@theihtisham/review-agent 1.0.0

package/__tests__/fixtures/mock-data.ts

@@ -0,0 +1,120 @@
+import { FileDiff } from "../../src/types";
+
+export const SAMPLE_DIFF_SINGLE_FILE: FileDiff = {
+  filename: "src/auth.ts",
+  patch: `@@ -1,5 +1,12 @@
+ import { Request, Response } from 'express';
+-import { verifyToken } from './jwt';
++import { verifyToken } from './jwt';
++
++const ADMIN_PASSWORD = "super_secret_123";
++
++function login(req: Request, res: Response) {
++  const query = "SELECT * FROM users WHERE name = '" + req.body.username + "'";
++  db.query(query);
++  if (req.body.password === ADMIN_PASSWORD) {
++    res.redirect(req.query.returnUrl);
+   }
++}`,
+  additions: 8,
+  deletions: 1,
+  changeType: "modified",
+};
+
+export const SAMPLE_DIFF_MULTI_FILE: FileDiff[] = [
+  {
+    filename: "src/auth.ts",
+    patch: `@@ -1,3 +1,8 @@
++const API_KEY = "sk-1234567890abcdef";
++
++function getUser(id) {
++  return eval("users[" + id + "]");
++}`,
+    additions: 5,
+    deletions: 0,
+    changeType: "added",
+  },
+  {
+    filename: "src/utils.ts",
+    patch: `@@ -10,3 +10,5 @@
+ export function formatName(name: string): string {
+-  return name.trim();
++  // TODO: fix security issue with name handling
++  return name.trim();
+ }`,
+    additions: 2,
+    deletions: 1,
+    changeType: "modified",
+  },
+  {
+    filename: "package-lock.json",
+    patch: `@@ -1,1 +1,2 @@
++{"locked": true}`,
+    additions: 1,
+    deletions: 0,
+    changeType: "modified",
+  },
+  {
+    filename: "src/styles.css",
+    patch: `@@ -1,1 +1,2 @@
++.button { color: red; }`,
+    additions: 1,
+    deletions: 0,
+    changeType: "modified",
+  },
+];
+
+export const SAMPLE_PATCH_MULTILINE = `@@ -5,10 +5,15 @@
+ function processData(data: any) {
+-  return data;
++  if (!data) {
++    return null;
++  }
++  console.log("Processing data with password", data.password);
++  const result = eval(data.formula);
++  return result;
+ }`;
+
+export const MOCK_LLM_RESPONSE = {
+  comments: [
+    {
+      line: 6,
+      severity: "critical" as const,
+      category: "security" as const,
+      message: "The eval() call allows arbitrary code execution. Never eval user input.",
+    },
+    {
+      line: 5,
+      severity: "critical" as const,
+      category: "security" as const,
+      message: "Avoid logging sensitive data like passwords.",
+    },
+    {
+      line: 3,
+      severity: "warning" as const,
+      category: "bug" as const,
+      message: "Returning null instead of throwing or providing a default may cause downstream errors.",
+    },
+  ],
+  score: 35,
+  summary: "Critical security issues found: eval() usage and hardcoded secrets. Score: 35/100",
+};
+
+export const MOCK_PR_PAYLOAD = {
+  action: "opened",
+  number: 42,
+  pull_request: {
+    number: 42,
+    head: {
+      sha: "abc123def456789012345678901234567890abcd",
+      ref: "feature/review-agent",
+    },
+    base: {
+      ref: "main",
+    },
+  },
+  repository: {
+    owner: { login: "testowner" },
+    name: "testrepo",
+  },
+};

