@mechanai/deepreview 1.0.1 → 2.0.1

package/src/post-review.ts

@@ -0,0 +1,325 @@
+import { readFile, realpath } from "node:fs/promises";
+import { resolve } from "node:path";
+import { parseThreads } from "./parse-threads.ts";
+import { classifyFindings } from "./diff-classifier.ts";
+import type { Finding, ClassifiedFinding } from "./diff-classifier.ts";
+import { type PrInfo, getPrInfo, execFileAsync } from "./graphql.ts";
+import {
+  type PendingReview,
+  findPendingReview,
+  createPendingReview,
+  updateReviewBody,
+  addLineThread,
+  addFileThread,
+  updateReviewComment,
+} from "./review-api.ts";
+import {
+  escapeHtml,
+  isValidPath,
+  isRateLimitError,
+  findingId,
+  embedFindingId,
+  extractFindingId,
+} from "./review-helpers.ts";
+
+export interface PostReviewOptions {
+  threadsPath: string;
+  prNumber: number;
+  dryRun?: boolean;
+  skipIds?: string[];
+  expectedSha?: string;
+  cwd?: string;
+  diffText?: string;
+}
+
+export interface PostReviewResult {
+  summary: string;
+  failed: string[];
+}
+
+const AI_TRAILER = "\n\n---\n🤖 Review generated by AI";
+
+function buildReviewBody(
+  tier3Findings: ClassifiedFinding[],
+  owner: string,
+  name: string,
+  headOid: string,
+): string {
+  let body = "";
+  for (const f of tier3Findings) {
+    if (!isValidPath(f.path)) {
+      console.warn(`WARN: Skipping finding with suspicious path: ${f.path}`);
+      continue;
+    }
+    const permalink = `https://github.com/${encodeURIComponent(owner)}/${encodeURIComponent(name)}/blob/${headOid}/${f.path.split("/").map(encodeURIComponent).join("/")}#L${f.line}`;
+    // Neutralize all HTML tags — GitHub re-renders markdown inside <details>.
+    body += `<details>\n<summary><a href="${permalink}"><code>${escapeHtml(f.path)}:${f.line}</code></a></summary>\n\n${f.body}\n</details>\n\n`;
+  }
+  body += AI_TRAILER;
+  return body;
+}
+
+async function updateExistingThreads(
+  existingReview: PendingReview,
+  findings: ClassifiedFinding[],
+): Promise<Set<string>> {
+  const existingComments = existingReview.comments.nodes;
+  const existingById = new Map<string, { id: string; body: string }>();
+  for (const c of existingComments) {
+    const id = extractFindingId(c.body);
+    if (id !== null) existingById.set(id, c);
+  }
+
+  const toUpdate: Array<{ finding: ClassifiedFinding; commentId: string; id: string }> = [];
+  for (const f of findings) {
+    const id = findingId(f.path, f.startLine, f.line, f.body);
+    const existing = existingById.get(id);
+    if (existing) {
+      toUpdate.push({ finding: f, commentId: existing.id, id });
+    }
+  }
+
+  for (const { finding, commentId, id } of toUpdate) {
+    const body = embedFindingId(finding.body, id);
+    await updateReviewComment(commentId, body);
+  }
+
+  console.log(`Updated ${toUpdate.length} existing threads.`);
+  return new Set(toUpdate.map(({ id }) => id));
+}
+
+async function postThread(
+  reviewId: string,
+  finding: ClassifiedFinding,
+  body: string,
+): Promise<void> {
+  if (finding.tier === 1) {
+    await addLineThread(reviewId, finding.path, finding.line, finding.startLine, body);
+  } else {
+    await addFileThread(reviewId, finding.path, body);
+  }
+}
+
+async function postWithRetry(
+  reviewId: string,
+  finding: ClassifiedFinding,
+  body: string,
+): Promise<boolean> {
+  try {
+    await postThread(reviewId, finding, body);
+    return true;
