create-openthrottle 1.0.0

package/index.mjs

@@ -0,0 +1,335 @@
+#!/usr/bin/env node
+// =============================================================================
+// create-openthrottle — Set up openthrottle in any Node.js project.
+//
+// Usage: npx create-openthrottle
+//
+// Detects the project, prompts for config, generates .openthrottle.yml +
+// wake-sandbox.yml, creates a Daytona snapshot + volume, prints next steps.
+// =============================================================================
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync, copyFileSync, readdirSync, statSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { execFileSync } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+import prompts from 'prompts';
+import { stringify } from 'yaml';
+import { Daytona } from '@daytonaio/sdk';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const cwd = process.cwd();
+
+// ---------------------------------------------------------------------------
+// 1. Detect project
+// ---------------------------------------------------------------------------
+
+function detectProject() {
+  const pkgPath = join(cwd, 'package.json');
+  if (!existsSync(pkgPath)) {
+    console.error('No package.json found. create-openthrottle currently supports Node.js projects only.');
+    process.exit(1);
+  }
+
+  let pkg;
+  try {
+    pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+  } catch {
+    console.error('Could not parse package.json. Is it valid JSON?');
+    process.exit(1);
+  }
+  const scripts = pkg.scripts || {};
+  const rawName = pkg.name?.replace(/^@[^/]+\//, '') || 'project';
+  const name = rawName.toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-');
+
+  // Detect package manager
+  let pm = 'npm';
+  if (pkg.packageManager?.startsWith('pnpm')) pm = 'pnpm';
+  else if (pkg.packageManager?.startsWith('yarn')) pm = 'yarn';
+  else if (existsSync(join(cwd, 'pnpm-lock.yaml'))) pm = 'pnpm';
+  else if (existsSync(join(cwd, 'yarn.lock'))) pm = 'yarn';
+  else if (existsSync(join(cwd, 'package-lock.json'))) pm = 'npm';
+
+  // Detect base branch
+  let baseBranch = 'main';
+  try {
+    const head = execFileSync('git', ['remote', 'show', 'origin'], { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const match = head.match(/HEAD branch:\s*(\S+)/);
+    if (match) baseBranch = match[1];
+  } catch {
+    // Not a git repo or no remote — default to main
+  }
+
+  return {
+    name,
+    pm,
+    baseBranch,
+    test: scripts.test ? `${pm} test` : '',
+    build: scripts.build ? `${pm} build` : '',
+    lint: scripts.lint ? `${pm} lint` : '',
+    format: scripts.format ? `${pm} run format` : (pkg.devDependencies?.prettier ? 'npx prettier --write .' : ''),
+    dev: scripts.dev ? `${pm} dev --port 8080 --hostname 0.0.0.0` : '',
+  };
+}
+
+// ---------------------------------------------------------------------------
+// 2. Prompt for config
+// ---------------------------------------------------------------------------
+
+async function promptConfig(detected) {
+  console.log(`\n  Detected: package.json (${detected.pm})\n`);
+
+  const response = await prompts([
+    { type: 'text', name: 'baseBranch', message: 'Base branch', initial: detected.baseBranch },
+    { type: 'text', name: 'test', message: 'Test command', initial: detected.test },
+    { type: 'text', name: 'build', message: 'Build command', initial: detected.build },
+    { type: 'text', name: 'lint', message: 'Lint command', initial: detected.lint },
+    { type: 'text', name: 'format', message: 'Format command', initial: detected.format },
+    { type: 'text', name: 'dev', message: 'Dev command', initial: detected.dev },
+    { type: 'text', name: 'postBootstrap', message: 'Post-bootstrap command', initial: `${detected.pm} install` },
+    {
+      type: 'select', name: 'agent', message: 'Agent runtime',
+      choices: [
+        { title: 'Claude', value: 'claude' },
+        { title: 'Codex', value: 'codex' },
+        { title: 'Aider', value: 'aider' },
+      ],
+      initial: 0,
+    },
+    {
+      type: 'select', name: 'notifications', message: 'Notifications',
+      choices: [
+        { title: 'Telegram', value: 'telegram' },
+        { title: 'None', value: 'none' },
+      ],
+      initial: 0,
+    },
+    { type: 'confirm', name: 'reviewEnabled', message: 'Enable automated PR review?', initial: true },
+    {
+      type: (prev) => prev ? 'number' : null,
