ira-review 1.2.0 → 2.0.0

package/LICENSE

@@ -1,22 +1,21 @@
-IRA Review - Proprietary License
+MIT License
 
-Copyright (c) 2025-present Mayur Patil. All rights reserved.
+Copyright (c) 2024-present Mayur Patil (patilmayur5572@gmail.com)
 
-This software and associated documentation files (the "Software") are the
-proprietary property of Mayur Patil.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-1. The CLI tool ("ira-review" npm package) may be used freely for personal
-   and commercial purposes.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-2. You may not copy, modify, distribute, sell, sublicense, or create
-   derivative works based on the Software or its source code without prior
-   written permission.
-
-3. Pro features in the VS Code extension require a valid license key.
-   Circumventing license validation is prohibited.
-
-4. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-   IMPLIED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
-   OTHER LIABILITY ARISING FROM THE USE OF THE SOFTWARE.
-
-For licensing inquiries: patilmayur5572@gmail.com
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/NOTICE

@@ -1,34 +1,7 @@
 IRA — Intelligent Review Assistant
 Copyright (c) 2024-present Mayur Patil (patilmayur5572@gmail.com)
 
-This software is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0).
-
-=== AGPL-3.0 OBLIGATIONS ===
-
-By using, modifying, or distributing this software, you agree to the following:
-
-1. SOURCE CODE DISCLOSURE
-   If you modify this software or use it as part of a network service,
-   you MUST make the complete source code of your modified version available
-   to all users under the AGPL-3.0 license.
-
-2. LICENSE PRESERVATION
-   You must retain all copyright notices, this NOTICE file, and the full
-   AGPL-3.0 license text in any copies or derivative works.
-
-3. NETWORK USE IS DISTRIBUTION
-   Under AGPL-3.0, providing this software as a network service (e.g., SaaS,
-   CI/CD pipeline service) counts as distribution. You must offer the source
-   code to all users who interact with the service.
-
-4. NO PROPRIETARY USE WITHOUT COMMERCIAL LICENSE
-   Using this software in proprietary/closed-source projects without releasing
-   your source code under AGPL-3.0 requires a commercial license.
-
-=== COMMERCIAL LICENSING ===
-
-For commercial licensing (use IRA in proprietary projects without AGPL obligations),
-contact: patilmayur5572@gmail.com
+This software is licensed under the MIT License. See LICENSE file for details.
 
 === THIRD-PARTY NOTICES ===
 

package/README.github.md

@@ -214,7 +214,7 @@ IRA is not a SaaS product. There is no hosted service, no telemetry, no analytic
 | **Auth** | Environment variables or CLI flags | VS Code OAuth + OS keychain |
 | **Output** | Terminal + PR comments | Inline diagnostics, CodeLens, TreeView, risk badge |
 | **JIRA/Sonar** | CLI flags or env vars | VS Code settings |
-| **Pro features** | Not applicable | Auto-review on save, one-click fix, history/trends |
+| **Extension features** | Not applicable | Auto-review on save, one-click fix, history/trends |
 
 Both surfaces use the same core review engine. The review logic, risk scoring, and AI prompts are identical.
 
@@ -425,7 +425,7 @@ CLI flags override environment variables, which override the config file. Token
 
 ## License
 
-[Proprietary](LICENSE). See LICENSE file for details.
+[MIT](LICENSE)
 
