@krotovm/gitlab-ai-review 1.0.21 → 1.0.23

package/dist/cli/ci-review.js

@@ -1,6 +1,6 @@
 /** @format */
 import OpenAI from "openai";
-import { AI_MAX_OUTPUT_TOKENS, buildAnswer, buildConsolidatePrompt, buildFileReviewPrompt, buildPrompt, buildTriagePrompt, buildVerificationPrompt, extractCompletionText, parseTriageResponse, } from "../prompt/index.js";
+import { buildAnswer, buildConsolidatePrompt, buildFileReviewPrompt, buildPrompt, buildTriagePrompt, buildVerificationPrompt, extractCompletionText, parseTriageResponse, } from "../prompt/index.js";
 import { fetchFileAtRef, searchRepository, } from "../gitlab/services.js";
 import { logToolUsageMinimal, MAX_FILE_TOOL_ROUNDS, MAX_TOOL_ROUNDS, TOOL_NAME_GET_FILE, TOOL_NAME_GREP, } from "./tooling.js";
 function buildReviewMetadata(changes, refs) {
@@ -219,7 +219,6 @@ export async function reviewMergeRequestWithTools(params) {
     const finalCompletion = await openaiInstance.chat.completions.create({
         model: aiModel,
         temperature: 0.2,
-        max_tokens: AI_MAX_OUTPUT_TOKENS,
         stream: false,
         messages,
     });
@@ -330,7 +329,6 @@ async function runFileReviewWithTools(params) {
     const final = await openaiInstance.chat.completions.create({
         model: aiModel,
         temperature: 0.2,
-        max_tokens: AI_MAX_OUTPUT_TOKENS,
         stream: false,
         messages,
     });
@@ -421,7 +419,6 @@ export async function reviewMergeRequestMultiPass(params) {
         const consolidateCompletion = await openaiInstance.chat.completions.create({
             model: aiModel,
             temperature: 0.1,
-            max_tokens: AI_MAX_OUTPUT_TOKENS,
             stream: false,
             messages: consolidateMessages,
         });
@@ -440,7 +437,6 @@ export async function reviewMergeRequestMultiPass(params) {
             const verificationCompletion = await openaiInstance.chat.completions.create({
                 model: aiModel,
                 temperature: 0.0,
-                max_tokens: AI_MAX_OUTPUT_TOKENS,
                 stream: false,
                 messages: verificationMessages,
             });

package/dist/gitlab/services.js

@@ -1,6 +1,6 @@
 /** @format */
 import OpenAI from "openai";
-import { AI_MAX_OUTPUT_TOKENS, AI_MODEL_TEMPERATURE } from "../prompt/index.js";
+import { AI_MODEL_TEMPERATURE } from "../prompt/index.js";
 import { GitLabError, OpenAIError, } from "./types.js";
 export const fetchPreEditFiles = async ({ gitLabBaseUrl, headers, changesOldPaths, ref }) => {
     const oldFilesRequestUrls = changesOldPaths.map((filePath) => {
@@ -87,7 +87,6 @@ export async function generateAICompletion(messages, openaiInstance, aiModel) {
         completion = await openaiInstance.chat.completions.create({
             model: aiModel,
             temperature: AI_MODEL_TEMPERATURE,
-            max_tokens: AI_MAX_OUTPUT_TOKENS,
             stream: false,
             messages,
         });
@@ -164,10 +163,18 @@ export const searchRepository = async ({ gitLabBaseUrl, headers, query, ref, pro
     if (res instanceof Error || !res.ok) {
         const responseDetails = await (async () => {
             if (res instanceof Error) {
-                return { url: url.toString(), error: { name: res.name, message: res.message } };
+                return {
+                    url: url.toString(),
+                    error: { name: res.name, message: res.message },
+                };
             }
             const bodyText = await res.text().catch(() => "");
-            return { url: url.toString(), status: res.status, statusText: res.statusText, body: bodyText.slice(0, 1000) };
+            return {
+                url: url.toString(),
+                status: res.status,
+                statusText: res.statusText,
+                body: bodyText.slice(0, 1000),
+            };
         })();
         return new GitLabError({
             name: "SEARCH_FAILED",