+  } catch (err: unknown) {
+    if (!isRateLimitError(err)) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error(`FAIL: ${finding.path}:${finding.line} — ${message}`);
+      return false;
+    }
+    for (let attempt = 0; attempt < 2; attempt++) {
+      console.warn(
+        `Rate limited on ${finding.path}:${finding.line}. Waiting 60s (retry ${attempt + 1}/2)...`,
+      );
+      await Bun.sleep(60_000 + Math.floor(Math.random() * 10_000));
+      try {
+        await postThread(reviewId, finding, body);
+        return true;
+      } catch (retryErr: unknown) {
+        if (!isRateLimitError(retryErr)) {
+          const message = retryErr instanceof Error ? retryErr.message : String(retryErr);
+          console.error(`FAIL: ${finding.path}:${finding.line} — ${message}`);
+          return false;
+        }
+      }
+    }
+    console.error(`FAIL: ${finding.path}:${finding.line} — rate limited after retries`);
+    return false;
+  }
+}
+
+async function postInlineThreads(
+  reviewId: string,
+  inlineFindings: ClassifiedFinding[],
+  updatedIds: Set<string>,
+): Promise<string[]> {
+  const CONCURRENCY = 2;
+  const failedFindings: string[] = [];
+  const pending = inlineFindings.filter(
+    (f) => !updatedIds.has(findingId(f.path, f.startLine, f.line, f.body)),
+  );
+
+  for (let i = 0; i < pending.length; i += CONCURRENCY) {
+    if (i > 0) await Bun.sleep(1000);
+    const batch = pending.slice(i, i + CONCURRENCY);
+    const results = await Promise.all(
+      batch.map(async (f) => {
+        const id = findingId(f.path, f.startLine, f.line, f.body);
+        // Trust boundary: body content is rendered by GitHub's Markdown sanitizer
+        const body = embedFindingId(f.body, id);
+        const ok = await postWithRetry(reviewId, f, body);
+        return ok ? null : id;
+      }),
+    );
+    for (const id of results) {
+      if (id !== null) failedFindings.push(id);
+    }
+  }
+  return failedFindings;
+}
+
+function classifyAndLog(
+  findings: Finding[],
+  diff: string,
+): { tier1: ClassifiedFinding[]; tier2: ClassifiedFinding[]; tier3: ClassifiedFinding[] } {
+  const validated = findings.filter((f) => {
+    if (!isValidPath(f.path)) {
+      console.warn(`WARN: Skipping finding with suspicious path: ${f.path}`);
+      return false;
+    }
+    return true;
+  });
+  const classified = classifyFindings(validated, diff);
+  const tier1 = classified.filter((f) => f.tier === 1);
+  const tier2 = classified.filter((f) => f.tier === 2);
+  const tier3 = classified.filter((f) => f.tier === 3);
+
+  for (const f of tier2) {
+    console.warn(`WARN: ${f.path}:${f.line} demoted to file-level`);
+  }
+  for (const f of tier3) {
+    console.warn(`WARN: ${f.path}:${f.line} demoted to review body`);
+  }
+  return { tier1, tier2, tier3 };
+}
+
+async function ensureReview(
+  prNodeId: string,
+  headOid: string,
+  tier1: ClassifiedFinding[],
+  tier2: ClassifiedFinding[],
+  tier3: ClassifiedFinding[],
+  owner: string,
+  name: string,
+): Promise<{ reviewId: string; updatedFindings: Set<string> }> {
+  const existingReview = await findPendingReview(prNodeId);
+  if (existingReview) {
+    console.log(`Found existing pending review: ${existingReview.id}`);
+    await updateReviewBody(existingReview.id, buildReviewBody(tier3, owner, name, headOid));
+    const updated = await updateExistingThreads(existingReview, [...tier1, ...tier2]);
