@warpmetrics/review 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 WarpMetrics
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,80 @@
+# warp-review
+
+AI code reviewer that learns your codebase. Powered by [WarpMetrics](https://warpmetrics.com).
+
+![warp-review](https://img.shields.io/badge/warp--review---%25%20accepted-purple)
+
+## Quickstart
+
+```
+npx @warpmetrics/review init
+```
+
+That's it. Open a PR and warp-review will post its first review.
+
+## What it does
+
+- Reviews every PR with AI (Claude)
+- Posts inline comments on specific lines with suggested fixes
+- Tracks which comments get accepted or ignored
+- Learns your team's preferences via a local skills file
+- Sends telemetry to WarpMetrics so you can see review effectiveness over time
+
+## How it works
+
+```
+PR opened/synchronize          PR closed
+       |                           |
+       v                           v
+ Review Job                  Outcome Job
+ 1. Fetch diff + files       1. Find run via WM API
+ 2. Read skills.md           2. Log PR outcome (merged/closed)
+ 3. One LLM call             3. Check thread resolution
+ 4. Post inline comments     4. Log comment outcomes
+ 5. Log to WarpMetrics          (accepted/ignored)
+```
+
+Each review posts inline comments directly on the lines that need attention. When the PR closes, warp-review checks which comments were resolved (accepted) and which were ignored, logging everything to WarpMetrics.
+
+## Configuration
+
+### `.warp-review/config.json`
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `model` | `claude-sonnet-4-20250514` | Anthropic model to use |
+| `maxFilesPerReview` | `15` | Maximum files to review per PR |
+| `ignorePatterns` | `["*.lock", ...]` | Glob patterns for files to skip |
+
+### `.warp-review/skills.md`
+
+This file is the repo-local brain of warp-review. It ships with sensible defaults covering bugs, security issues, and common pitfalls. Edit it to teach warp-review your team's conventions.
+
+See [`defaults/skills.md`](defaults/skills.md) for the full default file.
+
+## Analytics
+
+warp-review sends review telemetry to [WarpMetrics](https://warpmetrics.com). See which comments get accepted, how much each review costs, and how your acceptance rate changes over time.
+
+Get your API key at [warpmetrics.com/app/api-keys](https://warpmetrics.com/app/api-keys).
+
+## FAQ
+
+**Does it review every PR?**
+Yes, on every `opened` and `synchronize` (new commits pushed) event.
+
+**What if I don't want it to review certain files?**
+Add glob patterns to `ignorePatterns` in `.warp-review/config.json`.
+
+**Can I use it without WarpMetrics?**
+No — WarpMetrics is required for outcome tracking and the review lifecycle. It's free to sign up.
+
+**Does it work on PRs from forks?**
+No. GitHub doesn't expose repository secrets to fork PRs for security reasons, so the API keys aren't available. This is a GitHub limitation.
+
+**Is my code sent to WarpMetrics?**
+No. Your code goes to Anthropic's API. WarpMetrics only receives metadata: token counts, latency, cost, comment text, and outcomes.
+
+## License
+
+MIT

