ira-review 2.0.1 → 3.0.0

package/README.github.md

@@ -39,7 +39,7 @@ IRA runs a 13-step pipeline for each review. Every step after step 1 is designed
 7.  Fetch source files for changed files (for full-file context)
 8.  Run AI review on each file/issue (concurrent, configurable model)
 9.  Calculate risk score (0-100) from issue severity, complexity, and security signals
-10. Validate JIRA acceptance criteria against the diff (if configured)
+10. Automatically validate or generate JIRA acceptance criteria (if configured)
 11. Deduplicate: skip issues already commented on in previous runs
 12. Post summary + inline comments to the PR
 13. Send Slack/Teams notification (if configured, respects risk threshold)
@@ -98,7 +98,7 @@ flowchart LR
 
 ```
 src/
-  ai/           AI provider abstraction (OpenAI, Anthropic, Azure, Ollama)
+  ai/           AI provider abstraction (OpenAI, Anthropic, Azure, Ollama, AMP)
   core/         Review engine, risk scorer, acceptance validator, test generator
   scm/          GitHub and Bitbucket clients (diff, comments, labels, build status)
   integrations/ JIRA client, Slack/Teams notifier
@@ -182,7 +182,7 @@ Each rule has a `message` (what to tell the developer), a `severity` (BLOCKER, C
 }
 ```
 
-Rules without `paths` apply to all files. Rules with `paths` are only checked against matching files. The file is validated at load time: invalid severity values and missing required fields are skipped with a warning. Maximum 30 rules per file. IRA rules are for nuanced, context-dependent standards that linters cannot express. Deterministic checks (naming conventions, import order, formatting) belong in ESLint.
+Rules without `paths` apply to all files. Rules with `paths` are only checked against matching files. The file is validated at load time: invalid severity values and missing required fields are skipped with a warning. Maximum 100 rules per file. IRA rules are for nuanced, context-dependent standards that linters cannot express. Deterministic checks (naming conventions, import order, formatting) belong in ESLint.
 
 Rules are enforced in all review surfaces (CLI, CI/CD, VS Code extension) with no license gating. In the VS Code extension, run `IRA: Init Rules File` from the command palette to scaffold an empty `.ira-rules.json`. The extension ships a JSON Schema for the file, so you get autocomplete and validation as you edit.
 
@@ -210,7 +210,7 @@ IRA is not a SaaS product. There is no hosted service, no telemetry, no analytic
 | | CLI | VS Code Extension |
 |---|---|---|
 | **Use case** | CI pipelines, scripting, headless environments | Interactive development |
-| **AI default** | OpenAI (requires API key) | GitHub Copilot (zero config) |
+| **AI default** | OpenAI (requires API key) | GitHub Copilot (zero config), AMP CLI also supported |
 | **Auth** | Environment variables or CLI flags | VS Code OAuth + OS keychain |
 | **Output** | Terminal + PR comments | Inline diagnostics, CodeLens, TreeView, risk badge |
 | **JIRA/Sonar** | CLI flags or env vars | VS Code settings |
@@ -282,7 +282,7 @@ Suggested Fix: Use parameterized queries:
 3. `Cmd+Shift+P` > `IRA: Review Current PR`
 4. Enter your PR number
 
-If you have GitHub Copilot, that is all you need. No API keys, no configuration.
+If you have GitHub Copilot, that is all you need. No API keys, no configuration. Alternatively, set the AI provider to `amp` if you have the AMP CLI installed (`amp login`).
 
 ### CLI
 
@@ -393,6 +393,7 @@ npx ira-review review \
 | Provider | Notes |
 |---|---|
 | GitHub Copilot | VS Code only, zero config, uses existing session |
+| AMP CLI | VS Code only, requires `amp` CLI installed and authenticated (`amp login`) |
 | OpenAI | Default for CLI |
 | Azure OpenAI | Requires `--ai-base-url` and `--ai-deployment` |
 | Anthropic | Pass key with `--ai-api-key` |
@@ -420,7 +421,7 @@ CLI flags override environment variables, which override the config file. Token
 ## Requirements
 
 - Node.js 18+
-- An AI provider API key (or Ollama running locally, or GitHub Copilot for the VS Code extension)
+- An AI provider API key (or Ollama running locally, or GitHub Copilot / AMP CLI for the VS Code extension)
 - A GitHub or Bitbucket repo with an open PR
 