+      name: 'maxRounds', message: 'Max review rounds', initial: 3, min: 1, max: 10,
+    },
+    {
+      type: 'select', name: 'snapshotMode', message: 'Snapshot source',
+      choices: [
+        { title: 'Pre-built image (faster, recommended)', value: 'image' },
+        { title: 'Build from Dockerfile (customizable)', value: 'dockerfile' },
+      ],
+      initial: 0,
+    },
+  ], { onCancel: () => { console.log('\nCancelled.'); process.exit(0); } });
+
+  return { ...detected, ...response };
+}
+
+// ---------------------------------------------------------------------------
+// 3. Generate .openthrottle.yml
+// ---------------------------------------------------------------------------
+
+function generateConfig(config) {
+  const doc = {
+    base_branch: config.baseBranch,
+    test: config.test || undefined,
+    dev: config.dev || undefined,
+    format: config.format || undefined,
+    lint: config.lint || undefined,
+    build: config.build || undefined,
+    notifications: config.notifications === 'none' ? undefined : config.notifications,
+    agent: config.agent,
+    snapshot: `openthrottle`,
+    post_bootstrap: [config.postBootstrap],
+    mcp_servers: {},
+    review: {
+      enabled: config.reviewEnabled,
+      max_rounds: config.maxRounds ?? 3,
+    },
+  };
+
+  // Remove undefined fields
+  for (const key of Object.keys(doc)) {
+    if (doc[key] === undefined) delete doc[key];
+  }
+
+  const header = [
+    '# openthrottle.yml — project config for Open Throttle (Daytona runtime)',
+    '# Generated by npx create-openthrottle. Committed to the repo so the',
+    '# sandbox knows how to work with this project.',
+    '',
+  ].join('\n');
+
+  return header + stringify(doc);
+}
+
+// ---------------------------------------------------------------------------
+// 4. Copy wake-sandbox.yml
+// ---------------------------------------------------------------------------
+
+function copyWorkflow() {
+  const src = join(__dirname, 'templates', 'wake-sandbox.yml');
+  const destDir = join(cwd, '.github', 'workflows');
+  const dest = join(destDir, 'wake-sandbox.yml');
+  mkdirSync(destDir, { recursive: true });
+  copyFileSync(src, dest);
+  return dest;
+}
+
+// ---------------------------------------------------------------------------
+// 5 & 6. Create Daytona snapshot + volume
+// ---------------------------------------------------------------------------
+
+async function setupDaytona(config) {
+  const apiKey = process.env.DAYTONA_API_KEY;
+  if (!apiKey) {
+    console.error('\n  Missing DAYTONA_API_KEY env var. Get one at https://daytona.io/dashboard\n');
+    process.exit(1);
+  }
+
+  const daytona = new Daytona();
+  const snapshotName = `openthrottle`;
+  const volumeName = `openthrottle-${config.name}`;
+
+  // Create snapshot — from pre-built image or from Dockerfile
+  if (config.snapshotMode === 'dockerfile') {
+    // Copy Dockerfile + runtime scripts into user's project for customization
+    const dockerDir = join(cwd, '.openthrottle', 'docker');
+    mkdirSync(dockerDir, { recursive: true });
+
+    const templateDir = join(__dirname, 'templates', 'docker');
+    if (existsSync(templateDir)) {
+      for (const file of readdirSync(templateDir, { recursive: true })) {
+        const src = join(templateDir, file);
+        const dest = join(dockerDir, file);
+        const stat = statSync(src);
+        if (stat.isDirectory()) {
+          mkdirSync(dest, { recursive: true });
+        } else {
+          mkdirSync(dirname(dest), { recursive: true });
+          copyFileSync(src, dest);
+        }
+      }
+    }
+    console.log('  ✓ Copied Dockerfile + runtime to .openthrottle/docker/');
+    console.log('    Customize the Dockerfile, then create snapshot:');
+    console.log(`    daytona snapshot create ${snapshotName} --dockerfile .openthrottle/docker/Dockerfile --build-arg AGENT=${config.agent}`);
+  } else {
+    const image = `ghcr.io/openthrottle/doer-${config.agent}:node-1.0.0`;
+    try {
+      await daytona.snapshot.create({
+        name: snapshotName,
+        image,
+        resources: { cpu: 2, memory: 4, disk: 10 },
+      });
+      console.log(`  ✓ Created Daytona snapshot: ${snapshotName}`);
+    } catch (err) {
+      if (err.status === 409 || err.message?.includes('already exists')) {
+        console.log(`  ✓ Snapshot already exists: ${snapshotName}`);
+      } else {
+        console.error(`  ✗ Failed to create snapshot: ${err.message}`);