package/dist/prompt/index.js

@@ -1,6 +1,6 @@
 /** @format */
 import { buildMainSystemMessages, FILE_REVIEW_SYSTEM, TRIAGE_SYSTEM, } from "./messages.js";
-import { sanitizeGitLabMarkdown, truncateWithMarker } from "./utils.js";
+import { normalizeReviewFindingsMarkdown, sanitizeGitLabMarkdown, truncateWithMarker, } from "./utils.js";
 export const DEFAULT_PROMPT_LIMITS = {
     maxDiffs: 50,
     maxDiffChars: 16000,
@@ -273,6 +273,7 @@ export const buildAnswer = (completion) => {
     if (content === "") {
         return `${ERROR_ANSWER}\n\nError: Model returned an empty response body. Try another model (for example, gpt-4o-mini) or a different provider endpoint.\n\n---\n_${DISCLAIMER}_`;
     }
-    const safe = sanitizeGitLabMarkdown(content);
+    const normalizedFindings = normalizeReviewFindingsMarkdown(content);
+    const safe = sanitizeGitLabMarkdown(normalizedFindings);
     return `${safe}\n\n---\n_${DISCLAIMER}_`;
 };

package/dist/prompt/messages.js

@@ -1,66 +1,26 @@
 /** @format */
 export const MAIN_SYSTEM_LINES = [
-    "You are a senior developer reviewing a git diff for correctness bugs, security issues, and performance regressions.",
-    "Return at most 3 findings. Prefer no finding over a weakly supported one.",
+    "You are an AI code reviewer for pull requests.",
+    "Find only real bugs introduced by the diff.",
+    "Return at most 3 findings. Prefer no finding over a weak one.",
     "",
-    "WORKFLOW:",
-    "1. Parse diff: identify all changed files and note any truncation markers (`[... diff #N truncated ...]` or `[... prompt payload truncated ...]`).",
-    "2. Triage files: skim every `diff --git` header to classify each file — files that modify logic or functionality need analysis; files with only cosmetic changes (formatting, renaming for clarity, comments) can be skipped. Prioritize files that alter exported function/method signatures, shared data structures, auth, data access, or concurrency.",
-    "3. Analyze: for each triaged file, inspect `+` (added) and changed lines for wrong conditions, missing await, off-by-one, type mismatches, cross-file inconsistencies (renamed symbols with stale callers, changed exported signatures with mismatched callers, updated interfaces with mismatched implementations), security gaps, and clear perf regressions.",
-    "4. Tool-assisted verification (when tools are available): use get_file_at_ref to read full files (especially truncated ones) and grep_repository to confirm symbol usage or find callers. Do not guess when you can verify.",
-    "5. Report only issues that are tool-confirmed or visually obvious from the diff.",
-    "",
-    "SCOPE:",
-    "- Only flag issues introduced by this diff.",
-    "- Focus on added/changed lines (`+`). Context lines (` `) and removed lines (`-`) are reference only.",
-    "- Do not comment on untouched code unless required for a proven bug path.",
-    "- If you cannot point to a concrete problematic added/changed line and explain in one sentence why it is definitely wrong, skip the finding.",
-    "",
-    "ACCURACY:",
-    "- Only report issues directly supported by diff lines and/or visible imports/exports.",
-    "- Do not invent behavior, fields, or code paths not visible in evidence.",
-    "- Removed (`-`) lines are historical; do not claim current usage based solely on them.",
-    "- If a concept is consistently renamed across files (e.g. `*Type` -> `*Percent`), do not flag missing old-name checks without explicit conflicting evidence in current (`+`) lines.",
-    "- Do not report `missing dependency` when the dependency is removed from both usage and declarations in these diffs.",
-    "- Truncated diffs may hide context. State uncertainty rather than assuming correctness or incorrectness. If tools are available, fetch the full file before reporting.",
-    "- If any part of the execution path depends on code you cannot see in the diff (truncated sections, omitted files, missing context), treat it as uncertainty and do not report a finding.",
-    "- If truncation markers indicate omitted context, assume missing context might make the change correct.",
-    "",
-    "ANTI-HALLUCINATION (mandatory — violations make the review harmful):",
-    "- SYNTAX ERRORS: Do not claim syntax errors unless you can quote the exact invalid token from the diff. Count parentheses/brackets on the actual line before reporting.",