 Full CLI reference: `npx ira-review review --help`
 

package/README.md

@@ -15,28 +15,66 @@ No install required. Drop `--dry-run` to post comments directly on the PR. For B
 ## What You Get
 
 ```
-IRA: Found 3 issues (Risk: MEDIUM - 47/100)
-
-src/routes/todos.ts
-  [BLOCKER]  SQL injection risk - user input passed directly to query
-  [MAJOR]    Missing database index on frequently queried column
-
-src/middleware/auth.ts
-  [CRITICAL] JWT secret hardcoded - move to environment variable
-
-JIRA AC Validation (PROJ-1234):          # when --jira-ticket is provided
-  [PASS] User can create a todo item
-  [FAIL] Input is validated before save
-  [PASS] Error returns 422 with details
+🔍 IRA — Scanning PR before your reviewers do
+
+  ✓ Config loaded — AI-only mode, openai, PR #42
+  ✓ Diff loaded — 4 files changed
+  ✓ Review complete — 3 issues found
+
+────────────────────────────────────────────────────────────
+📄 src/routes/auth.ts:31
+   Rule:     IRA/security (CRITICAL)
+   Message:  User input passed directly to SQL query
+   Explain:  The username parameter is concatenated into a SQL string,
+             creating a SQL injection vector.
+   Impact:   Attacker could execute arbitrary SQL and gain database control.
+   Fix:      BEFORE: `db.query(`SELECT * FROM users WHERE name = ${username}`)`
+             → AFTER: `db.query('SELECT * FROM users WHERE name = $1', [username])`
+
+────────────────────────────────────────────────────────────
+📄 src/middleware/cors.ts:8
+   Rule:     IRA/error-handling (MAJOR)
+   Message:  Empty catch block swallows CORS validation errors
+   Explain:  fetch() failure in CORS preflight is caught and ignored,
+             leaving the request in an undefined state.
+   Impact:   Silent CORS failures in production with no logging.
+   Fix:      BEFORE: `} catch {}`
+             → AFTER: `} catch (err) { logger.error('CORS preflight failed', err); throw err; }`
+
+# 🔍 IRA Review Summary
+
+## 🟡 Risk: MEDIUM (38/100)
+
+| Metric        | Value    |
+|---------------|----------|
+| Review mode   | AI-only  |
+| Total issues  | 3        |
+| Reviewed (AI) | 3        |
+| Framework     | react    |
+
+## ✅ Requirements: AUTH-234 — 83% Complete (5/6)
+
+  ✅ OAuth2 login flow implemented with Google provider
+  ✅ JWT tokens generated on successful authentication
+  ✅ Refresh token rotation with 7-day expiry
+  ❌ Input validation on login endpoint — no email format check
+  ✅ Logout endpoint clears session and revokes token
+  ✅ Rate limiting on login attempts
+
+  ⚠️ Edge Cases Not Covered
+  - What happens when Google OAuth is unreachable?
+  - Token refresh during concurrent requests?
 ```
 
-Each issue is posted as an inline comment on the exact PR line with explanation, impact, and suggested fix.
+Each issue is posted as an inline comment on the exact PR line with explanation, impact, and a minimal BEFORE → AFTER fix.
 
 **Features:**
 
+- Evidence-based reviews — 7 categories (security, business logic, race conditions, data consistency, async, error handling, defensive coding), each with explicit false-positive exclusions. Issues without concrete evidence are filtered out.
 - Risk scoring (0-100) with severity breakdown and PR labels
-- Inline AI comments with explanation, impact, and suggested fix
-- JIRA acceptance criteria validation with per-criterion pass/fail
+- Inline AI comments with explanation, impact, and minimal BEFORE → AFTER fix
+- JIRA acceptance criteria validation with per-criterion pass/fail and edge case detection
+- JIRA AC auto-detection — finds AC from custom field or description automatically
 - Custom team review rules via `.ira-rules.json` (see below)
 - Test case generation from JIRA tickets (Jest, Vitest, Playwright, etc.)
 - Comment deduplication across re-runs
@@ -53,6 +91,8 @@ Commit a `.ira-rules.json` to your repo root. Rules are injected into the AI pro
   "rules": [
     {
       "message": "Use parameterized queries for all SQL operations",
+      "bad": "db.query(`SELECT * FROM users WHERE id = ${userId}`)",
+      "good": "db.query('SELECT * FROM users WHERE id = $1', [userId])",
       "severity": "CRITICAL",
       "paths": ["src/db/**", "src/api/**"]
     },
@@ -62,16 +102,27 @@ Commit a `.ira-rules.json` to your repo root. Rules are injected into the AI pro
       "good": "logger.info('User created', { userId: user.id });",
       "severity": "MINOR"
     }
+  ],
+  "sensitiveAreas": [
+    "src/services/payment/**",
+    "**/auth/**",
+    "src/config/database.*"
   ]
 }
 ```
 
+**Rules:**
 - `message` + `severity` required. `bad`/`good` examples and `paths` are optional.
 - Rules without `paths` apply to all files. Rules with `paths` match only those directories.
-- Maximum 30 rules. Deterministic checks (naming, formatting) belong in ESLint.
+- Maximum 50 rules. Deterministic checks (naming, formatting) belong in ESLint.
 - Invalid rules are skipped with a warning, not a crash.
 - No license gating. Works in CLI, CI/CD, and VS Code extension.
 
+**Sensitive Areas:**
+- Files matching a sensitive area glob get extra scrutiny during review and Apply Fix.
+- Labels are derived from the glob automatically (`src/services/payment/**` → "payment").
+- Sensitive file findings get a higher weight in risk scoring.
+
 ---
 
 ## Use Cases
@@ -170,7 +221,7 @@ Tokens are read from environment variables or CLI flags at runtime. Nothing is w
 
 ## License
 
-[Proprietary](LICENSE)
+[MIT](LICENSE)
 
 ---
 

package/README.npm.md

@@ -15,28 +15,66 @@ No install required. Drop `--dry-run` to post comments directly on the PR. For B
 ## What You Get
 
