coderev-cli 1.0.17 → 1.0.19

package/README.md

@@ -26,6 +26,7 @@
   - [coderev cache（缓存管理）](#coderev-cache缓存管理)
   - [coderev config（配置管理）](#coderev-config配置管理)
   - [coderev init（初始化）](#coderev-init初始化)
+  - [coderev serve（GitHub App 自动审查）](#coderev-servegithub-app-自动审查)
 - [配置详解](#配置详解)
 - [平台集成](#平台集成)
 - [CI/CD 集成](#cicd-集成)
@@ -437,6 +438,49 @@ coderev init
 
 ---
 
+### coderev serve（GitHub App 自动审查）
+
+**作用**：启动 webhook 服务器，监听 GitHub App 的 pull_request 事件，自动对每个新 PR 进行代码审查。
+
+**适用场景**：团队仓库每个 PR 自动审查 / 开源项目自动反馈 / CI/CD 增强
+
+**参数**：
+
+| 参数 | 说明 | 示例 |
+|------|------|------|
+| `--port` | 服务器端口（默认 3000） | `--port 8080` |
+| `--app-id` | GitHub App ID | `--app-id 123456` |
+| `--private-key` | GitHub App 私钥 PEM | `--private-key "$(cat key.pem)"` |
+| `--webhook-secret` | Webhook 签名密钥 | `--webhook-secret xxx` |
+| `--review-mode` | 审查模式（comment/inline/check） | `--review-mode inline` |
+| `--auto-approve` | 无问题 PR 自动 approve | `--auto-approve` |
+| `--min-confidence` | 最低置信度阈值 | `--min-confidence 70` |
+
+**示例**：
+
+```bash
+# 启动服务器
+coderev serve --app-id 123456 --webhook-secret mysecret --private-key "$(cat /path/to/key.pem)"
+
+# 使用环境变量
+GITHUB_APP_ID=123456 GITHUB_APP_WEBHOOK_SECRET=mysecret coderev serve
+```
+
+**事件处理**：
+- `pull_request.opened` — 新 PR 自动审查
+- `pull_request.synchronize` — PR 更新时重新审查
+- `pull_request.reopened` — 重新审查
+- Draft PR 和 Bot PR 默认跳过
+
+**输出**：审查完成后自动：
+1. 发布 PR review comment（Markdown 格式）
+2. 设置 commit status（pending → success/failure/neutral）
+3. 可选 auto-approve（无问题的 PR）
+
+> 完整部署指南见 [docs/github-app.md](docs/github-app.md)
+
+---
+
 ## 配置详解
 
 ### 配置加载顺序

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coderev-cli",
-  "version": "1.0.17",
+  "version": "1.0.19",
   "description": "Multi-agent AI code review for git -- parallel agents with confidence scoring",
   "main": "src/index.js",
   "bin": {
@@ -42,6 +42,7 @@
     "chalk": "^4.1.2",
     "commander": "^12.0.0",
     "diff": "^5.2.0",
-    "openai": "^4.0.0"
+    "openai": "^4.0.0",
+    "puppeteer": "^25.1.0"
   }
 }

package/src/cli.js

@@ -710,6 +710,27 @@ build/
     }
   });
 
+// ── Serve (GitHub App) ────────────────────────────────────────────
+program
+  .command('serve')
+  .description('Start GitHub App webhook server for automatic PR review')
+  .option('-p, --port <number>', 'Server port (default: 3000)')
+  .option('--webhook-secret <secret>', 'GitHub App webhook secret')
+  .option('--app-id <id>', 'GitHub App ID')
+  .option('--private-key <key>', 'GitHub App private key (PEM)')
+  .option('--review-mode <mode>', 'Review output: comment (default) | inline | check')
+  .option('--auto-approve', 'Auto-approve PRs with no issues')
+  .option('--min-confidence <number>', 'Minimum confidence threshold 0-100 (default: 60)')
+  .action(async (options) => {
+    try {
+      const { serveCommand } = require('./github-app');
+      await serveCommand(options);
+    } catch (err) {
+      console.error(chalk.red(`✖ ${err.message}`));
+      process.exit(1);
+    }
+  });
+
 program.parse(process.argv);
 