+    return { reviewId: existingReview.id, updatedFindings: updated };
+  }
+  const reviewId = await createPendingReview(
+    prNodeId,
+    headOid,
+    buildReviewBody(tier3, owner, name, headOid),
+  );
+  console.log(`Created pending review: ${reviewId}`);
+  return { reviewId, updatedFindings: new Set() };
+}
+
+async function loadAndValidatePr(
+  threadsPath: string,
+  prNumber: number,
+  expectedSha: string | undefined,
+  cwd: string | undefined,
+): Promise<{ findings: Finding[]; prInfo: PrInfo } | null> {
+  if (!isValidPath(threadsPath)) {
+    throw new Error(`Invalid threadsPath: ${threadsPath}`);
+  }
+  const base = await realpath(resolve(cwd ?? process.cwd()));
+  const candidatePath = resolve(base, threadsPath);
+  let resolved: string;
+  try {
+    resolved = await realpath(candidatePath);
+  } catch {
+    throw new Error(`Threads file not found: ${candidatePath}`);
+  }
+  if (!resolved.startsWith(base + "/") && resolved !== base) {
+    throw new Error(`threadsPath escapes working directory: ${threadsPath}`);
+  }
+  const content = await readFile(resolved, "utf8");
+  const findings = parseThreads(content);
+  if (findings.length === 0) return null;
+
+  const prInfo = await getPrInfo(prNumber, { cwd });
+  if (prInfo.state !== "OPEN") {
+    throw new Error(`PR is ${prInfo.state}. Aborting.`);
+  }
+
+  const resolvedSha = expectedSha ?? process.env.PR_HEAD_SHA;
+  if (resolvedSha !== undefined && resolvedSha !== "" && resolvedSha !== prInfo.headOid) {
+    throw new Error(`ABORT: PR head moved (expected ${resolvedSha}, got ${prInfo.headOid}).`);
+  }
+
+  return { findings, prInfo };
+}
+
+async function postFindings(
+  tier1: ClassifiedFinding[],
+  tier2: ClassifiedFinding[],
+  tier3: ClassifiedFinding[],
+  prInfo: PrInfo,
+  skipIds: string[],
+): Promise<PostReviewResult> {
+  const { owner, name, prNodeId, headOid } = prInfo;
+  const { reviewId, updatedFindings } = await ensureReview(
+    prNodeId,
+    headOid,
+    tier1,
+    tier2,
+    tier3,
+    owner,
+    name,
+  );
+
+  const skipSet = new Set(skipIds);
+  const inlineFindings = [...tier1, ...tier2].filter((f) => {
+    const id = findingId(f.path, f.startLine, f.line, f.body);
+    return !skipSet.has(id);
+  });
+
+  const failedIds = await postInlineThreads(reviewId, inlineFindings, updatedFindings);
+  const skipped = inlineFindings.filter((f) =>
+    updatedFindings.has(findingId(f.path, f.startLine, f.line, f.body)),
+  ).length;
+  const posted = inlineFindings.length - skipped - failedIds.length;
+  const totalFindings = [...tier1, ...tier2].length;
+  const skippedByUser = totalFindings - inlineFindings.length;
+  const summary =
+    `Posted ${posted}/${totalFindings} inline threads (${skipped} up-to-date, ${skippedByUser} skipped, ${failedIds.length} failed). ` +
+    `${tier3.length} findings in review body.`;
+
+  console.log(summary);
+
+  return { summary, failed: failedIds };
+}
+
+/**
+ * Post a review to a GitHub PR.
+ */
+export async function postReview(opts: PostReviewOptions): Promise<PostReviewResult> {
+  const { threadsPath, prNumber, dryRun = false, skipIds = [], expectedSha } = opts;
+
+  const result = await loadAndValidatePr(threadsPath, prNumber, expectedSha, opts.cwd);
+  if (!result) return { summary: "No findings to post.", failed: [] };
+
+  const { findings, prInfo } = result;
+  const diff =
+    opts.diffText ??
