npm - ira-review - Versions diffs - 0.6.0 → 0.7.0 - Mend

ira-review 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.github.md +287 -52
package/README.md +46 -43
package/README.npm.md +46 -43
package/dist/bitbucket-E3MONFK5.js +8 -0
package/dist/chunk-LOM46ZUL.js +250 -0
package/dist/chunk-P7ZBC4ST.js +195 -0
package/dist/chunk-WGON3I4J.js +98 -0
package/dist/cli.js +636 -450
package/dist/github-7UAV3HAA.js +8 -0
package/dist/index.cjs +559 -22
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +94 -29
package/dist/index.d.ts +94 -29
package/dist/index.js +557 -22
package/dist/index.js.map +1 -1
package/package.json +2 -1

package/README.github.md CHANGED Viewed

@@ -1,72 +1,199 @@
-# IRA — AI-Powered Code Reviews for Pull Requests
+# IRA - AI-Powered Code Reviews for Pull Requests
-IRA (Intelligent Review Assistant) reviews your pull requests using AI. It posts inline comments with explanations, impact assessments, and suggested fixes — directly on your PR.
+IRA (Intelligent Review Assistant) reviews your pull requests using AI. It posts inline comments with explanations, impact assessments, and suggested fixes directly on your PR.
-**Works with any language.** Supports GitHub and Bitbucket (Cloud & Server).
+**Works with any language.** Supports GitHub and Bitbucket Cloud.
-## Two review modes
+## What can IRA do?
-1. **AI-only** — IRA reads your PR diff and finds bugs, security issues, and performance problems.
-2. **Sonar + AI** — IRA pulls your SonarQube issues and enriches each one with AI explanations and fixes.
+- **Review your code** using AI and post inline comments with explanation, impact, and fix
+- **Score PR risk** from 0 to 100 and auto-label your PRs on GitHub
+- **Track requirement completion** against JIRA acceptance criteria with percentage and per-criterion status
+- **Generate test cases** from JIRA tickets in 8 frameworks (Jest, Vitest, Mocha, Playwright, Cypress, Gherkin, Pytest, JUnit)
+- **Enrich SonarQube issues** with AI-powered explanations when Sonar is connected
+- **Notify your team** via Slack or Microsoft Teams after each review
-## Try it now
+## Try it in 30 seconds
 ```bash
-export IRA_AI_API_KEY=your-key-here
 npx ira-review review \
   --pr 42 \
   --scm-provider github \
-  --github-token ghp_xxxxx \
+  --github-token 'ghp_xxxxx' \
   --github-repo owner/repo \
+  --ai-api-key 'sk-xxxxx' \
   --dry-run
 ```
-Drop `--dry-run` to post comments on the PR.
+This prints the review in your terminal. Drop `--dry-run` to post it on the PR.
 ## Install
 ```bash
-npx ira-review review --pr 42 --dry-run   # no install needed
-npm install -g ira-review                   # or install globally
-npm install --save-dev ira-review           # or add to your project
+npx ira-review review --help            # no install needed
+npm install -g ira-review                # or install globally
+npm install --save-dev ira-review        # or add to your project
+```
+## How to use IRA
+Pick the combination that fits your workflow. Each example builds on the previous one.
+### 1. AI-only review
+The simplest setup. IRA reads your PR diff and finds bugs, security issues, and performance problems.
+**GitHub:**
+```bash
+npx ira-review review \
+  --pr 42 \
+  --scm-provider github \
+  --github-token 'ghp_xxxxx' \
+  --github-repo owner/repo \
+  --ai-api-key 'sk-xxxxx'
+```
+**Bitbucket Cloud:**
+```bash
+npx ira-review review \
+  --pr 42 \
+  --bitbucket-token 'bb_xxxxx' \
+  --repo my-workspace/my-repo \
+  --ai-api-key 'sk-xxxxx'
 ```
-## Quick start
+### 2. Review with JIRA (requirement tracking + AC validation)
-### AI-only review (GitHub)
+Connect a JIRA ticket and IRA will tell you how much of the acceptance criteria is actually implemented, with per-criterion pass/fail and edge case warnings.
