clud-bug 0.5.10 → 0.5.12

package/bin/clud-bug.js

@@ -183,7 +183,9 @@ async function runInit(args) {
 
   // Install the audit workflow alongside the per-PR review one.
   // Manual-trigger by default; users opt into the cron by uncommenting.
-  const auditTmpl = await readFile(join(TEMPLATES, 'audit.yml.tmpl'), 'utf8');
+  // Routed through renderFile so {{CCA_VERSION}} substitution pins
+  // claude-code-action consistently with the review workflow.
+  const auditTmpl = await renderFile(join(TEMPLATES, 'audit.yml.tmpl'), {});
   const auditPath = join(cwd, '.github', 'workflows', 'clud-bug-audit.yml');
   await writeFile(auditPath, auditTmpl);
   log(`    wrote ${rel(cwd, auditPath)}`);
@@ -191,7 +193,9 @@ async function runInit(args) {
   // Install the self-update workflow. Cron weekly Mondays 12:00 UTC; opens
   // a PR if a newer clud-bug version is published. Disable by deleting the
   // file or pinning via .claude/skills/.clud-bug.json.
-  const selfUpdateTmpl = await readFile(join(TEMPLATES, 'self-update.yml.tmpl'), 'utf8');
+  // Routed through renderFile for parity (no CCA ref today but future
+  // tokens should propagate uniformly).
+  const selfUpdateTmpl = await renderFile(join(TEMPLATES, 'self-update.yml.tmpl'), {});
   const selfUpdatePath = join(cwd, '.github', 'workflows', 'clud-bug-self-update.yml');
   await writeFile(selfUpdatePath, selfUpdateTmpl);
   log(`    wrote ${rel(cwd, selfUpdatePath)}`);

package/lib/render.js

@@ -2,12 +2,26 @@ import { readFile } from 'node:fs/promises';
 
 const PLACEHOLDER_RE = /\{\{([A-Z_]+)\}\}/g;
 
+// Default values for substitution tokens that every template uses.
+// Callers can override per-render by passing the same key in `vars`.
+//
+// CCA_VERSION pins `anthropics/claude-code-action` to a specific tag in
+// every shipped workflow. Without this, templates resolved `@v1` (the
+// floating major), so upstream changes could silently land in installed
+// workflows mid-cycle. Bumping the pin requires a clud-bug release, which
+// makes the upgrade visible + lets users opt out by pinning a different
+// version in their own forked workflow.
+export const DEFAULTS = {
+  CCA_VERSION: 'v1.0.133',
+};
+
 export function render(template, vars) {
+  const merged = { ...DEFAULTS, ...vars };
   return template.replace(PLACEHOLDER_RE, (match, key) => {
-    if (!(key in vars)) {
+    if (!(key in merged)) {
       throw new Error(`Missing template variable: ${key}`);
     }
-    return vars[key];
+    return merged[key];
   });
 }
 

package/lib/skills.js

@@ -428,6 +428,98 @@ export function extractPerSkillLine(comment, skillName) {
   return m ? m[1] : null;
 }
 
