jinzd-ai-cli 0.4.143 → 0.4.145

package/dist/{batch-FTCB7YHA.js → batch-ZMDHCPMO.js}

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 import {
   ConfigManager
-} from "./chunk-DX5JYNVN.js";
+} from "./chunk-MII3VYZ7.js";
 import "./chunk-2ZD3YTVM.js";
-import "./chunk-VXFBUMWG.js";
+import "./chunk-EYUL75S4.js";
 import "./chunk-PDX44BCA.js";
 
 // src/cli/batch.ts

package/dist/{chunk-YPFCJ5KC.js → chunk-A3RPBWBF.js}

@@ -5,12 +5,14 @@ import {
 } from "./chunk-UQQJWHRV.js";
 import {
   runTestsTool
-} from "./chunk-IMYOBDJG.js";
+} from "./chunk-QWP4RFMS.js";
 import {
-  getDangerLevel,
-  isFileWriteTool,
   runTool
-} from "./chunk-2JLVHUMU.js";
+} from "./chunk-GZNBAFTO.js";
+import {
+  getDangerLevel,
+  isFileWriteTool
+} from "./chunk-OWPFDHKC.js";
 import {
   EnvLoader,
   NetworkError,
@@ -23,7 +25,7 @@ import {
   SUBAGENT_ALLOWED_TOOLS,
   SUBAGENT_DEFAULT_MAX_ROUNDS,
   SUBAGENT_MAX_ROUNDS_LIMIT
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 import {
   fileCheckpoints
 } from "./chunk-4BKXL7SM.js";

package/dist/{chunk-VXFBUMWG.js → chunk-EYUL75S4.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/core/constants.ts
-var VERSION = "0.4.143";
+var VERSION = "0.4.145";
 var APP_NAME = "ai-cli";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";

package/dist/{chunk-2JLVHUMU.js → chunk-GZNBAFTO.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   CONFIG_DIR_NAME
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 
 // src/diagnostics/tool-stats.ts
 import { existsSync, readFileSync, writeFileSync, mkdirSync, renameSync } from "fs";
@@ -118,69 +118,11 @@ function installFlushOnExit() {
   process.on("exit", () => flush());
 }
 