 // ── Helpers ───────────────────────────────────────────────────

package/src/github-app.js

@@ -0,0 +1,511 @@
+#!/usr/bin/env node
+
+/**
+ * coderev GitHub App Server
+ *
+ * 一个独立的 webhook 服务器，接收 GitHub App 的 pull_request 事件，
+ * 自动运行 coderev 审查并将结果作为 PR review 发布。
+ *
+ * 运行方式:
+ *   coderev serve --port 3000 --webhook-secret your-secret --app-id 123456 --private-key ./key.pem
+ *   或
+ *   GITHUB_APP_ID=123456 GITHUB_APP_PRIVATE_KEY="$(cat key.pem)" coderev serve
+ *
+ * 部署建议:
+ *   - Railway / Render / Fly.io / 自建 VPS
+ *   - 配合 PM2 持久化运行
+ *   - 设置 GitHub App Webhook URL → https://your-domain.com/webhook
+ */
+
+const http = require('http');
+const crypto = require('crypto');
+const { loadConfig, getApiKey } = require('./config');
+const { reviewDiff } = require('./reviewer');
+const chalk = require('chalk');
+
+// ── 配置 ─────────────────────────────────────────────────────
+
+/**
+ * Load GitHub App config from env vars (or .coderevrc.json later).
+ */
+function loadAppConfig() {
+  const config = loadConfig();
+  const appConfig = config.githubApp || {};
+
+  return {
+    // Required
+    appId: process.env.GITHUB_APP_ID || appConfig.appId,
+    privateKey: process.env.GITHUB_APP_PRIVATE_KEY || process.env.GITHUB_APP_PRIVATE_KEY_FILE ? require('fs').readFileSync(process.env.GITHUB_APP_PRIVATE_KEY_FILE, 'utf8') : appConfig.privateKey,
+    webhookSecret: process.env.GITHUB_APP_WEBHOOK_SECRET || appConfig.webhookSecret || '',
+
+    // Optional
+    port: parseInt(process.env.PORT || appConfig.port || 3000, 10),
+    host: process.env.HOST || appConfig.host || '0.0.0.0',
+    autoApprove: process.env.AUTO_APPROVE === 'true' || appConfig.autoApprove === true,
+    minConfidence: parseInt(process.env.MIN_CONFIDENCE || appConfig.minConfidence || 60, 10),
+    reviewMode: process.env.REVIEW_MODE || appConfig.reviewMode || 'comment',
+    // 'comment' — single PR comment summary
+    // 'inline' — inline review comments (needs file SHA mapping)
+    // 'check' — commit status check (set pending → success/failure)
+    skipDrafts: process.env.SKIP_DRAFTS !== 'false',
+    skipBotPRs: process.env.SKIP_BOT_PRS !== 'false',
+  };
+}
+
+// ── GitHub App JWT Token ────────────────────────────────────
+
+/**
+ * Generate a JWT for GitHub App authentication.
+ * @param {string} appId - GitHub App ID
+ * @param {string} privateKeyPem - RSA private key in PEM format
+ * @returns {{ token: string, expiresAt: number }}
+ */
+function generateAppJWT(appId, privateKeyPem) {
+  if (!appId || !privateKeyPem) {
+    throw new Error('Missing GITHUB_APP_ID or GITHUB_APP_PRIVATE_KEY');
+  }
+
+  const now = Math.floor(Date.now() / 1000);
+  const payload = {
+    iat: now - 60,            // 1 minute leeway
+    exp: now + 600,            // 10 minute expiry (GitHub max)
+    iss: parseInt(appId, 10),
+  };
+
+  const header = {
+    alg: 'RS256',
+    typ: 'JWT',
+  };
+
+  // Base64url encode
+  const b64u = (obj) => Buffer.from(JSON.stringify(obj))
+    .toString('base64')
+    .replace(/=/g, '')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_');
+
+  const headerEnc = b64u(header);
+  const payloadEnc = b64u(payload);
+
+  const sign = crypto.createSign('RSA-SHA256');
+  sign.update(headerEnc + '.' + payloadEnc);
+  const sig = sign.sign(privateKeyPem, 'base64')
+    .replace(/=/g, '')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_');
+
+  return {
+    token: headerEnc + '.' + payloadEnc + '.' + sig,
+    expiresAt: payload.exp,
+  };
+}
+
+// ── GitHub API 调用（已认证） ──────────────────────────────
+
+/**
+ * Call GitHub API with JWT or installation token.
+ */
