npm - @krotovm/gitlab-ai-review - Versions diffs - 1.0.19 → 1.0.21 - Mend

@krotovm/gitlab-ai-review 1.0.19 → 1.0.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -32,12 +32,12 @@ ai_review:
 ## Env variables
-Set these in your project/group CI settings (or locally in your shell):
+Set these in your project/group CI settings:
 - `OPENAI_API_KEY` (required)
 - `OPENAI_BASE_URL` (optional, for OpenAI-compatible providers/proxies)
 - `AI_MODEL` (optional, default: `gpt-4o-mini`; example: `gpt-4o`)
-- `PROJECT_ACCESS_TOKEN` (optional but recommended for private projects; token with `api` scope)
+- `PROJECT_ACCESS_TOKEN` (optional for public projects, but required for most private projects; token with `api` scope)
 - `GITLAB_TOKEN` (optional alias for `PROJECT_ACCESS_TOKEN`)
 `OPENAI_BASE_URL` is passed through to the `openai` SDK client, so you can use any OpenAI-compatible gateway/provider endpoint.
@@ -62,12 +62,10 @@ GitLab provides these automatically in Merge Request pipelines:
 ## Architecture
-The reviewer uses a three-pass pipeline optimised for large merge requests:
+The reviewer uses a three-pass pipeline optimized for large merge requests:
-1. **Triage** — a fast LLM call classifies each changed file as `NEEDS_REVIEW` or `SKIP` (cosmetic-only changes, docs, config) and produces a short MR summary.
-2. **Per-file review** — only `NEEDS_REVIEW` files are reviewed, each in a dedicated LLM call running in parallel (with tool access to fetch full files or grep the repository). Each file gets full model attention instead of competing for it across a single giant prompt.
-3. **Consolidate** — all per-file findings are merged, deduplicated, ranked by severity, and trimmed to the top N (default 5).
+1. **Triage** - A fast LLM pass classifies each changed file as `NEEDS_REVIEW` or `SKIP` and generates a short MR summary.
+2. **Per-file review** - Only `NEEDS_REVIEW` files are reviewed, each in a dedicated LLM call running in parallel (with tools to fetch full files or grep the repository).
+3. **Consolidate** - Per-file findings are merged, deduplicated, ranked by severity, and trimmed to top N (default 5).
 If the triage pass fails (API error, unparseable response), the pipeline falls back to the original single-pass approach automatically.
-The CI pipeline falls back to a simpler single-pass review automatically when triage cannot be used.

package/dist/cli/ci-review.js CHANGED Viewed

@@ -1,6 +1,6 @@
 /** @format */
 import OpenAI from "openai";
-import { AI_MAX_OUTPUT_TOKENS, buildAnswer, buildConsolidatePrompt, buildFileReviewPrompt, buildPrompt, buildTriagePrompt, extractCompletionText, parseTriageResponse, } from "../prompt/index.js";
+import { AI_MAX_OUTPUT_TOKENS, buildAnswer, buildConsolidatePrompt, buildFileReviewPrompt, buildPrompt, buildTriagePrompt, buildVerificationPrompt, extractCompletionText, parseTriageResponse, } from "../prompt/index.js";
 import { fetchFileAtRef, searchRepository, } from "../gitlab/services.js";
 import { logToolUsageMinimal, MAX_FILE_TOOL_ROUNDS, MAX_TOOL_ROUNDS, TOOL_NAME_GET_FILE, TOOL_NAME_GREP, } from "./tooling.js";
 function buildReviewMetadata(changes, refs) {
@@ -339,7 +339,7 @@ async function runFileReviewWithTools(params) {
 export async function reviewMergeRequestMultiPass(params) {
     const { openaiInstance, aiModel, promptLimits, changes, refs, gitLabProjectApiUrl, projectId, headers, maxFindings, reviewConcurrency, forceTools, loggers, } = params;
     const { logStep } = loggers;
-    logStep(`Pass 1/3: triaging ${changes.length} file(s)`);
+    logStep(`Pass 1/4: triaging ${changes.length} file(s)`);
     const triageInputs = changes.map((c) => ({
         path: c.new_path,
         new_file: c.new_file,
@@ -387,7 +387,7 @@ export async function reviewMergeRequestMultiPass(params) {
         const DISCLAIMER = "This comment was generated by an artificial intelligence duck.";
         return `No confirmed bugs or high-value optimizations found.\n\n---\n_${DISCLAIMER}_`;
     }
-    logStep(`Pass 2/3: reviewing ${reviewFiles.length} file(s) (concurrency=${reviewConcurrency})`);
+    logStep(`Pass 2/4: reviewing ${reviewFiles.length} file(s) (concurrency=${reviewConcurrency})`);
     const allChangedPaths = changes.map((c) => c.new_path);
     const perFileFindings = await mapWithConcurrency(reviewFiles, reviewConcurrency, async (change) => {
         const otherFiles = allChangedPaths.filter((p) => p !== change.new_path);
@@ -407,7 +407,7 @@ export async function reviewMergeRequestMultiPass(params) {
         });
         return { path: change.new_path, findings };
     });
-    logStep("Pass 3/3: consolidating findings");
+    logStep("Pass 3/4: consolidating findings");
     const consolidateMessages = buildConsolidatePrompt({
         perFileFindings,
         summary: triageResult.summary,
@@ -425,7 +425,31 @@ export async function reviewMergeRequestMultiPass(params) {
             stream: false,
             messages: consolidateMessages,
         });
-        return buildAnswer(consolidateCompletion);
+        const consolidatedText = extractCompletionText(consolidateCompletion);
+        if (consolidatedText == null || consolidatedText.trim() === "") {
+            return buildAnswer(consolidateCompletion);
+        }
+        logStep("Pass 4/4: verifying consolidated findings");
+        const verificationMessages = buildVerificationPrompt({
+            perFileFindings,
+            summary: triageResult.summary,
+            consolidatedFindings: consolidatedText,
+            maxFindings,
+        });
+        try {
+            const verificationCompletion = await openaiInstance.chat.completions.create({
+                model: aiModel,
+                temperature: 0.0,
+                max_tokens: AI_MAX_OUTPUT_TOKENS,
+                stream: false,
+                messages: verificationMessages,
+            });
+            return buildAnswer(verificationCompletion);
+        }
+        catch (error) {
+            logStep(`Verification failed: ${error?.message ?? error}. Returning consolidated findings.`);
+            return buildAnswer(consolidateCompletion);
+        }
     }
     catch (error) {
         logStep(`Consolidation failed: ${error?.message ?? error}. Returning raw per-file findings.`);