+        process.exit(1);
+      }
+    }
+  }
+
+  // Create volume (idempotent)
+  try {
+    await daytona.volume.create({ name: volumeName });
+    console.log(`  ✓ Created Daytona volume: ${volumeName}`);
+  } catch (err) {
+    if (err.status === 409 || err.message?.includes('already exists')) {
+      console.log(`  ✓ Volume already exists: ${volumeName}`);
+    } else {
+      console.error(`  ✗ Failed to create volume: ${err.message}`);
+      process.exit(1);
+    }
+  }
+
+  return { snapshotName, volumeName };
+}
+
+// ---------------------------------------------------------------------------
+// 7. Print next steps
+// ---------------------------------------------------------------------------
+
+function printNextSteps(config) {
+  const agentSecret =
+    config.agent === 'claude'
+      ? '     ANTHROPIC_API_KEY            ← option a: pay-per-use API key\n     CLAUDE_CODE_OAUTH_TOKEN      ← option b: subscription token (claude setup-token)'
+      : config.agent === 'codex'
+        ? '     OPENAI_API_KEY               ← required for Codex'
+        : '     OPENAI_API_KEY               ← or ANTHROPIC_API_KEY (depends on your Aider model)';
+  const secrets = [
+    '     DAYTONA_API_KEY              ← required',
+    agentSecret,
+  ];
+
+  console.log(`
+  Next steps:
+
+  1. Set GitHub repo secrets:
+${secrets.join('\n')}
+     TELEGRAM_BOT_TOKEN            ← optional (notifications)
+     TELEGRAM_CHAT_ID              ← optional (notifications)
+
+  2. Commit and push:
+     git add .openthrottle.yml .github/workflows/wake-sandbox.yml
+     git commit -m "feat: add openthrottle config"
+     git push
+
+  3. Ship your first prompt:
+     gh issue create --title "My first feature" \\
+       --body-file docs/prds/my-feature.md \\
+       --label prd-queued
+`);
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+async function main() {
+  console.log('\n  create-openthrottle\n');
+
+  // Step 1: Detect
+  const detected = detectProject();
+
+  // Step 2: Prompt
+  const config = await promptConfig(detected);
+
+  // Step 3: Generate config
+  const configPath = join(cwd, '.openthrottle.yml');
+  if (existsSync(configPath)) {
+    const { overwrite } = await prompts({
+      type: 'confirm', name: 'overwrite',
+      message: '.openthrottle.yml already exists. Overwrite?', initial: false,
+    }, { onCancel: () => { console.log('\nCancelled.'); process.exit(0); } });
+    if (!overwrite) { console.log('  Skipped .openthrottle.yml'); }
+    else { writeFileSync(configPath, generateConfig(config)); console.log('  ✓ Generated .openthrottle.yml'); }
+  } else {
+    writeFileSync(configPath, generateConfig(config));
+    console.log('  ✓ Generated .openthrottle.yml');
+  }
+
+  // Step 4: Copy workflow
+  const workflowPath = join(cwd, '.github', 'workflows', 'wake-sandbox.yml');
+  if (existsSync(workflowPath)) {
+    const { overwrite } = await prompts({
+      type: 'confirm', name: 'overwrite',
+      message: 'wake-sandbox.yml already exists. Overwrite?', initial: false,
+    }, { onCancel: () => { console.log('\nCancelled.'); process.exit(0); } });
+    if (!overwrite) { console.log('  Skipped wake-sandbox.yml'); }
+    else { copyWorkflow(); console.log('  ✓ Copied .github/workflows/wake-sandbox.yml'); }
+  } else {
+    copyWorkflow();
+    console.log('  ✓ Copied .github/workflows/wake-sandbox.yml');
+  }
+
+  // Steps 5 & 6: Daytona setup
+  await setupDaytona(config);
+
+  // Step 7: Next steps
+  printNextSteps(config);
+}
+
+main().catch((err) => {
+  console.error(`\n  Error: ${err.message}\n`);
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "create-openthrottle",
+  "version": "1.0.0",
+  "description": "Set up openthrottle in any Node.js project — agent-agnostic, config-driven.",
+  "type": "module",
+  "bin": {
+    "create-openthrottle": "./index.mjs"
+  },
+  "files": [
+    "index.mjs",
+    "templates/"
+  ],
+  "dependencies": {
+    "@daytonaio/sdk": "^0.153.0",
+    "prompts": "^2.4.2",
+    "yaml": "^2.4.0"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/knoxgraeme/sodaprompts"
+  },
+  "keywords": [
+    "openthrottle",
+    "daytona",
+    "agent",
+    "scaffolder",
+    "create"
+  ]
+}

package/templates/docker/Dockerfile

@@ -0,0 +1,25 @@
+FROM daytonaio/sandbox:0.6.0
+
+# Base image includes: Chromium, Xvfb, xfce4, Node.js, Claude Code, Python, git, curl
+# Build remotely: daytona snapshot create openthrottle --dockerfile ./Dockerfile --context .
