@motivation-labs/crosscheck 0.7.0 → 0.7.1-beta.07ebaac.0

package/dist/commands/onboard.js

@@ -1,285 +1,376 @@
-import { existsSync, mkdirSync } from 'fs';
-import { join } from 'path';
+import { existsSync, mkdirSync, writeFileSync, readFileSync, unlinkSync } from 'fs';
+import { join, dirname } from 'path';
 import { homedir } from 'os';
-import { createInterface } from 'readline';
 import chalk from 'chalk';
-import { loadConfig, resolveConfigPath, getGithubToken, detectGitHubLogin, writeOnboardConfig, } from '../config/loader.js';
-import { listUserOrgs, fetchActiveRepos } from '../github/client.js';
-import { promptRepoPicker, promptOrgPicker } from '../lib/repo-picker.js';
-import { runChecks } from './init.js';
-// ── Prompt helpers ────────────────────────────────────────────────────────────
-async function ask(question) {
-    if (!process.stdin.isTTY)
-        return '';
+import { createInterface } from 'readline';
+import yaml from 'js-yaml';
+import { getGithubToken, loadConfig, resolveConfigPath, detectGitHubLogin, promptDeploymentMode, patchDeploymentConfig, } from '../config/loader.js';
+import { listUserRepos, listUserOrgs, listOrgRepos } from '../github/client.js';
+import { checkCodexAuth } from '../reviewers/codex.js';
+import { checkClaudeAuth } from '../reviewers/claude.js';
+import { execSync } from 'child_process';
+import { promptRepoPicker } from '../lib/repo-picker.js';
+function ask(question) {
     return new Promise(resolve => {
         const rl = createInterface({ input: process.stdin, output: process.stdout });
         rl.question(question, answer => { rl.close(); resolve(answer.trim()); });
     });
 }
-// Print numbered choices and return the chosen 1-based index (defaultIdx if user presses Enter).
-async function pickOne(prompt, options, defaultIdx) {
-    console.log(`\n${prompt}\n`);
-    options.forEach(o => console.log(o));
-    console.log();
-    const answer = await ask(chalk.dim(`  Choice [${defaultIdx}]: `));
-    const n = parseInt(answer, 10);
-    return Number.isInteger(n) && n >= 1 && n <= options.length ? n : defaultIdx;
-}
-async function confirmWrite() {
-    const answer = await ask('  Write config? [Y/n]: ');
-    return answer === '' || /^y/i.test(answer);
-}
-async function confirmOptIn(question) {
-    const answer = await ask(`${question} [y/N]: `);
-    return /^y/i.test(answer);
+async function checkEnv() {
+    let codexOk = false;
+    let claudeOk = false;
+    try {
+        execSync('codex --version 2>&1', { encoding: 'utf8' });
+        const auth = await checkCodexAuth();
+        codexOk = auth.ok;
+        const icon = auth.ok ? chalk.green('✓') : chalk.red('✗');
+        console.log(`  ${icon} ${'codex CLI'.padEnd(20)} ${auth.detail}`);
+        if (!auth.ok)
+            console.log(`      ${chalk.dim('→')} ${chalk.yellow('Run: codex login --device-auth')}`);
+    }
+    catch {
+        console.log(`  ${chalk.red('✗')} ${'codex CLI'.padEnd(20)} not found`);
+        console.log(`      ${chalk.dim('→')} ${chalk.yellow('Install: npm install -g @openai/codex')}`);
+    }
+    try {
+        const auth = await checkClaudeAuth();
+        claudeOk = auth.ok;
+        const icon = auth.ok ? chalk.green('✓') : chalk.red('✗');
+        console.log(`  ${icon} ${'claude CLI'.padEnd(20)} ${auth.detail}`);
+        if (!auth.ok)
+            console.log(`      ${chalk.dim('→')} ${chalk.yellow('Run: claude auth login')}`);
+    }
+    catch {
+        console.log(`  ${chalk.red('✗')} ${'claude CLI'.padEnd(20)} not found`);