 ## License

package/README.md

@@ -15,55 +15,19 @@ No install required. Drop `--dry-run` to post comments directly on the PR. For B
 ## What You Get
 
 ```
-🔍 IRA — Scanning PR before your reviewers do
-
-  ✓ Config loaded — AI-only mode, openai, PR #42
-  ✓ Diff loaded — 4 files changed
-  ✓ Review complete — 3 issues found
-
-────────────────────────────────────────────────────────────
-📄 src/routes/auth.ts:31
-   Rule:     IRA/security (CRITICAL)
-   Message:  User input passed directly to SQL query
-   Explain:  The username parameter is concatenated into a SQL string,
-             creating a SQL injection vector.
-   Impact:   Attacker could execute arbitrary SQL and gain database control.
-   Fix:      BEFORE: `db.query(`SELECT * FROM users WHERE name = ${username}`)`
-             → AFTER: `db.query('SELECT * FROM users WHERE name = $1', [username])`
-
-────────────────────────────────────────────────────────────
-📄 src/middleware/cors.ts:8
-   Rule:     IRA/error-handling (MAJOR)
-   Message:  Empty catch block swallows CORS validation errors
-   Explain:  fetch() failure in CORS preflight is caught and ignored,
-             leaving the request in an undefined state.
-   Impact:   Silent CORS failures in production with no logging.
-   Fix:      BEFORE: `} catch {}`
-             → AFTER: `} catch (err) { logger.error('CORS preflight failed', err); throw err; }`
-
-# 🔍 IRA Review Summary
-
-## 🟡 Risk: MEDIUM (38/100)
-
-| Metric        | Value    |
-|---------------|----------|
-| Review mode   | AI-only  |
-| Total issues  | 3        |
-| Reviewed (AI) | 3        |
-| Framework     | react    |
-
-## ✅ Requirements: AUTH-234 — 83% Complete (5/6)
-
-  ✅ OAuth2 login flow implemented with Google provider
-  ✅ JWT tokens generated on successful authentication
-  ✅ Refresh token rotation with 7-day expiry
-  ❌ Input validation on login endpoint — no email format check
-  ✅ Logout endpoint clears session and revokes token
-  ✅ Rate limiting on login attempts
-
-  ⚠️ Edge Cases Not Covered
-  - What happens when Google OAuth is unreachable?
-  - Token refresh during concurrent requests?
+IRA: Found 3 issues (Risk: MEDIUM - 47/100)
+
+src/routes/todos.ts
+  [BLOCKER] SQL injection risk - user input passed directly to query
+  [MAJOR]   Missing database index on frequently queried column
+
+src/middleware/auth.ts
+  [CRITICAL] JWT secret hardcoded - move to environment variable
+
+JIRA AC Validation (PROJ-1234):
+  AC 1: User can create a todo item        COVERED
+  AC 2: Input is validated before save      NOT COVERED
+  AC 3: Error returns 422 with details      COVERED
 ```
 
 Each issue is posted as an inline comment on the exact PR line with explanation, impact, and a minimal BEFORE → AFTER fix.
@@ -114,7 +78,7 @@ Commit a `.ira-rules.json` to your repo root. Rules are injected into the AI pro
 **Rules:**
 - `message` + `severity` required. `bad`/`good` examples and `paths` are optional.
 - Rules without `paths` apply to all files. Rules with `paths` match only those directories.
-- Maximum 50 rules. Deterministic checks (naming, formatting) belong in ESLint.
+- Maximum 100 rules. Deterministic checks (naming, formatting) belong in ESLint.
 - Invalid rules are skipped with a warning, not a crash.
 - No license gating. Works in CLI, CI/CD, and VS Code extension.
 
@@ -208,12 +172,12 @@ CLI flags override env vars, which override the config file. Token fields are bl
 
 **SCM:** GitHub, GitHub Enterprise, Bitbucket Cloud, Bitbucket Server/Data Center
 
-**AI:** OpenAI (default), Azure OpenAI, Anthropic, Ollama (local, no key needed)
+**AI:** OpenAI (default), Azure OpenAI, Anthropic, Ollama (local, no key needed), AMP CLI (VS Code extension)
 
 ## Requirements
 
 - Node.js 18+
-- An AI provider API key (or Ollama running locally)
+- An AI provider API key (or Ollama running locally, or AMP CLI / GitHub Copilot for the VS Code extension)
 