-    "- MISSING EXPORTS/FUNCTIONS: Do not report missing functions/variables/types/exports unless there is direct usage in added lines and you can see full relevant context. If the diff is truncated or incomplete, you CANNOT claim missing.",
-    "- UNDEFINED VARIABLES: Do not claim a variable is undefined unless you verified it is absent in visible added/context lines of the same scope.",
-    "- SIGNATURE CHANGES: A function signature change is NOT a bug by itself. Only flag it if you can point to a specific caller in the diff that passes wrong arguments or uses a stale return value.",
-    "- REFACTORING: When a diff consistently renames/replaces a concept (e.g. type→percent, contributionType→contributionPercent), this is intentional refactoring. Do not flag the removal of old code or the new pattern as a bug without contradictory evidence.",
-    "- If you are not sure that something is a real bug introduced by added/changed lines, do not report it.",
-    '- When in doubt between "some issue" and "No confirmed bugs or high-value optimizations found.", choose the no-issues output.',
-    "",
-    "SELF-CHECK (before outputting any finding):",
-    "- Re-read the specific diff lines you cite. Is the evidence actually there?",
-    "- Could this be intentional or context-dependent? If yes, skip it.",
-    "",
-    "PRIORITY: (1) correctness (typo, wrong var, missing await, off-by-one), (2) security (secrets, unsafe eval, unvalidated input), (3) perf regressions (N+1 queries, unbounded loops, missing pagination).",
-    "",
-    "SEVERITY:",
-    "- [high] = deterministic runtime or security issue with a concrete execution path visible in the diff. You must be able to describe exactly what breaks and why.",
-    "- [medium] = well-supported but probabilistic issue.",
+    "Rules:",
+    "- Focus on changed lines.",
+    "- Ignore style, refactoring suggestions, and general best practices.",
+    "- If uncertain, use tools: get_file_at_ref and grep_repository.",
+    "- Report only issues clearly visible in diff or verified by tools.",
+    '- If uncertain after checking, return exactly: "No confirmed bugs or high-value optimizations found."',
     "",
-    "QUICK CHECKS (always perform):",
-    "- Compare added function/method calls against imports/exports for spelling mismatches.",
-    "- Flag identifier typos only when there is a clearly similar identifier in the same hunk/file.",
-    "- Do not infer typos from names not present in visible evidence.",
-    "- Pay special attention to alterations in signatures of exported functions, shared types/interfaces, and global data structures — these have the highest cross-file breakage potential.",
-    "- On multi-file diffs: verify cross-file consistency — if a signature, interface, type, or enum changes in one file, check that callers/implementers in other changed files still match.",
+    "Severity:",
+    "- [high]: deterministic runtime/security breakage with clear path.",
+    "- [medium]: likely bug with strong evidence.",
     "",
-    "OUTPUT FORMAT:",
-    "- Each finding must use this 4-line markdown block:",
+    "Output format (strict):",
     "- `- [high|medium] <title>`",
     "- `  File: <path>`",
     "- `  Line: ~<N>`",
-    "- `  Why: <one concise sentence with key evidence>`",
-    "- No headings, no praise, no code blocks. Do not summarize or explain what changed — only report confirmed issues.",
-    '- If no confirmed issues: exactly "No confirmed bugs or high-value optimizations found."',
-    "- GitLab-flavoured markdown.",
+    "- `  Why: <one concise sentence with evidence>`",
+    '- If no issues: exactly "No confirmed bugs or high-value optimizations found."',
 ];
 export const TRIAGE_SYSTEM_LINES = [
     "You are a senior developer triaging files in a merge request.",
@@ -79,55 +39,27 @@ export const TRIAGE_SYSTEM_LINES = [
     "- Config/CI/docs files are SKIP unless they modify build targets, env vars, or secrets.",
 ];
 export const FILE_REVIEW_SYSTEM_LINES = [
-    "You are a senior developer reviewing a single file's git diff for correctness bugs, security issues, and performance regressions.",
-    "Return at most 2 findings for this file. Prefer no finding over a weakly supported one.",
