clud-bug 0.5.9 → 0.5.11

package/bin/clud-bug.js

@@ -183,7 +183,9 @@ async function runInit(args) {
 
   // Install the audit workflow alongside the per-PR review one.
   // Manual-trigger by default; users opt into the cron by uncommenting.
-  const auditTmpl = await readFile(join(TEMPLATES, 'audit.yml.tmpl'), 'utf8');
+  // Routed through renderFile so {{CCA_VERSION}} substitution pins
+  // claude-code-action consistently with the review workflow.
+  const auditTmpl = await renderFile(join(TEMPLATES, 'audit.yml.tmpl'), {});
   const auditPath = join(cwd, '.github', 'workflows', 'clud-bug-audit.yml');
   await writeFile(auditPath, auditTmpl);
   log(`    wrote ${rel(cwd, auditPath)}`);
@@ -191,7 +193,9 @@ async function runInit(args) {
   // Install the self-update workflow. Cron weekly Mondays 12:00 UTC; opens
   // a PR if a newer clud-bug version is published. Disable by deleting the
   // file or pinning via .claude/skills/.clud-bug.json.
-  const selfUpdateTmpl = await readFile(join(TEMPLATES, 'self-update.yml.tmpl'), 'utf8');
+  // Routed through renderFile for parity (no CCA ref today but future
+  // tokens should propagate uniformly).
+  const selfUpdateTmpl = await renderFile(join(TEMPLATES, 'self-update.yml.tmpl'), {});
   const selfUpdatePath = join(cwd, '.github', 'workflows', 'clud-bug-self-update.yml');
   await writeFile(selfUpdatePath, selfUpdateTmpl);
   log(`    wrote ${rel(cwd, selfUpdatePath)}`);

package/lib/render.js

@@ -2,12 +2,26 @@ import { readFile } from 'node:fs/promises';
 
 const PLACEHOLDER_RE = /\{\{([A-Z_]+)\}\}/g;
 
+// Default values for substitution tokens that every template uses.
+// Callers can override per-render by passing the same key in `vars`.
+//
+// CCA_VERSION pins `anthropics/claude-code-action` to a specific tag in
+// every shipped workflow. Without this, templates resolved `@v1` (the
+// floating major), so upstream changes could silently land in installed
+// workflows mid-cycle. Bumping the pin requires a clud-bug release, which
+// makes the upgrade visible + lets users opt out by pinning a different
+// version in their own forked workflow.
+export const DEFAULTS = {
+  CCA_VERSION: 'v1.0.133',
+};
+
 export function render(template, vars) {
+  const merged = { ...DEFAULTS, ...vars };
   return template.replace(PLACEHOLDER_RE, (match, key) => {
-    if (!(key in vars)) {
+    if (!(key in merged)) {
       throw new Error(`Missing template variable: ${key}`);
     }
-    return vars[key];
+    return merged[key];
   });
 }
 

package/lib/skills.js

@@ -400,4 +400,72 @@ export function partitionByReviewMode(skills) {
   return { shared, dedicated };
 }
 
