@krotovm/gitlab-ai-review 1.0.19 → 1.0.22

package/README.md

@@ -32,12 +32,12 @@ ai_review:
 
 ## Env variables
 
-Set these in your project/group CI settings (or locally in your shell):
+Set these in your project/group CI settings:
 
 - `OPENAI_API_KEY` (required)
 - `OPENAI_BASE_URL` (optional, for OpenAI-compatible providers/proxies)
 - `AI_MODEL` (optional, default: `gpt-4o-mini`; example: `gpt-4o`)
-- `PROJECT_ACCESS_TOKEN` (optional but recommended for private projects; token with `api` scope)
+- `PROJECT_ACCESS_TOKEN` (optional for public projects, but required for most private projects; token with `api` scope)
 - `GITLAB_TOKEN` (optional alias for `PROJECT_ACCESS_TOKEN`)
 
 `OPENAI_BASE_URL` is passed through to the `openai` SDK client, so you can use any OpenAI-compatible gateway/provider endpoint.
@@ -62,12 +62,10 @@ GitLab provides these automatically in Merge Request pipelines:
 
 ## Architecture
 
-The reviewer uses a three-pass pipeline optimised for large merge requests:
+The reviewer uses a three-pass pipeline optimized for large merge requests:
 
-1. **Triage** — a fast LLM call classifies each changed file as `NEEDS_REVIEW` or `SKIP` (cosmetic-only changes, docs, config) and produces a short MR summary.
-2. **Per-file review** — only `NEEDS_REVIEW` files are reviewed, each in a dedicated LLM call running in parallel (with tool access to fetch full files or grep the repository). Each file gets full model attention instead of competing for it across a single giant prompt.
-3. **Consolidate** — all per-file findings are merged, deduplicated, ranked by severity, and trimmed to the top N (default 5).
+1. **Triage** - A fast LLM pass classifies each changed file as `NEEDS_REVIEW` or `SKIP` and generates a short MR summary.
+2. **Per-file review** - Only `NEEDS_REVIEW` files are reviewed, each in a dedicated LLM call running in parallel (with tools to fetch full files or grep the repository).
+3. **Consolidate** - Per-file findings are merged, deduplicated, ranked by severity, and trimmed to top N (default 5).
 
 If the triage pass fails (API error, unparseable response), the pipeline falls back to the original single-pass approach automatically.
-
-The CI pipeline falls back to a simpler single-pass review automatically when triage cannot be used.

