claude-dev-env 1.39.0 → 1.41.0

package/_shared/pr-loop/scripts/reviews_disabled.py

@@ -0,0 +1,59 @@
+"""Shared helper for the CLAUDE_REVIEWS_DISABLED opt-out gate.
+
+Both ``skills/bugteam/scripts/bugteam_preflight.py`` and
+``_shared/pr-loop/scripts/preflight.py`` consume this helper so the parsing
+rules and disabled-token taxonomy live in exactly one place.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+from pathlib import Path
+
+for each_cached_module_name in [
+    each_module_key
+    for each_module_key in list(sys.modules)
+    if each_module_key == "config" or each_module_key.startswith("config.")
+]:
+    sys.modules.pop(each_cached_module_name, None)
+_shared_pr_loop_scripts_directory = str(Path(__file__).absolute().parent)
+while _shared_pr_loop_scripts_directory in sys.path:
+    sys.path.remove(_shared_pr_loop_scripts_directory)
+if _shared_pr_loop_scripts_directory not in sys.path:
+    sys.path.insert(0, _shared_pr_loop_scripts_directory)
+
+from config.reviews_disabled_constants import (
+    CLAUDE_REVIEWS_DISABLED_BUGTEAM_TOKEN,
+    CLAUDE_REVIEWS_DISABLED_ENV_VAR_NAME,
+    CLAUDE_REVIEWS_DISABLED_TOKEN_SEPARATOR,
+    EXIT_CODE_BUGTEAM_DISABLED_VIA_ENV,
+)
+
+
+__all__ = [
+    "CLAUDE_REVIEWS_DISABLED_BUGTEAM_TOKEN",
+    "CLAUDE_REVIEWS_DISABLED_ENV_VAR_NAME",
+    "CLAUDE_REVIEWS_DISABLED_TOKEN_SEPARATOR",
+    "EXIT_CODE_BUGTEAM_DISABLED_VIA_ENV",
+    "is_bugteam_disabled_via_env",
+]
+
+
+def is_bugteam_disabled_via_env() -> bool:
+    """Check whether CLAUDE_REVIEWS_DISABLED opts the bug-audit family out of running.
+
+    Returns:
+        True when the env var contains the literal ``bugteam`` token
+        (comma-separated, case-insensitive, whitespace-tolerant).
+    """
+    reviews_disabled_env_var_name = CLAUDE_REVIEWS_DISABLED_ENV_VAR_NAME
+    reviews_disabled_token_separator = CLAUDE_REVIEWS_DISABLED_TOKEN_SEPARATOR
+    reviews_disabled_bugteam_token = CLAUDE_REVIEWS_DISABLED_BUGTEAM_TOKEN
+    raw_value = os.environ.get(reviews_disabled_env_var_name, "")
+    all_disabled_tokens = frozenset(
+        each_raw_token.strip().lower()
+        for each_raw_token in raw_value.split(reviews_disabled_token_separator)
+        if each_raw_token.strip()
+    )
+    return reviews_disabled_bugteam_token in all_disabled_tokens

package/_shared/pr-loop/scripts/revoke_project_claude_permissions.py

@@ -10,9 +10,22 @@ autoMode sections so repeated grant/revoke cycles leave no dead structure.
 import sys
 from pathlib import Path
 
-sys.modules.pop("config", None)
-if str(Path(__file__).resolve().parent) not in sys.path:
-    sys.path.insert(0, str(Path(__file__).resolve().parent))
+parent_directory = str(Path(__file__).absolute().parent)
+try:
+    sys.path.remove(parent_directory)
+except ValueError:
+    pass
+if parent_directory not in sys.path:
+    sys.path.insert(0, parent_directory)
+
+for each_cached_module_name in [
+    each_module_key
+    for each_module_key in list(sys.modules)
+    if each_module_key == "config"
+    or each_module_key.startswith("config.")
+    or each_module_key == "_claude_permissions_common"
+]:
+    sys.modules.pop(each_cached_module_name, None)
 