package/__tests__/llm-client.test.ts

@@ -0,0 +1,166 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { LLMClient } from "../src/llm-client";
+import { ReviewAgentConfig, FileDiff } from "../src/types";
+
+const mockConfig: ReviewAgentConfig = {
+  llm: {
+    provider: "openai",
+    apiKey: "test-key-12345678",
+    model: "gpt-4o",
+    baseUrl: "https://api.openai.com/v1",
+  },
+  review: {
+    severity: "info",
+    maxComments: 50,
+    reviewType: "comment",
+    languageHints: [],
+    learnConventions: true,
+  },
+  ignore: { paths: [], extensions: [] },
+  rules: [],
+};
+
+const mockDiff: FileDiff = {
+  filename: "src/app.ts",
+  patch: `@@ -1,3 +1,5 @@
+ import express from 'express';
++const app = express();
++app.listen(3000);`,
+  additions: 2,
+  deletions: 0,
+  changeType: "modified",
+};
+
+describe("LLMClient", () => {
+  let client: LLMClient;
+
+  beforeEach(() => {
+    client = new LLMClient(mockConfig);
+  });
+
+  it("creates client with provided config", () => {
+    expect(client).toBeDefined();
+  });
+
+  it("parses valid JSON response correctly", async () => {
+    // Access the private parseResponse method via any
+    const parseResponse = (client as any).parseResponse.bind(client);
+
+    const validResponse = JSON.stringify({
+      comments: [
+        {
+          line: 2,
+          severity: "warning",
+          category: "performance",
+          message: "Consider adding error handling.",
+        },
+      ],
+      score: 80,
+      summary: "Good code with minor issues.",
+    });
+
+    const result = parseResponse(validResponse);
+    expect(result.comments).toHaveLength(1);
+    expect(result.comments[0].line).toBe(2);
+    expect(result.score).toBe(80);
+    expect(result.summary).toBe("Good code with minor issues.");
+  });
+
+  it("handles empty comments array", async () => {
+    const parseResponse = (client as any).parseResponse.bind(client);
+
+    const response = JSON.stringify({
+      comments: [],
+      score: 95,
+      summary: "Clean code!",
+    });
+
+    const result = parseResponse(response);
+    expect(result.comments).toEqual([]);
+    expect(result.score).toBe(95);
+  });
+
+  it("handles malformed JSON response gracefully", async () => {
+    const parseResponse = (client as any).parseResponse.bind(client);
+
+    const result = parseResponse("not valid json");
+    expect(result.comments).toEqual([]);
+    expect(result.score).toBe(75);
+  });
+
+  it("clamps score to 0-100 range", async () => {
+    const parseResponse = (client as any).parseResponse.bind(client);
+
+    const result1 = parseResponse(
+      JSON.stringify({ comments: [], score: 150, summary: "" })
+    );
+    expect(result1.score).toBe(100);
+
+    const result2 = parseResponse(
+      JSON.stringify({ comments: [], score: -10, summary: "" })
+    );
+    expect(result2.score).toBe(0);
+  });
+
+  it("filters out comments with missing required fields", async () => {
+    const parseResponse = (client as any).parseResponse.bind(client);
+
+    const response = JSON.stringify({
+      comments: [
+        { line: 1, severity: "warning", category: "bug", message: "valid" },
+        { line: 2, severity: "warning" }, // missing category and message
+        { severity: "info", category: "style", message: "no line" }, // missing line
+        { line: "not a number", severity: "info", category: "style", message: "bad line" },
+      ],
+      score: 60,
+      summary: "Some issues.",
+    });
+
+    const result = parseResponse(response);
+    expect(result.comments).toHaveLength(1);
+    expect(result.comments[0].message).toBe("valid");
+  });
+
+  it("builds system prompt with conventions", () => {
+    const buildSystemPrompt = (client as any).buildSystemPrompt.bind(client);
+
+    const prompt = buildSystemPrompt(
+      "typescript",
+      [
+        {
+          language: "typescript",
+          patterns: ["ES module imports"],
+          namingStyle: "camelCase",
+          examples: ["import { foo } from './bar'"],
+        },
+      ],
+      mockConfig
+    );
+
+    expect(prompt).toContain("code reviewer");
+    expect(prompt).toContain("typescript");
+    expect(prompt).toContain("camelCase");
+    expect(prompt).toContain("ES module imports");
+  });
+
+  it("builds system prompt with custom rules", () => {
+    const buildSystemPrompt = (client as any).buildSystemPrompt.bind(client);
+
+    const configWithRules: ReviewAgentConfig = {
+      ...mockConfig,
+      rules: [
+        {
+          name: "no-console",
+          pattern: "console\\.log",
+          message: "Use logger instead of console.log",
+          severity: "warning",
+          category: "convention",
+        },
+      ],
+    };
+
+    const prompt = buildSystemPrompt("javascript", [], configWithRules);
+    expect(prompt).toContain("no-console");
+    expect(prompt).toContain("logger instead");
+  });
+});