 ```bash
 npx ira-review review \
   --pr 42 \
   --scm-provider github \
-  --github-token ghp_xxxxx \
-  --github-repo owner/repo
+  --github-token 'ghp_xxxxx' \
+  --github-repo owner/repo \
+  --ai-api-key 'sk-xxxxx' \
+  --jira-url https://yourcompany.atlassian.net \
+  --jira-email you@company.com \
+  --jira-token 'jira_xxxxx' \
+  --jira-ticket AUTH-234
 ```
-### Sonar + AI review (Bitbucket)
+Example output posted on your PR:
+```
+📊 Requirements: AUTH-234 - 67% Complete (4/6 AC met)
+  ✅ OAuth2 login flow implemented with Google provider
+  ✅ JWT tokens generated on successful authentication
+  ✅ Refresh token rotation with 7-day expiry
+  ❌ Input validation on login endpoint - no email format check
+  ✅ Logout endpoint clears session and revokes token
+  ❌ Rate limiting on login attempts - not implemented
+  ⚠️ Edge Cases Not Covered:
+     - What happens when Google OAuth is unreachable?
+     - Token refresh during concurrent requests?
+```
+### 3. Review with JIRA + test generation
+Add `--generate-tests` to any review command and IRA will generate test scaffolding alongside the code review.
 ```bash
 npx ira-review review \
   --pr 42 \
+  --scm-provider github \
+  --github-token 'ghp_xxxxx' \
+  --github-repo owner/repo \
+  --ai-api-key 'sk-xxxxx' \
+  --jira-url https://yourcompany.atlassian.net \
+  --jira-email you@company.com \
+  --jira-token 'jira_xxxxx' \
+  --jira-ticket AUTH-234 \
+  --generate-tests \
+  --test-framework vitest
+```
+### 4. Standalone test generation (no review)
+Don't need a review? Generate test cases directly from a JIRA ticket.
+```bash
+npx ira-review generate-tests \
+  --jira-ticket AUTH-234 \
+  --jira-url https://yourcompany.atlassian.net \
+  --jira-email you@company.com \
+  --jira-token 'jira_xxxxx' \
+  --ai-api-key 'sk-xxxxx' \
+  --test-framework playwright
+```
+Add `--pr 42 --scm-provider github --github-repo owner/repo` to include code context from a PR for higher precision.
+Add `--output tests/auth.test.ts` to save the generated tests to a file.
+### 5. Sonar + AI review
+Already using SonarQube? IRA pulls your Sonar issues and enriches each one with AI explanations and suggested fixes.
+```bash
+npx ira-review review \
+  --pr 42 \
+  --scm-provider github \
+  --github-token 'ghp_xxxxx' \
+  --github-repo owner/repo \
+  --ai-api-key 'sk-xxxxx' \
   --sonar-url https://sonarcloud.io \
-  --sonar-token sqa_xxxxx \
-  --project-key my-org_my-project \
-  --bitbucket-token bb_xxxxx \
-  --repo my-workspace/my-repo
+  --sonar-token 'sqa_xxxxx' \
+  --project-key my-org_my-project
 ```
-## Choose your AI provider
+You can combine this with JIRA, test generation, and notifications too.
+## Quick reference
+| What you want | What to add | Example |
+|---|---|---|
+| AI-only review | `--pr`, SCM token, `--ai-api-key` | `npx ira-review review --pr 42 --scm-provider github --github-token ghp_xxx --github-repo owner/repo --ai-api-key sk-xxx` |
+| + SonarQube | `--sonar-url`, `--sonar-token`, `--project-key` | `... --sonar-url https://sonarcloud.io --sonar-token sqa_xxx --project-key my-org_my-project` |
+| + JIRA validation | `--jira-url`, `--jira-email`, `--jira-token`, `--jira-ticket` | `... --jira-url https://acme.atlassian.net --jira-email dev@acme.com --jira-token xxx --jira-ticket AUTH-234` |
+| + Test generation | `--generate-tests`, `--test-framework` | `... --generate-tests --test-framework vitest` |
+| + Slack notifications | `--slack-webhook` | `... --slack-webhook https://hooks.slack.com/services/xxx` |
+| + Teams notifications | `--teams-webhook` | `... --teams-webhook https://outlook.office.com/webhook/xxx` |
+| Notify only high risk | `--notify-min-risk` | `... --slack-webhook https://hooks.slack.com/xxx --notify-min-risk high` (only HIGH and CRITICAL trigger a notification) |
+| Notify on AC failure | `--notify-on-ac-fail` | `... --slack-webhook https://hooks.slack.com/xxx --notify-on-ac-fail` (notify when JIRA acceptance criteria fail, regardless of risk) |
