ira-review 3.0.1 → 3.1.0

package/README.github.md

@@ -98,7 +98,7 @@ flowchart LR
 
 ```
 src/
-  ai/           AI provider abstraction (OpenAI, Anthropic, Azure, Ollama, AMP)
+  ai/           AI provider abstraction (OpenAI, Anthropic, Azure, Ollama, AMP, Copilot CLI)
   core/         Review engine, risk scorer, acceptance validator, test generator
   scm/          GitHub and Bitbucket clients (diff, comments, labels, build status)
   integrations/ JIRA client, Slack/Teams notifier
@@ -182,7 +182,7 @@ Each rule has a `message` (what to tell the developer), a `severity` (BLOCKER, C
 }
 ```
 
-Rules without `paths` apply to all files. Rules with `paths` are only checked against matching files. The file is validated at load time: invalid severity values and missing required fields are skipped with a warning. Maximum 100 rules per file. IRA rules are for nuanced, context-dependent standards that linters cannot express. Deterministic checks (naming conventions, import order, formatting) belong in ESLint.
+Rules without `paths` apply to all files. Rules with `paths` are only checked against matching files. The file is validated at load time: invalid severity values and missing required fields are skipped with a warning. There is no hard cap on the number of rules; a soft warning is logged above 500 since large rulesets can inflate the AI prompt. IRA rules are for nuanced, context-dependent standards that linters cannot express. Deterministic checks (naming conventions, import order, formatting) belong in ESLint.
 
 Rules are enforced in all review surfaces (CLI, CI/CD, VS Code extension) with no license gating. In the VS Code extension, run `IRA: Init Rules File` from the command palette to scaffold an empty `.ira-rules.json`. The extension ships a JSON Schema for the file, so you get autocomplete and validation as you edit.
 
@@ -210,7 +210,7 @@ IRA is not a SaaS product. There is no hosted service, no telemetry, no analytic
 | | CLI | VS Code Extension |
 |---|---|---|
 | **Use case** | CI pipelines, scripting, headless environments | Interactive development |
-| **AI default** | OpenAI (requires API key) | GitHub Copilot (zero config), AMP CLI also supported |
+| **AI default** | OpenAI (requires API key); GitHub Copilot CLI also supported for enterprise CI (`--ai-provider copilot-cli`, no API key) | GitHub Copilot (zero config), AMP CLI also supported |
 | **Auth** | Environment variables or CLI flags | VS Code OAuth + OS keychain |
 | **Output** | Terminal + PR comments | Inline diagnostics, CodeLens, TreeView, risk badge |
 | **JIRA/Sonar** | CLI flags or env vars | VS Code settings |
@@ -279,10 +279,10 @@ Suggested Fix: Use parameterized queries:
 
 1. Install from the [VS Code Marketplace](https://marketplace.visualstudio.com/items?itemName=ira-review.ira-review-vscode)
 2. Open a project with a GitHub or Bitbucket remote
-3. `Cmd+Shift+P` > `IRA: Review Current PR`
-4. Enter your PR number
+3. `Cmd+Shift+P` > `IRA: Quick Start` (auto-detects SCM, walks you through tokens, optionally sets up JIRA)
+4. `Cmd+Shift+P` > `IRA: Review Current PR` and enter your PR number
 
-If you have GitHub Copilot, that is all you need. No API keys, no configuration. Alternatively, set the AI provider to `amp` if you have the AMP CLI installed (`amp login`).
+If you have GitHub Copilot, Quick Start finishes in seconds — no API keys, no configuration. Alternatively, set the AI provider to `amp` if you have the AMP CLI installed (`amp login`). For Bitbucket Server / Data Center or JIRA, Quick Start gives you the right token-creation links inline.
 
 ### CLI
 
@@ -344,6 +344,101 @@ pipelines:
 