+    "You are an AI reviewer for a single-file diff.",
+    "Find only real bugs introduced by changed lines.",
+    "Return at most 2 findings. Prefer no finding over a weak one.",
     "",
-    "SCOPE:",
-    "- Only flag issues introduced by this diff.",
-    "- Focus on added/changed lines (`+`). Context lines (` `) and removed lines (`-`) are reference only.",
-    "- Do not comment on untouched code unless required for a proven bug path.",
-    "- If you cannot point to a concrete problematic added/changed line and explain in one sentence why it is definitely wrong, skip the finding.",
-    "",
-    "ACCURACY:",
-    "- Only report issues directly supported by diff lines and/or visible imports/exports.",
-    "- Do not invent behavior, fields, or code paths not visible in evidence.",
-    "- Removed (`-`) lines are historical; do not claim current usage based solely on them.",
-    "- If a concept is consistently renamed (e.g. `*Type` -> `*Percent`), do not flag missing old-name checks without conflicting evidence in current (`+`) lines.",
-    "- Do not report `missing dependency` when the dependency is removed from both usage and declarations.",
-    "- If any part of the execution path depends on code you cannot see (truncated sections/missing files), treat this as uncertainty and do not report a finding.",
-    "",
-    "ANTI-HALLUCINATION (mandatory):",
-    "- SYNTAX ERRORS: Do not claim syntax errors unless you can quote the exact invalid token. Count parentheses/brackets on the actual line.",
-    "- MISSING EXPORTS/FUNCTIONS: Do not report missing functions/variables/types/exports unless there is direct usage in added lines and full relevant context is visible. If truncated, you CANNOT claim missing.",
-    "- UNDEFINED VARIABLES: Do not claim undefined unless the variable is absent from visible lines in the same scope.",
-    "- SIGNATURE CHANGES: A changed signature is NOT a bug. Only flag if a caller in the diff passes wrong arguments.",
-    "- REFACTORING: Consistent rename/replace across files is intentional. Do not flag it without contradictory evidence.",
-    "- If you are not sure it is a real bug introduced by added/changed lines, do not report it.",
-    '- When in doubt between "some issue" and "No issues found.", choose "No issues found."',
-    "",
-    "SELF-CHECK before each finding: re-read cited lines; if interpretation depends on missing context, drop it.",
-    "",
-    "PRIORITY: (1) correctness (typo, wrong var, missing await, off-by-one), (2) security (secrets, unsafe eval, unvalidated input), (3) perf regressions (N+1 queries, unbounded loops, missing pagination).",
-    "",
-    "SEVERITY:",
-    "- [high] = deterministic runtime or security issue with a concrete execution path visible in the diff.",
-    "- [medium] = well-supported but probabilistic issue.",
+    "Rules:",
+    "- Focus on changed lines only.",
+    "- Ignore style/refactor/general improvement comments.",
+    "- If uncertain, use tools: get_file_at_ref and grep_repository.",
+    "- Report only issues clearly visible in diff or verified by tools.",
+    '- If uncertain after checking, return exactly: "No issues found."',
     "",
-    "QUICK CHECKS:",
-    "- Compare added function/method calls against imports/exports for spelling mismatches.",
-    "- Flag identifier typos only when a clearly similar identifier exists in the same hunk/file.",
-    "- Do not infer typos from imagined names.",
-    "- Check changes to exported function signatures, shared types, and global data structures for cross-file breakage.",
+    "Severity:",
+    "- [high]: deterministic runtime/security breakage with clear path.",
+    "- [medium]: likely bug with strong evidence.",
     "",
-    "OUTPUT FORMAT:",
-    "- Each finding must use this 4-line markdown block:",
+    "Output format (strict):",
     "- `- [high|medium] <title>`",
     "- `  File: <path>`",
     "- `  Line: ~<N>`",
-    "- `  Why: <one concise sentence with key evidence>`",
-    "- No headings, no praise, no code blocks. Do not summarize what changed.",
-    '- If no confirmed issues: exactly "No issues found."',
-    "- GitLab-flavoured markdown.",
+    "- `  Why: <one concise sentence with evidence>`",
+    '- If no issues: exactly "No issues found."',
 ];
 export const buildMainSystemMessages = () => [
     {

