@theihtisham/review-agent 1.0.0

package/src/github.ts

@@ -0,0 +1,180 @@
+import * as core from "@actions/core";
+import * as github from "@actions/github";
+import {
+  GitHubPRContext,
+  FileDiff,
+  ReviewResult,
+  ReviewType,
+} from "./types";
+import { formatCommentBody, buildSummaryComment } from "./utils/security";
+import { RateLimiter, RetryHandler } from "./utils/rate-limiter";
+
+const apiLimiter = new RateLimiter(5, 300);
+
+export class GitHubClient {
+  private octokit: ReturnType<typeof github.getOctokit>;
+  private context: GitHubPRContext;
+
+  constructor(token: string) {
+    this.octokit = github.getOctokit(token);
+    const ctx = github.context;
+
+    if (!ctx.payload.pull_request) {
+      throw new Error(
+        "This action can only be run on pull_request events. No pull_request in payload."
+      );
+    }
+
+    this.context = {
+      owner: ctx.repo.owner,
+      repo: ctx.repo.repo,
+      pullNumber: ctx.payload.pull_request.number,
+      commitId:
+        ctx.payload.pull_request.head?.sha ||
+        ctx.payload.after ||
+        "",
+    };
+
+    core.info(
+      `GitHub context: ${this.context.owner}/${this.context.repo}#${this.context.pullNumber} @ ${this.context.commitId.substring(0, 7)}`
+    );
+  }
+
+  getContext(): GitHubPRContext {
+    return { ...this.context };
+  }
+
+  async getDiff(): Promise<FileDiff[]> {
+    await apiLimiter.acquire();
+    try {
+      return await RetryHandler.withRetry(async () => {
+        const response = await this.octokit.rest.pulls.listFiles({
+          owner: this.context.owner,
+          repo: this.context.repo,
+          pull_number: this.context.pullNumber,
+        });
+
+        return response.data
+          .filter((file) => file.patch)
+          .map((file) => ({
+            filename: file.filename,
+            patch: file.patch || "",
+            additions: file.additions,
+            deletions: file.deletions,
+            changeType: file.status,
+          }));
+      }, 2, 1000);
+    } finally {
+      apiLimiter.release();
+    }
+  }
+
+  async getFileContent(path: string, ref?: string): Promise<string | null> {
+    await apiLimiter.acquire();
+    try {
+      return await RetryHandler.withRetry(async () => {
+        try {
+          const response = await this.octokit.rest.repos.getContent({
+            owner: this.context.owner,
+            repo: this.context.repo,
+            path,
+            ref: ref || this.context.commitId,
+          });
+
+          if ("content" in response.data && response.data.content) {
+            return Buffer.from(response.data.content, "base64").toString(
+              "utf-8"
+            );
+          }
+          return null;
+        } catch (err: unknown) {
+          if (
+            err instanceof Error &&
+            "status" in err &&
+            (err as { status: number }).status === 404
+          ) {
+            return null;
+          }
+          throw err;
+        }
+      }, 1, 500);
+    } finally {
+      apiLimiter.release();
+    }
+  }
+
+  async postReview(
+    result: ReviewResult,
+    reviewType: ReviewType,
+    filesReviewed: number
+  ): Promise<{ reviewId: number; commentsPosted: number }> {
+    const event = reviewType === "request-changes" ? "REQUEST_CHANGES" :
+                  reviewType === "approve" ? "APPROVE" : "COMMENT";
+
+    const body = buildSummaryComment(
+      result.score,
+      result.breakdown,
+      result.summary,
+      filesReviewed,
+      result.comments.length
+    );
+
+    const reviewComments = result.comments.map((c) => ({
+      path: c.path,
+      line: c.line,
+      side: c.side as "LEFT" | "RIGHT",
+      body: formatCommentBody(c.body, c.severity, c.category),
+      ...(c.startLine ? { start_line: c.startLine, start_side: c.side as "LEFT" | "RIGHT" } : {}),
+    }));
+
+    await apiLimiter.acquire();
+    try {
+      core.info(`Posting review with ${reviewComments.length} comments (event: ${event})`);
+
+      const response = await RetryHandler.withRetry(
+        () =>
+          this.octokit.rest.pulls.createReview({
+            owner: this.context.owner,
+            repo: this.context.repo,
+            pull_number: this.context.pullNumber,
+            commit_id: this.context.commitId,
+            body,
+            event,
+            comments: reviewComments,