 ---
 
+## Enterprise: Bitbucket Server / Data Center
+
+For self-hosted Bitbucket Server (a.k.a. Data Center), pass `--bitbucket-type server`
+along with your Bitbucket base URL and a Personal Access Token. The `--repo` flag uses
+`PROJECT/repo-slug` format (project keys are usually uppercase).
+
+```bash
+npx ira-review review \
+  --pr 1234 \
+  --scm-provider bitbucket \
+  --bitbucket-type server \
+  --bitbucket-url https://bitbucket.example.com \
+  --bitbucket-token "$BITBUCKET_PAT" \
+  --repo MYPROJ/my-service \
+  --ai-api-key "$OPENAI_API_KEY"
+```
+
+The type is auto-detected from `--bitbucket-url` (anything other than `api.bitbucket.org`
+defaults to `server`), so the flag is usually optional. Set it explicitly if your
+Server instance sits behind a CDN whose hostname looks like Cloud.
+
+## Enterprise: JIRA Server / Data Center
+
+JIRA Server uses Bearer auth with a Personal Access Token (Profile → Personal Access
+Tokens) — the email field is ignored. Pass `--jira-type server` if your URL is not
+on `*.atlassian.net`:
+
+```bash
+npx ira-review review \
+  --pr 1234 \
+  --scm-provider bitbucket \
+  --bitbucket-type server \
+  --bitbucket-url https://bitbucket.example.com \
+  --bitbucket-token "$BITBUCKET_PAT" \
+  --repo MYPROJ/my-service \
+  --jira-url https://jira.example.com \
+  --jira-type server \
+  --jira-token "$JIRA_PAT" \
+  --jira-ticket PROJ-123 \
+  --ai-api-key "$OPENAI_API_KEY"
+```
+
+## Enterprise: Jenkins quickstart
+
+Works with Jenkins on Linux **and Windows agents** behind a corporate proxy. IRA
+auto-detects `JENKINS_URL` and skips the first-run safety prompt.
+
+```groovy
+stage('IRA Review') {
+  when { changeRequest() }
+  steps {
+    withCredentials([
+      string(credentialsId: 'bitbucket-pat',  variable: 'BB_TOKEN'),
+      string(credentialsId: 'jira-pat',       variable: 'JIRA_TOKEN'),
+      string(credentialsId: 'ai-api-key',     variable: 'AI_KEY'),
+    ]) {
+      sh '''
+        npx --yes ira-review@latest review \\
+          --pr "$CHANGE_ID" \\
+          --scm-provider bitbucket \\
+          --bitbucket-type server \\
+          --bitbucket-url "$BITBUCKET_URL" \\
+          --bitbucket-token "$BB_TOKEN" \\
+          --repo "$BITBUCKET_PROJECT/$BITBUCKET_REPO" \\
+          --jira-url "$JIRA_URL" \\
+          --jira-type server \\
+          --jira-token "$JIRA_TOKEN" \\
+          --ai-api-key "$AI_KEY"
+      '''
+    }
+  }
+  environment {
+    HTTPS_PROXY          = "${env.CORP_PROXY_URL}"
+    NODE_EXTRA_CA_CERTS  = "${env.CORP_CA_BUNDLE_PEM}"
+  }
+}
+```
+
+Tips for Jenkins / corporate networks:
+
+- **CI auto-detection** — IRA recognizes `JENKINS_URL`, `GITLAB_CI`, `GITHUB_ACTIONS`,
+  `TF_BUILD`, `BUILDKITE`, `CIRCLECI`, and `CI`.
+- **Proxy + corporate CA** — set `HTTPS_PROXY` and `NODE_EXTRA_CA_CERTS` (path to your
+  PEM bundle). IRA fails fast with a clear error if `NODE_EXTRA_CA_CERTS` points to
+  a missing file, and prints the resolved AI endpoint / proxy / CA bundle on startup.
+- **No full checkout?** — point `--rules-url` at the raw URL of your `.ira-rules.json`
+  in Bitbucket / GitHub instead of relying on a local file.
+- **AI gateway** — point `--ai-base-url` at any OpenAI-compatible endpoint (GitHub
+  Models, an internal LLM proxy, LiteLLM, vLLM…). Keep `--ai-provider openai`.
+- **Comment style** — use `--comment-style compact` (default) for terse,
+  severity-first inline comments. `--comment-style detailed` keeps the legacy
+  Explanation / Impact / Suggested Fix block.
+
+---
+
 ## Adding JIRA and SonarQube
 
 Both integrations are optional and additive. IRA works with just an SCM provider and an AI key.
@@ -393,8 +488,9 @@ npx ira-review review \
 | Provider | Notes |
 |---|---|
 | GitHub Copilot | VS Code only, zero config, uses existing session |
+| GitHub Copilot CLI | CLI/CI via `--ai-provider copilot-cli`. Requires `@github/copilot` installed (`npm i -g @github/copilot`) and `GITHUB_TOKEN` set to a PAT with **Copilot Requests** permission. Honours `GH_HOST` for GitHub Enterprise tenants. Officially-sanctioned path for using Copilot from non-IDE contexts. |
 | AMP CLI | VS Code only, requires `amp` CLI installed and authenticated (`amp login`) |
-| OpenAI | Default for CLI |
+| OpenAI | Default for CLI. Pass `--ai-base-url` to target any OpenAI-compatible gateway (GitHub Models, internal LLM proxy, LiteLLM, vLLM, …) |
 | Azure OpenAI | Requires `--ai-base-url` and `--ai-deployment` |
 | Anthropic | Pass key with `--ai-api-key` |
 | Ollama | Fully local, no API key needed |

package/README.md

@@ -10,6 +10,8 @@ npx ira-review review --pr 42 --scm-provider github \
 
 No install required. Drop `--dry-run` to post comments directly on the PR. For Bitbucket, replace the GitHub flags with `--bitbucket-token` and `--repo`.
 