+        console.log(`      ${chalk.dim('→')} ${chalk.yellow('Install: npm install -g @anthropic-ai/claude-code')}`);
+    }
+    const envToken = process.env.GITHUB_TOKEN ?? process.env.GH_TOKEN;
+    let ghAuthed = false;
+    try {
+        execSync('gh --version 2>&1', { encoding: 'utf8' });
+        let authOutput = '';
+        try {
+            authOutput = execSync('gh auth status 2>&1', { encoding: 'utf8' });
+        }
+        catch { /* GITHUB_TOKEN in use */ }
+        ghAuthed = authOutput.includes('Logged in') || !!envToken;
+        const icon = ghAuthed ? chalk.green('✓') : chalk.red('✗');
+        console.log(`  ${icon} ${'gh CLI'.padEnd(20)} ${ghAuthed ? 'authenticated' : 'not authenticated'}`);
+        if (!ghAuthed)
+            console.log(`      ${chalk.dim('→')} ${chalk.yellow('Run: gh auth login')}`);
+    }
+    catch {
+        console.log(`  ${chalk.red('✗')} ${'gh CLI'.padEnd(20)} not found`);
+        console.log(`      ${chalk.dim('→')} ${chalk.yellow('Install: brew install gh && gh auth login')}`);
+    }
+    if (!claudeOk && !codexOk) {
+        console.log(chalk.red('\nAt least one AI CLI (codex or claude) must be authenticated.\n'));
+        return { ok: false, claudeOk, codexOk };
+    }
+    if (!ghAuthed) {
+        console.log(chalk.red('\nGitHub auth is required to fetch repos and register webhooks.\n'));
+        return { ok: false, claudeOk, codexOk };
+    }
+    return { ok: true, claudeOk, codexOk };
 }
-// ── Fast-mode: skip all questions ────────────────────────────────────────────
-async function runFastMode(deployment, configPath, login, orgs) {
-    const users = deployment === 'personal' && login ? [login] : [];
-    const allowedAuthors = deployment === 'personal' && login ? [login] : [];
-    const authorRoutes = deployment === 'personal' && login ? { [login]: 'claude' } : {};
-    writeOnboardConfig(configPath, {
-        deployment, login, orgs, users, repos: [],
-        allowedAuthors, authorRoutes,
-        autoFix: false, deliveryMode: 'pull_request',
-        brand: { service_name: 'crosscheck', comment_header: '', comment_footer: '', reviewer_attribution: '' },
-    });
-    console.log(chalk.green(`\n  ✓ config written  (${deployment} mode, auto-detected scopes)\n`));
-    if (orgs.length)
-        console.log(`  ${'orgs'.padEnd(12)}${orgs.join(', ')}`);
-    if (users.length)
-        console.log(`  ${'users'.padEnd(12)}${users.join(', ')}`);
-    console.log(chalk.dim(`\n  config  ${configPath}`));
-    console.log(chalk.dim('  Run  crosscheck watch  to start.\n'));
+async function promptVendorMode(claudeOk, codexOk, currentMode, currentClaudeEnabled, currentCodexEnabled, opts) {
+    const bothAvailable = claudeOk && codexOk;
+    if (!bothAvailable) {
+        // Only one CLI is available — auto-select single-vendor
+        const vendor = claudeOk ? 'claude' : 'codex';
+        console.log(`  Mode: ${chalk.cyan('single-vendor')} (only ${chalk.bold(vendor)} is available)`);
+        return { mode: 'single-vendor', claudeEnabled: claudeOk, codexEnabled: codexOk };
+    }
+    if (opts.yes && currentMode) {
+        console.log(`  Using existing mode: ${chalk.cyan(currentMode)}`);
+        return {
+            mode: currentMode,
+            claudeEnabled: currentClaudeEnabled,
+            codexEnabled: currentCodexEnabled,
+        };
+    }
+    if (currentMode && !opts.yes) {
+        const keep = await ask(`  Current mode: ${chalk.cyan(currentMode)}. Keep this? [Y/n]: `);
+        if (keep.toLowerCase() !== 'n') {
+            return {
+                mode: currentMode,