 ## Security
 

package/README.npm.md

@@ -15,55 +15,19 @@ No install required. Drop `--dry-run` to post comments directly on the PR. For B
 ## What You Get
 
 ```
-🔍 IRA — Scanning PR before your reviewers do
-
-  ✓ Config loaded — AI-only mode, openai, PR #42
-  ✓ Diff loaded — 4 files changed
-  ✓ Review complete — 3 issues found
-
-────────────────────────────────────────────────────────────
-📄 src/routes/auth.ts:31
-   Rule:     IRA/security (CRITICAL)
-   Message:  User input passed directly to SQL query
-   Explain:  The username parameter is concatenated into a SQL string,
-             creating a SQL injection vector.
-   Impact:   Attacker could execute arbitrary SQL and gain database control.
-   Fix:      BEFORE: `db.query(`SELECT * FROM users WHERE name = ${username}`)`
-             → AFTER: `db.query('SELECT * FROM users WHERE name = $1', [username])`
-
-────────────────────────────────────────────────────────────
-📄 src/middleware/cors.ts:8
-   Rule:     IRA/error-handling (MAJOR)
-   Message:  Empty catch block swallows CORS validation errors
-   Explain:  fetch() failure in CORS preflight is caught and ignored,
-             leaving the request in an undefined state.
-   Impact:   Silent CORS failures in production with no logging.
-   Fix:      BEFORE: `} catch {}`
-             → AFTER: `} catch (err) { logger.error('CORS preflight failed', err); throw err; }`
-
-# 🔍 IRA Review Summary
-
-## 🟡 Risk: MEDIUM (38/100)
-
-| Metric        | Value    |
-|---------------|----------|
-| Review mode   | AI-only  |
-| Total issues  | 3        |
-| Reviewed (AI) | 3        |
-| Framework     | react    |
-
-## ✅ Requirements: AUTH-234 — 83% Complete (5/6)
-
-  ✅ OAuth2 login flow implemented with Google provider
-  ✅ JWT tokens generated on successful authentication
-  ✅ Refresh token rotation with 7-day expiry
-  ❌ Input validation on login endpoint — no email format check
-  ✅ Logout endpoint clears session and revokes token
-  ✅ Rate limiting on login attempts
-
-  ⚠️ Edge Cases Not Covered
-  - What happens when Google OAuth is unreachable?
-  - Token refresh during concurrent requests?
+IRA: Found 3 issues (Risk: MEDIUM - 47/100)
+
+src/routes/todos.ts
+  [BLOCKER] SQL injection risk - user input passed directly to query
+  [MAJOR]   Missing database index on frequently queried column
+
+src/middleware/auth.ts
+  [CRITICAL] JWT secret hardcoded - move to environment variable
+
+JIRA AC Validation (PROJ-1234):
+  AC 1: User can create a todo item        COVERED
+  AC 2: Input is validated before save      NOT COVERED
+  AC 3: Error returns 422 with details      COVERED
 ```
 
 Each issue is posted as an inline comment on the exact PR line with explanation, impact, and a minimal BEFORE → AFTER fix.
@@ -114,7 +78,7 @@ Commit a `.ira-rules.json` to your repo root. Rules are injected into the AI pro
 **Rules:**
 - `message` + `severity` required. `bad`/`good` examples and `paths` are optional.
 - Rules without `paths` apply to all files. Rules with `paths` match only those directories.
-- Maximum 50 rules. Deterministic checks (naming, formatting) belong in ESLint.
+- Maximum 100 rules. Deterministic checks (naming, formatting) belong in ESLint.
 - Invalid rules are skipped with a warning, not a crash.
 - No license gating. Works in CLI, CI/CD, and VS Code extension.
 
@@ -208,12 +172,12 @@ CLI flags override env vars, which override the config file. Token fields are bl
 
 **SCM:** GitHub, GitHub Enterprise, Bitbucket Cloud, Bitbucket Server/Data Center
 
-**AI:** OpenAI (default), Azure OpenAI, Anthropic, Ollama (local, no key needed)
+**AI:** OpenAI (default), Azure OpenAI, Anthropic, Ollama (local, no key needed), AMP CLI (VS Code extension)
 
 ## Requirements
 
 - Node.js 18+
-- An AI provider API key (or Ollama running locally)
+- An AI provider API key (or Ollama running locally, or AMP CLI / GitHub Copilot for the VS Code extension)
 