+function githubApi(path, token, method = 'GET', body = null) {
+  return new Promise((resolve, reject) => {
+    const opts = {
+      hostname: 'api.github.com',
+      path,
+      method,
+      headers: {
+        'User-Agent': 'coderev-github-app',
+        'Accept': 'application/vnd.github.v3+json',
+        'Authorization': `Bearer ${token}`,
+      },
+    };
+    if (body) {
+      opts.headers['Content-Type'] = 'application/json';
+      opts.headers['Content-Length'] = Buffer.byteLength(JSON.stringify(body));
+    }
+
+    const req = https.request(opts, (res) => {
+      let data = '';
+      res.on('data', (c) => (data += c));
+      res.on('end', () => {
+        if (res.statusCode >= 200 && res.statusCode < 300) {
+          try { resolve(data ? JSON.parse(data) : {}); }
+          catch { resolve(data); }
+        } else if (res.statusCode === 204) {
+          resolve({});
+        } else {
+          reject(new Error(`GitHub API ${res.statusCode}: ${data.slice(0, 300)}`));
+        }
+      });
+    });
+    req.on('error', reject);
+    if (body) req.write(JSON.stringify(body));
+    req.end();
+  });
+}
+
+/**
+ * Exchange JWT for an installation access token.
+ * @param {string} jwt
+ * @param {number} installationId
+ * @returns {Promise<{ token: string, expiresAt: string }>}
+ */
+async function getInstallationToken(jwt, installationId) {
+  const result = await githubApi(`/app/installations/${installationId}/access_tokens`, jwt, 'POST');
+  return { token: result.token, expiresAt: result.expires_at };
+}
+
+// ── Webhook 处理 ────────────────────────────────────────────
+
+/**
+ * Verify webhook signature.
+ */
+function verifySignature(payload, signature, secret) {
+  if (!secret) return true; // No secret configured — skip verification
+  const sig = 'sha256=' + crypto.createHmac('sha256', secret).update(payload).digest('hex');
+  // Constant-time comparison
+  if (sig.length !== signature.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(signature));
+}
+
+/**
+ * Handle pull_request.opened and pull_request.synchronize events.
+ */
+async function handlePREvent(event, payload, appConfig) {
+  const action = payload.action;
+  const pr = payload.pull_request;
+
+  // Validate event
+  if (!['opened', 'synchronize', 'reopened'].includes(action)) {
+    return { handled: false, reason: `unsupported action: ${action}` };
+  }
+
+  // Skip drafts
+  if (appConfig.skipDrafts !== false && pr.draft) {
+    return { handled: false, reason: 'draft PR, skipped' };
+  }
+
+  // Skip bot PRs
+  if (appConfig.skipBotPRs !== false && (pr.user?.type === 'Bot' || (pr.title || '').startsWith('[bot]'))) {
+    return { handled: false, reason: 'bot PR, skipped' };
+  }
+
+  const owner = payload.repository.owner.login;
+  const repo = payload.repository.name;
+  const prNumber = pr.number;
+  const ref = { owner, repo, pr: prNumber };
+  const installationId = payload.installation?.id;
+
+  if (!installationId) {
+    return { handled: false, reason: 'no installation id' };
+  }
+
+  console.error(chalk.blue(`[${owner}/${repo}#${prNumber}] Processing ${action}...`));
+
+  // 1. Get installation token
+  const jwt = generateAppJWT(appConfig.appId, appConfig.privateKey);
+  let instToken;
+  try {
+    instToken = await getInstallationToken(jwt.token, installationId);
+  } catch (err) {
+    console.error(chalk.red(`[${owner}/${repo}#${prNumber}] Failed to get installation token: ${err.message}`));
+    return { handled: false, error: err.message };
+  }
+
+  const token = instToken.token;
+
+  // 2. Fetch PR diff
+  const { fetchPrDiff } = require('./github');