package/bin/init.js

@@ -0,0 +1,183 @@
+#!/usr/bin/env node
+
+import { createInterface } from 'readline';
+import { existsSync, mkdirSync, copyFileSync, readFileSync, writeFileSync } from 'fs';
+import { execSync } from 'child_process';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const defaultsDir = join(__dirname, '..', 'defaults');
+
+const rl = createInterface({ input: process.stdin, output: process.stdout });
+
+function ask(question) {
+  return new Promise(resolve => rl.question(question, resolve));
+}
+
+function log(msg) {
+  console.log(msg);
+}
+
+async function main() {
+  log('');
+  log('  warp-review \u2014 AI code reviewer powered by WarpMetrics');
+  log('');
+
+  // 1. Anthropic API key
+  const llmKey = await ask('  ? Anthropic API key: ');
+  if (!llmKey.startsWith('sk-ant-')) {
+    log('  \u26a0 Warning: key doesn\'t start with sk-ant- — make sure this is a valid Anthropic API key');
+  }
+
+  // 2. WarpMetrics API key
+  const wmKey = await ask('  ? WarpMetrics API key (get one at warpmetrics.com/app/api-keys): ');
+  if (!wmKey.startsWith('wm_')) {
+    log('  \u26a0 Warning: key doesn\'t start with wm_ — make sure this is a valid WarpMetrics API key');
+  }
+
+  // 3. Model
+  const modelInput = await ask('  ? Model (default: claude-sonnet-4-20250514): ');
+  const model = modelInput.trim() || 'claude-sonnet-4-20250514';
+
+  log('');
+
+  // 4. Set GitHub secrets
+  let ghAvailable = false;
+  try {
+    execSync('gh --version', { stdio: 'ignore' });
+    ghAvailable = true;
+  } catch {
+    ghAvailable = false;
+  }
+
+  if (ghAvailable) {
+    log('  Setting GitHub secrets...');
+    try {
+      execSync('gh secret set WARP_REVIEW_LLM_API_KEY', { input: llmKey, stdio: ['pipe', 'ignore', 'ignore'] });
+      log('  \u2713 WARP_REVIEW_LLM_API_KEY set');
+    } catch (e) {
+      log(`  \u2717 Failed to set WARP_REVIEW_LLM_API_KEY: ${e.message}`);
+    }
+    try {
+      execSync('gh secret set WARP_REVIEW_WARPMETRICS_API_KEY', { input: wmKey, stdio: ['pipe', 'ignore', 'ignore'] });
+      log('  \u2713 WARP_REVIEW_WARPMETRICS_API_KEY set');
+    } catch (e) {
+      log(`  \u2717 Failed to set WARP_REVIEW_WARPMETRICS_API_KEY: ${e.message}`);
+    }
+  } else {
+    log('  gh (GitHub CLI) not found. Set these secrets manually:');
+    log('');
+    log('  gh secret set WARP_REVIEW_LLM_API_KEY');
+    log('  gh secret set WARP_REVIEW_WARPMETRICS_API_KEY');
+    log('  (gh will prompt for the value interactively)');
+  }
+  log('');
+
+  // 5. Create .warp-review/skills.md
+  const warpReviewDir = '.warp-review';
+  if (existsSync(warpReviewDir)) {
+    const overwrite = await ask('  warp-review is already configured. Overwrite? (y/N): ');
+    if (overwrite.toLowerCase() !== 'y') {
+      log('  Skipping .warp-review/ creation');
+    } else {
+      createWarpReviewDir(model);
+    }
+  } else {
+    createWarpReviewDir(model);
+  }
+
+  // 6. Create workflow
+  const workflowPath = '.github/workflows/warp-review.yml';
+  if (existsSync(workflowPath)) {
+    const overwrite = await ask('  Workflow already exists. Overwrite? (y/N): ');
+    if (overwrite.toLowerCase() !== 'y') {
+      log('  Skipping workflow creation');
+    } else {
+      createWorkflow();
+    }
+  } else {
+    createWorkflow();
+  }
+
+  log('');
+
+  // 7. Register outcome classifications
+  log('  Registering outcome classifications with WarpMetrics...');
+  const classifications = [
+    { name: 'Accepted', classification: 'success' },
+    { name: 'Merged', classification: 'success' },
+    { name: 'Active', classification: 'neutral' },
+    { name: 'Superseded', classification: 'neutral' },
+    { name: 'Closed', classification: 'neutral' },
+    { name: 'Ignored', classification: 'failure' },
+  ];
+
+  let classOk = true;
+  for (const { name, classification } of classifications) {
+    try {
+      const res = await fetch(`https://api.warpmetrics.com/v1/outcomes/classifications/${encodeURIComponent(name)}`, {
+        method: 'PUT',
+        headers: {
+          Authorization: `Bearer ${wmKey}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ classification }),
+      });
+      if (!res.ok) {
+        classOk = false;
+        console.warn(`  \u26a0 Failed to set classification ${name}: ${res.status}`);
+      }
+    } catch (e) {
+      classOk = false;
+      console.warn(`  \u26a0 Failed to set classification ${name}: ${e.message}`);
+    }
+  }
+  if (classOk) {
+    log('  \u2713 Outcomes configured');
+  } else {
+    log('  \u26a0 Some classifications failed — you can set them manually in the WarpMetrics dashboard');
+  }
+
+  // 8. Print next steps
+  log('');
+  log('  Done! Next steps:');
+  log('  1. git add .warp-review .github/workflows/warp-review.yml');
+  log('  2. git commit -m "Add warp-review"');
+  log('  3. Open a PR to see your first AI review');
+  log('  4. View analytics at https://app.warpmetrics.com');
+  log('');
+  log('  Optional \u2014 add this badge to your README:');
+  log('  ![warp-review](https://img.shields.io/badge/warp--review---%25%20accepted-purple)');
+  log('  (copy the line above into your README.md)');
+  log('');
+
+  rl.close();
+}
+
+function createWarpReviewDir(model) {
+  mkdirSync('.warp-review', { recursive: true });
+
+  log('  Creating .warp-review/skills.md...');
+  copyFileSync(join(defaultsDir, 'skills.md'), '.warp-review/skills.md');
+  log('  \u2713 Default skills file created');
+
+  log('  Creating .warp-review/config.json...');
+  const config = JSON.parse(readFileSync(join(defaultsDir, 'config.json'), 'utf8'));
+  config.model = model;
+  writeFileSync('.warp-review/config.json', JSON.stringify(config, null, 2) + '\n');
+  log('  \u2713 Config created');
+}
+
+function createWorkflow() {
+  log('  Creating .github/workflows/warp-review.yml...');
+  mkdirSync('.github/workflows', { recursive: true });
+  copyFileSync(join(defaultsDir, 'warp-review.yml'), '.github/workflows/warp-review.yml');
+  log('  \u2713 Workflow created');
+}
+
+main().catch(err => {
+  console.error('init failed:', err.message);
+  process.exitCode = 1;
+  rl.close();
+});

package/defaults/config.json

@@ -0,0 +1,12 @@
+{
+  "model": "claude-sonnet-4-20250514",
+  "maxFilesPerReview": 15,
+  "ignorePatterns": [
+    "*.lock",
+    "*.min.js",
+    "*.map",
+    "dist/**",
+    "node_modules/**",
+    "*.generated.*"
+  ]
+}