 ```
-IRA: Found 3 issues (Risk: MEDIUM - 47/100)
-
-src/routes/todos.ts
-  [BLOCKER]  SQL injection risk - user input passed directly to query
-  [MAJOR]    Missing database index on frequently queried column
-
-src/middleware/auth.ts
-  [CRITICAL] JWT secret hardcoded - move to environment variable
-
-JIRA AC Validation (PROJ-1234):          # when --jira-ticket is provided
-  [PASS] User can create a todo item
-  [FAIL] Input is validated before save
-  [PASS] Error returns 422 with details
+🔍 IRA — Scanning PR before your reviewers do
+
+  ✓ Config loaded — AI-only mode, openai, PR #42
+  ✓ Diff loaded — 4 files changed
+  ✓ Review complete — 3 issues found
+
+────────────────────────────────────────────────────────────
+📄 src/routes/auth.ts:31
+   Rule:     IRA/security (CRITICAL)
+   Message:  User input passed directly to SQL query
+   Explain:  The username parameter is concatenated into a SQL string,
+             creating a SQL injection vector.
+   Impact:   Attacker could execute arbitrary SQL and gain database control.
+   Fix:      BEFORE: `db.query(`SELECT * FROM users WHERE name = ${username}`)`
+             → AFTER: `db.query('SELECT * FROM users WHERE name = $1', [username])`
+
+────────────────────────────────────────────────────────────
+📄 src/middleware/cors.ts:8
+   Rule:     IRA/error-handling (MAJOR)
+   Message:  Empty catch block swallows CORS validation errors
+   Explain:  fetch() failure in CORS preflight is caught and ignored,
+             leaving the request in an undefined state.
+   Impact:   Silent CORS failures in production with no logging.
+   Fix:      BEFORE: `} catch {}`
+             → AFTER: `} catch (err) { logger.error('CORS preflight failed', err); throw err; }`
+
+# 🔍 IRA Review Summary
+
+## 🟡 Risk: MEDIUM (38/100)
+
+| Metric        | Value    |
+|---------------|----------|
+| Review mode   | AI-only  |
+| Total issues  | 3        |
+| Reviewed (AI) | 3        |
+| Framework     | react    |
+
+## ✅ Requirements: AUTH-234 — 83% Complete (5/6)
+
+  ✅ OAuth2 login flow implemented with Google provider
+  ✅ JWT tokens generated on successful authentication
+  ✅ Refresh token rotation with 7-day expiry
+  ❌ Input validation on login endpoint — no email format check
+  ✅ Logout endpoint clears session and revokes token
+  ✅ Rate limiting on login attempts
+
+  ⚠️ Edge Cases Not Covered
+  - What happens when Google OAuth is unreachable?
+  - Token refresh during concurrent requests?
 ```
 
-Each issue is posted as an inline comment on the exact PR line with explanation, impact, and suggested fix.
+Each issue is posted as an inline comment on the exact PR line with explanation, impact, and a minimal BEFORE → AFTER fix.
 
 **Features:**
 
+- Evidence-based reviews — 7 categories (security, business logic, race conditions, data consistency, async, error handling, defensive coding), each with explicit false-positive exclusions. Issues without concrete evidence are filtered out.
 - Risk scoring (0-100) with severity breakdown and PR labels
-- Inline AI comments with explanation, impact, and suggested fix
-- JIRA acceptance criteria validation with per-criterion pass/fail
+- Inline AI comments with explanation, impact, and minimal BEFORE → AFTER fix
+- JIRA acceptance criteria validation with per-criterion pass/fail and edge case detection
+- JIRA AC auto-detection — finds AC from custom field or description automatically
 - Custom team review rules via `.ira-rules.json` (see below)
 - Test case generation from JIRA tickets (Jest, Vitest, Playwright, etc.)
 - Comment deduplication across re-runs
@@ -53,6 +91,8 @@ Commit a `.ira-rules.json` to your repo root. Rules are injected into the AI pro
   "rules": [
     {
       "message": "Use parameterized queries for all SQL operations",
+      "bad": "db.query(`SELECT * FROM users WHERE id = ${userId}`)",
+      "good": "db.query('SELECT * FROM users WHERE id = $1', [userId])",
       "severity": "CRITICAL",
       "paths": ["src/db/**", "src/api/**"]
     },
@@ -62,16 +102,27 @@ Commit a `.ira-rules.json` to your repo root. Rules are injected into the AI pro
       "good": "logger.info('User created', { userId: user.id });",
       "severity": "MINOR"
     }
+  ],
+  "sensitiveAreas": [
+    "src/services/payment/**",
+    "**/auth/**",
+    "src/config/database.*"
   ]
 }
 ```
 