+  let diff;
+  try {
+    diff = await fetchPrDiff(ref, token);
+  } catch (err) {
+    console.error(chalk.red(`[${owner}/${repo}#${prNumber}] Failed to fetch diff: ${err.message}`));
+    await setCommitStatus(token, ref, pr.head.sha, 'error', 'Failed to fetch diff');
+    return { handled: false, error: err.message };
+  }
+
+  // 3. Set commit status to pending
+  if (appConfig.reviewMode === 'check' || true) {
+    try {
+      await setCommitStatus(token, ref, pr.head.sha, 'pending', 'coderev is reviewing...');
+    } catch {}
+  }
+
+  // 4. Run review
+  let result;
+  try {
+    result = await reviewDiff(diff, null, {
+      noCache: true,
+      minConfidence: appConfig.minConfidence,
+    });
+  } catch (err) {
+    console.error(chalk.red(`[${owner}/${repo}#${prNumber}] Review failed: ${err.message}`));
+    await setCommitStatus(token, ref, pr.head.sha, 'error', 'Review failed: ' + err.message.slice(0, 100));
+    return { handled: false, error: err.message };
+  }
+
+  const issueCount = (result.issues || []).length;
+
+  console.error(chalk.cyan(`[${owner}/${repo}#${prNumber}] Review complete: ${result.score}/100, ${issueCount} issues`));
+
+  // 5. Post review
+  try {
+    if (appConfig.reviewMode === 'inline') {
+      // Inline mode — post review comments at file level
+      await postInlineReview(token, ref, pr, result);
+    } else {
+      // Default: post a PR comment summary
+      const { postPrComment } = require('./github');
+      const md = formatAppMarkdown(result, ref);
+      await postPrComment(ref, md, token);
+    }
+  } catch (err) {
+    console.error(chalk.yellow(`[${owner}/${repo}#${prNumber}] Failed to post comment: ${err.message}`));
+  }
+
+  // 6. Set final commit status (check mode or always)
+  try {
+    const state = issueCount === 0 ? 'success' : (result.score >= 60 ? 'neutral' : 'failure');
+    const description = issueCount === 0
+      ? '✅ coderev: no issues found'
+      : `⚠ coderev: ${issueCount} issues (score: ${result.score}/100)`;
+    await setCommitStatus(token, ref, pr.head.sha, state, description);
+  } catch {}
+
+  // 7. Auto-approve if configured and no issues
+  if (appConfig.autoApprove && issueCount === 0) {
+    try {
+      await approvePR(token, ref, pr.head.sha);
+      console.error(chalk.green(`[${owner}/${repo}#${prNumber}] Auto-approved`));
+    } catch (err) {
+      console.error(chalk.yellow(`[${owner}/${repo}#${prNumber}] Auto-approve failed: ${err.message}`));
+    }
+  }
+
+  return { handled: true, score: result.score, issues: issueCount };
+}
+
+/**
+ * Set a commit status on GitHub.
+ */
+async function setCommitStatus(token, ref, sha, state, description) {
+  const body = {
+    state, // 'pending', 'success', 'failure', 'error', 'neutral'
+    description: description || 'coderev review',
+    context: 'coderev/review',
+    target_url: `https://github.com/${ref.owner}/${ref.repo}/pull/${ref.pr}`,
+  };
+  return githubApi(`/repos/${ref.owner}/${ref.repo}/statuses/${sha}`, token, 'POST', body);
+}
+
+/**
+ * Approve a pull request.
+ */
+async function approvePR(token, ref, sha) {
+  const body = {
+    commit_id: sha,
+    event: 'APPROVE',
+    body: '✅ coderev: no issues found. Auto-approved.',
+  };
+  return githubApi(`/repos/${ref.owner}/${ref.repo}/pulls/${ref.pr}/reviews`, token, 'POST', body);
+}
+
+/**
+ * Post inline review comments.
+ */
+async function postInlineReview(token, ref, pr, result) {
+  const { fetchPrFiles } = require('./github');
+  const prFiles = await fetchPrFiles(ref, token);
+
+  const fileMap = {};
+  for (const f of prFiles) fileMap[f.filename] = f;