package/dist/cli.js CHANGED Viewed

@@ -30,7 +30,7 @@ function printHelp() {
         "  OPENAI_API_KEY (required)  OpenAI API key.",
         "  OPENAI_BASE_URL (optional)  Custom OpenAI-compatible API base URL.",
         "  AI_MODEL      (optional)  OpenAI chat model, e.g. gpt-4o. Default: gpt-4o-mini.",
-        "  PROJECT_ACCESS_TOKEN (optional)  GitLab Project/Personal Access Token for API calls (recommended for private projects).",
+        "  PROJECT_ACCESS_TOKEN (optional)  GitLab Project/Personal Access Token for API calls (required for most private repos; should have api scope).",
         "",
         "CI-only env vars (provided by GitLab):",
         "  CI_API_V4_URL, CI_PROJECT_ID, CI_MERGE_REQUEST_IID, CI_JOB_TOKEN (only if PROJECT_ACCESS_TOKEN is not set)",

package/dist/prompt/index.js CHANGED Viewed

@@ -9,7 +9,7 @@ export const DEFAULT_PROMPT_LIMITS = {
 const MESSAGES = buildMainSystemMessages();
 export const AI_MODEL_TEMPERATURE = 0.2;
 export const AI_MAX_OUTPUT_TOKENS = 600;
-export const buildPrompt = ({ changes, limits, allowTools = false, additionalContext, }) => {
+export const buildPrompt = ({ changes, limits, allowTools = false, }) => {
     const effectiveLimits = {
         ...DEFAULT_PROMPT_LIMITS,
         ...(limits ?? {}),
@@ -36,9 +36,6 @@ export const buildPrompt = ({ changes, limits, allowTools = false, additionalCon
     const userContent = [
         `Review the following code changes (git diff format). ${stats}`,
         toolNote,
-        additionalContext?.trim()
-            ? `\nAdditional local context (best-effort snippets):\n${additionalContext}`
-            : "",
         "",
         "Changes:",
         changesText || "(no changes provided)",
@@ -169,6 +166,47 @@ export function buildConsolidatePrompt(params) {
         },
     ];
 }
+export function buildVerificationPrompt(params) {
+    const { perFileFindings, summary, consolidatedFindings, maxFindings } = params;
+    const findingsText = perFileFindings
+        .map((f) => `### ${f.path}\n${f.findings}`)
+        .join("\n\n");
+    return [
+        {
+            role: "system",
+            content: [
+                "You are a skeptical verifier of a merge request review.",
+                "Your job is to remove weak, speculative, or unsupported findings from the draft list.",
+                "Do not add new findings. Keep, rewrite for clarity, or remove existing findings only.",
+                "A finding can stay only if it is directly supported by evidence from the per-file findings.",
+                "If confidence is not high, drop the finding.",
+                "Preserve this exact per-finding markdown block:",
+                "`- [high|medium] <title>`",
+                "`  File: <path>`",
+                "`  Line: ~<N>`",
+                "`  Why: <one concise sentence with key evidence>`",
+                "Do not add headings, summaries, or extra commentary.",
+                `Return at most ${maxFindings} findings.`,
+                'If no findings survive verification, return exactly: "No confirmed bugs or high-value optimizations found."',
+                "GitLab-flavoured markdown.",
+            ].join("\n"),
+        },
+        {
+            role: "user",
+            content: [
+                `MR Summary: ${summary}`,
+                "",
+                "Per-file findings (evidence pool):",
+                findingsText,
+                "",
+                "Draft consolidated findings to verify:",
+                consolidatedFindings,
+                "",
+                "Return only the verified final findings.",
+            ].join("\n"),
+        },
+    ];
+}
 export function extractCompletionText(completion) {
     if (completion instanceof Error || completion == null)
         return null;

package/package.json CHANGED Viewed

@@ -1,8 +1,8 @@
 {
   "type": "module",
   "name": "@krotovm/gitlab-ai-review",
-  "version": "1.0.19",
-  "description": "CLI tool to generate AI code reviews for GitLab merge requests and local diffs.",
+  "version": "1.0.21",
+  "description": "CLI tool to generate AI code reviews for GitLab merge requests.",
   "main": "dist/cli.js",
   "bin": {
     "gitlab-ai-review": "dist/cli.js"