package/defaults/skills.md

@@ -0,0 +1,44 @@
+# warp-review skills
+
+These rules guide how warp-review reviews your code. Edit this file to teach
+warp-review your team's preferences. The more specific you are, the better
+the reviews get.
+
+Check your review analytics at https://app.warpmetrics.com to see which
+comments lead to merged changes and which get ignored — then update these
+rules accordingly.
+
+---
+
+## General
+
+- Focus on bugs, logic errors, and security issues over style nitpicks
+- Don't comment on formatting — assume the repo has a formatter
+- If a pattern appears intentional and consistent, don't flag it
+- Limit to 5 comments per file maximum — prioritize by severity
+
+## What to flag
+
+- Null/undefined access without guards
+- Unhandled promise rejections or missing error handling
+- SQL injection, XSS, or other injection vulnerabilities
+- Race conditions in async code
+- Resource leaks (unclosed connections, file handles, streams)
+- Hardcoded secrets or credentials
+- Off-by-one errors in loops and array access
+- Missing input validation on public API boundaries
+
+## What to ignore
+
+- Import ordering
+- Variable naming preferences (unless misleading)
+- Comment style or missing comments
+- Minor type annotation differences
+- Whitespace or formatting
+
+## Repo-specific rules
+
+<!-- Add your own rules below. Examples: -->
+<!-- - We use Result<T, E> pattern for error handling, don't suggest try/catch -->
+<!-- - All database queries must go through the QueryBuilder, never raw SQL -->
+<!-- - React components must use named exports, not default exports -->

package/defaults/warp-review.yml

@@ -0,0 +1,32 @@
+name: warp-review
+
+on:
+  pull_request:
+    types: [opened, synchronize, closed]
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  review:
+    if: github.event.action == 'opened' || github.event.action == 'synchronize'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: warpmetrics/warp-review@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          llm-api-key: ${{ secrets.WARP_REVIEW_LLM_API_KEY }}
+          warpmetrics-api-key: ${{ secrets.WARP_REVIEW_WARPMETRICS_API_KEY }}
+          mode: review
+
+  track-outcome:
+    if: github.event.action == 'closed'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: warpmetrics/warp-review@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          warpmetrics-api-key: ${{ secrets.WARP_REVIEW_WARPMETRICS_API_KEY }}
+          mode: outcome

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@warpmetrics/review",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "AI code reviewer that learns your codebase. Powered by WarpMetrics.",
+  "bin": {
+    "warp-review": "./bin/init.js"
+  },
+  "files": [
+    "bin/",
+    "src/",
+    "defaults/",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "@warpmetrics/warp": "latest",
+    "@anthropic-ai/sdk": "latest",
+    "minimatch": "^10.0.0"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/warpmetrics/warp-review"
+  },
+  "keywords": ["code-review", "ai", "github-action", "warpmetrics", "llm"]
+}

package/src/context.js

@@ -0,0 +1,112 @@
+const DEFAULT_CONTEXT_WINDOW = 200_000;
+const RESERVED_SYSTEM = 4_000;
+const RESERVED_RESPONSE = 4_000;
+
+function estimateTokens(text) {
+  return Math.ceil(text.length / 4);
+}
+
+export function getValidLines(patch) {
+  if (!patch) return new Set();
+  const lines = patch.split('\n');
+  const valid = new Set();
+  let currentLine = 0;
+
+  for (const raw of lines) {
+    const hunkMatch = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+    if (hunkMatch) {
+      currentLine = parseInt(hunkMatch[1], 10);
+      continue;
+    }
+    if (raw.startsWith('-')) continue;
+    if (raw.startsWith('\\')) continue;
+    valid.add(currentLine);
+    currentLine++;
+  }
+  return valid;
+}
+
+export function extractSnippet(patch, targetLine) {
+  if (!patch) return null;
+  const lines = patch.split('\n');
+  let currentLine = 0;
+  const patchLines = [];
+
+  for (const raw of lines) {
+    const hunkMatch = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+    if (hunkMatch) {
+      currentLine = parseInt(hunkMatch[1], 10);
+      continue;
+    }
+    if (raw.startsWith('-')) continue;
+    if (raw.startsWith('\\')) continue;
+    patchLines.push({ line: currentLine, text: raw.startsWith('+') ? raw.slice(1) : raw });
+    currentLine++;
+  }
+
+  const idx = patchLines.findIndex(p => p.line === targetLine);
+  if (idx === -1) return null;
+  const start = Math.max(0, idx - 1);
+  const end = Math.min(patchLines.length, idx + 2);
+  return patchLines.slice(start, end).map(p => p.text).join('\n');
+}
+
+export function buildContext(files, config) {
+  const contextWindow = DEFAULT_CONTEXT_WINDOW;
+  const budget = contextWindow - RESERVED_SYSTEM - RESERVED_RESPONSE;
+
+  // Sort by diff size ascending — smaller diffs get full context first
+  const sorted = [...files].sort((a, b) => {
+    const aDiff = estimateTokens(a.patch || '');
+    const bDiff = estimateTokens(b.patch || '');
+    return aDiff - bDiff;
+  });
+
+  let usedTokens = 0;
+  let truncatedCount = 0;
+  const sections = [];
+
+  for (const file of sorted) {
+    const diffText = file.patch || '(no diff available)';
+    const diffTokens = estimateTokens(diffText);
+
+    // Always include the diff — skip if even the diff doesn't fit
+    if (usedTokens + diffTokens > budget) {
+      truncatedCount++;
+      continue;
+    }
+
+    let fullContent = file.content || null;
+    let fullContentIncluded = false;
+
+    if (fullContent) {
+      const fullTokens = estimateTokens(fullContent);
+      if (usedTokens + diffTokens + fullTokens <= budget) {
+        fullContentIncluded = true;
+        usedTokens += diffTokens + fullTokens;
+      } else {
+        // Diff fits, full content doesn't
+        usedTokens += diffTokens;
+        truncatedCount++;
+      }
+    } else {
+      usedTokens += diffTokens;
+    }
+
+    const ext = file.filename.split('.').pop() || '';
+    let section = `## File: ${file.filename} (${file.status})\n\n### Diff\n\`\`\`diff\n${diffText}\n\`\`\`\n`;
+
+    if (fullContentIncluded && fullContent) {
+      section += `\n### Full file content\n\`\`\`${ext}\n${fullContent}\n\`\`\`\n`;
+    } else if (fullContent) {
+      section += `\n### Full file content\n(full content omitted — file too large)\n`;
+    }
+
+    sections.push(section);
+  }
+
+  return {
+    userMessage: sections.join('\n---\n\n'),
+    truncatedCount,
+  };
+}