+| Risk labels | Automatic on GitHub | Labels like `ira:critical`, `ira:high`, `ira:medium`, `ira:low` are applied automatically |
+| Preview in terminal | `--dry-run` | `... --dry-run` (prints output, doesn't post on PR) |
+| Use Anthropic | `--ai-provider anthropic` | `... --ai-provider anthropic --ai-api-key sk-ant-xxx` |
+| Use Ollama (free) | `--ai-provider ollama` | `... --ai-provider ollama` (no API key needed) |
+| Save on AI costs | `--ai-model` + `--ai-model-critical` | `... --ai-model gpt-4o-mini --ai-model-critical gpt-4o` |
+| Generate tests only | `generate-tests` command | `npx ira-review generate-tests --jira-ticket AUTH-234 --test-framework jest --ai-api-key sk-xxx` |
+| Save tests to file | `--output` | `... generate-tests --jira-ticket AUTH-234 --test-framework vitest --output tests/auth.test.ts` |
+## Supported test frameworks
+| Framework | Language | Style |
+|---|---|---|
+| `jest` | JavaScript/TypeScript | `describe` / `it` / `expect` |
+| `vitest` | JavaScript/TypeScript | `describe` / `it` / `expect` |
+| `mocha` | JavaScript/TypeScript | `describe` / `it` + Chai |
+| `playwright` | TypeScript | `test` / `page` / E2E |
+| `cypress` | JavaScript | `cy.visit` / `cy.get` / E2E |
+| `gherkin` | Any (BDD) | `Given` / `When` / `Then` |
+| `pytest` | Python | `def test_` / `assert` |
+| `junit` | Java/Kotlin | `@Test` / `assertEquals` |
+## AI providers
 | Provider | Flag | Notes |
 |---|---|---|
-| **OpenAI** (default) | `--ai-provider openai` | Set `IRA_AI_API_KEY` |
+| **OpenAI** (default) | `--ai-provider openai` | Pass key with `--ai-api-key` or set `IRA_AI_API_KEY` |
 | **Azure OpenAI** | `--ai-provider azure-openai` | Also needs `--ai-base-url` and `--ai-deployment` |
-| **Anthropic** | `--ai-provider anthropic` | Set `IRA_AI_API_KEY` |
-| **Google Gemini** | `--ai-provider gemini` | Set `IRA_AI_API_KEY` |
-| **Ollama** (local) | `--ai-provider ollama` | No API key needed |
+| **Anthropic** | `--ai-provider anthropic` | Pass key with `--ai-api-key` or set `IRA_AI_API_KEY` |
+| **Ollama** (local) | `--ai-provider ollama` | Runs locally, no API key needed |
-> **Tip:** Use `--ai-model-critical gpt-4o` to send high-severity issues to a stronger model while keeping costs low.
+> **Tip:** Use `--ai-model gpt-4o-mini` for most issues and `--ai-model-critical gpt-4o` for blockers. This keeps costs low without sacrificing quality on critical findings.
 ## CI/CD setup
@@ -85,16 +212,26 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 20
-      - run: npx ira-review review
-             --pr ${{ github.event.pull_request.number }}
-             --scm-provider github
-             --github-token ${{ secrets.GITHUB_TOKEN }}
-             --github-repo ${{ github.repository }}
-             --no-config-file
+      - run: |
+          npx ira-review review \
+            --pr ${{ github.event.pull_request.number }} \
+            --scm-provider github \
+            --github-token ${{ secrets.GITHUB_TOKEN }} \
+            --github-repo ${{ github.repository }} \
+            --no-config-file
         env:
           IRA_AI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
 ```
+Want JIRA validation in CI? Add these flags to the run command:
+```
+--jira-url ${{ vars.JIRA_URL }} \
+--jira-email ${{ vars.JIRA_EMAIL }} \
+--jira-token ${{ secrets.JIRA_TOKEN }} \
+--jira-ticket AUTH-234
+```
 ### Bitbucket Pipelines
 ```yaml
@@ -113,16 +250,121 @@ pipelines:
             IRA_BITBUCKET_TOKEN: $BB_TOKEN
 ```
-> **Note:** Use `--no-config-file` in CI pipelines that run on untrusted PRs (forks, external contributors).
+> Use `--no-config-file` in CI pipelines that run on untrusted PRs (forks, external contributors).
+## Smart notifications
-## Optional integrations
+By default, IRA sends a Slack or Teams notification after every review. You can control exactly when notifications fire so your team only hears about what matters.