+
+ARG AGENT=claude
+
+USER root
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      gh jq gosu \
+    && rm -rf /var/lib/apt/lists/* \
+    && npm install -g pnpm agent-browser \
+    && if [ "$AGENT" = "codex" ]; then npm install -g @openai/codex; fi \
+    && if [ "$AGENT" = "aider" ]; then pip install --no-cache-dir aider-chat; fi \
+    && curl -sL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64" \
+       -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
+
+COPY entrypoint.sh run-builder.sh run-reviewer.sh task-adapter.sh agent-lib.sh /opt/openthrottle/
+COPY hooks/ /opt/openthrottle/hooks/
+COPY git-hooks/ /opt/openthrottle/git-hooks/
+
+RUN chmod +x /opt/openthrottle/*.sh /opt/openthrottle/hooks/*.sh /opt/openthrottle/git-hooks/*
+
+ENTRYPOINT ["/opt/openthrottle/entrypoint.sh"]

package/templates/docker/agent-lib.sh

@@ -0,0 +1,223 @@
+#!/usr/bin/env bash
+# =============================================================================
+# agent-lib.sh — Shared library for Daytona sandbox runners
+#
+# Sourced by run-builder.sh and run-reviewer.sh. Contains:
+#   - log / notify — logging and Telegram notifications
+#   - sanitize_secrets — redact secrets from text
+#   - invoke_agent — runtime-specific agent invocation with session management
+#
+# Requires: SANDBOX_HOME, LOG_DIR, SESSIONS_DIR, AGENT_RUNTIME, GITHUB_REPO
+# =============================================================================
+
+# ---------------------------------------------------------------------------
+# Logging and notifications
+# ---------------------------------------------------------------------------
+RUNNER_NAME="${RUNNER_NAME:-agent}"
+
+log() { echo "[${RUNNER_NAME} $(date +%H:%M:%S)] $1" | tee -a "${LOG_DIR}/${RUNNER_NAME}.log"; }
+
+notify() {
+  if [[ -n "${TELEGRAM_BOT_TOKEN:-}" ]] && [[ -n "${TELEGRAM_CHAT_ID:-}" ]]; then
+    local HTTP_CODE
+    HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' \
+      -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
+      -d "chat_id=${TELEGRAM_CHAT_ID}" \
+      -d "text=$1") || true
+    if [[ "$HTTP_CODE" != "200" ]] && [[ "${_NOTIFY_WARNED:-}" != "1" ]]; then
+      log "WARNING: Telegram notification failed (HTTP ${HTTP_CODE}). Check TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID."