+// Find the latest clud-bug review header line from a list of PR comments.
+// Source of truth for the v0.5.x strict-mode-gate header selection — the
+// composite action shells out to node + this helper rather than parsing
+// in bash, so the gate has unit-test coverage and the v0.6 App can reuse
+// the same logic.
+//
+// Contract (called by .github/actions/strict-mode-gate/action.yml):
+//   - Walk `comments` (newest-first per gh api ?sort=created&direction=desc).
+//   - Skip comments not authored by `botLogin`.
+//   - For each remaining comment, find the FIRST line starting with the
+//     H2 sentinel `## 🐛 Clud Bug review`. If present, return that line.
+//   - Return null if no matching comment exists.
+//
+// Why this isn't `comments.find(c => c.body.startsWith("## 🐛 Clud Bug review"))`:
+// claude-code-action prepends a `**Claude finished @user's task in Nm Ns**`
+// preamble to every bot comment, so the H2 review header never appears at
+// body position 0. The pre-v0.5.12 composite used `.body | startswith(...)`
+// in jq and matched ZERO comments in practice — silently disabling strict
+// mode on every install with strictMode: true. Caught when this repo
+// dogfooded BB.3 on PR #60: bot wrote "— critical findings" header, gate
+// passed anyway.
+//
+// The line-anchored extraction preserves the original "don't trip on
+// quoted sentinels in body text" property: a comment that mentions the
+// strict-mode header in prose (inline-code, blockquote) won't match
+// because the quoted version isn't at start-of-line.
+export function selectReviewHeader(comments, botLogin) {
+  if (!Array.isArray(comments)) return null;
+  if (typeof botLogin !== 'string' || !botLogin) return null;
+  for (const c of comments) {
+    if (!c || typeof c !== 'object') continue;
+    const author = c.user?.login;
+    const body = c.body;
+    if (author !== botLogin || typeof body !== 'string') continue;
+    const headerLine = extractFirstReviewHeaderLine(body);
+    if (headerLine) return headerLine;
+  }
+  return null;
+}
+
+// Pull the FIRST line of `body` that starts with the H2 sentinel.
+// Exported separately so callers can extract a header from a known body
+// without re-running the comment filter (useful in tests + the v0.6 App).
+export function extractFirstReviewHeaderLine(body) {
+  if (typeof body !== 'string') return null;
+  const m = body.match(/^## 🐛 Clud Bug review[^\n]*/m);
+  return m ? m[0] : null;
+}
+
+// Companion to selectReviewHeader: returns the FULL BODY of the latest
+// clud-bug review comment from `botLogin`, not just its header line.
+// Same filter contract (line-anchored H2 sentinel, claude-code-action
+// preamble tolerated). Used by the BB.3 per-skill check-runs step,
+// which needs the body to extract per-skill outcome lines from the
+// "### Per-skill scan" block — the header alone isn't enough.
+//
+// Returns null if no matching comment exists. The composite action
+// treats null as "no review yet; emit no check-runs" (the same posture
+// that pre-v0.5.12 bash code intended via the `[ -z "$LATEST" ]` branch,
+// only now actually reachable instead of always-fires-due-to-bug).
+//
+// Same-bug fix as selectReviewHeader: PR #61 caught that BB.3 step 2
+// of the composite still used the broken `.body | startswith(...)` jq
+// filter even after step 1 was refactored, leaving per-skill check-runs
+// silently disabled on every install with strictSkills since v0.5.10.
+export function selectReviewBody(comments, botLogin) {
+  if (!Array.isArray(comments)) return null;
+  if (typeof botLogin !== 'string' || !botLogin) return null;
+  for (const c of comments) {
+    if (!c || typeof c !== 'object') continue;
+    const author = c.user?.login;
+    const body = c.body;
+    if (author !== botLogin || typeof body !== 'string') continue;
+    if (extractFirstReviewHeaderLine(body)) return body;
+  }
+  return null;
+}
+
+// Decide whether a review-header line is the strict-mode "critical findings"
+// verdict that should fail the gate. Mirrors the v0.5.x bash predicate
+// `grep -q "Clud Bug review — critical findings"`.
+//
+// Returns false for null/non-string input so a "no header found" path
+// (selectReviewHeader returning null) safely falls through to the gate
+// passing — which is the right posture: if the bot didn't post a review
+// with the strict-mode header, there's nothing for the gate to fail on.
+// "Loud failure for missing manifest" is handled upstream in the composite.
+export function isCriticalReviewHeader(headerLine) {
+  if (typeof headerLine !== 'string') return false;
+  return /Clud Bug review — critical findings/.test(headerLine);
+}
+
 // Classify a Per-skill scan outcome line into the check-run conclusion the
 // composite action will emit for that skill. Source of truth for the BB.3
 // gate decision — the v0.5.10 composite shells out to node + this helper

package/lib/update.js

@@ -51,16 +51,20 @@ export async function runUpdate({
   await maybeRefreshVersioned(join(cwd, '.github/workflows/clud-bug-review.yml'), newReview, changed, unchanged, skipped, 'review workflow');
 