+> 💡 **Prefer reviewing inside your editor?** IRA also ships as a [VS Code extension](https://marketplace.visualstudio.com/items?itemName=ira-review.ira-review-vscode) (available since earlier 3.x versions) — same engine, with inline diagnostics, codelens, and one-click "Post to PR".
+
 ---
 
 ## What You Get
@@ -37,6 +39,7 @@ Each issue is posted as an inline comment on the exact PR line with explanation,
 - Evidence-based reviews — 7 categories (security, business logic, race conditions, data consistency, async, error handling, defensive coding), each with explicit false-positive exclusions. Issues without concrete evidence are filtered out.
 - Risk scoring (0-100) with severity breakdown and PR labels
 - Inline AI comments with explanation, impact, and minimal BEFORE → AFTER fix
+- Two-pass critical review (`--ai-model-critical`) — bulk pass uses your everyday model; only `CRITICAL`/`BLOCKER` findings are re-run against a stronger model, keeping premium-request cost low while preserving deep analysis on what matters
 - JIRA acceptance criteria validation with per-criterion pass/fail and edge case detection
 - JIRA AC auto-detection — finds AC from custom field or description automatically
 - Custom team review rules via `.ira-rules.json` (see below)
@@ -78,7 +81,7 @@ Commit a `.ira-rules.json` to your repo root. Rules are injected into the AI pro
 **Rules:**
 - `message` + `severity` required. `bad`/`good` examples and `paths` are optional.
 - Rules without `paths` apply to all files. Rules with `paths` match only those directories.
-- Maximum 100 rules. Deterministic checks (naming, formatting) belong in ESLint.
+- No hard cap on rules (soft warning above 500). Deterministic checks (naming, formatting) belong in ESLint.
 - Invalid rules are skipped with a warning, not a crash.
 - No license gating. Works in CLI, CI/CD, and VS Code extension.
 
@@ -134,7 +137,9 @@ All optional. IRA works with just an SCM token and an AI key.
 
 | What you want | Flags to add |
 |---|---|
-| JIRA validation | `--jira-url` `--jira-email` `--jira-token` `--jira-ticket PROJ-123` |
+| JIRA Cloud validation | `--jira-url` `--jira-email` `--jira-token` `--jira-ticket PROJ-123` |
+| JIRA Server / DC | `--jira-url` `--jira-type server` `--jira-token <PAT>` `--jira-ticket PROJ-123` |
+| Bitbucket Server / DC | `--bitbucket-type server` `--bitbucket-url https://bitbucket.example.com` `--repo PROJECT/repo-slug` |
 | SonarQube enrichment | `--sonar-url` `--sonar-token` `--project-key my-project` |
 | Test generation | `--generate-tests --test-framework vitest` |
 | Slack notifications | `--slack-webhook https://hooks.slack.com/services/xxx` |
@@ -142,6 +147,10 @@ All optional. IRA works with just an SCM token and an AI key.
 | Only notify on high risk | `--notify-min-risk high` |
 | Use Anthropic | `--ai-provider anthropic` |
 | Use Ollama (free, local) | `--ai-provider ollama` |
+| Use GitHub Copilot CLI (CI) | `--ai-provider copilot-cli` (needs `@github/copilot` installed + `GITHUB_TOKEN` with Copilot Requests scope; respects `GH_HOST`) |
+| OpenAI-compatible gateway | `--ai-base-url https://your-llm-proxy/v1` (GitHub Models, LiteLLM, internal proxy…) |
+| Rules from URL (no checkout) | `--rules-url https://bitbucket.example.com/.../.ira-rules.json` |
+| Compact / detailed comments | `--comment-style compact` (default) or `--comment-style detailed` |
 
 ---
 
@@ -172,12 +181,12 @@ CLI flags override env vars, which override the config file. Token fields are bl
 
 **SCM:** GitHub, GitHub Enterprise, Bitbucket Cloud, Bitbucket Server/Data Center
 
-**AI:** OpenAI (default), Azure OpenAI, Anthropic, Ollama (local, no key needed), AMP CLI (VS Code extension)
+**AI:** OpenAI (default), Azure OpenAI, Anthropic, Ollama (local, no key needed), GitHub Copilot CLI (CI-friendly, uses your Copilot entitlement, no API key), AMP CLI (VS Code extension)
 
 ## Requirements
 
 - Node.js 18+
-- An AI provider API key (or Ollama running locally, or AMP CLI / GitHub Copilot for the VS Code extension)
+- An AI provider API key (or Ollama running locally, or GitHub Copilot CLI for headless / CI use, or AMP CLI / GitHub Copilot for the VS Code extension)
 
 ## Security
 

package/README.npm.md

@@ -10,6 +10,8 @@ npx ira-review review --pr 42 --scm-provider github \
 
 No install required. Drop `--dry-run` to post comments directly on the PR. For Bitbucket, replace the GitHub flags with `--bitbucket-token` and `--repo`.
 