+**Rules:**
 - `message` + `severity` required. `bad`/`good` examples and `paths` are optional.
 - Rules without `paths` apply to all files. Rules with `paths` match only those directories.
-- Maximum 30 rules. Deterministic checks (naming, formatting) belong in ESLint.
+- Maximum 50 rules. Deterministic checks (naming, formatting) belong in ESLint.
 - Invalid rules are skipped with a warning, not a crash.
 - No license gating. Works in CLI, CI/CD, and VS Code extension.
 
+**Sensitive Areas:**
+- Files matching a sensitive area glob get extra scrutiny during review and Apply Fix.
+- Labels are derived from the glob automatically (`src/services/payment/**` → "payment").
+- Sensitive file findings get a higher weight in risk scoring.
+
 ---
 
 ## Use Cases
@@ -170,7 +221,7 @@ Tokens are read from environment variables or CLI flags at runtime. Nothing is w
 
 ## License
 
-[Proprietary](LICENSE)
+[MIT](LICENSE)
 
 ---
 

package/dist/{bitbucket-TSFJF5KS.js → bitbucket-TQU3E6SG.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   BitbucketClient
-} from "./chunk-6G34PNVI.js";
+} from "./chunk-XOR6EFZE.js";
 import "./chunk-AHCFDKK4.js";
 export {
   BitbucketClient

package/dist/{chunk-NVWGRWNH.js → chunk-NIAFIXU4.js}

@@ -54,6 +54,21 @@ var GitHubClient = class {
       }
     });
   }
+  async getPRState(pullRequestId) {
+    const url = `${this.baseUrl}/repos/${this.owner}/${this.repo}/pulls/${pullRequestId}`;
+    const response = await fetchWithTimeout(url, { headers: this.headers });
+    if (response.status === 404) {
+      throw new Error(
+        `PR #${pullRequestId} was not found \u2014 it may have been deleted.
+  \u{1F4A1} Double-check the PR number and try again.`
+      );
+    }
+    if (!response.ok) return "unknown";
+    const data = await response.json();
+    if (data.merged) return "merged";
+    if (data.state === "closed") return "closed";
+    return "open";
+  }
   async getDiff(pullRequestId) {
     const url = `${this.baseUrl}/repos/${this.owner}/${this.repo}/pulls/${pullRequestId}`;
     return withRetry(async () => {
@@ -73,6 +88,32 @@ var GitHubClient = class {
       return response.text();
     });
   }
+  async getDiffPerFile(pullRequestId) {
+    const fileMap = /* @__PURE__ */ new Map();
+    let page = 1;
+    while (true) {
+      const url = `${this.baseUrl}/repos/${this.owner}/${this.repo}/pulls/${pullRequestId}/files?per_page=100&page=${page}`;
+      const data = await withRetry(async () => {
+        const response = await fetchWithTimeout(url, { headers: this.headers });
+        if (!response.ok) {
+          const text = await response.text();
+          throw new RetryableError(`GitHub API error (${response.status}): ${text}`, response.status);
+        }
+        return response.json();
+      });
+      for (const file of data) {
+        if (file.status === "removed" || !file.patch) continue;
+        const unified = `diff --git a/${file.filename} b/${file.filename}
+--- a/${file.filename}
++++ b/${file.filename}
+${file.patch}`;
+        fileMap.set(file.filename, unified);
+      }
+      if (data.length < 100) break;
+      page++;
+    }
+    return fileMap;
+  }
   async getFileContent(filePath, pullRequestId) {
     const sha = await this.getHeadSha(pullRequestId);
     const encodedPath = filePath.split("/").map(encodeURIComponent).join("/");