   // 2. Re-render audit workflow if it's installed (init from v0.3+ ships it).
+  // Routed through renderFile (was raw readFile pre-v0.5.11) so
+  // {{CCA_VERSION}} substitution lands in audit alongside review.
   const auditPath = join(cwd, '.github/workflows/clud-bug-audit.yml');
   if (await pathExists(auditPath)) {
-    const newAudit = await readFile(join(templatesDir, 'audit.yml.tmpl'), 'utf8');
+    const newAudit = await renderFile(join(templatesDir, 'audit.yml.tmpl'), {});
     await maybeRefreshVersioned(auditPath, newAudit, changed, unchanged, skipped, 'audit workflow');
   }
 
   // 2b. Re-render self-update workflow if installed (init from v0.4+ ships it).
+  // Routed through renderFile for parity — no CCA ref in self-update today
+  // but future tokens should propagate uniformly without another refactor.
   const selfUpdatePath = join(cwd, '.github/workflows/clud-bug-self-update.yml');
   if (await pathExists(selfUpdatePath)) {
-    const newSelfUpdate = await readFile(join(templatesDir, 'self-update.yml.tmpl'), 'utf8');
+    const newSelfUpdate = await renderFile(join(templatesDir, 'self-update.yml.tmpl'), {});
     await maybeRefreshVersioned(selfUpdatePath, newSelfUpdate, changed, unchanged, skipped, 'self-update workflow');
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clud-bug",
-  "version": "0.5.10",
+  "version": "0.5.12",
   "description": "Claude PR review with project-aware skills. CLI installs a working GitHub Actions workflow and curates skills from skills.sh.",
   "homepage": "https://cludbug.dev",
   "bugs": "https://github.com/thrillmot/clud-bug/issues",

package/templates/audit.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v1
+# clud-bug-template-version: v2
 name: Clud Bug 🐛 Audit
 
 # A scheduled / on-demand walk through the whole habitat (or a recent slice).
@@ -89,7 +89,7 @@ jobs:
           git push -u origin "$BRANCH"
           echo "stub_written=true" >> "$GITHUB_OUTPUT"
 
-      - uses: anthropics/claude-code-action@v1
+      - uses: anthropics/claude-code-action@{{CCA_VERSION}}
         if: steps.prep.outputs.stub_written == 'true'
         env:
           AUDIT_DATE: ${{ steps.prep.outputs.date }}

package/templates/workflow-py.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v4
+# clud-bug-template-version: v6
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -50,7 +50,7 @@ jobs:
           echo "::error::Set it: Settings → Secrets and variables → Actions → New repository secret."
           exit 1
 
-      - uses: anthropics/claude-code-action@v1
+      - uses: anthropics/claude-code-action@{{CCA_VERSION}}
         if: steps.guard.outputs.skip != 'true'
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -222,6 +222,6 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.10
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.12
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

package/templates/workflow-ts.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v4
+# clud-bug-template-version: v6
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -50,7 +50,7 @@ jobs:
           echo "::error::Set it: Settings → Secrets and variables → Actions → New repository secret."
           exit 1
 
-      - uses: anthropics/claude-code-action@v1
+      - uses: anthropics/claude-code-action@{{CCA_VERSION}}
         if: steps.guard.outputs.skip != 'true'
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -223,6 +223,6 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.10
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.12
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

package/templates/workflow.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v4
+# clud-bug-template-version: v6
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -75,7 +75,7 @@ jobs:
           echo "::error::Without it, Clud Bug review is a silent no-op."
           exit 1
 
-      - uses: anthropics/claude-code-action@v1
+      - uses: anthropics/claude-code-action@{{CCA_VERSION}}
         # Skip the action when guard already posted the bot/fork advisory.
         if: steps.guard.outputs.skip != 'true'
         env:
@@ -257,6 +257,6 @@ jobs:
       # Letting the action's own failure fail the check is louder and right.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.10
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.12
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}