package/dist/prompt/utils.js

@@ -12,3 +12,65 @@ export function sanitizeGitLabMarkdown(input) {
     const withClosedFence = fenceCount % 2 === 1 ? `${normalized}\n\`\`\`` : normalized;
     return withClosedFence;
 }
+const NO_ISSUES_SENTENCE = "No confirmed bugs or high-value optimizations found.";
+export function normalizeReviewFindingsMarkdown(input) {
+    const normalized = input.replace(/\r\n/g, "\n").trim();
+    if (normalized === "" || normalized === NO_ISSUES_SENTENCE)
+        return normalized;
+    const lines = normalized.split("\n");
+    const findings = [];
+    const headerRe = /^\s*-?\s*\[(high|medium)\]\s+(.+?)\s*$/i;
+    const fileRe = /^\s*[-*]?\s*File:\s*(.+?)\s*$/i;
+    const lineRe = /^\s*[-*]?\s*Line:\s*(.+?)\s*$/i;
+    const whyRe = /^\s*[-*]?\s*Why:\s*(.+?)\s*$/i;
+    for (let i = 0; i < lines.length; i += 1) {
+        const headerMatch = lines[i].match(headerRe);
+        if (headerMatch == null)
+            continue;
+        const severity = headerMatch[1].toLowerCase();
+        const title = headerMatch[2].trim();
+        let file = null;
+        let line = null;
+        let why = null;
+        let j = i + 1;
+        while (j < lines.length) {
+            const nextHeader = lines[j].match(headerRe);
+            if (nextHeader != null)
+                break;
+            if (file == null) {
+                const m = lines[j].match(fileRe);
+                if (m != null) {
+                    file = m[1].trim();
+                    j += 1;
+                    continue;
+                }
+            }
+            if (line == null) {
+                const m = lines[j].match(lineRe);
+                if (m != null) {
+                    line = m[1].trim();
+                    j += 1;
+                    continue;
+                }
+            }
+            if (why == null) {
+                const m = lines[j].match(whyRe);
+                if (m != null) {
+                    why = m[1].trim();
+                    j += 1;
+                    continue;
+                }
+            }
+            j += 1;
+        }
+        if (file != null && line != null && why != null) {
+            findings.push({ severity, title, file, line, why });
+            i = j - 1;
+        }
+    }
+    if (findings.length === 0)
+        return normalized;
+    return findings
+        .map((f) => `- [${f.severity}] ${f.title}\n  File: ${f.file}\n  Line: ${f.line}\n  Why: ${f.why}`)
+        .join("\n\n");
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "type": "module",
   "name": "@krotovm/gitlab-ai-review",
-  "version": "1.0.21",
+  "version": "1.0.23",
   "description": "CLI tool to generate AI code reviews for GitLab merge requests.",
   "main": "dist/cli.js",
   "bin": {