 from _claude_permissions_common import (  # noqa: E402
     build_permission_rules,
@@ -40,6 +53,15 @@ from config.claude_settings_keys_constants import (  # noqa: E402
 def remove_values_from_list(
     all_target_list: list[object], all_values_to_remove: set[str]
 ) -> int:
+    """Remove matching values from a list in place.
+
+    Args:
+        all_target_list: The list to remove values from.
+        all_values_to_remove: Set of string values to remove.
+
+    Returns:
+        Number of values removed.
+    """
     original_length = len(all_target_list)
     all_target_list[:] = [
         each_value
@@ -52,6 +74,15 @@ def remove_values_from_list(
 def remove_rules_from_allow_list(
     all_settings: dict[str, object], all_rules_to_remove: list[str]
 ) -> int:
+    """Remove matching permission rules from the settings allow list.
+
+    Args:
+        all_settings: The parsed settings dictionary.
+        all_rules_to_remove: Permission rule strings to remove.
+
+    Returns:
+        Number of rules removed.
+    """
     permissions_section = all_settings.get(CLAUDE_SETTINGS_PERMISSIONS_KEY)
     if not isinstance(permissions_section, dict):
         return 0
@@ -64,6 +95,15 @@ def remove_rules_from_allow_list(
 def remove_directory_from_additional_directories(
     all_settings: dict[str, object], directory_path: str
 ) -> int:
+    """Remove a project path from the additionalDirectories list.
+
+    Args:
+        all_settings: The parsed settings dictionary.
+        directory_path: The project directory path to remove.
+
+    Returns:
+        1 when the entry was removed, 0 when not found.
+    """
     permissions_section = all_settings.get(CLAUDE_SETTINGS_PERMISSIONS_KEY)
     if not isinstance(permissions_section, dict):
         return 0
@@ -78,6 +118,15 @@ def remove_directory_from_additional_directories(
 def remove_auto_mode_environment_entry(
     all_settings: dict[str, object], entry_text: str
 ) -> int:
+    """Remove an auto-mode environment entry for the project.
+
+    Args:
+        all_settings: The parsed settings dictionary.
+        entry_text: The environment entry text to remove.
+
+    Returns:
+        1 when the entry was removed, 0 when not found.
+    """
     auto_mode_section = all_settings.get(CLAUDE_SETTINGS_AUTO_MODE_KEY)
     if not isinstance(auto_mode_section, dict):
         return 0
@@ -88,6 +137,11 @@ def remove_auto_mode_environment_entry(
 
 
 def prune_settings_after_revoke(all_settings: dict[str, object]) -> None:
+    """Remove empty lists and their parent sections after revoking entries.
+
+    Args:
+        all_settings: The parsed settings dictionary to prune in place.
+    """
     prune_empty_list_then_empty_section(
         all_settings,
         CLAUDE_SETTINGS_PERMISSIONS_KEY,
@@ -106,6 +160,17 @@ def prune_settings_after_revoke(all_settings: dict[str, object]) -> None:
 
 
 def revoke_permissions_for_current_directory() -> None:
+    """Revoke permissions previously granted for the current project directory.
+
+    Reads the current project path, constructs the matching permission rules,
+    removes them from ~/.claude/settings.json, and prunes any newly empty
+    sections.
+
+    Raises:
+        SystemExit: When the current directory is not a valid project root.
+        ValueError: Propagated from get_current_project_path() when the path
+                    contains glob metacharacters.
+    """
     claude_user_settings_path: Path = get_claude_user_settings_path()
     project_root_path = Path.cwd()
     if not is_valid_project_root(project_root_path):

package/_shared/pr-loop/scripts/tests/test_grant_project_claude_permissions.py

@@ -43,7 +43,7 @@ def test_grant_module_guards_sys_path_insert_against_duplicates() -> None:
     module_source = (
         Path(__file__).parent.parent / "grant_project_claude_permissions.py"
     ).read_text(encoding="utf-8")
-    assert "if str(Path(__file__).resolve().parent) not in sys.path:" in module_source, (
+    assert "if parent_directory not in sys.path:" in module_source, (
         "grant_project_claude_permissions.py must guard sys.path.insert against "
         "duplicate entries on reload (consistent with sibling modules)"
     )

package/_shared/pr-loop/scripts/tests/test_post_audit_thread.py

@@ -43,7 +43,9 @@ if str(SCRIPT_DIRECTORY) not in sys.path:
 from config.post_audit_thread_constants import (  # noqa: E402
     ALL_GH_AUTH_TOKEN_COMMAND_PARTS,
     ALL_RETRY_BACKOFF_SECONDS,
+    BUGTEAM_REVIEWER_ACCOUNT_ENV_VAR_NAME,
     GH_TOKEN_ENV_VAR_NAME,
+    GITHUB_TOKEN_ENV_VAR_NAME,
     CLI_FLAG_COMMIT,
     CLI_FLAG_FINDINGS_JSON,
     CLI_FLAG_OWNER,
@@ -69,7 +71,15 @@ from config.post_audit_thread_constants import (  # noqa: E402
     STATE_CLEAN,
     STATE_DIRTY,
 )
-from post_audit_thread import build_reviews_endpoint_url  # noqa: E402
+from post_audit_thread import (  # noqa: E402
+    UserInputError,
+    build_reviews_endpoint_url,
+    fetch_gh_token_for_account,
+    list_authenticated_gh_account_logins,
+    query_active_gh_user_login,
+    query_pull_request_author_login,
+    resolve_reviewer_token,
+)
 