+// Pull the line for `skillName` from a clud-bug review's `### Per-skill scan`
+// block. The block format (set by the v3+ prompt) is one line per loaded skill:
+//
+//   ### Per-skill scan
+//   - [critical-issues-only]: scanned all paths. 2 critical findings below.
+//   - [brand-voice-review]: scanned 3 microcopy changes. 1 finding (below).
+//   - [pii-and-compliance]: scanned analytics + logging. 0 findings.
+//
+// Returns the OUTCOME portion (everything after the `- [name]: ` prefix), with
+// trailing whitespace stripped. Returns null if the skill isn't mentioned, the
+// comment has no Per-skill scan block, or `comment` is empty.
+//
+// The brackets in the line prefix anchor the match so a partial-name collision
+// (e.g. `brand-voice` finding `brand-voice-review`) is impossible.
+export function extractPerSkillLine(comment, skillName) {
+  if (typeof comment !== 'string' || !comment) return null;
+  if (typeof skillName !== 'string' || !skillName) return null;
+  // Escape regex metacharacters in the skill name. A skill name with a `.` or
+  // `+` would otherwise alter the match. Skills are conventionally kebab-case,
+  // but defense in depth is cheap.
+  const escaped = skillName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  // Anchor on the bracket-prefix; tolerate optional leading whitespace and
+  // dash. The OUTCOME is everything from after `]:` to end-of-line.
+  const re = new RegExp(`^\\s*-\\s*\\[${escaped}\\]:\\s*(.+?)\\s*$`, 'm');
+  const m = comment.match(re);
+  return m ? m[1] : null;
+}
+
+// Classify a Per-skill scan outcome line into the check-run conclusion the
+// composite action will emit for that skill. Source of truth for the BB.3
+// gate decision — the v0.5.10 composite shells out to node + this helper
+// rather than parsing in bash, so the gate has unit-test coverage and the
+// v0.6 App can reuse the same classification when it routes its own
+// parallel calls.
+//
+// Contract:
+//   - `null` (skill not mentioned in the review) → 'failure'
+//   - line contains "0 findings" / "0 finding" as a STANDALONE TOKEN → 'success'
+//   - line contains "n/a" as a standalone token → 'success'
+//   - empty line (bot emitted "- [name]:" with no outcome) → 'failure'
+//   - otherwise (typically "N finding" / "N findings" with N>0) → 'failure'
+//
+// Why null → failure (not neutral): GitHub's branch-protection contract
+// treats `conclusion: neutral` as PASSING for required status checks —
+// only `failure`, `cancelled`, `timed_out`, `action_required` block merge.
+// A strictSkills entry that doesn't appear in the per-skill scan block
+// (typo, prompt regression, mid-review race) emitting `neutral` would
+// silently pass branch protection, defeating the gate the user opted into.
+// Failing loud is the right posture for a gate that ships with "strict" in
+// its name; the cost is a re-run if a bot mid-review somehow drops a skill.
+//
+// The "0 findings" match is anchored on a leading word boundary so "10
+// findings" / "100 findings" don't substring-match to success — the exact
+// bug that v0.5.10's first revision had, caught by clud-bug-review + claude-
+// review on PR #57.
+export function classifyPerSkillOutcome(outcomeLine) {
+  if (outcomeLine == null) return 'failure';
+  const text = String(outcomeLine);
+  // 0 findings / 0 finding — anchored: NOT preceded by a digit. So "10 findings"
+  // doesn't match (the `0 findings` substring has `1` before it), and "0
+  // findings" / " 0 findings." both match.
+  if (/(^|[^0-9])0\s+findings?\b/i.test(text)) return 'success';
+  // n/a — anchored on word boundaries either side (so "n/a." at sentence end
+  // matches but "diagnostics" would not contain a matching n/a).
+  if (/\bn\/a\b/i.test(text)) return 'success';
+  return 'failure';
+}
+
 export const _internal = { normalizeList, sanitizeSlug, entryKey, MAX_SKILLS, API_BASE, MANIFEST_FILE };

package/lib/update.js

@@ -51,16 +51,20 @@ export async function runUpdate({
   await maybeRefreshVersioned(join(cwd, '.github/workflows/clud-bug-review.yml'), newReview, changed, unchanged, skipped, 'review workflow');
 
   // 2. Re-render audit workflow if it's installed (init from v0.3+ ships it).
+  // Routed through renderFile (was raw readFile pre-v0.5.11) so
+  // {{CCA_VERSION}} substitution lands in audit alongside review.
   const auditPath = join(cwd, '.github/workflows/clud-bug-audit.yml');
   if (await pathExists(auditPath)) {
-    const newAudit = await readFile(join(templatesDir, 'audit.yml.tmpl'), 'utf8');
+    const newAudit = await renderFile(join(templatesDir, 'audit.yml.tmpl'), {});
     await maybeRefreshVersioned(auditPath, newAudit, changed, unchanged, skipped, 'audit workflow');
   }
 