package/__tests__/rate-limiter.test.ts

@@ -0,0 +1,95 @@
+import { describe, it, expect } from "vitest";
+import { RateLimiter, RetryHandler } from "../src/utils/rate-limiter";
+
+describe("RateLimiter", () => {
+  it("allows requests within concurrency limit", async () => {
+    const limiter = new RateLimiter(3, 0);
+
+    const p1 = limiter.acquire();
+    const p2 = limiter.acquire();
+    const p3 = limiter.acquire();
+
+    await Promise.all([p1, p2, p3]);
+
+    expect(limiter.activeRequests).toBe(3);
+
+    limiter.release();
+    limiter.release();
+    limiter.release();
+
+    expect(limiter.activeRequests).toBe(0);
+  });
+
+  it("queues requests over concurrency limit", async () => {
+    const limiter = new RateLimiter(1, 0);
+    const order: number[] = [];
+
+    const run = async (id: number) => {
+      await limiter.acquire();
+      order.push(id);
+      limiter.release();
+    };
+
+    await Promise.all([run(1), run(2), run(3)]);
+
+    expect(order).toEqual([1, 2, 3]);
+  });
+
+  it("reports pending count correctly", () => {
+    const limiter = new RateLimiter(1, 100000);
+
+    expect(limiter.pendingCount).toBe(0);
+    expect(limiter.activeRequests).toBe(0);
+  });
+
+  it("respects minimum interval between calls", async () => {
+    const limiter = new RateLimiter(2, 50);
+    const timestamps: number[] = [];
+
+    const measure = async () => {
+      await limiter.acquire();
+      timestamps.push(Date.now());
+      // Hold for a moment
+      await new Promise<void>((r) => setTimeout(r, 10));
+      limiter.release();
+    };
+
+    await Promise.all([measure(), measure()]);
+
+    // Both should have completed
+    expect(timestamps.length).toBe(2);
+  });
+});
+
+describe("RetryHandler", () => {
+  it("returns result on first success", async () => {
+    const result = await RetryHandler.withRetry(() => Promise.resolve(42));
+    expect(result).toBe(42);
+  });
+
+  it("retries on failure and eventually succeeds", async () => {
+    let attempts = 0;
+    const result = await RetryHandler.withRetry(() => {
+      attempts++;
+      if (attempts < 3) {
+        throw new Error("fail");
+      }
+      return Promise.resolve("success");
+    }, 3, 10);
+
+    expect(result).toBe("success");
+    expect(attempts).toBe(3);
+  });
+
+  it("throws after max retries exceeded", async () => {
+    await expect(
+      RetryHandler.withRetry(() => Promise.reject(new Error("always fail")), 2, 10)
+    ).rejects.toThrow("always fail");
+  });
+
+  it("works with zero retries", async () => {
+    await expect(
+      RetryHandler.withRetry(() => Promise.reject(new Error("fail")), 0, 10)
+    ).rejects.toThrow("fail");
+  });
+});