+      _NOTIFY_WARNED=1
+    fi
+  fi
+}
+
+# ---------------------------------------------------------------------------
+# Sanitize secrets from text before posting to GitHub or logs
+# ---------------------------------------------------------------------------
+sanitize_secrets() {
+  local TEXT="$1"
+  [[ -n "${GITHUB_TOKEN:-}" ]]             && TEXT="${TEXT//$GITHUB_TOKEN/[REDACTED]}"
+  [[ -n "${TELEGRAM_BOT_TOKEN:-}" ]]       && TEXT="${TEXT//$TELEGRAM_BOT_TOKEN/[REDACTED]}"
+  [[ -n "${ANTHROPIC_API_KEY:-}" ]]        && TEXT="${TEXT//$ANTHROPIC_API_KEY/[REDACTED]}"
+  [[ -n "${CLAUDE_CODE_OAUTH_TOKEN:-}" ]]  && TEXT="${TEXT//$CLAUDE_CODE_OAUTH_TOKEN/[REDACTED]}"
+  [[ -n "${SUPABASE_ACCESS_TOKEN:-}" ]]    && TEXT="${TEXT//$SUPABASE_ACCESS_TOKEN/[REDACTED]}"
+  [[ -n "${OPENAI_API_KEY:-}" ]]           && TEXT="${TEXT//$OPENAI_API_KEY/[REDACTED]}"
+  TEXT=$(echo "$TEXT" | sed \
+    -e 's/ghp_[A-Za-z0-9_]\{36,\}/[REDACTED]/g' \
+    -e 's/ghs_[A-Za-z0-9_]\{36,\}/[REDACTED]/g' \
+    -e 's/sk-[A-Za-z0-9_-]\{20,\}/[REDACTED]/g' \
+    -e 's/Bearer [^ ]*/Bearer [REDACTED]/g')
+  echo "$TEXT"
+}
+
+# ---------------------------------------------------------------------------
+# Invoke the agent — runtime-specific command with session management
+#
+# Usage: invoke_agent PROMPT TIMEOUT SESSION_LOG [TASK_KEY]
+#   TASK_KEY — unique key for session persistence (e.g. "prd-42", "review-7").
+#              Session files are stored on the volume at SESSIONS_DIR.
+#              If RESUME_SESSION env var is set, it takes precedence (review-fix flow).
+# ---------------------------------------------------------------------------
+invoke_agent() {
+  local PROMPT="$1"
+  local AGENT_TIMEOUT="$2"
+  local SESSION_LOG="$3"
+  local TASK_KEY="${4:-}"
+
+  local -a SESSION_FLAGS=()
+  local ACTIVE_SESSION_ID=""
+
+  # Priority 1: RESUME_SESSION env var (set by GitHub Action for review-fix flow)
+  if [[ -n "${RESUME_SESSION:-}" ]]; then
+    SESSION_FLAGS=(--resume "$RESUME_SESSION")
+    ACTIVE_SESSION_ID="$RESUME_SESSION"
+    log "Resuming session from workflow: ${RESUME_SESSION}"
+
+  # Priority 2: Session file on volume (cross-sandbox resume)
+  elif [[ -n "$TASK_KEY" ]]; then
+    local SESSION_FILE="${SESSIONS_DIR}/${TASK_KEY}.id"
+    if [[ -f "$SESSION_FILE" ]]; then
+      local EXISTING_ID
+      EXISTING_ID=$(<"$SESSION_FILE")
+      if [[ -n "$EXISTING_ID" ]]; then
+        touch "$SESSION_FILE"  # refresh mtime to prevent 7-day pruning
+        SESSION_FLAGS=(--resume "$EXISTING_ID")
+        ACTIVE_SESSION_ID="$EXISTING_ID"
+        log "Resuming session from volume: ${EXISTING_ID}"
+      else
+        log "WARNING: Empty session file for ${TASK_KEY} — starting fresh"
+        rm -f "$SESSION_FILE"
+      fi
+    fi
+
+    # Create new session if not resuming
+    if [[ ${#SESSION_FLAGS[@]} -eq 0 ]]; then
+      local NEW_ID
+      NEW_ID=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
+      echo "$NEW_ID" > "${SESSIONS_DIR}/${TASK_KEY}.id"
+      SESSION_FLAGS=(--session-id "$NEW_ID")
+      ACTIVE_SESSION_ID="$NEW_ID"
+      log "New session: ${NEW_ID}"
+    fi
+  fi
+
+  # Export session ID for post_session_report
+  export LAST_SESSION_ID="$ACTIVE_SESSION_ID"
+
+  case "$AGENT_RUNTIME" in
+    claude)
+      timeout "${AGENT_TIMEOUT}" claude \
+        "${SESSION_FLAGS[@]}" \
+        --dangerously-skip-permissions \