 LIVE_TEST_OWNER = "JonEcho"
 LIVE_TEST_REPO = "tests"
@@ -918,6 +928,189 @@ class LivePostAuditThreadTests(unittest.TestCase):
             f"(1s + 4s + 16s); elapsed={elapsed_seconds:.2f}s",
         )
 
+    def _isolate_auth_env_vars(self) -> dict[str, str | None]:
+        all_managed_env_var_names = (
+            GH_TOKEN_ENV_VAR_NAME,
+            GITHUB_TOKEN_ENV_VAR_NAME,
+            BUGTEAM_REVIEWER_ACCOUNT_ENV_VAR_NAME,
+        )
+        previous_env_state: dict[str, str | None] = {
+            each_name: os.environ.get(each_name)
+            for each_name in all_managed_env_var_names
+        }
+        for each_name in all_managed_env_var_names:
+            os.environ.pop(each_name, None)
+        return previous_env_state
+
+    def _restore_auth_env_vars(
+        self, previous_env_state: dict[str, str | None]
+    ) -> None:
+        for each_name, prior_value in previous_env_state.items():
+            if prior_value is None:
+                os.environ.pop(each_name, None)
+            else:
+                os.environ[each_name] = prior_value
+
+    def test_query_active_gh_user_login_matches_gh_api_user_login_field(self) -> None:
+        active_login = query_active_gh_user_login()
+        self.assertTrue(
+            active_login,
+            "query_active_gh_user_login() returned empty",
+        )
+        gh_api_user_response = gh_api_object_json("user")
+        self.assertEqual(active_login, gh_api_user_response.get("login"))
+
+    def test_query_pull_request_author_login_matches_throwaway_pr_author(self) -> None:
+        author_login = query_pull_request_author_login(
+            owner=LIVE_TEST_OWNER,
+            repo=LIVE_TEST_REPO,
+            pr_number=self.pr_number,
+        )
+        pr_detail_path = f"repos/{LIVE_TEST_OWNER}/{LIVE_TEST_REPO}/pulls/{self.pr_number}"
+        pr_detail_object = gh_api_object_json(pr_detail_path)
+        user_field_object = pr_detail_object.get("user")
+        self.assertIsInstance(user_field_object, dict)
+        if isinstance(user_field_object, dict):
+            self.assertEqual(author_login, user_field_object.get("login"))
+
+    def test_list_authenticated_gh_account_logins_includes_active_and_audit_accounts(
+        self,
+    ) -> None:
+        all_logins = list_authenticated_gh_account_logins()
+        active_login = query_active_gh_user_login()
+        self.assertIn(active_login, all_logins)
+        self.assertIn(LIVE_TEST_AUDIT_ACCOUNT_NAME, all_logins)
+
+    def test_fetch_gh_token_for_account_returns_audit_account_cached_token(self) -> None:
+        fetched_token = fetch_gh_token_for_account(LIVE_TEST_AUDIT_ACCOUNT_NAME)
+        self.assertEqual(fetched_token, self.audit_account_token)
+
+    def test_resolve_reviewer_token_returns_env_var_when_gh_token_is_set(self) -> None:
+        sentinel_env_token = "sentinel-gh-token-from-env-var-precedence-test"
+        previous_env_state = self._isolate_auth_env_vars()
+        try:
+            os.environ[GH_TOKEN_ENV_VAR_NAME] = sentinel_env_token
+            returned_token = resolve_reviewer_token(
+                owner=LIVE_TEST_OWNER,
+                repo=LIVE_TEST_REPO,
+                pr_number=self.pr_number,
+            )
+            self.assertEqual(returned_token, sentinel_env_token)
+        finally:
+            self._restore_auth_env_vars(previous_env_state)
+
+    def test_resolve_reviewer_token_toggles_to_alternate_token_on_self_pr(self) -> None:
+        previous_env_state = self._isolate_auth_env_vars()
+        try:
+            returned_token = resolve_reviewer_token(
+                owner=LIVE_TEST_OWNER,
+                repo=LIVE_TEST_REPO,
+                pr_number=self.pr_number,
+            )
+            active_login = query_active_gh_user_login()
+            pr_author_login = query_pull_request_author_login(
+                owner=LIVE_TEST_OWNER,
+                repo=LIVE_TEST_REPO,
+                pr_number=self.pr_number,
+            )
+            self.assertEqual(
+                active_login.lower(),
+                pr_author_login.lower(),
+                "throwaway PR author must equal active gh account so the "