+          }),
+        2,
+        2000
+      );
+
+      const reviewId = response.data.id;
+
+      core.info(`Review posted: ID=${reviewId}, comments=${reviewComments.length}`);
+      return { reviewId, commentsPosted: reviewComments.length };
+    } finally {
+      apiLimiter.release();
+    }
+  }
+
+  async postFallbackComment(result: ReviewResult, filesReviewed: number): Promise<void> {
+    const body = buildSummaryComment(
+      result.score,
+      result.breakdown,
+      result.summary,
+      filesReviewed,
+      result.comments.length
+    );
+
+    await apiLimiter.acquire();
+    try {
+      await this.octokit.rest.issues.createComment({
+        owner: this.context.owner,
+        repo: this.context.repo,
+        issue_number: this.context.pullNumber,
+        body,
+      });
+      core.info("Fallback summary comment posted");
+    } finally {
+      apiLimiter.release();
+    }
+  }
+}

package/src/llm-client.ts

@@ -0,0 +1,210 @@
+import OpenAI from "openai";
+import * as core from "@actions/core";
+import {
+  LLMProvider,
+  ReviewAgentConfig,
+  RepoConvention,
+  FileDiff,
+  LLMReviewResponse,
+} from "./types";
+import { formatDiffForReview, getFileLanguage } from "./utils/diff-parser";
+import { RateLimiter, RetryHandler } from "./utils/rate-limiter";
+
+const rateLimiter = new RateLimiter(3, 1000);
+
+export class LLMClient {
+  private client: OpenAI;
+  private model: string;
+  private provider: LLMProvider;
+
+  constructor(config: ReviewAgentConfig) {
+    this.provider = config.llm.provider;
+    this.model = config.llm.model;
+
+    const options: ConstructorParameters<typeof OpenAI>[0] = {
+      apiKey: config.llm.apiKey || "ollama-placeholder",
+      baseURL: config.llm.baseUrl,
+    };
+
+    if (this.provider === "anthropic") {
+      options.defaultHeaders = {
+        "anthropic-version": "2023-06-01",
+        "anthropic-dangerous-direct-browser-access": "true",
+      };
+    }
+
+    this.client = new OpenAI(options);
+  }
+
+  async reviewFile(
+    diff: FileDiff,
+    conventions: RepoConvention[],
+    config: ReviewAgentConfig
+  ): Promise<LLMReviewResponse> {
+    await rateLimiter.acquire();
+    try {
+      return await RetryHandler.withRetry(
+        () => this.doReviewFile(diff, conventions, config),
+        2,
+        1500
+      );
+    } finally {
+      rateLimiter.release();
+    }
+  }
+
+  private async doReviewFile(
+    diff: FileDiff,
+    conventions: RepoConvention[],
+    config: ReviewAgentConfig
+  ): Promise<LLMReviewResponse> {
+    const language = getFileLanguage(diff.filename);
+    const diffText = formatDiffForReview(diff);
+
+    const systemPrompt = this.buildSystemPrompt(language, conventions, config);
+    const userPrompt = this.buildUserPrompt(diffText, config);
+
+    core.info(`Reviewing ${diff.filename} (${language}) with ${this.provider}/${this.model}`);
+
+    const completion = await this.client.chat.completions.create({
+      model: this.model,
+      messages: [
+        { role: "system", content: systemPrompt },
+        { role: "user", content: userPrompt },
+      ],
+      temperature: 0.1,
+      max_tokens: 4096,
+      response_format: { type: "json_object" },
+    });
+
+    const content = completion.choices[0]?.message?.content;
+    if (!content) {
+      throw new Error("LLM returned empty response");
+    }
+
+    return this.parseResponse(content);
+  }
+
+  private buildSystemPrompt(
+    language: string,
+    conventions: RepoConvention[],
+    config: ReviewAgentConfig
+  ): string {
+    const conventionText =
+      conventions.length > 0
+        ? conventions
+            .map(
+              (c) =>
+                `- ${c.language}: naming=${c.namingStyle}, patterns=${c.patterns.join(", ")}${c.examples.length > 0 ? `, examples=${c.examples.join("; ")}` : ""}`
+            )
+            .join("\n")
+        : "No conventions learned.";
+
+    const customRulesText =
+      config.rules.length > 0
+        ? config.rules
+            .map(
+              (r) =>
+                `- "${r.name}": pattern=/${r.pattern}/, message="${r.message}", severity=${r.severity}, category=${r.category}`
+            )
+            .join("\n")
+        : "No custom rules.";
+
+    return `You are an expert code reviewer. Analyze the provided code diff and find issues.