+                claudeEnabled: currentClaudeEnabled,
+                codexEnabled: currentCodexEnabled,
+            };
+        }
+        console.log();
+    }
+    console.log('  How should reviews be assigned?\n');
+    console.log(`  [1] cross-vendor   — ${chalk.dim('Claude reviews Codex PRs; Codex reviews Claude PRs')}`);
+    console.log(`  [2] single-vendor  — ${chalk.dim('one AI reviews all PRs')}`);
+    console.log();
+    const choice = await ask('  Choice [1]: ');
+    console.log();
+    if (choice === '2') {
+        console.log('  Which AI should review all PRs?\n');
+        console.log(`  [1] claude`);
+        console.log(`  [2] codex`);
+        console.log();
+        const vendorChoice = await ask('  Choice [1]: ');
+        console.log();
+        const vendor = vendorChoice === '2' ? 'codex' : 'claude';
+        return {
+            mode: 'single-vendor',
+            claudeEnabled: vendor === 'claude',
+            codexEnabled: vendor === 'codex',
+        };
+    }
+    return { mode: 'cross-vendor', claudeEnabled: true, codexEnabled: true };
 }
-// ── Branding step (shared by all personas) ────────────────────────────────────
-async function askBranding(existingBrand) {
-    const brand = {
-        service_name: existingBrand?.service_name ?? 'crosscheck',
-        comment_header: existingBrand?.comment_header ?? '',
-        comment_footer: existingBrand?.comment_footer ?? '',
-        reviewer_attribution: existingBrand?.reviewer_attribution ?? '',
-    };
-    const wantBranding = await confirmOptIn('\nAdd custom branding to review comments? (for teams, services, or personal flair)');
-    if (!wantBranding)
-        return brand;
-    const name = await ask(`  Name or label shown in comments (${brand.service_name}): `);
-    if (name)
-        brand.service_name = name;
-    const header = await ask('  Comment header (prepended to every review, Enter to skip): ');
-    brand.comment_header = header;
-    const footer = await ask('  Comment footer (appended to every review, Enter to skip): ');
-    brand.comment_footer = footer;
-    const attr = await ask('  Reviewer attribution line (replaces "Reviewed by {vendor}", Enter to skip): ');
-    brand.reviewer_attribution = attr;
-    return brand;
+async function promptWorkflowPipeline(currentAutoFixEnabled, opts) {
+    if (opts.yes) {
+        const preset = currentAutoFixEnabled === true ? 'review-fix' : 'review-only';
+        console.log(`  Using existing pipeline: ${chalk.cyan(preset)}`);
+        return preset;
+    }
+    console.log('  What should happen after a review?\n');
+    console.log(`  [1] review only              — ${chalk.dim('AI posts a comment; you handle fixes')}`);
+    console.log(`  [2] review → fix             — ${chalk.dim('AI reviews, then auto-applies fixes')}  ${chalk.green('(recommended)')}`);
+    console.log(`  [3] review → fix → re-check  — ${chalk.dim('full loop: review, fix, re-review to confirm')}`);
+    console.log();
+    const choice = await ask('  Choice [2]: ');
+    console.log();
+    if (choice === '1')
+        return 'review-only';
+    if (choice === '3')
+        return 'review-fix-recheck';
+    return 'review-fix';
 }
-// ── Main ──────────────────────────────────────────────────────────────────────
-export async function runOnboard(opts) {
+// Workflow YAML for the recheck preset — written to ~/.crosscheck/workflow.yml
+const WORKFLOW_RECHECK_YAML = `# crosscheck workflow — generated by crosscheck onboard
+# Place a .crosscheck/workflow.yml in your project root to override this global file.