package/dist/cli/ci-review.js

@@ -1,6 +1,6 @@
 /** @format */
 import OpenAI from "openai";
-import { AI_MAX_OUTPUT_TOKENS, buildAnswer, buildConsolidatePrompt, buildFileReviewPrompt, buildPrompt, buildTriagePrompt, extractCompletionText, parseTriageResponse, } from "../prompt/index.js";
+import { buildAnswer, buildConsolidatePrompt, buildFileReviewPrompt, buildPrompt, buildTriagePrompt, buildVerificationPrompt, extractCompletionText, parseTriageResponse, } from "../prompt/index.js";
 import { fetchFileAtRef, searchRepository, } from "../gitlab/services.js";
 import { logToolUsageMinimal, MAX_FILE_TOOL_ROUNDS, MAX_TOOL_ROUNDS, TOOL_NAME_GET_FILE, TOOL_NAME_GREP, } from "./tooling.js";
 function buildReviewMetadata(changes, refs) {
@@ -219,7 +219,6 @@ export async function reviewMergeRequestWithTools(params) {
     const finalCompletion = await openaiInstance.chat.completions.create({
         model: aiModel,
         temperature: 0.2,
-        max_tokens: AI_MAX_OUTPUT_TOKENS,
         stream: false,
         messages,
     });
@@ -330,7 +329,6 @@ async function runFileReviewWithTools(params) {
     const final = await openaiInstance.chat.completions.create({
         model: aiModel,
         temperature: 0.2,
-        max_tokens: AI_MAX_OUTPUT_TOKENS,
         stream: false,
         messages,
     });
@@ -339,7 +337,7 @@ async function runFileReviewWithTools(params) {
 export async function reviewMergeRequestMultiPass(params) {
     const { openaiInstance, aiModel, promptLimits, changes, refs, gitLabProjectApiUrl, projectId, headers, maxFindings, reviewConcurrency, forceTools, loggers, } = params;
     const { logStep } = loggers;
-    logStep(`Pass 1/3: triaging ${changes.length} file(s)`);
+    logStep(`Pass 1/4: triaging ${changes.length} file(s)`);
     const triageInputs = changes.map((c) => ({
         path: c.new_path,
         new_file: c.new_file,
@@ -387,7 +385,7 @@ export async function reviewMergeRequestMultiPass(params) {
         const DISCLAIMER = "This comment was generated by an artificial intelligence duck.";
         return `No confirmed bugs or high-value optimizations found.\n\n---\n_${DISCLAIMER}_`;
     }
-    logStep(`Pass 2/3: reviewing ${reviewFiles.length} file(s) (concurrency=${reviewConcurrency})`);
+    logStep(`Pass 2/4: reviewing ${reviewFiles.length} file(s) (concurrency=${reviewConcurrency})`);
     const allChangedPaths = changes.map((c) => c.new_path);
     const perFileFindings = await mapWithConcurrency(reviewFiles, reviewConcurrency, async (change) => {
         const otherFiles = allChangedPaths.filter((p) => p !== change.new_path);
@@ -407,7 +405,7 @@ export async function reviewMergeRequestMultiPass(params) {
         });
         return { path: change.new_path, findings };
     });
-    logStep("Pass 3/3: consolidating findings");
+    logStep("Pass 3/4: consolidating findings");
     const consolidateMessages = buildConsolidatePrompt({
         perFileFindings,
         summary: triageResult.summary,
@@ -421,11 +419,33 @@ export async function reviewMergeRequestMultiPass(params) {
         const consolidateCompletion = await openaiInstance.chat.completions.create({
             model: aiModel,
             temperature: 0.1,
-            max_tokens: AI_MAX_OUTPUT_TOKENS,
             stream: false,
             messages: consolidateMessages,
         });
-        return buildAnswer(consolidateCompletion);
+        const consolidatedText = extractCompletionText(consolidateCompletion);
+        if (consolidatedText == null || consolidatedText.trim() === "") {
+            return buildAnswer(consolidateCompletion);
+        }
+        logStep("Pass 4/4: verifying consolidated findings");
+        const verificationMessages = buildVerificationPrompt({
+            perFileFindings,
+            summary: triageResult.summary,
+            consolidatedFindings: consolidatedText,
+            maxFindings,
+        });
+        try {
+            const verificationCompletion = await openaiInstance.chat.completions.create({
+                model: aiModel,
+                temperature: 0.0,
+                stream: false,
+                messages: verificationMessages,
+            });
+            return buildAnswer(verificationCompletion);
+        }
+        catch (error) {
+            logStep(`Verification failed: ${error?.message ?? error}. Returning consolidated findings.`);
+            return buildAnswer(consolidateCompletion);
+        }
     }
     catch (error) {
         logStep(`Consolidation failed: ${error?.message ?? error}. Returning raw per-file findings.`);

package/dist/cli.js

@@ -30,7 +30,7 @@ function printHelp() {
         "  OPENAI_API_KEY (required)  OpenAI API key.",
         "  OPENAI_BASE_URL (optional)  Custom OpenAI-compatible API base URL.",
         "  AI_MODEL      (optional)  OpenAI chat model, e.g. gpt-4o. Default: gpt-4o-mini.",
-        "  PROJECT_ACCESS_TOKEN (optional)  GitLab Project/Personal Access Token for API calls (recommended for private projects).",
+        "  PROJECT_ACCESS_TOKEN (optional)  GitLab Project/Personal Access Token for API calls (required for most private repos; should have api scope).",
         "",
         "CI-only env vars (provided by GitLab):",
         "  CI_API_V4_URL, CI_PROJECT_ID, CI_MERGE_REQUEST_IID, CI_JOB_TOKEN (only if PROJECT_ACCESS_TOKEN is not set)",