+
+## Review Categories
+- **bug**: Logic errors, null/undefined access, off-by-one errors, race conditions, unhandled edge cases
+- **security**: OWASP Top 10 (injection, XSS, CSRF, broken auth, sensitive data exposure, security misconfiguration, etc.), hardcoded secrets, unsafe deserialization
+- **performance**: N+1 queries, unnecessary re-renders, memory leaks, missing indexes, inefficient algorithms
+- **style**: Naming, formatting, code organization, readability
+- **convention**: Violations of project-specific patterns and conventions
+
+## Severity Levels
+- **critical**: Must fix before merge — security vulnerabilities, bugs that will cause failures
+- **warning**: Should fix — potential bugs, performance issues, bad practices
+- **info**: Nice to have — style improvements, minor optimizations
+
+## Repository Conventions
+${conventionText}
+
+## Custom Rules
+${customRulesText}
+
+## Language
+The code is primarily ${language}. Apply language-specific best practices.
+
+## Constraints
+- Only flag lines that appear in the diff (lines starting with +)
+- Minimum severity threshold: ${config.review.severity}
+- Be specific: reference the exact line and explain WHY it is an issue and HOW to fix it
+- Do not flag false positives
+- If the code looks good, return an empty comments array
+
+## Response Format
+Respond with a JSON object:
+{
+  "comments": [
+    {
+      "line": <line number in the new file>,
+      "endLine": <optional end line for multi-line issues>,
+      "severity": "critical" | "warning" | "info",
+      "category": "bug" | "security" | "performance" | "style" | "convention",
+      "message": "Clear description of the issue and suggested fix"
+    }
+  ],
+  "score": <0-100 overall quality score for this file>,
+  "summary": "Brief summary of findings"
+}`;
+  }
+
+  private buildUserPrompt(
+    diffText: string,
+    _config: ReviewAgentConfig
+  ): string {
+    return `Please review this code diff and provide feedback:
+
+${diffText}
+
+Return your review as a JSON object with "comments", "score", and "summary" fields.`;
+  }
+
+  private parseResponse(content: string): LLMReviewResponse {
+    try {
+      const parsed = JSON.parse(content);
+
+      const comments: LLMReviewResponse["comments"] = (parsed.comments || [])
+        .filter(
+          (c: Record<string, unknown>) =>
+            c.line &&
+            typeof c.line === "number" &&
+            c.severity &&
+            c.category &&
+            c.message
+        )
+        .map((c: Record<string, unknown>) => ({
+          line: c.line as number,
+          endLine: c.endLine as number | undefined,
+          severity: c.severity as LLMReviewResponse["comments"][0]["severity"],
+          category: c.category as LLMReviewResponse["comments"][0]["category"],
+          message: c.message as string,
+        }));
+
+      return {
+        comments,
+        score: typeof parsed.score === "number"
+          ? Math.max(0, Math.min(100, parsed.score))
+          : 75,
+        summary: typeof parsed.summary === "string" ? parsed.summary : "Review completed.",
+      };
+    } catch (err) {
+      core.warning(
+        `Failed to parse LLM response as JSON: ${err instanceof Error ? err.message : String(err)}`
+      );
+      return {
+        comments: [],
+        score: 75,
+        summary: "Review completed but response parsing failed.",
+      };
+    }
+  }
+}

package/src/main.ts

@@ -0,0 +1,106 @@
+import * as core from "@actions/core";
+import { parseActionInputs, buildConfig } from "./config";
+import { GitHubClient } from "./github";
+import { Reviewer } from "./reviewer";
+import { learnRepoConventions } from "./conventions";
+import { validateApiKey, sanitizeForLog } from "./utils/security";
+
+async function run(): Promise<void> {
+  try {
+    core.info("ReviewAgent starting...");
+
+    // 1. Parse and validate inputs
+    const inputs = parseActionInputs();
+    core.setSecret(inputs.githubToken);