+    (
+      await execFileAsync("gh", ["pr", "diff", String(prNumber)], {
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        signal: AbortSignal.timeout(30_000),
+        cwd: opts.cwd,
+      })
+    ).stdout;
+  const { tier1, tier2, tier3 } = classifyAndLog(findings, diff);
+
+  if (dryRun) {
+    return {
+      summary: `Dry run: ${tier1.length} line-level, ${tier2.length} file-level, ${tier3.length} review-body findings.`,
+      failed: [],
+    };
+  }
+
+  return postFindings(tier1, tier2, tier3, prInfo, skipIds);
+}

package/src/review-api.ts

@@ -0,0 +1,253 @@
+import { graphql } from "./graphql.ts";
+
+const MAX_PAGES = 50;
+
+interface PageInfo {
+  hasNextPage: boolean;
+  endCursor: string;
+}
+
+export interface ReviewComment {
+  id: string;
+  body: string;
+  path: string;
+  startLine: number | null;
+  line: number;
+}
+
+export interface PendingReview {
+  id: string;
+  body: string;
+  comments: {
+    totalCount: number;
+    nodes: ReviewComment[];
+  };
+}
+
+interface CommentsPage {
+  node: {
+    comments: {
+      pageInfo: PageInfo;
+      nodes: ReviewComment[];
+    };
+  };
+}
+
+interface FindPendingReviewResponse {
+  node: {
+    viewerLatestReview: {
+      nodes: Array<{
+        id: string;
+        body: string;
+        comments: {
+          totalCount: number;
+          pageInfo: PageInfo;
+          nodes: ReviewComment[];
+        };
+      }>;
+    };
+  };
+}
+
+interface CreateReviewResponse {
+  addPullRequestReview: {
+    pullRequestReview: {
+      id: string;
+    };
+  };
+}
+
+async function fetchRemainingComments(
+  reviewId: string,
+  initialPageInfo: PageInfo,
+): Promise<ReviewComment[]> {
+  const comments: ReviewComment[] = [];
+  let pageInfo = initialPageInfo;
+  let pages = 0;
+  while (pageInfo.hasNextPage && pages++ < MAX_PAGES) {
+    const page = await graphql<CommentsPage>(
+      `
+        query ($reviewId: ID!, $after: String!) {
+          node(id: $reviewId) {
+            ... on PullRequestReview {
+              comments(first: 100, after: $after) {
+                pageInfo {
+                  hasNextPage
+                  endCursor
+                }
+                nodes {
+                  id
+                  body
+                  path
+                  startLine
+                  line
+                }
+              }
+            }
+          }
+        }
+      `,
+      { reviewId, after: pageInfo.endCursor },
+    );
+    const next = page.node.comments;
+    comments.push(...next.nodes);
+    pageInfo = next.pageInfo;
+  }
+  if (pages >= MAX_PAGES) {
+    console.warn(`WARN: Reached MAX_PAGES (${MAX_PAGES}) — review data may be incomplete.`);
+  }
+  return comments;
+}
+
+export async function findPendingReview(prNodeId: string): Promise<PendingReview | null> {
+  const data = await graphql<FindPendingReviewResponse>(
+    `
+      query ($prId: ID!) {
+        node(id: $prId) {
+          ... on PullRequest {
+            viewerLatestReview: reviews(last: 1, states: PENDING, author: "@me") {
+              nodes {
+                id
+                body
+                comments(first: 100) {
+                  totalCount
+                  pageInfo {
+                    hasNextPage
+                    endCursor
+                  }
+                  nodes {
+                    id
+                    body
+                    path
+                    startLine
+                    line
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    `,
+    { prId: prNodeId },
+  );
+  const reviews = data.node.viewerLatestReview.nodes;
+  if (reviews.length === 0) return null;
+
+  const review = reviews[0];
+  const comments: ReviewComment[] = [...review.comments.nodes];
+  const remaining = await fetchRemainingComments(review.id, review.comments.pageInfo);
+  comments.push(...remaining);
+
+  return { ...review, comments: { totalCount: review.comments.totalCount, nodes: comments } };
+}
+
+export async function createPendingReview(
+  prNodeId: string,
+  commitOid: string,
+  body: string,
+): Promise<string> {
+  const data = await graphql<CreateReviewResponse>(
+    `
+      mutation ($input: AddPullRequestReviewInput!) {
+        addPullRequestReview(input: $input) {
+          pullRequestReview {
+            id
+          }
+        }
+      }
+    `,
+    {
