } = resolvePoolConfig(config, repositoryForBinding, repoSettings);
         poolSize = resolvedPoolSize || 0;
-        resetScript = config ? getRepoResetScript(config, repository) : null;
+        resetScript = config ? getRepoResetScript(config, repositoryForBinding) : null;
       }
 
       const worktreeManager = new GitWorktreeManager(db, worktreeConfig || {});
@@ -906,8 +982,11 @@ async function performHeadlessReview(args, config, db, flags, options, externalP
 
     let analysisSummary = null;
     try {
-      // Pass all instruction levels to ensure they're captured in the analysis run
-      const analysisResult = await analyzer.analyzeAllLevels(review.id, worktreePath, storedPRData, null, { globalInstructions, repoInstructions });
+      // Pass all instruction levels to ensure they're captured in the analysis run.
+      // githubClient is forwarded so the analyzer can pre-fetch existing PR review
+      // comments when callers opt in via excludePrevious.github.
+      logger.debug(`analyzer githubClient wired for ${prInfo.owner}/${prInfo.repo}#${prInfo.number}`);
+      const analysisResult = await analyzer.analyzeAllLevels(review.id, worktreePath, storedPRData, null, { globalInstructions, repoInstructions }, null, { githubClient });
       analysisSummary = analysisResult.summary;
       console.log('AI analysis completed successfully');
     } catch (analysisError) {
@@ -992,24 +1071,49 @@ Found ${validSuggestions.length} suggestion${validSuggestions.length === 1 ? ''
     // Submit review to GitHub via GraphQL (same path as web UI)
     console.log(`Submitting review with ${githubComments.length} comments...`);
 
-    const prNodeId = storedPRData.node_id;
-    if (!prNodeId) {
-      throw new Error(`PR node_id not available for ${prInfo.owner}/${prInfo.repo}#${prInfo.number}. Cannot submit review without GraphQL node ID.`);
-    }
-
     // Check for existing pending draft (GitHub only allows one per user per PR)
     const existingDraft = await githubClient.getPendingReviewForUser(
       prInfo.owner, prInfo.repo, prInfo.number
     );
 
+    // GraphQL PR node id is only required when we'll be creating a NEW
+    // GraphQL review (no existing draft to reuse) OR adding GraphQL
+    // review comments. REST and host-impl configurations address the
+    // PR by (owner, repo, prNumber) + numeric review id and ignore
+    // prNodeId; reusing an existing GraphQL draft also doesn't need
+    // the PR node id because the review node id is sufficient.
+    const willCreateNewGraphQLReview =
+      headlessBinding.features.review_lifecycle === 'graphql' && !existingDraft;
+    const willAddGraphQLComments =
+      githubComments.length > 0 && headlessBinding.features.pending_review_comments === 'graphql';
+    const needsGraphQLNodeId = willCreateNewGraphQLReview || willAddGraphQLComments;
+
+    if (needsGraphQLNodeId && !storedPRData.node_id) {
+      throw new Error(
+        `GraphQL PR node id required for ${prInfo.owner}/${prInfo.repo}#${prInfo.number} ` +
+        `(features.review_lifecycle = "${headlessBinding.features.review_lifecycle}", ` +
+        `pending_review_comments = "${headlessBinding.features.pending_review_comments}"). ` +
+        `PR record is missing node_id — refresh the PR data and try again.`
+      );
+    }
+
+    const prNodeId = storedPRData.node_id ?? null;
+
+    const submitPrContext = {
+      owner: prInfo.owner,
+      repo: prInfo.repo,
+      prNumber: prInfo.number,
+      reviewId: existingDraft?.databaseId
+    };
+
     let githubReview;
     if (options.reviewEvent === 'DRAFT') {
       githubReview = await githubClient.createDraftReviewGraphQL(
-        prNodeId, reviewBody, githubComments, existingDraft?.id
+        prNodeId, reviewBody, githubComments, existingDraft?.id, submitPrContext
       );
     } else {
       githubReview = await githubClient.createReviewGraphQL(
-        prNodeId, options.reviewEvent, reviewBody, githubComments, existingDraft?.id
+        prNodeId, options.reviewEvent, reviewBody, githubComments, existingDraft?.id, submitPrContext
       );
     }
 

