clud-bug 0.2.0 → 0.4.1

package/templates/workflow.yml.tmpl

@@ -13,16 +13,74 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          # fetch-depth: 0 so the strict-mode gate can `git show
+          # origin/<base_ref>:.claude/skills/.clud-bug.json` to read the base
+          # ref's manifest. Default depth=1 doesn't set up origin/<base_ref>
+          # and the gate would silently fall back to advisory.
+          fetch-depth: 0
+
+      # Three-way guard around the Claude action:
+      #   1. Secret present → no-op pass-through, action runs normally.
+      #   2. Secret missing AND PR is bot-authored or from a fork → post an
+      #      advisory comment explaining the skip, then exit 0 (green check).
+      #      GitHub deliberately withholds secrets from such PRs by design;
+      #      failing red is the wrong signal.
+      #   3. Secret missing AND PR is owner-authored → fail loud with an
+      #      actionable error so the maintainer knows to set the secret.
+      - name: Guard — require ANTHROPIC_API_KEY
+        id: guard
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          BASE_REPO: ${{ github.repository }}
+        run: |
+          if [ -n "$ANTHROPIC_API_KEY" ]; then
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          IS_FORK=false
+          [ "$HEAD_REPO" != "$BASE_REPO" ] && IS_FORK=true
+          IS_BOT=false
+          case "$PR_AUTHOR" in *\[bot\]) IS_BOT=true ;; esac
+
+          if $IS_FORK || $IS_BOT; then
+            REASON=$($IS_BOT && echo "bot author ($PR_AUTHOR)" || echo "fork ($HEAD_REPO)")
+            # Dedup: don't post the advisory comment if one already exists.
+            # pull_request: synchronize on a long-running Dependabot PR would
+            # otherwise stack one identical comment per rebase.
+            EXISTING=$(gh api "repos/${BASE_REPO}/issues/${PR_NUMBER}/comments?per_page=100" \
+              --jq '[.[] | select(.user.login == "claude[bot]" and (.body | startswith("## 🐛 Clud Bug skipped")))] | length')
+            if [ "${EXISTING:-0}" = "0" ]; then
+              BODY=$(printf '## 🐛 Clud Bug skipped\n\nThis PR is from a %s. GitHub deliberately does not pass repository secrets to such workflows, so Clud Bug could not authenticate against Anthropic. Review the diff manually.' "$REASON")
+              gh pr comment "$PR_NUMBER" --body "$BODY" || true
+            fi
+            echo "::warning title=Clud Bug 🐛::Skipped — $REASON cannot access repository secrets."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "::error title=Clud Bug 🐛::ANTHROPIC_API_KEY secret is not set on this repository."
+          echo "::error::Set it: Settings → Secrets and variables → Actions → New repository secret."
+          echo "::error::Without it, Clud Bug review is a silent no-op."
+          exit 1
 
       - uses: anthropics/claude-code-action@v1
+        # Skip the action when guard already posted the bot/fork advisory.
+        if: steps.guard.outputs.skip != 'true'
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
+          FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           track_progress: true
           claude_args: |
-            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr review:*),Bash(gh api graphql:*),Bash(gh api repos/:*)"
+            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(cat .claude/skills/.clud-bug.json)"
           prompt: |
             {{PROJECT_DESCRIPTION}}
 
@@ -36,8 +94,38 @@ jobs:
             Skip style suggestions, minor naming issues, or anything that
             doesn't affect correctness, security, or performance.
 
