clud-bug 0.5.11 → 0.5.12

package/lib/skills.js

@@ -428,6 +428,98 @@ export function extractPerSkillLine(comment, skillName) {
   return m ? m[1] : null;
 }
 
+// Find the latest clud-bug review header line from a list of PR comments.
+// Source of truth for the v0.5.x strict-mode-gate header selection — the
+// composite action shells out to node + this helper rather than parsing
+// in bash, so the gate has unit-test coverage and the v0.6 App can reuse
+// the same logic.
+//
+// Contract (called by .github/actions/strict-mode-gate/action.yml):
+//   - Walk `comments` (newest-first per gh api ?sort=created&direction=desc).
+//   - Skip comments not authored by `botLogin`.
+//   - For each remaining comment, find the FIRST line starting with the
+//     H2 sentinel `## 🐛 Clud Bug review`. If present, return that line.
+//   - Return null if no matching comment exists.
+//
+// Why this isn't `comments.find(c => c.body.startsWith("## 🐛 Clud Bug review"))`:
+// claude-code-action prepends a `**Claude finished @user's task in Nm Ns**`
+// preamble to every bot comment, so the H2 review header never appears at
+// body position 0. The pre-v0.5.12 composite used `.body | startswith(...)`
+// in jq and matched ZERO comments in practice — silently disabling strict
+// mode on every install with strictMode: true. Caught when this repo
+// dogfooded BB.3 on PR #60: bot wrote "— critical findings" header, gate
+// passed anyway.
+//
+// The line-anchored extraction preserves the original "don't trip on
+// quoted sentinels in body text" property: a comment that mentions the
+// strict-mode header in prose (inline-code, blockquote) won't match
+// because the quoted version isn't at start-of-line.
+export function selectReviewHeader(comments, botLogin) {
+  if (!Array.isArray(comments)) return null;
+  if (typeof botLogin !== 'string' || !botLogin) return null;
+  for (const c of comments) {
+    if (!c || typeof c !== 'object') continue;
+    const author = c.user?.login;
+    const body = c.body;
+    if (author !== botLogin || typeof body !== 'string') continue;
+    const headerLine = extractFirstReviewHeaderLine(body);
+    if (headerLine) return headerLine;
+  }
+  return null;
+}
+
+// Pull the FIRST line of `body` that starts with the H2 sentinel.
+// Exported separately so callers can extract a header from a known body
+// without re-running the comment filter (useful in tests + the v0.6 App).
+export function extractFirstReviewHeaderLine(body) {
+  if (typeof body !== 'string') return null;
+  const m = body.match(/^## 🐛 Clud Bug review[^\n]*/m);
+  return m ? m[0] : null;
+}
+
+// Companion to selectReviewHeader: returns the FULL BODY of the latest
+// clud-bug review comment from `botLogin`, not just its header line.
+// Same filter contract (line-anchored H2 sentinel, claude-code-action
+// preamble tolerated). Used by the BB.3 per-skill check-runs step,
+// which needs the body to extract per-skill outcome lines from the
+// "### Per-skill scan" block — the header alone isn't enough.
+//
+// Returns null if no matching comment exists. The composite action
+// treats null as "no review yet; emit no check-runs" (the same posture
+// that pre-v0.5.12 bash code intended via the `[ -z "$LATEST" ]` branch,
+// only now actually reachable instead of always-fires-due-to-bug).
+//
+// Same-bug fix as selectReviewHeader: PR #61 caught that BB.3 step 2
+// of the composite still used the broken `.body | startswith(...)` jq
+// filter even after step 1 was refactored, leaving per-skill check-runs
+// silently disabled on every install with strictSkills since v0.5.10.
+export function selectReviewBody(comments, botLogin) {
+  if (!Array.isArray(comments)) return null;
+  if (typeof botLogin !== 'string' || !botLogin) return null;
+  for (const c of comments) {
+    if (!c || typeof c !== 'object') continue;
+    const author = c.user?.login;
+    const body = c.body;
+    if (author !== botLogin || typeof body !== 'string') continue;
+    if (extractFirstReviewHeaderLine(body)) return body;
+  }
+  return null;
+}
+
+// Decide whether a review-header line is the strict-mode "critical findings"
+// verdict that should fail the gate. Mirrors the v0.5.x bash predicate
+// `grep -q "Clud Bug review — critical findings"`.
+//
+// Returns false for null/non-string input so a "no header found" path
+// (selectReviewHeader returning null) safely falls through to the gate
+// passing — which is the right posture: if the bot didn't post a review
+// with the strict-mode header, there's nothing for the gate to fail on.
+// "Loud failure for missing manifest" is handled upstream in the composite.
+export function isCriticalReviewHeader(headerLine) {
+  if (typeof headerLine !== 'string') return false;
+  return /Clud Bug review — critical findings/.test(headerLine);
+}
+
 // Classify a Per-skill scan outcome line into the check-run conclusion the
 // composite action will emit for that skill. Source of truth for the BB.3
 // gate decision — the v0.5.10 composite shells out to node + this helper

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clud-bug",
-  "version": "0.5.11",
+  "version": "0.5.12",
   "description": "Claude PR review with project-aware skills. CLI installs a working GitHub Actions workflow and curates skills from skills.sh.",
   "homepage": "https://cludbug.dev",
   "bugs": "https://github.com/thrillmot/clud-bug/issues",

package/templates/workflow-py.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v5
+# clud-bug-template-version: v6
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -222,6 +222,6 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.10
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.12
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

package/templates/workflow-ts.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v5
+# clud-bug-template-version: v6
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -223,6 +223,6 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.10
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.12
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

package/templates/workflow.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v5
+# clud-bug-template-version: v6
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -257,6 +257,6 @@ jobs:
       # Letting the action's own failure fail the check is louder and right.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.10
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.12
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}