+
+on: [opened, synchronize]
+steps:
+  - name: review
+    type: review
+    reviewer: auto
+    max_rounds: 1
+
+  - name: fix
+    type: fix
+    reviewer: origin
+    when: "review.verdict != 'APPROVE'"
+    max_rounds: 1
+
+  - name: recheck
+    type: recheck
+    reviewer: auto
+    when: "fix.applied_count > 0"
+    max_rounds: 1
+`;
+export async function runOnboard(opts = {}) {
+    if (!process.stdin.isTTY) {
+        console.error(chalk.red('onboard requires an interactive terminal.'));
+        console.error(chalk.dim('Run crosscheck init and edit crosscheck.config.yml manually.'));
+        process.exit(1);
+    }
     console.log(chalk.bold('\ncrosscheck onboard\n'));
-    // Resolve config path — prefer explicit, then project-local, then global default
-    const configPath = resolveConfigPath(opts.config) ?? join(homedir(), '.crosscheck', 'config.yml');
-    const hasFile = existsSync(configPath);
-    const existing = hasFile ? loadConfig(configPath) : null;
-    // If already fully configured and user didn't request reconfigure or fast-mode, show summary
-    if (hasFile && existing?.deployment && !opts.reconfigure && !opts.personal && !opts.team) {
-        console.log(chalk.dim(`  Found existing config at ${configPath}\n`));
-        console.log(`  ${'deployment'.padEnd(14)}${existing.deployment}`);
-        if (existing.orgs.length)
-            console.log(`  ${'orgs'.padEnd(14)}${existing.orgs.join(', ')}`);
-        if (existing.users.length)
-            console.log(`  ${'users'.padEnd(14)}${existing.users.join(', ')}`);
-        if (existing.repos.length)
-            console.log(`  ${'repos'.padEnd(14)}${existing.repos.length} configured`);
-        console.log();
-        console.log(chalk.dim('  Already configured. Run  crosscheck watch  to start.'));
-        console.log(chalk.dim('  Use --reconfigure to change settings.\n'));
-        return;
-    }
-    // ── Step 0: Environment checks (compact) ──────────────────────────────────
-    console.log(chalk.dim('Checking environment...\n'));
-    const { results: checks } = await runChecks();
-    for (const c of checks) {
-        const icon = c.ok ? chalk.green('✓') : chalk.red('✗');
-        const detail = c.ok ? chalk.dim(c.detail) : chalk.yellow(c.detail);
-        console.log(`  ${icon} ${c.label.padEnd(22)} ${detail}`);
-        if (!c.ok && c.fix)
-            console.log(`      ${chalk.dim('→')} ${chalk.dim(c.fix)}`);
-    }
-    const failures = checks.filter(c => !c.ok && c.fix);
-    console.log(failures.length === 0
-        ? chalk.green('\n  ✓ environment ready — proceeding to setup\n')
-        : chalk.yellow(`\n  ⚠ ${failures.length} issue(s) to address — see above; continuing setup\n`));
-    // ── Resolve GitHub identity ──────────────────────────────────────────────
-    let token = '';
-    let login = '';
-    let detectedOrgs = [];
+    // ── Step 1: Auth check ─────────────────────────────────────────────────────
+    console.log(chalk.bold('Step 1 — environment check'));
+    const env = await checkEnv();
+    if (!env.ok)
+        process.exit(1);
+    console.log();
+    // ── Step 2: Deployment mode ────────────────────────────────────────────────
+    console.log(chalk.bold('Step 2 — deployment mode'));
+    const configPath = opts.config ?? resolveConfigPath() ?? join(homedir(), '.crosscheck', 'config.yml');
+    const existingConfig = existsSync(configPath) ? loadConfig(configPath) : null;
+    const currentDeployment = existingConfig?.deployment;
+    let deployment;
+    if (opts.personal) {
+        deployment = 'personal';
+        console.log(`  Mode: ${chalk.cyan('personal')} (--personal flag)`);
+    }
+    else if (opts.team) {
+        deployment = 'team';
+        console.log(`  Mode: ${chalk.cyan('team')} (--team flag)`);
+    }
+    else if (currentDeployment && !opts.yes) {
+        const keep = await ask(`  Current mode: ${chalk.cyan(currentDeployment)}. Keep this? [Y/n]: `);
+        deployment = keep.toLowerCase() === 'n' ? await promptDeploymentMode() : currentDeployment;
+    }
+    else if (currentDeployment && opts.yes) {
+        deployment = currentDeployment;
+        console.log(`  Using existing mode: ${chalk.cyan(deployment)}`);