package/src/github.js

@@ -0,0 +1,179 @@
+function ghHeaders() {
+  return {
+    Authorization: `token ${process.env.GITHUB_TOKEN}`,
+    Accept: 'application/vnd.github+json',
+    'Content-Type': 'application/json',
+  };
+}
+
+async function fetchWithRetry(url, options, maxRetries = 3) {
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    const res = await fetch(url, options);
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('retry-after') || '5', 10);
+      const delay = retryAfter * 1000 * (attempt + 1);
+      console.warn(`Rate limited by GitHub API, retrying in ${delay / 1000}s...`);
+      await new Promise(r => setTimeout(r, delay));
+      continue;
+    }
+    return res;
+  }
+  throw new Error(`GitHub API rate limit exceeded after ${maxRetries} retries`);
+}
+
+export async function getChangedFiles(owner, repo, pr) {
+  const files = [];
+  let page = 1;
+  while (true) {
+    const res = await fetchWithRetry(
+      `https://api.github.com/repos/${owner}/${repo}/pulls/${pr}/files?per_page=100&page=${page}`,
+      { headers: ghHeaders() },
+    );
+    if (!res.ok) throw new Error(`Failed to fetch changed files: ${res.status}`);
+    const batch = await res.json();
+    files.push(...batch);
+    if (batch.length < 100) break;
+    page++;
+  }
+  return files;
+}
+
+export async function getFileContent(owner, repo, path, ref) {
+  const res = await fetchWithRetry(
+    `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${ref}`,
+    { headers: ghHeaders() },
+  );
+
+  if (res.status === 403) {
+    // File too large for contents API — try Git Blob API
+    // Need to get the file SHA first from the tree
+    return null;
+  }
+  if (!res.ok) return null;
+
+  const data = await res.json();
+  if (data.encoding === 'base64' && data.content) {
+    return Buffer.from(data.content, 'base64').toString('utf8');
+  }
+  // Binary file or unexpected encoding
+  return null;
+}
+
+export async function getFileViaBlob(owner, repo, sha) {
+  const res = await fetchWithRetry(
+    `https://api.github.com/repos/${owner}/${repo}/git/blobs/${sha}`,
+    { headers: ghHeaders() },
+  );
+  if (!res.ok) return null;
+  const data = await res.json();
+  if (data.encoding === 'base64' && data.content) {
+    return Buffer.from(data.content, 'base64').toString('utf8');
+  }
+  return null;
+}
+
+export async function postReview(owner, repo, pr, headSha, body, comments) {
+  const res = await fetchWithRetry(
+    `https://api.github.com/repos/${owner}/${repo}/pulls/${pr}/reviews`,
+    {
+      method: 'POST',
+      headers: ghHeaders(),
+      body: JSON.stringify({
+        commit_id: headSha,
+        body,
+        event: 'COMMENT',
+        comments: comments.map(c => ({
+          path: c.file,
+          line: c.line,
+          side: 'RIGHT',
+          body: c.body,
+        })),
+      }),
+    },
+  );
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Failed to post review: ${res.status} ${text}`);
+  }
+  return res.json();
+}
+
+export async function getReviewCommentIds(owner, repo, pr, reviewId) {
+  const res = await fetchWithRetry(
+    `https://api.github.com/repos/${owner}/${repo}/pulls/${pr}/reviews/${reviewId}/comments`,
+    { headers: ghHeaders() },
+  );
+  if (!res.ok) throw new Error(`Failed to fetch review comments: ${res.status}`);
+  const comments = await res.json();
+  return comments.map(c => c.id);
+}
+
+export async function dismissReview(owner, repo, pr, reviewId, headSha) {
+  const shortSha = headSha.slice(0, 7);
+  try {
+    const res = await fetch(
+      `https://api.github.com/repos/${owner}/${repo}/pulls/${pr}/reviews/${reviewId}/dismissals`,
+      {
+        method: 'PUT',
+        headers: ghHeaders(),
+        body: JSON.stringify({ message: `Superseded by new review after commit ${shortSha}` }),
+      },
+    );
+    if (!res.ok) {
+      console.warn(`Failed to dismiss review ${reviewId}: ${res.status} — posting new review alongside old one`);
+    }
+  } catch (e) {
+    console.warn(`Failed to dismiss review ${reviewId}: ${e.message} — continuing`);
+  }
+}
+
+export async function buildThreadMap(owner, repo, pr) {
+  const query = `query($owner: String!, $repo: String!, $pr: Int!) {
+    repository(owner: $owner, name: $repo) {
+      pullRequest(number: $pr) {
+        reviewThreads(first: 100) {
+          nodes { isResolved, comments(first: 1) { nodes { databaseId } } }
+        }
+      }
+    }
+  }`;
+  const res = await fetch('https://api.github.com/graphql', {
+    method: 'POST',
+    headers: ghHeaders(),
+    body: JSON.stringify({ query, variables: { owner, repo, pr } }),
+  });
+  if (!res.ok) throw new Error(`GitHub GraphQL error: ${res.status}`);
+  const { data } = await res.json();
+
+  const map = new Map();
+  const threads = data?.repository?.pullRequest?.reviewThreads?.nodes || [];
+  for (const thread of threads) {
+    const id = thread.comments.nodes[0]?.databaseId;
+    if (id) map.set(id, { resolved: thread.isResolved });
+  }
+  return map;
+}
+
+export async function getThreadStatus(commentId, threadMap, fullRepo) {
+  const thread = threadMap.get(commentId);
+  if (!thread) return { resolved: false, latestReply: null };
+
+  let latestReply = null;
+  if (!thread.resolved) {
+    try {
+      const res = await fetchWithRetry(
+        `https://api.github.com/repos/${fullRepo}/pulls/comments/${commentId}/replies`,
+        { headers: ghHeaders() },
+      );
+      if (res.ok) {
+        const replies = await res.json();
+        if (replies.length > 0) {
+          latestReply = replies[replies.length - 1].body.slice(0, 280);
+        }
+      }
+    } catch {
+      // Failed to fetch replies — leave latestReply as null
+    }
+  }
+  return { resolved: thread.resolved, latestReply };
+}