-| Integration | What it does | Key flags |
+### How it works
+| Setup | What happens | Best for |
+|---|---|---|
+| No flags set | Every review triggers a notification | Small teams that want full visibility |
+| `--notify-min-risk high` | Only HIGH (40+) and CRITICAL (60+) PRs trigger notifications. LOW and MEDIUM stay silent | Reducing noise, focusing on risky PRs |
+| `--notify-min-risk high --notify-on-ac-fail` | Notifies on HIGH/CRITICAL risk **or** when JIRA acceptance criteria fail, even on low risk PRs | **Recommended for tech leads.** Catches both risky code and incomplete requirements |
+| `--notify-on-ac-fail` alone | Every review still triggers a notification (no risk filter), but AC failures are guaranteed to notify | Teams that want full visibility but never want to miss an AC failure |
+### Example: only ping on high risk PRs
+```bash
+npx ira-review review \
+  --pr 42 \
+  --scm-provider github \
+  --github-token 'ghp_xxxxx' \
+  --github-repo owner/repo \
+  --ai-api-key 'sk-xxxxx' \
+  --slack-webhook 'https://hooks.slack.com/services/xxx' \
+  --notify-min-risk high
+```
+Your `#code-reviews` channel only gets pinged for HIGH and CRITICAL PRs. Everything else reviews silently.
+### Example: catch risky PRs and incomplete requirements
+```bash
+--notify-min-risk high --notify-on-ac-fail
+```
+Tech leads get notified for two things: risky PRs and PRs that don't fully implement the JIRA requirements. Low risk, well-implemented PRs stay quiet.
+### What triggers a notification?
+Here's exactly when your Slack or Teams channel gets a message:
+| PR risk | AC status | No flags | `--notify-min-risk high` | `+ --notify-on-ac-fail` |
+|---|---|---|---|---|
+| LOW (5) | AC passes | ✅ Notified | Silent | Silent |
+| LOW (12) | AC fails | ✅ Notified | Silent | ✅ Notified |
+| MEDIUM (25) | AC passes | ✅ Notified | Silent | Silent |
+| HIGH (45) | AC passes | ✅ Notified | ✅ Notified | ✅ Notified |
+| CRITICAL (72) | AC fails | ✅ Notified | ✅ Notified | ✅ Notified |
+### Configuration
+All three ways to set this up:
+```bash
+# CLI flags
+--notify-min-risk high --notify-on-ac-fail
+# Environment variables (works in CI)
+IRA_NOTIFY_MIN_RISK=high
+IRA_NOTIFY_ON_AC_FAIL=true
+# Config file (.irarc.json)
+{ "notifyMinRisk": "high", "notifyOnAcFail": true }
+```
+## PR risk visibility
+IRA makes risk visible directly in your PR list so tech leads can prioritize without opening each PR.
+### GitHub: risk labels
+IRA applies color-coded labels to your PRs after each review:
+| Label | Score | Color |
 |---|---|---|
-| **SonarQube** | Enriches Sonar issues with AI analysis | `--sonar-url`, `--sonar-token`, `--project-key` |
-| **JIRA** | Validates PR against acceptance criteria | `--jira-url`, `--jira-email`, `--jira-token`, `--jira-ticket` |
-| **Slack** | Sends review summary to a channel | `--slack-webhook` |
-| **Teams** | Sends review summary to a channel | `--teams-webhook` |
+| `ira:critical` | 60 to 100 | 🔴 Red |
+| `ira:high` | 40 to 59 | 🟠 Orange |
+| `ira:medium` | 20 to 39 | 🟡 Yellow |
+| `ira:low` | 0 to 19 | 🟢 Green |
+Labels update automatically when risk changes. Filter your PR list with `label:ira:critical label:ira:high` to prioritize reviews.
+### Bitbucket: build status
+Bitbucket doesn't support PR labels, so IRA posts a **build status** on the PR commit instead. This shows as a status icon (✅ ❌ 🟡) in the PR list.
+| Risk level | Build status | Icon in PR list |
+|---|---|---|
+| CRITICAL | FAILED | 🔴 Red X |
+| HIGH | FAILED | 🔴 Red X |
+| MEDIUM | INPROGRESS | 🟡 Yellow dot |
+| LOW | SUCCESSFUL | 🟢 Green check |
+Hover over the icon to see the full risk score. You can also configure Bitbucket branch permissions to **block merging** when the IRA Risk status is FAILED, preventing high-risk PRs from being merged without review.