+    }
+    else {
+        deployment = await promptDeploymentMode();
+    }
+    console.log();
+    // ── Step 3: Repo selection ─────────────────────────────────────────────────
+    console.log(chalk.bold('Step 3 — select repos to monitor'));
+    let token;
     try {
         token = getGithubToken();
-        login = detectGitHubLogin() ?? '';
-        detectedOrgs = await listUserOrgs(token);
     }
-    catch {
-        console.log(chalk.dim('  (GitHub not authenticated — scope detection skipped)\n'));
+    catch (err) {
+        console.error(chalk.red(err instanceof Error ? err.message : String(err)));
+        process.exit(1);
     }
-    // ── Fast mode: skip questionnaire, write immediately ─────────────────────
-    if (opts.personal || opts.team) {
-        const deployment = opts.personal ? 'personal' : 'team';
-        mkdirSync(join(homedir(), '.crosscheck'), { recursive: true });
-        await runFastMode(deployment, configPath, login, detectedOrgs);
-        return;
-    }
-    // ── Step 1: Persona ───────────────────────────────────────────────────────
-    const currentPersonaDefault = existing?.deployment === 'team' ? 2 : 1;
-    const personaIdx = await pickOne('How will you use crosscheck?', [
-        `  ${chalk.bold('[1] personal')}  — I author PRs; review only my own work across my repos and orgs`,
-        `  ${chalk.bold('[2] team')}      — shared CR workflow; review PRs from multiple authors in org repos`,
-    ], currentPersonaDefault);
-    const deployment = personaIdx === 2 ? 'team' : 'personal';
-    let orgs = [];
-    let users = [];
-    let repos = [];
-    let allowedAuthors = [];
-    let authorRoutes = {};
-    let autoFix = false;
-    let deliveryMode = 'pull_request';
-    // ── Personal path ─────────────────────────────────────────────────────────
-    if (deployment === 'personal') {
-        // Step 2: Scope
-        const orgPreview = detectedOrgs.slice(0, 2).map(o => `github.com/${o}/*`).join(', ') || 'your org repos';
-        const orgSuffix = detectedOrgs.length ? `  (detected: ${detectedOrgs.join(', ')})` : '';
-        const existingScope = existing
-            ? (existing.users.length > 0 && existing.orgs.length > 0 ? 3
-                : existing.users.length > 0 ? 1
-                    : existing.orgs.length > 0 ? 2
-                        : existing.repos.length > 0 ? 1 // curated repos-only = personal scope
-                            : 3)
-            : 3;
-        const scopeIdx = await pickOne(`What should crosscheck monitor?${orgSuffix}`, [
-            `  ${chalk.bold('[1] My personal repos only')}     — github.com/${login || 'you'}/* — side projects you own directly`,
-            `  ${chalk.bold('[2] My org repos only')}          — ${orgPreview}`,
-            `  ${chalk.bold('[3] Both personal repos + orgs')} — everything across your GitHub account  ← recommended`,
-        ], existingScope);
-        const includePersonal = scopeIdx !== 2;
-        const includeOrgs = scopeIdx !== 1;
-        if (includeOrgs && detectedOrgs.length > 0) {
-            orgs = await promptOrgPicker(detectedOrgs, existing?.orgs.length ? existing.orgs : undefined);
-        }
-        if (includePersonal && token && login) {
-            if (scopeIdx === 1) {
-                // Curated mode (UC-01): pick specific repos
-                console.log(chalk.dim('\n  Fetching your repos...'));
-                try {
-                    const repoList = await fetchActiveRepos(login, token);
-                    const existingNames = existing?.repos.map(r => `${r.owner}/${r.name}`) ?? [];
-                    const picked = await promptRepoPicker(repoList, existingNames.length ? existingNames : undefined);
-                    repos = picked.map(full => {
-                        const [owner, name] = full.split('/');
-                        return { owner: owner ?? login, name: name ?? full };
-                    });
-                }
-                catch {
-                    console.log(chalk.dim('  (Could not fetch repos — add them manually to config.repos)\n'));
-                }
-            }
-            else {
-                // "Both" mode (UC-02): monitor all personal repos via users field