package/src/index.js

@@ -0,0 +1,48 @@
+import { readFileSync } from 'fs';
+import { review } from './review.js';
+import { trackOutcome } from './outcome.js';
+
+function getContext() {
+  const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
+  const event = JSON.parse(readFileSync(process.env.GITHUB_EVENT_PATH, 'utf8'));
+  const pull = event.pull_request;
+
+  return {
+    owner,
+    repo,
+    fullRepo: `${owner}/${repo}`,
+    pr: pull.number,
+    action: event.action,
+    headSha: pull.head.sha,
+    baseSha: pull.base.sha,
+    title: pull.title,
+    body: pull.body || '',
+    htmlUrl: pull.html_url,
+    prAuthor: pull.user.login,
+    additions: pull.additions,
+    deletions: pull.deletions,
+    changedFiles: pull.changed_files,
+    baseBranch: pull.base.ref,
+    merged: pull.merged || false,
+    mergedBy: pull.merged_by?.login || null,
+  };
+}
+
+async function main() {
+  const mode = process.env.MODE || 'review';
+  const ctx = getContext();
+
+  if (mode === 'review') {
+    await review(ctx);
+  } else if (mode === 'outcome') {
+    await trackOutcome(ctx);
+  } else {
+    console.error(`Unknown mode: ${mode}. Use 'review' or 'outcome'.`);
+    process.exitCode = 1;
+  }
+}
+
+main().catch((err) => {
+  console.error('warp-review failed:', err.message);
+  process.exitCode = 1;
+});

package/src/llm.js

@@ -0,0 +1,6 @@
+import Anthropic from '@anthropic-ai/sdk';
+import { warp } from '@warpmetrics/warp';
+
+export function createClient(apiKey) {
+  return warp(new Anthropic({ apiKey }));
+}

package/src/outcome.js

@@ -0,0 +1,64 @@
+import { outcome, flush } from '@warpmetrics/warp';
+import { findRun } from './warpmetrics.js';
+import { buildThreadMap, getThreadStatus } from './github.js';
+
+export async function trackOutcome(ctx) {
+  const { owner, repo, fullRepo, pr, merged, mergedBy } = ctx;
+
+  // 1. Find the run
+  let runDetail;
+  try {
+    if (!process.env.WARPMETRICS_API_KEY) return;
+    runDetail = await findRun(fullRepo, pr);
+  } catch (e) {
+    console.warn(`WarpMetrics API unreachable during outcome tracking: ${e.message}`);
+    return;
+  }
+
+  // 2. No run found — exit silently
+  if (!runDetail) return;
+
+  try {
+    // 3. PR-level outcome
+    if (merged) {
+      outcome(runDetail.id, 'Merged', { merged_by: mergedBy });
+    } else {
+      outcome(runDetail.id, 'Closed');
+    }
+
+    // 4. Find active round (non-Superseded)
+    const activeRound = runDetail.groups
+      .filter(g => g.opts?.round)
+      .sort((a, b) => b.opts.round - a.opts.round)
+      .find(g => !g.outcomes?.some(o => o.name === 'Superseded'));
+
+    if (!activeRound) return;
+
+    // 5. Round-level outcome
+    outcome(activeRound.id, 'Active');
+
+    // 6. Comment-level outcomes
+    const threadMap = await buildThreadMap(owner, repo, pr);
+
+    const commentGroups = (activeRound.groups || []).filter(g => g.label !== '_summary');
+    for (const commentGroup of commentGroups) {
+      const commentId = commentGroup.opts?.github_comment_id;
+      if (!commentId) continue;
+
+      const thread = await getThreadStatus(commentId, threadMap, fullRepo);
+      if (thread.resolved) {
+        outcome(commentGroup.id, 'Accepted');
+      } else {
+        const opts = thread.latestReply ? { reason: thread.latestReply } : {};
+        outcome(commentGroup.id, 'Ignored', opts);
+      }
+    }
+  } finally {
+    // 7. Flush
+    try {
+      await flush();
+    } catch (e) {
+      console.warn(`Failed to flush WarpMetrics events: ${e.message}`);
+    }
+  }
+}