package/dist/gitlab/services.js

@@ -1,6 +1,6 @@
 /** @format */
 import OpenAI from "openai";
-import { AI_MAX_OUTPUT_TOKENS, AI_MODEL_TEMPERATURE } from "../prompt/index.js";
+import { AI_MODEL_TEMPERATURE } from "../prompt/index.js";
 import { GitLabError, OpenAIError, } from "./types.js";
 export const fetchPreEditFiles = async ({ gitLabBaseUrl, headers, changesOldPaths, ref }) => {
     const oldFilesRequestUrls = changesOldPaths.map((filePath) => {
@@ -87,7 +87,6 @@ export async function generateAICompletion(messages, openaiInstance, aiModel) {
         completion = await openaiInstance.chat.completions.create({
             model: aiModel,
             temperature: AI_MODEL_TEMPERATURE,
-            max_tokens: AI_MAX_OUTPUT_TOKENS,
             stream: false,
             messages,
         });
@@ -164,10 +163,18 @@ export const searchRepository = async ({ gitLabBaseUrl, headers, query, ref, pro
     if (res instanceof Error || !res.ok) {
         const responseDetails = await (async () => {
             if (res instanceof Error) {
-                return { url: url.toString(), error: { name: res.name, message: res.message } };
+                return {
+                    url: url.toString(),
+                    error: { name: res.name, message: res.message },
+                };
             }
             const bodyText = await res.text().catch(() => "");
-            return { url: url.toString(), status: res.status, statusText: res.statusText, body: bodyText.slice(0, 1000) };
+            return {
+                url: url.toString(),
+                status: res.status,
+                statusText: res.statusText,
+                body: bodyText.slice(0, 1000),
+            };
         })();
         return new GitLabError({
             name: "SEARCH_FAILED",

package/dist/prompt/index.js

@@ -1,6 +1,6 @@
 /** @format */
 import { buildMainSystemMessages, FILE_REVIEW_SYSTEM, TRIAGE_SYSTEM, } from "./messages.js";
-import { sanitizeGitLabMarkdown, truncateWithMarker } from "./utils.js";
+import { normalizeReviewFindingsMarkdown, sanitizeGitLabMarkdown, truncateWithMarker, } from "./utils.js";
 export const DEFAULT_PROMPT_LIMITS = {
     maxDiffs: 50,
     maxDiffChars: 16000,
@@ -9,7 +9,7 @@ export const DEFAULT_PROMPT_LIMITS = {
 const MESSAGES = buildMainSystemMessages();
 export const AI_MODEL_TEMPERATURE = 0.2;
 export const AI_MAX_OUTPUT_TOKENS = 600;
-export const buildPrompt = ({ changes, limits, allowTools = false, additionalContext, }) => {
+export const buildPrompt = ({ changes, limits, allowTools = false, }) => {
     const effectiveLimits = {
         ...DEFAULT_PROMPT_LIMITS,
         ...(limits ?? {}),
@@ -36,9 +36,6 @@ export const buildPrompt = ({ changes, limits, allowTools = false, additionalCon
     const userContent = [
         `Review the following code changes (git diff format). ${stats}`,
         toolNote,
-        additionalContext?.trim()
-            ? `\nAdditional local context (best-effort snippets):\n${additionalContext}`
-            : "",
         "",
         "Changes:",
         changesText || "(no changes provided)",
@@ -169,6 +166,47 @@ export function buildConsolidatePrompt(params) {
         },
     ];
 }
+export function buildVerificationPrompt(params) {
+    const { perFileFindings, summary, consolidatedFindings, maxFindings } = params;
+    const findingsText = perFileFindings
+        .map((f) => `### ${f.path}\n${f.findings}`)
+        .join("\n\n");
+    return [
+        {
+            role: "system",
+            content: [
+                "You are a skeptical verifier of a merge request review.",
+                "Your job is to remove weak, speculative, or unsupported findings from the draft list.",
+                "Do not add new findings. Keep, rewrite for clarity, or remove existing findings only.",
+                "A finding can stay only if it is directly supported by evidence from the per-file findings.",
+                "If confidence is not high, drop the finding.",
+                "Preserve this exact per-finding markdown block:",
+                "`- [high|medium] <title>`",
+                "`  File: <path>`",
+                "`  Line: ~<N>`",
+                "`  Why: <one concise sentence with key evidence>`",
+                "Do not add headings, summaries, or extra commentary.",
+                `Return at most ${maxFindings} findings.`,
+                'If no findings survive verification, return exactly: "No confirmed bugs or high-value optimizations found."',
+                "GitLab-flavoured markdown.",
+            ].join("\n"),
+        },
+        {
+            role: "user",
+            content: [
+                `MR Summary: ${summary}`,
+                "",
+                "Per-file findings (evidence pool):",
+                findingsText,
+                "",
+                "Draft consolidated findings to verify:",
+                consolidatedFindings,
+                "",
+                "Return only the verified final findings.",
+            ].join("\n"),
+        },
+    ];
+}
 export function extractCompletionText(completion) {
     if (completion instanceof Error || completion == null)
         return null;
@@ -235,6 +273,7 @@ export const buildAnswer = (completion) => {
     if (content === "") {
         return `${ERROR_ANSWER}\n\nError: Model returned an empty response body. Try another model (for example, gpt-4o-mini) or a different provider endpoint.\n\n---\n_${DISCLAIMER}_`;
     }
-    const safe = sanitizeGitLabMarkdown(content);
+    const normalizedFindings = normalizeReviewFindingsMarkdown(content);
+    const safe = sanitizeGitLabMarkdown(normalizedFindings);
     return `${safe}\n\n---\n_${DISCLAIMER}_`;
 };