+                "self-PR toggle branch is exercised",
+            )
+            all_alternates = [
+                each_login
+                for each_login in list_authenticated_gh_account_logins()
+                if each_login.lower() != pr_author_login.lower()
+            ]
+            self.assertTrue(
+                all_alternates,
+                "test setup requires at least one alternate authenticated account",
+            )
+            expected_first_alternate_token = fetch_gh_token_for_account(
+                all_alternates[0]
+            )
+            self.assertEqual(returned_token, expected_first_alternate_token)
+            active_account_token = resolve_gh_auth_token()
+            self.assertNotEqual(
+                returned_token,
+                active_account_token,
+                "self-PR toggle must not return the active (author) token",
+            )
+        finally:
+            self._restore_auth_env_vars(previous_env_state)
+
+    def test_resolve_reviewer_token_honors_bugteam_reviewer_account_pin(self) -> None:
+        previous_env_state = self._isolate_auth_env_vars()
+        try:
+            pr_author_login = query_pull_request_author_login(
+                owner=LIVE_TEST_OWNER,
+                repo=LIVE_TEST_REPO,
+                pr_number=self.pr_number,
+            )
+            all_alternates_excluding_pr_author = [
+                each_login
+                for each_login in list_authenticated_gh_account_logins()
+                if each_login.lower() != pr_author_login.lower()
+            ]
+            self.assertTrue(
+                all_alternates_excluding_pr_author,
+                "test setup requires at least one authenticated account that "
+                "is not the PR author so the pin has a valid target",
+            )
+            chosen_pin_login = all_alternates_excluding_pr_author[0]
+            os.environ[BUGTEAM_REVIEWER_ACCOUNT_ENV_VAR_NAME] = chosen_pin_login
+            returned_token = resolve_reviewer_token(
+                owner=LIVE_TEST_OWNER,
+                repo=LIVE_TEST_REPO,
+                pr_number=self.pr_number,
+            )
+            expected_pinned_token = fetch_gh_token_for_account(chosen_pin_login)
+            self.assertEqual(returned_token, expected_pinned_token)
+        finally:
+            self._restore_auth_env_vars(previous_env_state)
+
+    def test_resolve_reviewer_token_error_excludes_pr_author_from_candidate_set(
+        self,
+    ) -> None:
+        unauthenticated_account_name = "intentionally-not-authenticated-account-zzz"
+        previous_env_state = self._isolate_auth_env_vars()
+        try:
+            os.environ[BUGTEAM_REVIEWER_ACCOUNT_ENV_VAR_NAME] = (
+                unauthenticated_account_name
+            )
+            with self.assertRaises(UserInputError) as raised_context:
+                resolve_reviewer_token(
+                    owner=LIVE_TEST_OWNER,
+                    repo=LIVE_TEST_REPO,
+                    pr_number=self.pr_number,
+                )
+            error_message_text = str(raised_context.exception)
+            self.assertIn(unauthenticated_account_name, error_message_text)
+            pr_author_login = query_pull_request_author_login(
+                owner=LIVE_TEST_OWNER,
+                repo=LIVE_TEST_REPO,
+                pr_number=self.pr_number,
+            )
+            all_alternates_at_call_time = [
+                each_login
+                for each_login in list_authenticated_gh_account_logins()
+                if each_login.lower() != pr_author_login.lower()
+            ]
+            self.assertIn(
+                repr(all_alternates_at_call_time),
+                error_message_text,
+                "error must show the alternate-reviewer set actually searched",
+            )
+            self.assertNotIn(
+                f"authenticated set [{repr(pr_author_login)}",
+                error_message_text,
+                "error must not show a set whose head is the excluded PR author",
+            )
+        finally:
+            self._restore_auth_env_vars(previous_env_state)
+
 