 ## Security
 

package/dist/{bitbucket-TQU3E6SG.js → bitbucket-TXGRB3VV.js}

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 import {
   BitbucketClient
-} from "./chunk-XOR6EFZE.js";
-import "./chunk-AHCFDKK4.js";
+} from "./chunk-ZKADAXVW.js";
+import "./chunk-AFLVYFZ2.js";
 export {
   BitbucketClient
 };

package/dist/{chunk-AHCFDKK4.js → chunk-AFLVYFZ2.js}

@@ -88,6 +88,41 @@ async function fetchWithTimeout(url, init = {}, timeoutMs = 3e4) {
     clearTimeout(timer);
   }
 }
+function parseApiError(status, body, provider) {
+  const statusMessages = {
+    400: "Bad request",
+    401: "Authentication failed \u2014 check your token or credentials",
+    403: "Access denied \u2014 you may not have permission for this resource",
+    404: "Not found \u2014 check the URL, project key, or PR number",
+    408: "Request timed out \u2014 try again in a moment",
+    409: "Conflict \u2014 the resource may have been modified",
+    422: "Invalid request \u2014 the server couldn't process it",
+    429: "Rate limited \u2014 too many requests, try again shortly",
+    500: "Server error \u2014 the service is having issues",
+    502: "Bad gateway \u2014 the service is temporarily unavailable",
+    503: "Service unavailable \u2014 try again in a moment",
+    504: "Gateway timeout \u2014 the service took too long to respond"
+  };
+  const friendlyStatus = statusMessages[status] ?? `HTTP ${status}`;
+  const trimmed = body.trim();
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    try {
+      const json = JSON.parse(trimmed);
+      const msg = json.message ?? json.error?.message ?? json.error ?? json.errors?.[0]?.message ?? json.detail;
+      if (typeof msg === "string" && msg.length > 0 && msg.length < 200) {
+        return `${provider} (${status}): ${msg}`;
+      }
+    } catch {
+    }
+  }
+  if (trimmed.startsWith("<!") || trimmed.startsWith("<html") || trimmed.includes("<body")) {
+    return `${provider} (${status}): ${friendlyStatus}`;
+  }
+  if (trimmed.length > 0 && trimmed.length < 150) {
+    return `${provider} (${status}): ${trimmed}`;
+  }
+  return `${provider} (${status}): ${friendlyStatus}`;
+}
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
@@ -95,5 +130,6 @@ function sleep(ms) {
 export {
   RetryableError,
   withRetry,
-  fetchWithTimeout
+  fetchWithTimeout,
+  parseApiError
 };

package/dist/{chunk-NIAFIXU4.js → chunk-SC7RXB4Y.js}

@@ -2,8 +2,9 @@
 import {
   RetryableError,
   fetchWithTimeout,
+  parseApiError,
   withRetry
-} from "./chunk-AHCFDKK4.js";
+} from "./chunk-AFLVYFZ2.js";
 
 // src/scm/github.ts
 var GitHubClient = class {
@@ -48,12 +49,26 @@ var GitHubClient = class {
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `GitHub API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "GitHub"),
           response.status
         );
       }
     });
   }
+  async getIssueComments(pullRequestId) {
+    const bodies = [];
+    let page = 1;
+    while (true) {
+      const url = `${this.baseUrl}/repos/${this.owner}/${this.repo}/issues/${pullRequestId}/comments?per_page=100&page=${page}`;
+      const response = await fetchWithTimeout(url, { headers: this.headers });
+      if (!response.ok) break;
+      const comments = await response.json();
+      for (const c of comments) bodies.push(c.body);
+      if (comments.length < 100) break;
+      page++;
+    }
+    return bodies;
+  }
   async getPRState(pullRequestId) {
     const url = `${this.baseUrl}/repos/${this.owner}/${this.repo}/pulls/${pullRequestId}`;
     const response = await fetchWithTimeout(url, { headers: this.headers });
@@ -81,7 +96,7 @@ var GitHubClient = class {
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `GitHub API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "GitHub"),
           response.status
         );
       }
@@ -97,7 +112,7 @@ var GitHubClient = class {
         const response = await fetchWithTimeout(url, { headers: this.headers });
         if (!response.ok) {
           const text = await response.text();
-          throw new RetryableError(`GitHub API error (${response.status}): ${text}`, response.status);
+          throw new RetryableError(parseApiError(response.status, text, "GitHub"), response.status);
         }
         return response.json();
       });
@@ -125,7 +140,7 @@ ${file.patch}`;
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `GitHub API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "GitHub"),
           response.status
         );
       }
@@ -154,7 +169,7 @@ ${file.patch}`;
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `GitHub API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "GitHub"),
           response.status
         );
       }
@@ -171,7 +186,7 @@ ${file.patch}`;
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `GitHub API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "GitHub"),
           response.status
         );
       }
@@ -188,7 +203,7 @@ ${file.patch}`;
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `GitHub API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "GitHub"),
           response.status
         );
       }
@@ -221,7 +236,7 @@ ${file.patch}`;
         if (!response.ok && response.status !== 422) {
           const text = await response.text();
           throw new RetryableError(
-            `GitHub API error (${response.status}): ${text}`,
+            parseApiError(response.status, text, "GitHub"),
             response.status
           );
         }
@@ -258,7 +273,7 @@ ${file.patch}`;
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `GitHub API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "GitHub"),
           response.status
         );
       }