+## What IRA posts on your PR
+**Inline comments** on the exact lines:
+```
+🔍 IRA Review - ai/security (CRITICAL)
+> User input used directly in SQL query without sanitization.
+Explanation: The username parameter is concatenated into a SQL string,
+creating a SQL injection vector.
+Impact: Attacker could execute arbitrary SQL and gain database control.
+Suggested Fix: Use parameterized queries:
+  db.query('SELECT * FROM users WHERE name = $1', [username])
+```
+**Summary comment** with risk score, issue breakdown, requirement completion (if JIRA is connected), and complexity hotspots (if Sonar is connected).
 ## Config file
@@ -139,17 +381,12 @@ Create `.irarc.json` in your project root to set defaults:
 CLI flags override env vars, which override the config file. Tokens and keys are blocked from config files for security.
-## What IRA posts
-- **Inline comments** on the exact lines with explanation, impact, and suggested fix.
-- **Summary comment** with a risk score (0–100), issue breakdown, and complexity hotspots.
 ## Security
-- Runs in your CI — tokens never leave your infrastructure
+- Runs in your CI. Tokens never leave your infrastructure
 - No telemetry, analytics, or tracking
 - Config files block sensitive fields automatically
-- Open source — every line is auditable
+- Open source. Every line is auditable
 ## Requirements
@@ -159,8 +396,6 @@ CLI flags override env vars, which override the config file. Tokens and keys are
 ## License
-[AGPL-3.0](LICENSE) — For commercial licensing, contact [patilmayur5572@gmail.com](mailto:patilmayur5572@gmail.com).
----
+[AGPL-3.0](LICENSE). For commercial licensing, contact [patilmayur5572@gmail.com](mailto:patilmayur5572@gmail.com).
 📖 **Full CLI reference:** Run `npx ira-review review --help`

package/README.md CHANGED Viewed

@@ -1,19 +1,18 @@
-# IRA — AI-Powered Code Reviews for Pull Requests
+# IRA - AI-Powered Code Reviews for Pull Requests
 IRA reviews your pull requests using AI and posts inline comments with explanations, impact assessments, and suggested fixes.
-**Works with any language.** Supports GitHub and Bitbucket.
+**Works with any language.** Supports GitHub and Bitbucket Cloud.
 ## Try it now
 ```bash
-export IRA_AI_API_KEY=your-key-here
 npx ira-review review \
   --pr 42 \
   --scm-provider github \
-  --github-token ghp_xxxxx \
+  --github-token 'ghp_xxxxx' \
   --github-repo owner/repo \
+  --ai-api-key 'sk-xxxxx' \
   --dry-run
 ```
@@ -22,36 +21,41 @@ Drop `--dry-run` to post comments on the PR.
 ## Install
 ```bash
-npx ira-review review --pr 42 --dry-run   # no install needed
-npm install -g ira-review                   # or install globally
-npm install --save-dev ira-review           # or add to your project
+npx ira-review review --help            # no install needed
+npm install -g ira-review                # or install globally
+npm install --save-dev ira-review        # or add to your project
 ```
-## Two review modes
-1. **AI-only** — finds bugs, security issues, and performance problems in your PR diff.
-2. **Sonar + AI** — pulls SonarQube issues and enriches them with AI explanations and fixes.
-## AI providers
-| Provider | Flag |
-|---|---|
-| **OpenAI** (default) | `--ai-provider openai` |
-| **Azure OpenAI** | `--ai-provider azure-openai` |
-| **Anthropic** | `--ai-provider anthropic` |
-| **Google Gemini** | `--ai-provider gemini` |
-| **Ollama** (local, no key) | `--ai-provider ollama` |
-## Key features
+## What can IRA do?