package/src/prompt.js

@@ -0,0 +1,45 @@
+export function buildSystemPrompt(skills, title, body) {
+  return `You are warp-review, an AI code reviewer. You review pull request diffs and
+post helpful, actionable comments.
+
+## Your review rules
+
+${skills}
+
+## Pull request context
+
+Title: ${title}
+Description: ${body}
+
+## Instructions
+
+- You are reviewing an entire pull request across multiple files
+- Use the PR title and description to understand the author's intent
+- For each file you receive: the unified diff AND the full file content for context
+- Look for cross-file issues: broken references, inconsistent signatures, missing imports
+- For each issue, respond with a JSON array of comments
+- Each comment must have: file (path), line (number in the new file), body (the comment text)
+- IMPORTANT: Only comment on lines that appear in the diff (added or modified lines marked with +). Do NOT comment on unchanged lines — they cannot receive inline comments.
+- Maximum 5 comments per file, 20 comments total — prioritize by severity
+- If everything looks fine, return an empty array []
+- Be concise. One comment = one issue. No preamble.
+- Every comment must suggest a fix or explain WHY something is wrong
+- Never comment on things covered by linters or formatters
+
+## Response format
+
+Respond with ONLY a JSON array. Each comment must include a \`category\` from this list:
+- \`bug\` — logic errors, null access, off-by-one, wrong return values
+- \`security\` — injection, XSS, auth bypass, hardcoded secrets
+- \`error-handling\` — missing try/catch, unhandled rejections, swallowed errors
+- \`performance\` — N+1 queries, unnecessary allocations, missing caching
+- \`concurrency\` — race conditions, deadlocks, missing locks
+- \`resource-leak\` — unclosed connections, file handles, streams
+- \`api-contract\` — breaking changes, missing validation, wrong types
+- \`other\` — anything not in the above categories
+
+[
+  {"file": "src/auth.js", "line": 42, "category": "bug", "body": "This can throw if \`user\` is null. Add a guard: \`if (!user) return;\`"},
+  {"file": "src/db.js", "line": 87, "category": "security", "body": "SQL injection risk — use parameterized query instead of string interpolation"}
+]`;
+}