package/dist/{chunk-XOR6EFZE.js → chunk-ZKADAXVW.js}

@@ -2,8 +2,9 @@
 import {
   RetryableError,
   fetchWithTimeout,
+  parseApiError,
   withRetry
-} from "./chunk-AHCFDKK4.js";
+} from "./chunk-AFLVYFZ2.js";
 
 // src/scm/bitbucket.ts
 var BitbucketClient = class {
@@ -55,14 +56,14 @@ var BitbucketClient = class {
           if (!retryResponse.ok) {
             const retryText = await retryResponse.text();
             throw new RetryableError(
-              `Bitbucket API error (${retryResponse.status}): ${retryText}`,
+              parseApiError(retryResponse.status, retryText, "Bitbucket"),
               retryResponse.status
             );
           }
           return;
         }
         throw new RetryableError(
-          `Bitbucket API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "Bitbucket"),
           response.status
         );
       }
@@ -82,12 +83,24 @@ var BitbucketClient = class {
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `Bitbucket API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "Bitbucket"),
           response.status
         );
       }
     });
   }
+  async getIssueComments(pullRequestId) {
+    const bodies = [];
+    let url = `${this.baseUrl}/repositories/${this.workspace}/${this.repoSlug}/pullrequests/${pullRequestId}/comments?pagelen=100`;
+    while (url) {
+      const response = await fetchWithTimeout(url, { headers: this.headers });
+      if (!response.ok) break;
+      const data = await response.json();
+      for (const c of data.values) bodies.push(c.content.raw);
+      url = data.next;
+    }
+    return bodies;
+  }
   async getFileContent(filePath, pullRequestId) {
     const sourceHash = await this.getSourceHash(pullRequestId);
     const encodedPath = filePath.split("/").map(encodeURIComponent).join("/");
@@ -99,7 +112,7 @@ var BitbucketClient = class {
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `Bitbucket API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "Bitbucket"),
           response.status
         );
       }
@@ -131,7 +144,7 @@ var BitbucketClient = class {
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `Bitbucket API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "Bitbucket"),
           response.status
         );
       }
@@ -147,7 +160,7 @@ var BitbucketClient = class {
         const response = await fetchWithTimeout(nextUrl, { headers: this.headers });
         if (!response.ok) {
           const text = await response.text();
-          throw new RetryableError(`Bitbucket API error (${response.status}): ${text}`, response.status);
+          throw new RetryableError(parseApiError(response.status, text, "Bitbucket"), response.status);
         }
         return response.json();
       });
@@ -166,7 +179,7 @@ var BitbucketClient = class {
           const response = await fetchWithTimeout(url, { headers: this.headers }, 15e3);
           if (!response.ok) {
             const text = await response.text();
-            throw new RetryableError(`Bitbucket API error (${response.status}): ${text}`, response.status);
+            throw new RetryableError(parseApiError(response.status, text, "Bitbucket"), response.status);
           }
           return response.text();
         });
@@ -189,7 +202,7 @@ var BitbucketClient = class {
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `Bitbucket API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "Bitbucket"),
           response.status
         );
       }
@@ -218,7 +231,7 @@ var BitbucketClient = class {
       if (!response.ok) {
         const text = await response.text();
         throw new RetryableError(
-          `Bitbucket API error (${response.status}): ${text}`,
+          parseApiError(response.status, text, "Bitbucket"),
           response.status
         );
       }