-            Any project-specific skills loaded from .claude/skills/ should
-            shape your review — defer to their guidance over generic advice.
+            Skills are not background context — they are review rules with
+            authority. Before flagging any finding, scan the loaded skills in
+            .claude/skills/ for relevant guidance. If a skill applies, your
+            review MUST reference it by name in the finding (e.g. "[evidence-
+            based-review]: this claim isn't anchored to a line"). Generic
+            advice that contradicts a project skill is wrong by definition.
+
+            At the end of every review, append a single-line footer:
+              Skills referenced: [skill-name-1, skill-name-2, ...]
+            If you genuinely cited none, list "[none]" and explain why no
+            installed skill applied to this diff.
+
+            Strict-mode header (opt-in): if .claude/skills/.clud-bug.json
+            contains { "strictMode": true }, the comment header you post
+            MUST signal whether you flagged a critical issue:
+              IF you flagged any critical issue (bug, security,
+                  performance, missing test coverage):
+                  ## 🐛 Clud Bug review — critical findings
+              OTHERWISE:
+                  ## 🐛 Clud Bug review — clean
+            A post-step in this workflow greps your posted comment for
+            that header and fails the check on "critical findings." The
+            gate is deterministic on top of your judgment.
+
+            If strictMode is NOT set (or absent), keep the existing
+            "## 🐛 Clud Bug review" header — strict mode is opt-in and
+            other repos use the plain header.
+
+            Tone: address the author conversationally. A concise field-naturalist
+            voice is welcome (you are Clud Bug, examining specimens of code) but
+            never at the cost of clarity, evidence, or the critical-issues-only
+            discipline. Don't perform the bit; let the precision speak.
 
             When you finish, post your review as a single PR comment.
             The comment body MUST start with this exact line so the
@@ -66,3 +154,44 @@ jobs:
             For line-specific issues, use the github_inline_comment MCP tool
             with confirmed: true.
             If there are no critical issues, post a one-line comment saying so.
+
+      # Strict-mode gate. Fails the check when both
+      #   (a) the BASE ref's .claude/skills/.clud-bug.json has
+      #       { "strictMode": true } — read from base so a PR can't opt
+      #       itself out of strict mode by editing its own manifest, AND
+      #   (b) the LATEST clud-bug review comment on this PR has a body
+      #       whose FIRST LINE is "## 🐛 Clud Bug review — critical findings".
+      #
+      # if: success() — only run when claude-code-action succeeded. If the
+      # action errored, no new comment was posted for this run; falling back
+      # to a prior run's comment would fail open or fail on stale data.
+      # Letting the action's own failure fail the check is louder and right.
+      - name: Strict mode — fail check on critical findings
+        if: success()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          # Loud failure if the base manifest can't be read — silently falling
+          # back to advisory would silently disable strict mode for every
+          # opted-in repo. (Requires fetch-depth: 0 on the checkout above.)
+          BASE_MANIFEST=$(git show "origin/${{ github.base_ref }}:.claude/skills/.clud-bug.json" 2>&1) || {
+            echo "::warning::Base manifest not found on ${{ github.base_ref }} — strict mode disabled for this run."
+            exit 0
+          }
+          STRICT=$(echo "$BASE_MANIFEST" | node -e "let s='';process.stdin.on('data',c=>s+=c);process.stdin.on('end',()=>{try{console.log(JSON.parse(s).strictMode===true)}catch(e){console.log('false')}})")
+          [ "$STRICT" = "true" ] || exit 0
+
+          # Use startswith (not regex contains) so comments that *quote* the
+          # sentinel header (other reviews, @claude responses, meta-PRs about
+          # strict mode itself) don't get picked up as "the latest review."
+          LATEST=$(gh api "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments?sort=created&direction=desc&per_page=100" \
+            --jq '[.[] | select(.user.login == "claude[bot]" and (.body | startswith("## 🐛 Clud Bug review")))][0].body // ""')
+
+          # Scope the critical-findings match to the FIRST LINE so quoted
+          # sentinels deeper in the review can't trip the gate.
+          if echo "$LATEST" | head -n1 | grep -q "Clud Bug review — critical findings"; then
+            echo "::error title=Clud Bug 🐛::Critical issues found and strictMode is enabled — failing this check."
+            echo "::error::See the latest Clud Bug review comment for details. Push a fix and the gate will clear on the next run."
+            exit 1
+          fi