package/dist/{chunk-6G34PNVI.js → chunk-XOR6EFZE.js}

@@ -106,6 +106,22 @@ var BitbucketClient = class {
       return response.text();
     });
   }
+  async getPRState(pullRequestId) {
+    const url = `${this.baseUrl}/repositories/${this.workspace}/${this.repoSlug}/pullrequests/${pullRequestId}`;
+    const response = await fetchWithTimeout(url, { headers: this.headers });
+    if (response.status === 404) {
+      throw new Error(
+        `PR #${pullRequestId} was not found \u2014 it may have been deleted.
+  \u{1F4A1} Double-check the PR number and try again.`
+      );
+    }
+    if (!response.ok) return "unknown";
+    const data = await response.json();
+    const state = data.state?.toUpperCase();
+    if (state === "MERGED") return "merged";
+    if (state === "DECLINED" || state === "SUPERSEDED") return "declined";
+    return "open";
+  }
   async getDiff(pullRequestId) {
     const url = `${this.baseUrl}/repositories/${this.workspace}/${this.repoSlug}/pullrequests/${pullRequestId}/diff`;
     return withRetry(async () => {
@@ -122,6 +138,46 @@ var BitbucketClient = class {
       return response.text();
     });
   }
+  async getDiffPerFile(pullRequestId) {
+    const fileMap = /* @__PURE__ */ new Map();
+    let nextUrl = `${this.baseUrl}/repositories/${this.workspace}/${this.repoSlug}/pullrequests/${pullRequestId}/diffstat?pagelen=100`;
+    const changedFiles = [];
+    while (nextUrl) {
+      const data = await withRetry(async () => {
+        const response = await fetchWithTimeout(nextUrl, { headers: this.headers });
+        if (!response.ok) {
+          const text = await response.text();
+          throw new RetryableError(`Bitbucket API error (${response.status}): ${text}`, response.status);
+        }
+        return response.json();
+      });
+      for (const entry of data.values) {
+        if (entry.status === "removed") continue;
+        const path = entry.new?.path ?? entry.old?.path;
+        if (path) changedFiles.push(path);
+      }
+      nextUrl = data.next ?? null;
+    }
+    for (const filePath of changedFiles) {
+      try {
+        const encodedPath = filePath.split("/").map(encodeURIComponent).join("/");
+        const url = `${this.baseUrl}/repositories/${this.workspace}/${this.repoSlug}/pullrequests/${pullRequestId}/diff?path=${encodedPath}`;
+        const diff = await withRetry(async () => {
+          const response = await fetchWithTimeout(url, { headers: this.headers }, 15e3);
+          if (!response.ok) {
+            const text = await response.text();
+            throw new RetryableError(`Bitbucket API error (${response.status}): ${text}`, response.status);
+          }
+          return response.text();
+        });
+        if (diff.trim()) {
+          fileMap.set(filePath, diff);
+        }
+      } catch {
+      }
+    }
+    return fileMap;
+  }
   getSourceHash(pullRequestId) {
     const cached = this.shaCache.get(pullRequestId);
     if (cached) return cached;