+    if (inputs.llmApiKey) {
+      core.setSecret(inputs.llmApiKey);
+    }
+
+    validateApiKey(inputs.llmApiKey, inputs.llmProvider);
+
+    core.info(`Provider: ${inputs.llmProvider}, Model: ${inputs.llmModel}`);
+    core.info(`Severity threshold: ${inputs.severity}, Max comments: ${inputs.maxComments}`);
+
+    // 2. Build config (merge with .reviewagent.yml if present)
+    const workspaceDir =
+      process.env.GITHUB_WORKSPACE || process.cwd();
+    const config = buildConfig(inputs, workspaceDir);
+
+    // 3. Initialize GitHub client and get PR diff
+    const githubClient = new GitHubClient(inputs.githubToken);
+    const diffs = await githubClient.getDiff();
+
+    if (diffs.length === 0) {
+      core.info("No files changed in this PR. Nothing to review.");
+      setOutputs(0, "0", 100, "No files to review.");
+      return;
+    }
+
+    core.info(`Found ${diffs.length} changed files`);
+
+    // 4. Learn repo conventions from existing code
+    const conventions = await learnRepoConventions(
+      workspaceDir,
+      diffs,
+      config
+    );
+    if (conventions.length > 0) {
+      core.info(
+        `Learned conventions for: ${conventions.map((c) => c.language).join(", ")}`
+      );
+    }
+
+    // 5. Run the review
+    const reviewer = new Reviewer(config);
+    const result = await reviewer.review(diffs, conventions);
+
+    // 6. Post the review
+    const filesReviewed = diffs.filter(
+      (d) => !require("./utils/diff-parser").shouldIgnoreFile(d.filename, config)
+    ).length;
+
+    try {
+      const { reviewId, commentsPosted } = await githubClient.postReview(
+        result,
+        config.review.reviewType,
+        filesReviewed
+      );
+
+      setOutputs(
+        reviewId,
+        commentsPosted.toString(),
+        result.score,
+        result.summary
+      );
+    } catch (postErr) {
+      // If inline review fails (e.g., outdated diff), post as issue comment
+      core.warning(
+        `Inline review failed, posting as comment: ${postErr instanceof Error ? postErr.message : String(postErr)}`
+      );
+      await githubClient.postFallbackComment(result, filesReviewed);
+      setOutputs(0, "0", result.score, result.summary);
+    }
+
+    core.info(
+      `ReviewAgent complete: score=${result.score}, comments=${result.comments.length}`
+    );
+  } catch (err) {
+    const message =
+      err instanceof Error ? err.message : String(err);
+    core.setFailed(`ReviewAgent failed: ${sanitizeForLog(message)}`);
+  }
+}
+
+function setOutputs(
+  reviewId: number,
+  commentsPosted: string,
+  score: number,
+  summary: string
+): void {
+  core.setOutput("review-id", reviewId.toString());
+  core.setOutput("comments-posted", commentsPosted);
+  core.setOutput("score", score.toString());
+  core.setOutput("summary", summary);
+}
+
+run();

package/src/reviewer.ts

@@ -0,0 +1,161 @@
+import * as core from "@actions/core";
+import {
+  FileDiff,
+  ReviewAgentConfig,
+  ReviewComment,
+  ReviewResult,
+  RepoConvention,
+  ReviewCategory,
+} from "./types";
+import { LLMClient } from "./llm-client";
+import { scanForSecurityIssues } from "./reviewers/security";
+import { shouldIgnoreFile } from "./utils/diff-parser";
+import { severityMeetsThreshold } from "./config";
+
+export class Reviewer {
+  private llm: LLMClient;
+  private config: ReviewAgentConfig;
+
+  constructor(config: ReviewAgentConfig) {
+    this.llm = new LLMClient(config);
+    this.config = config;
+  }
+
+  async review(
+    diffs: FileDiff[],
+    conventions: RepoConvention[]
+  ): Promise<ReviewResult> {
+    const allComments: ReviewComment[] = [];
+    let totalScore = 0;
+    let scoredFiles = 0;
+    const breakdown: Record<ReviewCategory, number> = {
+      bug: 0,
+      security: 0,
+      performance: 0,
+      style: 0,
+      convention: 0,
+    };
+
+    const filteredDiffs = diffs.filter(
+      (d) => !shouldIgnoreFile(d.filename, this.config)