package/dist/prompt/utils.js

@@ -12,3 +12,65 @@ export function sanitizeGitLabMarkdown(input) {
     const withClosedFence = fenceCount % 2 === 1 ? `${normalized}\n\`\`\`` : normalized;
     return withClosedFence;
 }
+const NO_ISSUES_SENTENCE = "No confirmed bugs or high-value optimizations found.";
+export function normalizeReviewFindingsMarkdown(input) {
+    const normalized = input.replace(/\r\n/g, "\n").trim();
+    if (normalized === "" || normalized === NO_ISSUES_SENTENCE)
+        return normalized;
+    const lines = normalized.split("\n");
+    const findings = [];
+    const headerRe = /^\s*-?\s*\[(high|medium)\]\s+(.+?)\s*$/i;
+    const fileRe = /^\s*[-*]?\s*File:\s*(.+?)\s*$/i;
+    const lineRe = /^\s*[-*]?\s*Line:\s*(.+?)\s*$/i;
+    const whyRe = /^\s*[-*]?\s*Why:\s*(.+?)\s*$/i;
+    for (let i = 0; i < lines.length; i += 1) {
+        const headerMatch = lines[i].match(headerRe);
+        if (headerMatch == null)
+            continue;
+        const severity = headerMatch[1].toLowerCase();
+        const title = headerMatch[2].trim();
+        let file = null;
+        let line = null;
+        let why = null;
+        let j = i + 1;
+        while (j < lines.length) {
+            const nextHeader = lines[j].match(headerRe);
+            if (nextHeader != null)
+                break;
+            if (file == null) {
+                const m = lines[j].match(fileRe);
+                if (m != null) {
+                    file = m[1].trim();
+                    j += 1;
+                    continue;
+                }
+            }
+            if (line == null) {
+                const m = lines[j].match(lineRe);
+                if (m != null) {
+                    line = m[1].trim();
+                    j += 1;
+                    continue;
+                }
+            }
+            if (why == null) {
+                const m = lines[j].match(whyRe);
+                if (m != null) {
+                    why = m[1].trim();
+                    j += 1;
+                    continue;
+                }
+            }
+            j += 1;
+        }
+        if (file != null && line != null && why != null) {
+            findings.push({ severity, title, file, line, why });
+            i = j - 1;
+        }
+    }
+    if (findings.length === 0)
+        return normalized;
+    return findings
+        .map((f) => `- [${f.severity}] ${f.title}\n  File: ${f.file}\n  Line: ${f.line}\n  Why: ${f.why}`)
+        .join("\n\n");
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "type": "module",
   "name": "@krotovm/gitlab-ai-review",
-  "version": "1.0.19",
-  "description": "CLI tool to generate AI code reviews for GitLab merge requests and local diffs.",
+  "version": "1.0.22",
+  "description": "CLI tool to generate AI code reviews for GitLab merge requests.",
   "main": "dist/cli.js",
   "bin": {
     "gitlab-ai-review": "dist/cli.js"