+
+  const comments = [];
+  for (const issue of result.issues || []) {
+    if (!issue.file) continue;
+    if (!fileMap[issue.file]) continue;
+    comments.push({
+      path: issue.file,
+      line: issue.line || 1,
+      side: 'RIGHT',
+      body: `**${issue.type.toUpperCase()}** [${issue.severity}]: ${issue.message}${issue.suggestion ? '\n\n> 💡 ' + issue.suggestion : ''}`,
+    });
+    if (comments.length >= 50) break; // GitHub limit
+  }
+
+  const body = {
+    commit_id: pr.head.sha,
+    event: 'COMMENT',
+    body: `## 📋 coderev review\n\n**Score: ${result.score}/100** | ${(result.issues || []).length} issues found\n\n${result.summary || ''}`,
+    comments,
+  };
+
+  return githubApi(`/repos/${ref.owner}/${ref.repo}/pulls/${ref.pr}/reviews`, token, 'POST', body);
+}
+
+// ── Webhook Server ──────────────────────────────────────────
+
+/**
+ * Start the GitHub App webhook server.
+ */
+function startServer(appConfig) {
+  const server = http.createServer(async (req, res) => {
+    // Health check
+    if (req.url === '/health') {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ status: 'ok', version: '1.0.0', uptime: process.uptime() }));
+      return;
+    }
+
+    // Only accept POST /webhook
+    if (req.method !== 'POST' || req.url !== '/webhook') {
+      res.writeHead(404);
+      res.end('Not found');
+      return;
+    }
+
+    // Read payload
+    const buffers = [];
+    for await (const chunk of req) buffers.push(chunk);
+    const rawBody = Buffer.concat(buffers);
+
+    // Verify signature
+    const signature = req.headers['x-hub-signature-256'] || '';
+    if (!verifySignature(rawBody, signature, appConfig.webhookSecret)) {
+      console.error(chalk.red('✖ Invalid webhook signature'));
+      res.writeHead(401);
+      res.end('Invalid signature');
+      return;
+    }
+
+    const event = req.headers['x-github-event'];
+    let payload;
+    try {
+      payload = JSON.parse(rawBody.toString('utf-8'));
+    } catch {
+      res.writeHead(400);
+      res.end('Invalid JSON');
+      return;
+    }
+
+    // Ack immediately
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ received: true }));
+
+    // Handle PR events
+    if (event === 'pull_request') {
+      try {
+        const result = await handlePREvent(event, payload, appConfig);
+        console.error(chalk.green(`✔ ${payload.repository?.full_name || '?'}#${payload.pull_request?.number || '?'}: ${result.handled ? 'Reviewed' : 'Skipped (' + result.reason + ')'}`));
+      } catch (err) {
+        console.error(chalk.red(`✖ Webhook handler error: ${err.message}`));
+      }
+    } else if (event === 'installation' || event === 'installation_repositories') {
+      const action = payload.action;
+      const account = payload.installation?.account?.login || payload.sender?.login || 'unknown';
+      const repos = (payload.repositories || []).map(r => r.full_name).join(', ') || 'N/A';
+      console.error(chalk.cyan(`📦 Installation ${action}: ${account} — ${repos}`));
+    } else {
+      console.error(chalk.gray(`ℹ Ignored event: ${event}`));
+    }
+  });
+
+  server.listen(appConfig.port, appConfig.host, () => {
+    console.error(chalk.bold.green('\n🚀 coderev GitHub App Server'));
+    console.error(chalk.gray('━').repeat(50));
+    console.error(chalk.cyan(`  Webhook URL: http://${appConfig.host}:${appConfig.port}/webhook`));
+    console.error(chalk.cyan(`  Health:      http://${appConfig.host}:${appConfig.port}/health`));
+    console.error(chalk.cyan(`  App ID:      ${appConfig.appId || '(not set)'}`));
+    console.error(chalk.cyan(`  Review mode: ${appConfig.reviewMode}`));