-// src/tools/types.ts
-function isFileWriteTool(name) {
-  return name === "write_file" || name === "edit_file" || name === "notebook_edit";
-}
-function getDangerLevel(toolName, args) {
-  if (toolName.startsWith("mcp__")) return "safe";
-  if (toolName === "bash") {
-    const cmd = String(args["command"] ?? "");
-    if (/\brm\s+[^\n]*(?:-\w*[rRfF]\w*|--recursive|--force)\b/.test(cmd)) return "destructive";
-    if (/\brm\s+\S/.test(cmd)) return "destructive";
-    if (/\brmdir\b|\bformat\b|\bmkfs\b|\bdd\s+if=|\bshred\b|\bfdisk\b|\bparted\b/.test(cmd)) return "destructive";
-    if (/\bshutdown\b|\breboot\b|\bhalt\b|\bpoweroff\b/.test(cmd)) return "destructive";
-    if (/\bkill\s+-9\b|\bkillall\b/.test(cmd)) return "destructive";
-    if (/\bRemove-Item\b|\bri\s+\S/i.test(cmd)) return "destructive";
-    if (/\brd\s+\/s\b|\brmdir\s+\/s\b/i.test(cmd)) return "destructive";
-    if (/\bdel\s+\S/.test(cmd)) return "destructive";
-    if (/\bShutdown(-Computer)?\b|\bRestart-Computer\b/i.test(cmd)) return "destructive";
-    if (/(?:^|[\s|;&])>>?\s*\S/.test(cmd)) return "write";
-    if (/\btee\b|\bcp\b|\bmv\b|\bln\s+-s/.test(cmd)) return "write";
-    if (/\bchmod\b|\bchown\b/.test(cmd)) return "write";
-    if (/\bSet-Content\b|\bOut-File\b|\bAdd-Content\b|\bCopy-Item\b|\bMove-Item\b|\bSet-ItemProperty\b|\bNew-ItemProperty\b/i.test(cmd)) return "write";
-    return "safe";
-  }
-  if (toolName === "write_file") return "write";
-  if (toolName === "edit_file") return "write";
-  if (toolName === "save_last_response") return "write";
-  if (toolName === "run_interactive") {
-    const exe = String(args["executable"] ?? "").toLowerCase();
-    if (/\b(rm|rmdir|del|format|mkfs|Remove-Item)\b/i.test(exe)) return "destructive";
-    if (/\b(bash|sh|zsh|cmd|powershell|pwsh|python|node|ruby|perl)\b/i.test(exe)) return "write";
-    return "write";
-  }
-  if (toolName === "task_create" || toolName === "task_stop") return "write";
-  if (toolName === "task_list") return "safe";
-  if (toolName === "git_commit") return "write";
-  if (toolName === "git_status" || toolName === "git_diff" || toolName === "git_log") return "safe";
-  if (toolName === "notebook_edit") return "write";
-  if (toolName === "read_file" || toolName === "list_dir" || toolName === "grep_files" || toolName === "glob_files" || toolName === "web_fetch" || toolName === "save_memory" || toolName === "ask_user" || toolName === "write_todos" || toolName === "google_search" || toolName === "spawn_agent" || toolName === "run_tests") return "safe";
-  return "write";
-}
-function schemaToJsonSchema(schema) {
-  const result = {
-    type: schema.type,
-    description: schema.description
-  };
-  if (schema.enum) result["enum"] = schema.enum;
-  if (schema.items) result["items"] = schemaToJsonSchema(schema.items);
-  if (schema.properties) {
-    result["properties"] = Object.fromEntries(
-      Object.entries(schema.properties).map(([k, v]) => [k, schemaToJsonSchema(v)])
-    );
-  }
-  return result;
-}
-
 export {
   runTool,
   getStatsSnapshot,
   getTopFailingTools,
   getTopUsedTools,
   resetStats,
-  installFlushOnExit,
-  isFileWriteTool,
-  getDangerLevel,
-  schemaToJsonSchema
+  installFlushOnExit
 };