-                users = [login];
-            }
-        }
-        else if (includePersonal) {
-            users = login ? [login] : [];
+    const login = detectGitHubLogin() ?? '';
+    console.log(chalk.dim(`  Fetching repos for ${login || 'your account'}...`));
+    const [personalRepos, orgs] = await Promise.all([
+        login ? listUserRepos(login, token, true).catch(() => []) : Promise.resolve([]),
+        listUserOrgs(token).catch(() => []),
+    ]);
+    const orgRepoLists = await Promise.all(orgs.map(org => listOrgRepos(org, token).catch(() => [])));
+    const allRepos = [];
+    for (const r of personalRepos)
+        allRepos.push(`${r.owner}/${r.name}`);
+    for (let i = 0; i < orgs.length; i++) {
+        for (const r of orgRepoLists[i])
+            allRepos.push(`${r.owner}/${r.name}`);
+    }
+    const currentRepoKeys = new Set((existingConfig?.repos ?? []).map(r => `${r.owner}/${r.name}`));
+    const currentOrgs = new Set(existingConfig?.orgs ?? []);
+    let selectedRepos;
+    let selectedOrgs;
+    if (opts.yes && existingConfig) {
+        selectedRepos = [...currentRepoKeys];
+        selectedOrgs = [...currentOrgs];
+        console.log(`  Using existing repo selection (${selectedRepos.length} repos, ${selectedOrgs.length} orgs)`);
+    }
+    else {
+        if (allRepos.length === 0) {
+            console.log(chalk.yellow('  No repos found. You can add repos manually in your config file.'));
+            selectedRepos = [];
+            selectedOrgs = [];
         }
-        // Step 3: Author filter
-        const currentFilterDefault = existing?.routing?.allowed_authors?.length === 0 ? 2 : 1;
-        const filterIdx = await pickOne('Whose PRs should be reviewed?', [
-            `  ${chalk.bold('[1] Only mine')}   (author = ${login || 'you'})    ← recommended`,
-            `  ${chalk.bold('[2] Everyone')} in the monitored scope`,
-        ], currentFilterDefault);
-        if (filterIdx === 1) {
-            if (login) {
-                allowedAuthors = [login];
-                authorRoutes = { [login]: 'claude' };
+        else {
+            const sorted = [
+                ...allRepos.filter(r => currentRepoKeys.has(r)),
+                ...allRepos.filter(r => !currentRepoKeys.has(r)),
+            ];
+            console.log(chalk.dim(`  Found ${sorted.length} repos. Use arrows + space to select, enter to confirm.\n`));
+            const picked = await promptRepoPicker(sorted, {
+                title: 'Select repos to monitor:',
+                initialSelected: [...currentRepoKeys],
+            });
+            console.log();
+            const orgSet = new Set(orgs);
+            const orgCounts = {};
+            for (const r of picked) {
+                const owner = r.split('/')[0];
+                if (orgSet.has(owner))
+                    orgCounts[owner] = (orgCounts[owner] ?? 0) + 1;
             }
-            else {
-                // Login undetectable — writing an empty allowed_authors would disable filtering entirely.
-                // Prompt so the user can provide their handle manually.
-                const manual = await ask('  GitHub login (needed for author filter, Enter to skip): ');
-                if (manual) {
-                    allowedAuthors = [manual];
-                    authorRoutes = { [manual]: 'claude' };
-                }
-                else {
-                    console.log(chalk.yellow('  ⚠ allowed_authors left empty — all authors in scope will be reviewed.'));
-                    console.log(chalk.dim('    Add routing.allowed_authors to your config to restrict later.\n'));
+            const orgOffers = Object.entries(orgCounts).filter(([, count]) => count >= 3).map(([org]) => org);
+            selectedOrgs = [...currentOrgs];
+            selectedRepos = picked;
+            for (const org of orgOffers) {
+                if (currentOrgs.has(org))
+                    continue;
+                const answer = opts.yes ? 'n' : await ask(`  Monitor all of ${chalk.cyan(org)} instead of individual repos? [y/N]: `);
+                if (answer.toLowerCase() === 'y') {
+                    selectedOrgs.push(org);