+      input: {
+        pullRequestId: prNodeId,
+        commitOID: commitOid,
+        body,
+      },
+    },
+  );
+  return data.addPullRequestReview.pullRequestReview.id;
+}
+
+export async function updateReviewBody(reviewId: string, body: string): Promise<void> {
+  await graphql(
+    `
+      mutation ($input: UpdatePullRequestReviewInput!) {
+        updatePullRequestReview(input: $input) {
+          pullRequestReview {
+            id
+          }
+        }
+      }
+    `,
+    { input: { pullRequestReviewId: reviewId, body } },
+  );
+}
+
+export async function addLineThread(
+  reviewId: string,
+  path: string,
+  line: number,
+  startLine: number | undefined,
+  body: string,
+): Promise<void> {
+  const input: Record<string, unknown> = {
+    pullRequestReviewId: reviewId,
+    path,
+    line,
+    side: "RIGHT",
+    body,
+  };
+  if (startLine !== undefined && startLine > 0 && startLine < line) {
+    input.startLine = startLine;
+    input.startSide = "RIGHT";
+  }
+  await graphql(
+    `
+      mutation ($input: AddPullRequestReviewThreadInput!) {
+        addPullRequestReviewThread(input: $input) {
+          thread {
+            id
+          }
+        }
+      }
+    `,
+    { input },
+  );
+}
+
+export async function addFileThread(reviewId: string, path: string, body: string): Promise<void> {
+  await graphql(
+    `
+      mutation ($input: AddPullRequestReviewThreadInput!) {
+        addPullRequestReviewThread(input: $input) {
+          thread {
+            id
+          }
+        }
+      }
+    `,
+    {
+      input: {
+        pullRequestReviewId: reviewId,
+        path,
+        body,
+        subjectType: "FILE",
+      },
+    },
+  );
+}
+
+export async function updateReviewComment(commentId: string, body: string): Promise<void> {
+  await graphql(
+    `
+      mutation ($input: UpdatePullRequestReviewCommentInput!) {
+        updatePullRequestReviewComment(input: $input) {
+          pullRequestReviewComment {
+            id
+          }
+        }
+      }
+    `,
+    { input: { pullRequestReviewCommentId: commentId, body } },
+  );
+}

package/src/review-helpers.ts

@@ -0,0 +1,65 @@
+import crypto from "node:crypto";
+
+const FINDING_ID_RE = /<!-- finding:([a-f0-9]+) -->/u;
+
+export function escapeHtml(s: string): string {
+  return s
+    .replaceAll("&", "&amp;")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;")
+    .replaceAll("'", "&#39;");
+}
+
+export function isValidPath(filePath: string): boolean {
+  if (filePath.includes("\0")) return false;
+  if (filePath.startsWith("/") || filePath.includes("..")) return false;
+  if (filePath === "") return false;
+  // Normalize away harmless . and trailing slashes before comparison
+  const normalized = filePath
+    .split("/")
+    .filter((s) => s !== "." && s !== "")
+    .join("/");
+  return normalized.length > 0;
+}
+
+export interface RateLimitLike {
+  status?: number;
+  type?: string;
+  message?: string;
+}
+
+export function isRateLimitError(err: unknown): boolean {
+  if (err === null || typeof err !== "object") return false;
+  // oxlint-disable-next-line typescript/no-unsafe-type-assertion -- Why: narrowed to object via typeof guard; property access checked individually below
+  const e = err as Record<string, unknown>;
+  const status = typeof e.status === "number" ? e.status : undefined;
+  const type = typeof e.type === "string" ? e.type : undefined;
+  const message = typeof e.message === "string" ? e.message.toLowerCase() : "";
+
+  if (status === 429) return true;
+  if (status === 403) {
+    return message.includes("rate limit") || message.includes("secondary rate limit");
+  }
+  if (type === "RATE_LIMITED") return true;
+  return message.includes("rate limit") || message.includes("secondary rate limit");
+}
+
+export function findingId(
+  path: string,
+  startLine: number | undefined,
+  line: number,
+  body = "",
+): string {
+  const key = `${path}:${startLine ?? 0}:${line}:${body.slice(0, 200)}`;
+  return crypto.createHash("sha256").update(key).digest("hex").slice(0, 12);
+}
+
+export function embedFindingId(body: string, id: string): string {
+  return `${body}\n<!-- finding:${id} -->`;
+}
+
+export function extractFindingId(body: string): string | null {
+  const match = FINDING_ID_RE.exec(body);
+  return match ? match[1] : null;
+}