   // 2b. Re-render self-update workflow if installed (init from v0.4+ ships it).
+  // Routed through renderFile for parity — no CCA ref in self-update today
+  // but future tokens should propagate uniformly without another refactor.
   const selfUpdatePath = join(cwd, '.github/workflows/clud-bug-self-update.yml');
   if (await pathExists(selfUpdatePath)) {
-    const newSelfUpdate = await readFile(join(templatesDir, 'self-update.yml.tmpl'), 'utf8');
+    const newSelfUpdate = await renderFile(join(templatesDir, 'self-update.yml.tmpl'), {});
     await maybeRefreshVersioned(selfUpdatePath, newSelfUpdate, changed, unchanged, skipped, 'self-update workflow');
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clud-bug",
-  "version": "0.5.9",
+  "version": "0.5.11",
   "description": "Claude PR review with project-aware skills. CLI installs a working GitHub Actions workflow and curates skills from skills.sh.",
   "homepage": "https://cludbug.dev",
   "bugs": "https://github.com/thrillmot/clud-bug/issues",

package/templates/audit.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v1
+# clud-bug-template-version: v2
 name: Clud Bug 🐛 Audit
 
 # A scheduled / on-demand walk through the whole habitat (or a recent slice).
@@ -89,7 +89,7 @@ jobs:
           git push -u origin "$BRANCH"
           echo "stub_written=true" >> "$GITHUB_OUTPUT"
 
-      - uses: anthropics/claude-code-action@v1
+      - uses: anthropics/claude-code-action@{{CCA_VERSION}}
         if: steps.prep.outputs.stub_written == 'true'
         env:
           AUDIT_DATE: ${{ steps.prep.outputs.date }}

package/templates/workflow-py.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v3
+# clud-bug-template-version: v5
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -12,6 +12,8 @@ jobs:
       contents: read
       pull-requests: write
       id-token: write
+      # checks: write — composite emits per-skill check-runs (BB.3).
+      checks: write
 
     steps:
       - uses: actions/checkout@v6
@@ -48,7 +50,7 @@ jobs:
           echo "::error::Set it: Settings → Secrets and variables → Actions → New repository secret."
           exit 1
 
-      - uses: anthropics/claude-code-action@v1
+      - uses: anthropics/claude-code-action@{{CCA_VERSION}}
         if: steps.guard.outputs.skip != 'true'
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -220,6 +222,6 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.8
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.10
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

package/templates/workflow-ts.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v3
+# clud-bug-template-version: v5
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -12,6 +12,8 @@ jobs:
       contents: read
       pull-requests: write
       id-token: write
+      # checks: write — composite emits per-skill check-runs (BB.3).
+      checks: write
 
     steps:
       - uses: actions/checkout@v6
@@ -48,7 +50,7 @@ jobs:
           echo "::error::Set it: Settings → Secrets and variables → Actions → New repository secret."
           exit 1
 
-      - uses: anthropics/claude-code-action@v1
+      - uses: anthropics/claude-code-action@{{CCA_VERSION}}
         if: steps.guard.outputs.skip != 'true'
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -221,6 +223,6 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.8
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.10
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

package/templates/workflow.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v3
+# clud-bug-template-version: v5
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -12,6 +12,10 @@ jobs:
       contents: read
       pull-requests: write
       id-token: write
+      # checks: write — composite action emits per-skill check-runs via
+      # the GitHub Checks API for any skill in .clud-bug.json's strictSkills
+      # list (BB.3, v0.5.10+). No-op when strictSkills is unset.
+      checks: write
 
     steps:
       - uses: actions/checkout@v6
@@ -71,7 +75,7 @@ jobs:
           echo "::error::Without it, Clud Bug review is a silent no-op."
           exit 1
 
-      - uses: anthropics/claude-code-action@v1
+      - uses: anthropics/claude-code-action@{{CCA_VERSION}}
         # Skip the action when guard already posted the bot/fork advisory.
         if: steps.guard.outputs.skip != 'true'
         env:
@@ -253,6 +257,6 @@ jobs:
       # Letting the action's own failure fail the check is louder and right.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.8
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.10
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}