+                    selectedRepos = selectedRepos.filter(r => !r.startsWith(`${org}/`));
                 }
             }
         }
-        // ── Team path ─────────────────────────────────────────────────────────────
     }
-    else {
-        // Step 2: Org picker
-        if (detectedOrgs.length > 0) {
-            orgs = await promptOrgPicker(detectedOrgs, existing?.orgs.length ? existing.orgs : undefined);
-        }
-        else {
-            const manual = await ask('  Enter org names (comma-separated, or Enter to skip): ');
-            orgs = manual ? manual.split(',').map(s => s.trim()).filter(Boolean) : [];
-        }
-        // Step 3: Author filter
-        const authorIdx = await pickOne('Whose PRs should be reviewed?', [
-            `  ${chalk.bold('[1] All authors')} (no filter) — review every PR in the org`,
-            `  ${chalk.bold('[2] Specific logins')}  — restrict to listed team members`,
-        ], 1);
-        if (authorIdx === 2) {
-            const raw = await ask('  Enter logins (comma-separated): ');
-            allowedAuthors = raw.split(',').map(s => s.trim()).filter(Boolean);
-        }
-        // Step 4: Review depth
-        const depthIdx = await pickOne('How deep should the CR workflow go?', [
-            `  ${chalk.bold('[1] CR only')}       — post review comments; humans apply fixes`,
-            `  ${chalk.bold('[2] CR + Auto-fix')} — crosscheck also proposes and commits fixes`,
-        ], 1);
-        if (depthIdx === 2) {
-            autoFix = true;
-            const deliveryIdx = await pickOne('How should auto-fixes be delivered?', [
-                `  ${chalk.bold('[1] Open a fix PR')}   (human reviews and merges before merge)   ← recommended`,
-                `  ${chalk.bold('[2] Push directly')} onto the PR branch`,
-            ], 1);
-            deliveryMode = deliveryIdx === 2 ? 'commit' : 'pull_request';
-        }
+    console.log();
+    // ── Step 4: Review mode (cross-vendor vs single-vendor) ───────────────────
+    console.log(chalk.bold('Step 4 — review mode'));
+    const vendorConfig = await promptVendorMode(env.claudeOk, env.codexOk, existingConfig?.mode, existingConfig?.vendors?.claude?.enabled ?? true, existingConfig?.vendors?.codex?.enabled ?? true, opts);
+    console.log();
+    // ── Step 5: Workflow pipeline ──────────────────────────────────────────────
+    console.log(chalk.bold('Step 5 — workflow pipeline'));
+    const pipelinePreset = await promptWorkflowPipeline(existingConfig?.post_review?.auto_fix?.enabled, opts);
+    console.log();
+    // ── Step 6: Confirm and write ──────────────────────────────────────────────
+    console.log(chalk.bold('Step 6 — review and write config'));
+    console.log();
+    console.log(`  deployment   ${chalk.cyan(deployment)}`);
+    console.log(`  mode         ${chalk.cyan(vendorConfig.mode)}`);
+    if (vendorConfig.mode === 'single-vendor') {
+        const activeVendor = vendorConfig.claudeEnabled ? 'claude' : 'codex';
+        console.log(`  vendor       ${chalk.cyan(activeVendor)}`);
+    }
+    console.log(`  pipeline     ${chalk.cyan(pipelinePreset)}`);
+    if (selectedOrgs.length > 0) {
+        console.log(`  orgs         ${selectedOrgs.map(o => chalk.cyan(o)).join(', ')}`);
+    }
+    if (selectedRepos.length > 0) {
+        console.log(`  repos        ${selectedRepos.slice(0, 5).map(r => chalk.cyan(r)).join(', ')}${selectedRepos.length > 5 ? chalk.dim(` +${selectedRepos.length - 5} more`) : ''}`);
+    }
+    if (selectedOrgs.length === 0 && selectedRepos.length === 0) {
+        console.log(`  ${chalk.yellow('No repos or orgs selected. Config will have empty scope.')}`);
+    }
+    console.log(`  config       ${chalk.dim(configPath)}`);
+    if (pipelinePreset === 'review-fix-recheck') {
+        const workflowPath = join(homedir(), '.crosscheck', 'workflow.yml');
+        console.log(`  workflow     ${chalk.dim(workflowPath)}`);
     }
-    // ── Optional branding (all paths) ─────────────────────────────────────────
-    const brand = await askBranding(existing?.brand);
-    // ── Confirmation preview ──────────────────────────────────────────────────
-    const COL = 14;
-    console.log(chalk.bold('\n  Your crosscheck config:\n'));