+    );
+
+    core.info(
+      `Reviewing ${filteredDiffs.length} files (${diffs.length - filteredDiffs.length} ignored)`
+    );
+
+    for (const diff of filteredDiffs) {
+      core.info(`Reviewing: ${diff.filename}`);
+
+      // 1. Static security scan (fast, local)
+      const securityComments = scanForSecurityIssues(diff, this.config);
+      for (const comment of securityComments) {
+        allComments.push(comment);
+        breakdown[comment.category]++;
+      }
+
+      // 2. LLM-powered deep review
+      try {
+        const llmResult = await this.llm.reviewFile(
+          diff,
+          conventions,
+          this.config
+        );
+
+        totalScore += llmResult.score;
+        scoredFiles++;
+
+        for (const llmComment of llmResult.comments) {
+          // Deduplicate: skip if static scanner already flagged this line for security
+          const isDuplicate =
+            llmComment.category === "security" &&
+            securityComments.some((sc) => sc.line === llmComment.line);
+
+          if (!isDuplicate && severityMeetsThreshold(llmComment.severity, this.config.review.severity)) {
+            allComments.push({
+              path: diff.filename,
+              line: llmComment.line,
+              side: "RIGHT",
+              body: llmComment.message,
+              severity: llmComment.severity,
+              category: llmComment.category,
+              startLine: llmComment.endLine,
+            });
+            breakdown[llmComment.category]++;
+          }
+        }
+      } catch (err) {
+        core.warning(
+          `LLM review failed for ${diff.filename}: ${err instanceof Error ? err.message : String(err)}`
+        );
+        // Continue reviewing other files
+      }
+    }
+
+    // Sort by severity (critical first), then by file and line
+    const sortedComments = allComments
+      .sort((a, b) => {
+        const severityOrder = { critical: 0, warning: 1, info: 2 };
+        const sevDiff = severityOrder[a.severity] - severityOrder[b.severity];
+        if (sevDiff !== 0) return sevDiff;
+        const pathDiff = a.path.localeCompare(b.path);
+        if (pathDiff !== 0) return pathDiff;
+        return a.line - b.line;
+      })
+      .slice(0, this.config.review.maxComments);
+
+    const avgScore =
+      scoredFiles > 0 ? Math.round(totalScore / scoredFiles) : 75;
+
+    // Deduct for issues found
+    const criticalCount = allComments.filter(
+      (c) => c.severity === "critical"
+    ).length;
+    const warningCount = allComments.filter(
+      (c) => c.severity === "warning"
+    ).length;
+    const finalScore = Math.max(
+      0,
+      Math.min(100, avgScore - criticalCount * 10 - warningCount * 3)
+    );
+
+    const summary = buildReviewSummary(sortedComments, filteredDiffs.length);
+
+    core.info(
+      `Review complete: score=${finalScore}, comments=${sortedComments.length}/${allComments.length}`
+    );
+
+    return {
+      comments: sortedComments,
+      score: finalScore,
+      summary,
+      breakdown,
+    };
+  }
+}
+
+function buildReviewSummary(
+  comments: ReviewComment[],
+  filesReviewed: number
+): string {
+  if (comments.length === 0) {
+    return `Reviewed ${filesReviewed} files. No issues found. Clean code!`;
+  }
+
+  const criticalCount = comments.filter((c) => c.severity === "critical").length;
+  const warningCount = comments.filter((c) => c.severity === "warning").length;
+  const infoCount = comments.filter((c) => c.severity === "info").length;
+
+  const parts: string[] = [];
+  if (criticalCount > 0) {
+    parts.push(`${criticalCount} critical issue${criticalCount > 1 ? "s" : ""}`);
+  }
+  if (warningCount > 0) {
+    parts.push(`${warningCount} warning${warningCount > 1 ? "s" : ""}`);
+  }
+  if (infoCount > 0) {
+    parts.push(`${infoCount} suggestion${infoCount > 1 ? "s" : ""}`);
+  }
+
+  return `Reviewed ${filesReviewed} files. Found ${parts.join(", ")}.`;
+}