+> 💡 **Prefer reviewing inside your editor?** IRA also ships as a [VS Code extension](https://marketplace.visualstudio.com/items?itemName=ira-review.ira-review-vscode) (available since earlier 3.x versions) — same engine, with inline diagnostics, codelens, and one-click "Post to PR".
+
 ---
 
 ## What You Get
@@ -37,6 +39,7 @@ Each issue is posted as an inline comment on the exact PR line with explanation,
 - Evidence-based reviews — 7 categories (security, business logic, race conditions, data consistency, async, error handling, defensive coding), each with explicit false-positive exclusions. Issues without concrete evidence are filtered out.
 - Risk scoring (0-100) with severity breakdown and PR labels
 - Inline AI comments with explanation, impact, and minimal BEFORE → AFTER fix
+- Two-pass critical review (`--ai-model-critical`) — bulk pass uses your everyday model; only `CRITICAL`/`BLOCKER` findings are re-run against a stronger model, keeping premium-request cost low while preserving deep analysis on what matters
 - JIRA acceptance criteria validation with per-criterion pass/fail and edge case detection
 - JIRA AC auto-detection — finds AC from custom field or description automatically
 - Custom team review rules via `.ira-rules.json` (see below)
@@ -78,7 +81,7 @@ Commit a `.ira-rules.json` to your repo root. Rules are injected into the AI pro
 **Rules:**
 - `message` + `severity` required. `bad`/`good` examples and `paths` are optional.
 - Rules without `paths` apply to all files. Rules with `paths` match only those directories.
-- Maximum 100 rules. Deterministic checks (naming, formatting) belong in ESLint.
+- No hard cap on rules (soft warning above 500). Deterministic checks (naming, formatting) belong in ESLint.
 - Invalid rules are skipped with a warning, not a crash.
 - No license gating. Works in CLI, CI/CD, and VS Code extension.
 
@@ -134,7 +137,9 @@ All optional. IRA works with just an SCM token and an AI key.
 
 | What you want | Flags to add |
 |---|---|
-| JIRA validation | `--jira-url` `--jira-email` `--jira-token` `--jira-ticket PROJ-123` |
+| JIRA Cloud validation | `--jira-url` `--jira-email` `--jira-token` `--jira-ticket PROJ-123` |
+| JIRA Server / DC | `--jira-url` `--jira-type server` `--jira-token <PAT>` `--jira-ticket PROJ-123` |
+| Bitbucket Server / DC | `--bitbucket-type server` `--bitbucket-url https://bitbucket.example.com` `--repo PROJECT/repo-slug` |
 | SonarQube enrichment | `--sonar-url` `--sonar-token` `--project-key my-project` |
 | Test generation | `--generate-tests --test-framework vitest` |
 | Slack notifications | `--slack-webhook https://hooks.slack.com/services/xxx` |
@@ -142,6 +147,10 @@ All optional. IRA works with just an SCM token and an AI key.
 | Only notify on high risk | `--notify-min-risk high` |
 | Use Anthropic | `--ai-provider anthropic` |
 | Use Ollama (free, local) | `--ai-provider ollama` |
+| Use GitHub Copilot CLI (CI) | `--ai-provider copilot-cli` (needs `@github/copilot` installed + `GITHUB_TOKEN` with Copilot Requests scope; respects `GH_HOST`) |
+| OpenAI-compatible gateway | `--ai-base-url https://your-llm-proxy/v1` (GitHub Models, LiteLLM, internal proxy…) |
+| Rules from URL (no checkout) | `--rules-url https://bitbucket.example.com/.../.ira-rules.json` |
+| Compact / detailed comments | `--comment-style compact` (default) or `--comment-style detailed` |
 
 ---
 
@@ -172,12 +181,12 @@ CLI flags override env vars, which override the config file. Token fields are bl
 
 **SCM:** GitHub, GitHub Enterprise, Bitbucket Cloud, Bitbucket Server/Data Center
 
-**AI:** OpenAI (default), Azure OpenAI, Anthropic, Ollama (local, no key needed), AMP CLI (VS Code extension)
+**AI:** OpenAI (default), Azure OpenAI, Anthropic, Ollama (local, no key needed), GitHub Copilot CLI (CI-friendly, uses your Copilot entitlement, no API key), AMP CLI (VS Code extension)
 
 ## Requirements
 
 - Node.js 18+
-- An AI provider API key (or Ollama running locally, or AMP CLI / GitHub Copilot for the VS Code extension)
+- An AI provider API key (or Ollama running locally, or GitHub Copilot CLI for headless / CI use, or AMP CLI / GitHub Copilot for the VS Code extension)
 
 ## Security