-    console.log(`    ${'persona'.padEnd(COL)}${deployment}`);
-    if (orgs.length)
-        console.log(`    ${'orgs'.padEnd(COL)}${orgs.join(', ')}`);
-    if (users.length)
-        console.log(`    ${'users'.padEnd(COL)}${users.join(', ')}`);
-    if (repos.length)
-        console.log(`    ${'repos'.padEnd(COL)}${repos.map(r => `${r.owner}/${r.name}`).join(', ')}`);
-    console.log(`    ${'filter'.padEnd(COL)}${allowedAuthors.length ? `author = ${allowedAuthors.join(', ')}` : 'all authors'}`);
-    if (autoFix)
-        console.log(`    ${'auto-fix'.padEnd(COL)}${deliveryMode}`);
-    if (brand.service_name !== 'crosscheck')
-        console.log(`    ${'brand'.padEnd(COL)}${brand.service_name}`);
-    console.log(`    ${'config'.padEnd(COL)}${configPath}`);
     console.log();
-    const ok = await confirmWrite();
-    if (!ok) {
-        console.log(chalk.dim('  Cancelled. No files written.\n'));
-        return;
-    }
-    // ── Write ─────────────────────────────────────────────────────────────────
-    writeOnboardConfig(configPath, {
-        deployment, login, orgs, users, repos,
-        allowedAuthors, authorRoutes,
-        autoFix, deliveryMode, brand,
+    if (!opts.yes) {
+        const confirm = await ask(`  Write to config? [Y/n]: `);
+        if (confirm.toLowerCase() === 'n') {
+            console.log(chalk.dim('  Aborted — no changes written.'));
+            return;
+        }
+    }
+    mkdirSync(dirname(configPath), { recursive: true });
+    patchDeploymentConfig(configPath, deployment, login, selectedOrgs, true);
+    // Patch all fields after deployment config is written
+    const raw = (yaml.load(readFileSync(configPath, 'utf8')) ?? {});
+    // Repos
+    raw.repos = selectedRepos.map(r => {
+        const [owner, name] = r.split('/');
+        return { owner, name };
     });
-    console.log(chalk.green(`\n  ✓ config written → ${configPath}`));
-    console.log(chalk.dim('  Run  crosscheck watch  to start.\n'));
+    if (selectedRepos.length > 0 || selectedOrgs.length > 0)
+        delete raw.users;
+    // Vendor mode
+    raw.mode = vendorConfig.mode;
+    if (!raw.vendors || typeof raw.vendors !== 'object')
+        raw.vendors = {};
+    const vendors = raw.vendors;
+    if (!vendors.claude)
+        vendors.claude = {};
+    if (!vendors.codex)
+        vendors.codex = {};
+    vendors.claude.enabled = vendorConfig.claudeEnabled;
+    vendors.codex.enabled = vendorConfig.codexEnabled;
+    // Workflow pipeline
+    if (!raw.post_review || typeof raw.post_review !== 'object')
+        raw.post_review = {};
+    const postReview = raw.post_review;
+    if (!postReview.auto_fix || typeof postReview.auto_fix !== 'object')
+        postReview.auto_fix = {};
+    const autoFix = postReview.auto_fix;
+    if (pipelinePreset === 'review-only') {
+        autoFix.enabled = false;
+    }
+    else {
+        autoFix.enabled = true;
+        autoFix.trigger = 'on_issues';
+        if (!autoFix.delivery || typeof autoFix.delivery !== 'object')
+            autoFix.delivery = {};
+        const delivery = autoFix.delivery;
+        if (!delivery.mode)
+            delivery.mode = 'commit';
+    }
+    writeFileSync(configPath, yaml.dump(raw, { lineWidth: -1, noRefs: true }));
+    console.log(chalk.green(`  ✓ config written to ${configPath}`));
+    // Manage global workflow.yml — write for recheck preset, remove stale file otherwise
+    const globalWorkflowPath = join(homedir(), '.crosscheck', 'workflow.yml');
+    if (pipelinePreset === 'review-fix-recheck') {
+        mkdirSync(join(homedir(), '.crosscheck'), { recursive: true });
+        writeFileSync(globalWorkflowPath, WORKFLOW_RECHECK_YAML);
+        console.log(chalk.green(`  ✓ workflow written to ${globalWorkflowPath}`));
+    }
+    else if (existsSync(globalWorkflowPath)) {
+        unlinkSync(globalWorkflowPath);
+        console.log(chalk.dim(`  ✓ stale global workflow removed (pipeline changed to ${pipelinePreset})`));
+    }
+    console.log();
+    // ── Step 7: Next step hint ────────────────────────────────────────────────
+    console.log(chalk.dim('  Run crosscheck watch to start monitoring.\n'));
 }
 //# sourceMappingURL=onboard.js.map