package/__tests__/security-utils.test.ts

@@ -0,0 +1,152 @@
+import { describe, it, expect } from "vitest";
+import {
+  sanitizeForLog,
+  truncateString,
+  validateApiKey,
+  formatCommentBody,
+  buildSummaryComment,
+} from "../src/utils/security";
+
+describe("sanitizeForLog", () => {
+  it("redacts GitHub tokens", () => {
+    const input = 'token=ghp_1234567890abcdefghijklmnopqrstuvwxyz';
+    const result = sanitizeForLog(input);
+    expect(result).not.toContain("ghp_1234567890");
+    expect(result).toContain("[REDACTED]");
+  });
+
+  it("redacts OpenAI API keys", () => {
+    const input = 'key=sk-abcdefghijklmnopqrstuvwxyz1234567890';
+    const result = sanitizeForLog(input);
+    expect(result).not.toContain("sk-abcdefghijklmno");
+    expect(result).toContain("[REDACTED]");
+  });
+
+  it("redacts generic password assignments", () => {
+    const input = 'password: "mySecretPassword123"';
+    const result = sanitizeForLog(input);
+    expect(result).not.toContain("mySecretPassword123");
+    expect(result).toContain("[REDACTED]");
+  });
+
+  it("redacts JWT tokens", () => {
+    const input = "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc123";
+    const result = sanitizeForLog(input);
+    expect(result).toContain("[REDACTED]");
+  });
+
+  it("leaves safe strings untouched", () => {
+    const input = "User logged in successfully from 192.168.1.1";
+    const result = sanitizeForLog(input);
+    expect(result).toBe(input);
+  });
+
+  it("handles empty string", () => {
+    expect(sanitizeForLog("")).toBe("");
+  });
+});
+
+describe("truncateString", () => {
+  it("does not truncate strings within limit", () => {
+    expect(truncateString("hello", 10)).toBe("hello");
+  });
+
+  it("truncates long strings", () => {
+    const result = truncateString("a".repeat(100), 50);
+    expect(result.length).toBeLessThan(100);
+    expect(result).toContain("truncated");
+  });
+
+  it("handles exact length", () => {
+    expect(truncateString("hello", 5)).toBe("hello");
+  });
+});
+
+describe("validateApiKey", () => {
+  it("throws for missing OpenAI key", () => {
+    expect(() => validateApiKey("", "openai")).toThrow("required");
+  });
+
+  it("throws for missing Anthropic key", () => {
+    expect(() => validateApiKey("", "anthropic")).toThrow("required");
+  });
+
+  it("allows Ollama without key", () => {
+    expect(() => validateApiKey("", "ollama")).not.toThrow();
+  });
+
+  it("throws for very short key", () => {
+    expect(() => validateApiKey("abc", "openai")).toThrow("too short");
+  });
+
+  it("accepts valid key", () => {
+    expect(() => validateApiKey("sk-validapikey123456", "openai")).not.toThrow();
+  });
+});
+
+describe("formatCommentBody", () => {
+  it("includes severity emoji", () => {
+    const result = formatCommentBody("test message", "critical", "security");
+    expect(result).toContain("🔴");
+  });
+
+  it("includes category label", () => {
+    const result = formatCommentBody("test message", "warning", "performance");
+    expect(result).toContain("Performance");
+  });
+
+  it("includes the message", () => {
+    const result = formatCommentBody("Fix this bug", "info", "bug");
+    expect(result).toContain("Fix this bug");
+  });
+
+  it("includes ReviewAgent attribution", () => {
+    const result = formatCommentBody("test", "info", "style");
+    expect(result).toContain("ReviewAgent");
+  });
+});
+
+describe("buildSummaryComment", () => {
+  it("builds a summary with score and breakdown", () => {
+    const result = buildSummaryComment(
+      75,
+      { bug: 2, security: 1, performance: 0, style: 3, convention: 0 },
+      "Found some issues.",
+      5,
+      6
+    );
+
+    expect(result).toContain("75/100");
+    expect(result).toContain("Bug");
+    expect(result).toContain("Security");
+    expect(result).toContain("Style");
+    expect(result).toContain("5");
+    expect(result).toContain("6");
+  });
+
+  it("handles clean review with no issues", () => {
+    const result = buildSummaryComment(
+      100,
+      { bug: 0, security: 0, performance: 0, style: 0, convention: 0 },
+      "All good!",
+      3,
+      0
+    );
+
+    expect(result).toContain("100/100");
+    expect(result).toContain("Great");
+    expect(result).toContain("No issues found");
+  });
+
+  it("shows appropriate label for low scores", () => {
+    const result = buildSummaryComment(
+      25,
+      { bug: 5, security: 3, performance: 2, style: 1, convention: 1 },
+      "Major issues.",
+      10,
+      12
+    );
+
+    expect(result).toContain("Poor");
+  });
+});