package/src/routes/analyses.js

@@ -33,7 +33,8 @@ const {
   killProcesses,
   createProgressCallback
 } = require('./shared');
-const { generateLocalDiff, computeLocalDiffDigest, getCurrentBranch } = require('../local-review');
+const { generateScopedDiff, computeScopedDigest, getCurrentBranch } = require('../local-review');
+const { reviewScope } = require('../local-scope');
 const { validateCouncilConfig, normalizeCouncilConfig } = require('./councils');
 const { TIERS, TIER_ALIASES, VALID_TIERS, resolveTier } = require('../ai/prompts/config');
 
@@ -229,13 +230,34 @@ router.post('/api/analyses/results', async (req, res) => {
         });
       }
 
-      // Generate and store diff so the web UI can display it
+      // Generate and store diff so the web UI can display it. Persist to the
+      // `local_diffs` table as well as the in-memory cache so the diff survives
+      // a restart and the manual tour/summary buttons never falsely report
+      // "no-diff" for a review created via this analysis-push path.
+      //
+      // Use the review's recorded scope (mirroring the council path) — NOT the
+      // default-scope `generateLocalDiff` wrapper — so that re-using an existing
+      // review whose scope is `staged` or `branch` does not clobber its durable
+      // `local_diffs` row with a narrower default-scope patch. For brand-new
+      // reviews the upsert above created a default-scope row, so either lookup
+      // yields the correct scope; reviewScope() falls back to the default scope
+      // when the columns are unset.
+      const reviewForScope = existingReview || await reviewRepo.getLocalReviewById(reviewId);
+      const { start: scopeStart, end: scopeEnd } = reviewScope(reviewForScope);
       try {
-        const diffResult = await generateLocalDiff(localPath);
-        const digest = await computeLocalDiffDigest(localPath);
+        const diffResult = await generateScopedDiff(
+          localPath,
+          scopeStart,
+          scopeEnd,
+          reviewForScope.local_base_branch || null
+        );
+        const digest = await computeScopedDigest(localPath, scopeStart, scopeEnd);
         localReviewDiffs.set(reviewId, { diff: diffResult.diff, stats: diffResult.stats, digest });
+        await reviewRepo.saveLocalDiff(reviewId, { diff: diffResult.diff, stats: diffResult.stats, digest });
       } catch (diffError) {
-        logger.warn(`Could not generate diff for local review ${reviewId}: ${diffError.message}`);
+        // Covers both diff generation AND the durable saveLocalDiff write, so the
+        // message names both failure modes rather than only generation.
+        logger.warn(`Could not generate or persist diff for local review ${reviewId}: ${diffError.message}`);
       }
     } else {
       const repoParts = repo.split('/');
@@ -495,6 +517,7 @@ async function launchCouncilAnalysis(db, modeContext, councilConfig, councilId,
     config: modeConfig,
     excludePrevious,
     serverPort,
+    githubClient,
     providerOverrides = {},
     providerOverridesMap = null,
     hookContext = {},
@@ -606,8 +629,8 @@ async function launchCouncilAnalysis(db, modeContext, councilConfig, councilId,
     };
 
     analysisPromise = isVoiceCentric
-      ? analyzer.runReviewerCentricCouncil(reviewContext, councilConfig, { analysisId, runId, progressCallback, excludePrevious, serverPort })
-      : analyzer.runCouncilAnalysis(reviewContext, councilConfig, { analysisId, runId, progressCallback, excludePrevious, serverPort });
+      ? analyzer.runReviewerCentricCouncil(reviewContext, councilConfig, { analysisId, runId, progressCallback, excludePrevious, serverPort, githubClient })
+      : analyzer.runCouncilAnalysis(reviewContext, councilConfig, { analysisId, runId, progressCallback, excludePrevious, serverPort, githubClient });
   } catch (setupError) {
     // Synchronous setup failure — clean up the analysis hold immediately
     reviewToAnalysisId.delete(reviewId);