+    console.error(chalk.cyan(`  Auto-approve: ${appConfig.autoApprove ? 'yes' : 'no'}`));
+    console.error(chalk.gray('━').repeat(50));
+    console.error(chalk.gray('  Listening...'));
+  });
+
+  return server;
+}
+
+// ── Markdown 格式化（App 版本） ─────────────────────────────
+
+function formatAppMarkdown(result, ref) {
+  const TAG = `<!-- coderev:${ref.owner}/${ref.repo}#${ref.pr} -->`;
+  let md = `## 📋 coderev review\n\n${TAG}\n`;
+  md += `**Score:** ${result.score}/100\n`;
+  md += `**Issues found:** ${(result.issues || []).length}\n\n`;
+
+  if (result.summary) md += `${result.summary}\n\n`;
+
+  if (result.issues && result.issues.length > 0) {
+    md += '### Issues\n\n';
+    for (const issue of result.issues) {
+      const icons = { error: '🔴', warning: '🟡', info: '🔵' };
+      md += `- ${icons[issue.type] || '⚪'} **${issue.type.toUpperCase()}**`;
+      if (issue.severity) md += ` [${issue.severity}]`;
+      md += `: ${issue.message}`;
+      if (issue.file) md += ` (\`${issue.file}\``;
+      if (issue.line) md += `:${issue.line}`;
+      if (issue.file) md += `)`;
+      md += '\n';
+      if (issue.suggestion) md += `  - 💡 ${issue.suggestion}\n`;
+    }
+  }
+
+  if (result.praise && result.praise.length > 0) {
+    md += '\n### ✅ Good Practices\n\n';
+    for (const p of result.praise) md += `- ${p}\n`;
+  }
+
+  if (result.score !== undefined) {
+    const scoreVal = result.score;
+    const emoji = scoreVal >= 80 ? '🟢' : scoreVal >= 50 ? '🟡' : '🔴';
+    md += `\n${emoji} **Overall Score:** ${result.score}/100\n`;
+  }
+
+  return md;
+}
+
+// ── CLI 入口 ────────────────────────────────────────────────
+
+/**
+ * Parse CLI args and start the server.
+ * Called from cli.js 'serve' command.
+ */
+async function serveCommand(options) {
+  const config = loadConfig();
+  const appConfig = loadAppConfig();
+
+  // CLI overrides
+  if (options.port) appConfig.port = parseInt(options.port, 10);
+  if (options.webhookSecret) appConfig.webhookSecret = options.webhookSecret;
+  if (options.appId) appConfig.appId = options.appId;
+  if (options.privateKey) appConfig.privateKey = options.privateKey;
+  if (options.reviewMode) appConfig.reviewMode = options.reviewMode;
+  if (options.autoApprove !== undefined) appConfig.autoApprove = options.autoApprove;
+  if (options.minConfidence) appConfig.minConfidence = parseInt(options.minConfidence, 10);
+
+  // Validate required fields
+  const missing = [];
+  if (!appConfig.appId) missing.push('--app-id / GITHUB_APP_ID');
+  if (!appConfig.privateKey) missing.push('--private-key / GITHUB_APP_PRIVATE_KEY');
+
+  if (missing.length > 0) {
+    console.error(chalk.red('✖ Missing required configuration:'));
+    for (const m of missing) console.error(chalk.red(`   ${m}`));
+    console.error('');
+    console.error(chalk.yellow('To create a GitHub App:'));
+    console.error(chalk.yellow('  1. Go to https://github.com/settings/apps/new'));
+    console.error(chalk.yellow('  2. Set Webhook URL to your server URL + /webhook'));
+    console.error(chalk.yellow('  3. Subscribe to "Pull requests" event'));
+    console.error(chalk.yellow('  4. Download the private key (.pem file)'));
+    console.error(chalk.yellow('  5. Run:'));
+    console.error(chalk.yellow('     coderev serve --app-id <ID> --private-key "$(cat key.pem)"'));
+    console.error('');
+    process.exit(1);
+  }
+
+  return startServer(appConfig);
+}
+
+module.exports = { serveCommand, handlePREvent, generateAppJWT, getInstallationToken, formatAppMarkdown };
+
+// Required for inline require('https') in functions
+const https = require('https');