package/__tests__/security.test.ts

@@ -0,0 +1,138 @@
+import { describe, it, expect } from "vitest";
+import { scanForSecurityIssues } from "../src/reviewers/security";
+import { FileDiff, ReviewAgentConfig } from "../src/types";
+
+const mockConfig: ReviewAgentConfig = {
+  llm: { provider: "openai", apiKey: "test", model: "gpt-4o", baseUrl: "" },
+  review: { severity: "info", maxComments: 50, reviewType: "comment", languageHints: [], learnConventions: true },
+  ignore: { paths: [], extensions: [] },
+  rules: [],
+};
+
+function makeDiff(patch: string, filename = "src/code.ts"): FileDiff {
+  return {
+    filename,
+    patch,
+    additions: 5,
+    deletions: 0,
+    changeType: "modified",
+  };
+}
+
+describe("scanForSecurityIssues", () => {
+  it("detects eval() usage", () => {
+    const diff = makeDiff(`@@ -1 +1,2 @@
++const result = eval(userInput);`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues.length).toBeGreaterThanOrEqual(1);
+    expect(issues.some((i) => i.body.includes("eval()"))).toBe(true);
+    expect(issues.some((i) => i.category === "security")).toBe(true);
+  });
+
+  it("detects SQL injection patterns", () => {
+    const diff = makeDiff(`@@ -1 +1,2 @@
++const query = "SELECT * FROM users WHERE id = " + userId;
++db.query(query);`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues.some((i) => i.body.toLowerCase().includes("sql"))).toBe(true);
+  });
+
+  it("detects hardcoded secrets", () => {
+    const diff = makeDiff(`@@ -1 +1,2 @@
++const password = "my_super_secret_password";`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues.some((i) => i.body.includes("Hardcoded secret"))).toBe(true);
+    expect(issues.some((i) => i.severity === "critical")).toBe(true);
+  });
+
+  it("detects innerHTML assignment", () => {
+    const diff = makeDiff(`@@ -1 +1,2 @@
++element.innerHTML = userInput;`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues.some((i) => i.body.includes("innerHTML"))).toBe(true);
+  });
+
+  it("detects unsafe redirects", () => {
+    const diff = makeDiff(`@@ -1 +1,2 @@
++res.redirect(req.query.returnUrl);`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues.some((i) => i.body.includes("redirect"))).toBe(true);
+  });
+
+  it("detects empty catch blocks", () => {
+    const diff = makeDiff(`@@ -1 +1,3 @@
++try { doSomething(); } catch(e) {}`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues.some((i) => i.body.includes("Empty catch"))).toBe(true);
+  });
+
+  it("detects console.log with sensitive data", () => {
+    const diff = makeDiff(`@@ -1 +1,2 @@
++console.log("User token:", user.token);`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues.some((i) => i.body.includes("sensitive data"))).toBe(true);
+  });
+
+  it("detects exec/spawn with string concatenation", () => {
+    const diff = makeDiff(`@@ -1 +1,2 @@
++exec("ls " + userInput);`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues.some((i) => i.body.includes("command injection"))).toBe(true);
+  });
+
+  it("does not flag clean code", () => {
+    const diff = makeDiff(`@@ -1 +1,3 @@
++function add(a: number, b: number): number {
++  return a + b;
++}`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues).toEqual([]);
+  });
+
+  it("respects severity threshold", () => {
+    const strictConfig: ReviewAgentConfig = {
+      ...mockConfig,
+      review: { ...mockConfig.review, severity: "critical" },
+    };
+    const diff = makeDiff(`@@ -1 +1,2 @@
++console.log("User token:", user.token);`);
+    const issues = scanForSecurityIssues(diff, strictConfig);
+    // console.log with sensitive is critical, should still be caught
+    expect(issues.some((i) => i.severity === "critical")).toBe(true);
+  });
+
+  it("detects HTTP URLs in fetch", () => {
+    const diff = makeDiff(`@@ -1 +1,2 @@
++fetch("http://api.example.com/data");`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    expect(issues.some((i) => i.body.includes("HTTPS"))).toBe(true);
+  });
+
+  it("applies custom security rules", () => {
+    const configWithRules: ReviewAgentConfig = {
+      ...mockConfig,
+      rules: [
+        {
+          name: "no-process-env",
+          pattern: "process\\.env\\.SECRET",
+          message: "Use config module instead of process.env.SECRET",
+          severity: "critical",
+          category: "security",
+        },
+      ],
+    };
+    const diff = makeDiff(`@@ -1 +1,2 @@
++const key = process.env.SECRET;`);
+    const issues = scanForSecurityIssues(diff, configWithRules);
+    expect(issues.some((i) => i.body.includes("config module"))).toBe(true);
+  });
+
+  it("ignores removed lines", () => {
+    const diff = makeDiff(`@@ -1,2 +1 @@
+-const password = "old_secret";
+-const result = eval(oldCode);`);
+    const issues = scanForSecurityIssues(diff, mockConfig);
+    // Removed lines should not be flagged
+    expect(issues).toEqual([]);
+  });
+});