 if __name__ == "__main__":
     unittest.main()

package/_shared/pr-loop/scripts/tests/test_preflight.py

@@ -690,3 +690,44 @@ def test_main_prints_no_related_tests_when_get_changed_files_returns_empty(
     assert exit_code == 0
     captured = capsys.readouterr()
     assert "no related tests found" in captured.err
+
+
+def test_main_should_halt_when_env_var_lists_bugteam(
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    """CLAUDE_REVIEWS_DISABLED=bugteam must halt preflight with the dedicated exit code."""
+    monkeypatch.setenv("CLAUDE_REVIEWS_DISABLED", "bugteam")
+    monkeypatch.delenv("BUGTEAM_PREFLIGHT_SKIP", raising=False)
+    exit_code = preflight.main(["--no-pytest"])
+    assert exit_code == preflight.EXIT_CODE_BUGTEAM_DISABLED_VIA_ENV
+    captured = capsys.readouterr()
+    assert "CLAUDE_REVIEWS_DISABLED" in captured.err
+    assert "bugteam" in captured.err
+
+
+def test_main_should_continue_when_env_var_omits_bugteam(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    """CLAUDE_REVIEWS_DISABLED without the bugteam token must not halt preflight."""
+    monkeypatch.setenv("CLAUDE_REVIEWS_DISABLED", "copilot,bugbot")
+    monkeypatch.delenv("BUGTEAM_PREFLIGHT_SKIP", raising=False)
+    claude_hooks_path = tmp_path / ".claude" / "hooks" / "git-hooks"
+    claude_hooks_path.mkdir(parents=True)
+    with patch("subprocess.run") as mock_run:
+        mock_run.return_value = _make_completed_process(
+            str(claude_hooks_path) + "\n", returncode=0
+        )
+        exit_code = preflight.main(["--no-pytest"])
+    assert exit_code != preflight.EXIT_CODE_BUGTEAM_DISABLED_VIA_ENV
+
+
+def test_main_should_halt_when_env_var_contains_uppercase_or_whitespace_bugteam_token(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """Token matching must be case-insensitive and whitespace-tolerant."""
+    monkeypatch.setenv("CLAUDE_REVIEWS_DISABLED", " BugTeam , copilot ")
+    monkeypatch.delenv("BUGTEAM_PREFLIGHT_SKIP", raising=False)
+    exit_code = preflight.main(["--no-pytest"])
+    assert exit_code == preflight.EXIT_CODE_BUGTEAM_DISABLED_VIA_ENV

package/_shared/pr-loop/scripts/tests/test_reviews_disabled.py

@@ -0,0 +1,36 @@
+"""Direct unit tests for the shared reviews_disabled helper."""
+
+import importlib.util
+from pathlib import Path
+from types import ModuleType
+
+import pytest
+
+
+def _load_reviews_disabled_module() -> ModuleType:
+    module_path = Path(__file__).parent.parent / "reviews_disabled.py"
+    specification = importlib.util.spec_from_file_location(
+        "reviews_disabled", module_path
+    )
+    assert specification is not None
+    assert specification.loader is not None
+    module = importlib.util.module_from_spec(specification)
+    specification.loader.exec_module(module)
+    return module
+
+
+reviews_disabled = _load_reviews_disabled_module()
+
+
+def test_is_bugteam_disabled_via_env_returns_true_when_env_lists_bugteam(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setenv("CLAUDE_REVIEWS_DISABLED", "bugteam")
+    assert reviews_disabled.is_bugteam_disabled_via_env() is True
+
+
+def test_is_bugteam_disabled_via_env_returns_false_when_env_is_empty(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.delenv("CLAUDE_REVIEWS_DISABLED", raising=False)
+    assert reviews_disabled.is_bugteam_disabled_via_env() is False

package/_shared/pr-loop/scripts/tests/test_revoke_project_claude_permissions.py

@@ -43,7 +43,7 @@ def test_revoke_module_guards_sys_path_insert_against_duplicates() -> None:
     module_source = (
         Path(__file__).parent.parent / "revoke_project_claude_permissions.py"
     ).read_text(encoding="utf-8")
-    assert "if str(Path(__file__).resolve().parent) not in sys.path:" in module_source, (
+    assert "if parent_directory not in sys.path:" in module_source, (
         "revoke_project_claude_permissions.py must guard sys.path.insert against "
         "duplicate entries on reload (consistent with sibling modules)"
     )