+        -p "$PROMPT" \
+        2>&1 | tee -a "$SESSION_LOG"
+      ;;
+    codex)
+      local -a MODEL_FLAGS=()
+      [[ -n "${AGENT_MODEL:-}" ]] && MODEL_FLAGS=(--model "$AGENT_MODEL")
+      timeout "${AGENT_TIMEOUT}" codex \
+        "${MODEL_FLAGS[@]}" \
+        --approval-mode full-auto \
+        --quiet \
+        "$PROMPT" \
+        2>&1 | tee -a "$SESSION_LOG"
+      ;;
+    aider)
+      local -a MODEL_FLAGS=()
+      [[ -n "${AGENT_MODEL:-}" ]] && MODEL_FLAGS=(--model "$AGENT_MODEL")
+      timeout "${AGENT_TIMEOUT}" aider \
+        "${MODEL_FLAGS[@]}" \
+        --yes \
+        --no-auto-commits \
+        --message "$PROMPT" \
+        2>&1 | tee -a "$SESSION_LOG"
+      ;;
+    *)
+      log "Unknown AGENT_RUNTIME: ${AGENT_RUNTIME}"
+      return 1
+      ;;
+  esac
+}
+
+# ---------------------------------------------------------------------------
+# Handle agent invocation result — common exit code handling
+# ---------------------------------------------------------------------------
+handle_agent_result() {
+  local EXIT_CODE=$1
+  local TASK_LABEL="$2"
+  local TIMEOUT_VAL="$3"
+
+  case $EXIT_CODE in
+    0) return 0 ;;
+    124)
+      log "${TASK_LABEL} timed out after ${TIMEOUT_VAL}s"
+      notify "${TASK_LABEL} timed out"
+      ;;
+    127)
+      log "FATAL: Agent binary '${AGENT_RUNTIME}' not found"
+      notify "${TASK_LABEL} failed — agent binary not found"
+      return 1
+      ;;
+    137)
+      log "Agent was OOM-killed during ${TASK_LABEL}"
+      notify "${TASK_LABEL} failed — out of memory"
+      ;;
+    *)
+      log "Agent failed with exit code ${EXIT_CODE} during ${TASK_LABEL}"
+      notify "${TASK_LABEL} — agent failed (exit ${EXIT_CODE})"
+      ;;
+  esac
+}
+
+# ---------------------------------------------------------------------------
+# Post session report as a PR comment
+# ---------------------------------------------------------------------------
+post_session_report() {
+  local PR_NUM="$1"
+  local TASK_ID="$2"
+  local DURATION="$3"
+  local SESSION_LOG="$4"
+
+  local COMMIT_COUNT FILES_CHANGED
+  COMMIT_COUNT=$(git -C "$REPO" rev-list --count "${BASE_BRANCH}..HEAD" 2>/dev/null || echo "0")
+  FILES_CHANGED=$(git -C "$REPO" diff --name-only "${BASE_BRANCH}..HEAD" 2>/dev/null | wc -l | tr -d ' ')
+
+  local CMD_TOTAL CMD_FAILED
+  CMD_TOTAL=$(grep -c "\[${TASK_ID}\]" "${LOG_DIR}/bash-commands.log" 2>/dev/null || echo "0")
+  CMD_FAILED=$(grep "\[${TASK_ID}\]" "${LOG_DIR}/bash-commands.log" 2>/dev/null \
+    | grep -cv '\[exit:0\]' || echo "0")
+
+  local LOG_TAIL
+  LOG_TAIL=$(tail -50 "$SESSION_LOG" 2>/dev/null || echo "(no log)")
+  LOG_TAIL=$(sanitize_secrets "$LOG_TAIL")
+
+  # Include session-id for review-fix resume
+  local SESSION_MARKER=""
+  if [[ -n "${LAST_SESSION_ID:-}" ]]; then
+    SESSION_MARKER="
+<!-- session-id: ${LAST_SESSION_ID} -->"
+  fi
+
+  local COMMENT_ERR
+  COMMENT_ERR=$(gh pr comment "$PR_NUM" --repo "$GITHUB_REPO" --body "$(cat <<EOF
+## Session Report
+${SESSION_MARKER}
+
+| Metric | Value |
+|---|---|
+| Duration | ${DURATION}m |
+| Commits | ${COMMIT_COUNT} |
+| Files changed | ${FILES_CHANGED} |
+| Bash commands | ${CMD_TOTAL} total, ${CMD_FAILED} failed |
+
+<details>
+<summary>Command log (last 50 lines)</summary>
+
+\`\`\`
+${LOG_TAIL}
+\`\`\`
+
+</details>
+EOF
+)" 2>&1) || log "WARNING: Failed to post session report to PR #${PR_NUM}: ${COMMENT_ERR}"
+}