@octavio.bot/review 0.1.1 → 0.1.3

package/dist/index.mjs

@@ -15798,6 +15798,21 @@ var defaultResultPath = (pullNumber) => {
 };
 var truncateForLogs = (value) => value.length > REPORT_LOG_MAX_CHARS ? `${value.slice(0, REPORT_LOG_MAX_CHARS)}
 ...truncated...` : value;
+var ensureBinaryDirectoryOnPath = (binaryPath) => {
+  const directoryEnd = binaryPath.lastIndexOf("/");
+  if (directoryEnd <= 0) {
+    return;
+  }
+  const directory = binaryPath.slice(0, directoryEnd);
+  const currentPath = process.env.PATH ?? "";
+  const pathEntries = currentPath.split(":").filter((entry) => entry.length > 0);
+  if (pathEntries.includes(directory)) {
+    return;
+  }
+  process.env.PATH = currentPath.length > 0 ? `${directory}:${currentPath}` : directory;
+  process.stdout.write(`Added ${directory} to PATH for this process.
+`);
+};
 var knownOpenCodePaths = () => {
   const home = process.env.HOME;
   return [
@@ -15859,6 +15874,7 @@ var runOpenCodeInstall = async () => {
 var ensureOpenCodeInstalled = async (forceInstall) => {
   const detectedBeforeInstall = await detectOpenCode();
   if (detectedBeforeInstall) {
+    ensureBinaryDirectoryOnPath(detectedBeforeInstall.path);
     process.stdout.write(`OpenCode detected at ${detectedBeforeInstall.path} (${detectedBeforeInstall.version}).
 `);
     return detectedBeforeInstall;
@@ -15883,6 +15899,7 @@ var ensureOpenCodeInstalled = async (forceInstall) => {
   }
   process.stdout.write(`OpenCode installed at ${detectedAfterInstall.path} (${detectedAfterInstall.version}).
 `);
+  ensureBinaryDirectoryOnPath(detectedAfterInstall.path);
   return detectedAfterInstall;
 };
 var runDoctor = async () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@octavio.bot/review",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "private": false,
   "description": "CLI for OpenCode-powered pull request review checks",
   "homepage": "https://github.com/rustydotwtf/octavio.bot/tree/main/apps/review-bot-cli",
@@ -16,14 +16,15 @@
     "octavio-review": "./dist/index.mjs"
   },
   "files": [
-    "dist"
+    "dist",
+    "prompts"
   ],
   "type": "module",
   "publishConfig": {
     "access": "public"
   },
   "scripts": {
-    "build": "bun build ./src/index.ts --outfile ./dist/index.mjs --target bun --banner '#!/usr/bin/env bun' && chmod +x ./dist/index.mjs",
+    "build": "bun build ./src/index.ts --outfile ./dist/index.mjs --target bun --banner '#!/usr/bin/env bun' && chmod +x ./dist/index.mjs && rm -rf ./prompts && mkdir -p ./prompts && cp ../../packages/prompts/prompts/*.md ./prompts/",
     "prepack": "bun run build"
   },
   "dependencies": {

package/prompts/code-review.md

@@ -0,0 +1,25 @@
+---
+policy:
+  fail_on:
+    - "new:critical"
+    - "new:high"
+---
+
+# Code Review Instructions
+
+Review this pull request with a focus on correctness, security, and maintainability.
+
+Prioritize findings that are:
+
+1. likely bugs or regressions,
+2. security-sensitive,
+3. likely to cause production issues,
+4. expensive to maintain later.
+
+Only report findings that can be tied to a changed file and line number.
+
+When suggesting comments, be concise and include:
+
+- what is wrong,
+- why it matters,
+- what to change.

package/prompts/security-review.md

@@ -0,0 +1,39 @@
+---
+policy:
+  fail_on:
+    - "new:critical"
+    - "new:high"
+    - "new:medium"
+---
+
+# Security Review Instructions
+
+Review this pull request with a focus on exploitable security risk, misuse of sensitive data, and unsafe defaults.
+
+Prioritize findings that are:
+
+1. externally exploitable or privilege escalating,
+2. likely to leak secrets, tokens, PII, or internal metadata,
+3. likely to expose identifying or environment-specific traces that can deanonymize contributors,
+4. missing validation, authorization, or integrity checks,
+5. introducing insecure cryptography, transport, or storage patterns,
+6. mismatches between PR title/description claims and changed code that could hide risky behavior.
+
+Treat threat-model relevance as required context: report issues that materially increase risk in this repository's runtime paths.
+
+Avoid speculative findings without a concrete abuse path tied to changed code.
+
+Treat deceptive PR metadata as a security signal when it materially reduces reviewer ability to detect risky changes.
+
+When a finding is about PR metadata itself, use:
+
+- `path: "PR_TITLE"`, `line: 1` for title issues.
+- `path: "PR_DESCRIPTION"`, `line: 1` for description issues.
+
+Only report findings that can be tied to a changed file and line number, or to PR metadata locations above.
+
+When suggesting comments, be concise and include:
+
+- what the security issue is and how it can be abused,
+- why the risk matters in practical terms,
+- what concrete mitigation should be applied.

package/prompts/styling-review.md

@@ -0,0 +1,27 @@
+---
+policy:
+  fail_on:
+    - "new:critical"
+    - "new:high"
+---
+
+# Styling Review Instructions
+
+Review this pull request with a focus on style consistency, readability, and maintainability.
+
+Prioritize findings that are:
+
+1. inconsistent with existing project conventions,
+2. likely to make code harder to read or maintain,
+3. likely to increase review friction in future changes,
+4. clear opportunities for simpler or clearer structure.
+
+Avoid purely subjective preferences unless they conflict with an existing convention in this repository.
+
+Only report findings that can be tied to a changed file and line number.
+
+When suggesting comments, be concise and include:
+
+- what is inconsistent or unclear,
+- why it matters for maintainability,
+- what concrete change would align with project style.