package/src/review.js

@@ -0,0 +1,299 @@
+import { readFileSync, existsSync } from 'fs';
+import { minimatch } from 'minimatch';
+import { run, group, call, outcome, flush } from '@warpmetrics/warp';
+import { createClient } from './llm.js';
+import { findRun } from './warpmetrics.js';
+import {
+  getChangedFiles, getFileContent, getFileViaBlob,
+  postReview, getReviewCommentIds, dismissReview,
+} from './github.js';
+import { buildContext, getValidLines, extractSnippet } from './context.js';
+import { buildSystemPrompt } from './prompt.js';
+
+const DEFAULT_SKILLS = readFileSync(new URL('../defaults/skills.md', import.meta.url), 'utf8');
+const DEFAULT_CONFIG = JSON.parse(readFileSync(new URL('../defaults/config.json', import.meta.url), 'utf8'));
+
+function readConfig() {
+  try {
+    if (existsSync('.warp-review/config.json')) {
+      return { ...DEFAULT_CONFIG, ...JSON.parse(readFileSync('.warp-review/config.json', 'utf8')) };
+    }
+  } catch { /* fall through */ }
+  return DEFAULT_CONFIG;
+}
+
+function readSkills() {
+  try {
+    if (existsSync('.warp-review/skills.md')) {
+      return readFileSync('.warp-review/skills.md', 'utf8');
+    }
+  } catch { /* fall through */ }
+  return DEFAULT_SKILLS;
+}
+
+function parseComments(text) {
+  // Strip markdown code fences
+  let cleaned = text.replace(/^```(?:json)?\s*\n?/m, '').replace(/\n?```\s*$/m, '').trim();
+
+  // Extract first [...] block
+  const start = cleaned.indexOf('[');
+  const end = cleaned.lastIndexOf(']');
+  if (start !== -1 && end !== -1 && end > start) {
+    cleaned = cleaned.slice(start, end + 1);
+  }
+
+  return JSON.parse(cleaned);
+}
+
+async function llmWithRetry(anthropic, params, maxRetries = 3) {
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    try {
+      return await anthropic.messages.create(params);
+    } catch (e) {
+      const isRetryable = e.status === 429 || e.status === 529 || e.status >= 500 || e.code === 'ECONNREFUSED' || e.code === 'ETIMEDOUT' || e.code === 'ENOTFOUND';
+      if (!isRetryable || attempt === maxRetries - 1) throw e;
+      const delay = Math.pow(2, attempt) * 1000;
+      console.warn(`LLM API error (${e.status || e.code}), retrying in ${delay / 1000}s...`);
+      await new Promise(r => setTimeout(r, delay));
+    }
+  }
+}
+
+function buildSummary(commentsPosted, filesReviewed, runId, wmAvailable, { totalFiltered = 0, truncatedCount = 0 } = {}) {
+  const analyticsLink = wmAvailable && runId
+    ? `\n\n[View review analytics \u2192](https://app.warpmetrics.com/runs/${runId})`
+    : '';
+
+  const notes = [];
+  if (totalFiltered > filesReviewed) {
+    notes.push(`Reviewed ${filesReviewed}/${totalFiltered} files. Increase \`maxFilesPerReview\` in \`.warp-review/config.json\` to review more.`);
+  }
+  if (truncatedCount > 0) {
+    notes.push(`Context was truncated for ${truncatedCount} large file(s).`);
+  }
+  const notesText = notes.length > 0 ? '\n\n' + notes.join(' ') : '';
+
+  if (commentsPosted.length > 0) {
+    const fileCount = new Set(commentsPosted.map(c => c.file)).size;
+    const firstComment = commentsPosted[0].body.slice(0, 100);
+    return `**warp-review** found ${commentsPosted.length} issue(s) in ${fileCount} file(s).${notesText}\n\nMost critical: ${firstComment}${analyticsLink}\n\n<sub>Powered by [WarpMetrics](https://warpmetrics.com) \u00b7 Edit \`.warp-review/skills.md\` to customize</sub>`;
+  }
+
+  return `**warp-review** reviewed ${filesReviewed} file(s) \u2014 no issues found.${notesText}${analyticsLink}\n\n<sub>Powered by [WarpMetrics](https://warpmetrics.com)</sub>`;
+}
+
+export async function review(ctx) {
+  const { owner, repo, fullRepo, pr, headSha, htmlUrl, prAuthor, additions, deletions, changedFiles, baseBranch, title, body } = ctx;
+
+  // 1. Validate LLM API key
+  if (!process.env.LLM_API_KEY) {
+    console.error('LLM_API_KEY is required for review mode. Set WARP_REVIEW_LLM_API_KEY as a repository secret.');
+    process.exitCode = 1;
+    return;
+  }
+
+  // 2. Read config
+  const config = readConfig();
+
+  // 3. Query WarpMetrics for existing run
+  let runDetail = null;
+  let wmAvailable = true;
+  try {
+    if (process.env.WARPMETRICS_API_KEY) {
+      runDetail = await findRun(fullRepo, pr);
+    } else {
+      wmAvailable = false;
+    }
+  } catch (e) {
+    console.warn(`WarpMetrics API unreachable \u2014 skipping re-review detection: ${e.message}`);
+    wmAvailable = false;
+  }
+
+  // 4. Handle re-review: dismiss previous and supersede
+  let runRef;
+  let nextRoundNum = 1;
+
+  if (runDetail) {
+    const rounds = runDetail.groups.filter(g => g.opts?.round);
+    const prevRound = rounds.sort((a, b) => b.opts.round - a.opts.round)[0];
+    if (prevRound) {
+      nextRoundNum = prevRound.opts.round + 1;
+
+      // Find github_review_id in the _summary sub-group
+      const prevSummary = prevRound.groups?.find(g => g.label === '_summary');
+      const prevReviewId = prevSummary?.opts?.github_review_id;
+      if (prevReviewId) {
+        await dismissReview(owner, repo, pr, prevReviewId, headSha);
+      }
+
+      outcome(prevRound.id, 'Superseded');
+    }
+    runRef = runDetail.id;
+  } else {
+    // Create new run
+    if (wmAvailable) {
+      runRef = run('warp-review', {
+        name: `${fullRepo}#${pr}`, repo: fullRepo, pr, pr_url: htmlUrl,
+        pr_author: prAuthor, additions, deletions, changed_files: changedFiles, base_branch: baseBranch,
+      });
+    }
+  }
+
+  try {
+    // 5. Fetch changed files
+    const allFiles = await getChangedFiles(owner, repo, pr);
+
+    // 6. Filter files
+    const filtered = allFiles.filter(f => {
+      if (f.status === 'removed') return false;
+      for (const pattern of config.ignorePatterns || []) {
+        if (minimatch(f.filename, pattern, { matchBase: true })) return false;
+      }
+      return true;
+    });
+
+    const filesToReview = filtered.slice(0, config.maxFilesPerReview || 15);