 - **Inline PR comments** with explanation, impact, and suggested fix
-- **Risk scoring** (0–100) based on blockers, security, complexity, and more
-- **Framework detection** — tailors suggestions for React, Angular, Vue, NestJS
-- **Comment deduplication** — re-runs skip already-commented issues
-- **Optional integrations** — SonarQube, JIRA, Slack, Microsoft Teams
-- **CI-ready** — works with GitHub Actions, Bitbucket Pipelines, or any CI
-## Quick GitHub Actions setup
+- **Risk scoring** (0 to 100) based on blockers, security, complexity, and more
+- **Risk labels** on GitHub PRs (`ira:critical` / `ira:high` / `ira:medium` / `ira:low`)
+- **Requirement tracking** shows % completion of JIRA acceptance criteria per PR
+- **Test case generation** from JIRA AC in 8 frameworks: Jest, Vitest, Mocha, Playwright, Cypress, Gherkin, Pytest, JUnit
+- **Framework detection** tailors suggestions for React, Angular, Vue, NestJS
+- **Comment deduplication** so re-runs skip already-commented issues
+- **Smart notifications** via Slack and Teams with risk threshold filtering (`--notify-min-risk high --notify-on-ac-fail`)
+- **CI-ready** works with GitHub Actions, Bitbucket Pipelines, or any CI
+## Quick reference
+| What you want | What to add | Example |
+|---|---|---|
+| AI-only review | `--pr`, SCM token, `--ai-api-key` | `npx ira-review review --pr 42 --scm-provider github --github-token ghp_xxx --github-repo owner/repo --ai-api-key sk-xxx` |
+| + SonarQube | `--sonar-url`, `--sonar-token`, `--project-key` | `... --sonar-url https://sonarcloud.io --sonar-token sqa_xxx --project-key my-org_my-project` |
+| + JIRA validation | `--jira-url`, `--jira-email`, `--jira-token`, `--jira-ticket` | `... --jira-url https://acme.atlassian.net --jira-email dev@acme.com --jira-token xxx --jira-ticket AUTH-234` |
+| + Test generation | `--generate-tests`, `--test-framework` | `... --generate-tests --test-framework vitest` |
+| + Notifications | `--slack-webhook` or `--teams-webhook` | `... --slack-webhook https://hooks.slack.com/services/xxx` |
+| Notify only high risk | `--notify-min-risk` | `... --notify-min-risk high` (only HIGH and CRITICAL trigger a notification) |
+| Notify on AC failure | `--notify-on-ac-fail` | `... --notify-on-ac-fail` (notify when JIRA AC fails, regardless of risk) |
+| Risk labels | Automatic on GitHub | `ira:critical`, `ira:high`, `ira:medium`, `ira:low` applied automatically |
+| Preview only | `--dry-run` | `... --dry-run` (prints to terminal, doesn't post on PR) |
+| Use Anthropic | `--ai-provider anthropic` | `... --ai-provider anthropic --ai-api-key sk-ant-xxx` |
+| Use Ollama (free) | `--ai-provider ollama` | `... --ai-provider ollama` (no API key needed) |
+| Generate tests only | `generate-tests` command | `npx ira-review generate-tests --jira-ticket AUTH-234 --test-framework jest --ai-api-key sk-xxx` |
+## GitHub Actions setup
 ```yaml
 name: AI Code Review
@@ -66,12 +70,13 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 20
-      - run: npx ira-review review
-             --pr ${{ github.event.pull_request.number }}
-             --scm-provider github
-             --github-token ${{ secrets.GITHUB_TOKEN }}
-             --github-repo ${{ github.repository }}
-             --no-config-file
+      - run: |
+          npx ira-review review \
+            --pr ${{ github.event.pull_request.number }} \
+            --scm-provider github \
+            --github-token ${{ secrets.GITHUB_TOKEN }} \
+            --github-repo ${{ github.repository }} \
+            --no-config-file
         env:
           IRA_AI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
 ```
@@ -93,9 +98,9 @@ CLI flags > env vars > config file. Tokens and keys are blocked from config file
 ## Security
-- Runs in your CI — tokens never leave your infrastructure
+- Runs in your CI. Tokens never leave your infrastructure
 - No telemetry, analytics, or tracking
-- Open source — every line is auditable
+- Open source. Every line is auditable
 ## Requirements
@@ -104,8 +109,6 @@ CLI flags > env vars > config file. Tokens and keys are blocked from config file
 ## License
-[AGPL-3.0](LICENSE) — For commercial licensing, contact [patilmayur5572@gmail.com](mailto:patilmayur5572@gmail.com).
----
+[AGPL-3.0](LICENSE). For commercial licensing, contact [patilmayur5572@gmail.com](mailto:patilmayur5572@gmail.com).
-📖 **Full docs & examples:** [github.com/patilmayur5572/ira-review](https://github.com/patilmayur5572/ira-review)
+📖 **Full docs and examples:** [github.com/patilmayur5572/ira-review](https://github.com/patilmayur5572/ira-review)