+
+    // 7. Fetch full file content
+    for (const file of filesToReview) {
+      let content = await getFileContent(owner, repo, file.filename, headSha);
+      if (content === null && file.sha) {
+        content = await getFileViaBlob(owner, repo, file.sha);
+      }
+      file.content = content;
+    }
+
+    // 8. Read skills
+    const skills = readSkills();
+
+    // 9. Create WM round group
+    const languages = [...new Set(filesToReview.map(f => {
+      const parts = f.filename.split('.');
+      return parts.length > 1 ? `.${parts.pop()}` : '';
+    }).filter(Boolean))];
+
+    const { userMessage, truncatedCount } = buildContext(filesToReview, config);
+
+    let round = null;
+    if (runRef) {
+      round = group(runRef, `Review ${nextRoundNum}`, {
+        round: nextRoundNum, sha: headSha, model: config.model,
+        files_reviewed: filesToReview.length, context_truncated: truncatedCount,
+        languages, timestamp: new Date().toISOString(),
+      });
+    }
+
+    // 10. LLM call
+    const anthropic = createClient(process.env.LLM_API_KEY);
+    const systemPrompt = buildSystemPrompt(skills, title, body);
+
+    let response;
+    try {
+      response = await llmWithRetry(anthropic, {
+        model: config.model,
+        max_tokens: 4096,
+        system: systemPrompt,
+        messages: [{ role: 'user', content: userMessage }],
+      });
+    } catch (e) {
+      console.error(`LLM API unreachable after retries: ${e.message}`);
+      const summaryBody = '**warp-review** could not complete the review \u2014 LLM API unreachable.\n\n<sub>Powered by [WarpMetrics](https://warpmetrics.com)</sub>';
+      await postReview(owner, repo, pr, headSha, summaryBody, []);
+      return;
+    }
+
+    if (round) {
+      call(round, response);
+    }
+
+    // 11. Parse LLM response
+    const responseText = response.content?.[0]?.text || '[]';
+    let parsedComments;
+    try {
+      parsedComments = parseComments(responseText);
+    } catch {
+      // Retry once with correction
+      console.warn('LLM returned invalid JSON, retrying...');
+      try {
+        const retryResponse = await llmWithRetry(anthropic, {
+          model: config.model,
+          max_tokens: 4096,
+          system: systemPrompt,
+          messages: [
+            { role: 'user', content: userMessage },
+            { role: 'assistant', content: responseText },
+            { role: 'user', content: 'Your previous response was not valid JSON. Respond with ONLY a JSON array, no other text.' },
+          ],
+        });
+        if (round) call(round, retryResponse);
+        parsedComments = parseComments(retryResponse.content?.[0]?.text || '[]');
+      } catch {
+        console.warn('LLM retry also failed — posting summary only');
+        parsedComments = [];
+      }
+    }
+
+    if (!Array.isArray(parsedComments)) parsedComments = [];
+
+    // 12. Validate line numbers
+    const filePatches = new Map();
+    for (const f of filesToReview) {
+      filePatches.set(f.filename, f.patch);
+    }
+
+    const validComments = parsedComments.filter(c => {
+      if (!c.file || !c.line || !c.body) return false;
+      const validLines = getValidLines(filePatches.get(c.file));
+      return validLines.has(c.line);
+    });
+
+    // Derive runId for summary link
+    const runId = typeof runRef === 'string' ? runRef : runRef?.id;
+
+    // 13. Post review
+    const summaryBody = buildSummary(validComments, filesToReview.length, runId, wmAvailable, {
+      totalFiltered: filtered.length, truncatedCount,
+    });
+    const reviewResult = await postReview(owner, repo, pr, headSha, summaryBody, validComments);
+    const reviewId = reviewResult.id;
+
+    // 14. Get comment IDs (matched by array index order)
+    let commentIds = [];
+    if (validComments.length > 0) {
+      try {
+        commentIds = await getReviewCommentIds(owner, repo, pr, reviewId);
+      } catch (e) {
+        console.warn(`Failed to get review comment IDs: ${e.message}`);
+      }
+    }
+
+    // 15. Log comment groups + summary to WM
+    if (round) {
+      for (let i = 0; i < validComments.length; i++) {
+        const c = validComments[i];
+        const snippet = extractSnippet(filePatches.get(c.file), c.line);
+        const ghId = commentIds[i] || null;
+        group(round, `${c.file}:${c.line}`, {
+          file: c.file, line: c.line, body: c.body, category: c.category,
+          ...(snippet && { snippet }), github_comment_id: ghId,
+        });
+      }
+
+      group(round, '_summary', {
+        comments_generated: parsedComments.length,
+        comments_posted: validComments.length,
+        comments_dropped: parsedComments.length - validComments.length,
+        github_review_id: reviewId,
+      });
+    }
+
+    console.log(`warp-review: posted ${validComments.length} comment(s) on PR #${pr}`);
+  } finally {
+    // 16. Flush
+    try {
+      await flush();
+    } catch (e) {
+      console.warn(`Failed to flush WarpMetrics events: ${e.message}`);
+    }
+  }
+}

package/src/warpmetrics.js

@@ -0,0 +1,26 @@
+const API = 'https://api.warpmetrics.com/v1';
+
+function headers() {
+  return { Authorization: `Bearer ${process.env.WARPMETRICS_API_KEY}` };
+}
+
+export async function findRun(repo, pr) {
+  const name = `${repo}#${pr}`;
+  const res = await fetch(
+    `${API}/runs?label=warp-review&name=${encodeURIComponent(name)}&limit=1`,
+    { headers: headers() },
+  );
+  if (!res.ok) {
+    throw new Error(`WarpMetrics API error: ${res.status} ${res.statusText}`);
+  }
+  const { data } = await res.json();
+
+  if (!data || !data.length) return null;
+
+  const detail = await fetch(`${API}/runs/${data[0].id}`, { headers: headers() });
+  if (!detail.ok) {
+    throw new Error(`WarpMetrics API error fetching run detail: ${detail.status}`);
+  }
+  const result = await detail.json();
+  return result.data;
+}