package/dist/chunk-HLWUDRBO.js

@@ -0,0 +1,74 @@
+#!/usr/bin/env node
+
+// src/cli/review-prompts.ts
+function buildReviewPrompt(diff, gitContextStr, detailed) {
+  const level = detailed ? "Please perform a detailed in-depth review covering: security, performance, maintainability, error handling, naming conventions, and code duplication." : "Please perform a concise code review focusing on bugs, security issues, and key improvement suggestions.";
+  return `# Code Review Request
+
+${level}
+
+## Git Status
+${gitContextStr}
+
+## Code Changes (diff)
+\`\`\`diff
+${diff}
+\`\`\`
+
+## Output Format
+Please structure your review as follows:
+1. **Overall Assessment**: One-sentence summary of the change quality
+2. **Issues** (if any): Each issue with [Severity] file:line \u2014 description + suggested fix
+3. **Improvement Suggestions** (if any): Non-critical but recommended optimizations
+4. **Highlights** (if any): Good practices worth acknowledging
+
+Severity levels: \u{1F534} Critical / \u{1F7E1} Warning / \u{1F535} Info`;
+}
+function buildSecurityReviewPrompt(diff, gitContextStr) {
+  return `# Security Vulnerability Review
+
+Analyze the following code changes **exclusively for security vulnerabilities**.
+
+## Categories to check:
+1. **Injection** \u2014 SQL, command, path traversal, XSS, template injection
+2. **Authentication & Authorization** \u2014 hardcoded credentials, missing auth checks, privilege escalation
+3. **Secrets & Sensitive Data** \u2014 API keys, tokens, passwords in code, logging sensitive data
+4. **Input Validation** \u2014 missing validation, unsafe deserialization, buffer issues
+5. **Cryptography** \u2014 weak algorithms, improper random, hardcoded IVs/salts
+6. **Dependencies** \u2014 known vulnerable packages, unsafe dynamic imports
+7. **File System** \u2014 path traversal, unsafe file permissions, symlink attacks
+8. **Network** \u2014 SSRF, insecure protocols, missing TLS validation
+
+## Git Status
+${gitContextStr}
+
+## Code Changes (diff)
+\`\`\`diff
+${diff}
+\`\`\`
+
+## Output Format
+For each finding:
+- **Severity**: \u{1F534} CRITICAL / \u{1F7E0} HIGH / \u{1F7E1} MEDIUM / \u{1F535} LOW / \u2139\uFE0F INFO
+- **Category**: (from list above)
+- **File & location**: file:line
+- **Description**: what the vulnerability is and how it could be exploited
+- **Recommended fix**: specific code change to resolve
+
+If no security issues found, state "\u2705 No security vulnerabilities detected" with a brief explanation of what was checked.`;
+}
+function truncateDiff(diff, maxChars) {
+  if (diff.length <= maxChars) return { diff, truncated: false };
+  const head = diff.slice(0, Math.floor(maxChars * 0.7));
+  const tail = diff.slice(diff.length - Math.floor(maxChars * 0.2));
+  return {
+    diff: head + "\n\n... [diff truncated, " + diff.length + " chars total] ...\n\n" + tail,
+    truncated: true
+  };
+}
+
+export {
+  buildReviewPrompt,
+  buildSecurityReviewPrompt,
+  truncateDiff
+};

package/dist/{chunk-GDCLDXEC.js → chunk-JFLT57TG.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   truncateForPersist
-} from "./chunk-YPFCJ5KC.js";
+} from "./chunk-A3RPBWBF.js";
 import {
   APP_NAME,
   CONFIG_DIR_NAME,
@@ -11,7 +11,7 @@ import {
   MCP_PROTOCOL_VERSION,
   MCP_TOOL_PREFIX,
   VERSION
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 import {
   redactJson
 } from "./chunk-7ZJN4KLV.js";

package/dist/{chunk-DX5JYNVN.js → chunk-MII3VYZ7.js}

@@ -8,7 +8,7 @@ import {
   CONFIG_FILE_NAME,
   HISTORY_DIR_NAME,
   PLUGINS_DIR_NAME
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 
 // src/config/config-manager.ts
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
@@ -235,7 +235,27 @@ var ConfigSchema = z.object({
       name: z.string().optional()
     })).default([]),
     fallback: z.string().optional()
-  }).default({ enabled: false, rules: [] })
+  }).default({ enabled: false, rules: [] }),
+  // Provider 容错（v0.4.144+）：网络抖动 / 5xx / 429 时，先在当前 provider 上做指数退避重试，
+  // 仍失败则按顺序尝试 chain 里的 fallback provider。auth / 400 / 422 等"硬失败"直接跳过同
+  // provider 重试，但仍会尝试 chain（不同 key/schema 可能能成功）。
+  // 关键约束：流式 API 一旦已经向终端 yield 过 chunk，错误立刻向上抛 —— 不能"已经吐了一半"再
+  // 重新发起请求，会撕裂用户看到的输出。
+  // enabled 默认 false：保持向前兼容，未配置 chain 的用户行为不变。
+  fallback: z.object({
+    enabled: z.boolean().default(false),
+    /** 同 provider 重试次数（不含首次调用）。0 = 不重试，直接走 chain。 */
+    retries: z.number().int().min(0).max(10).default(2),
+    /** 首次退避等待（ms），后续按 2 的幂指数增长。 */
+    initialBackoffMs: z.number().int().positive().default(500),
+    /** 单次退避的硬上限（ms）。 */
+    maxBackoffMs: z.number().int().positive().default(8e3),
+    /** 兜底 provider 链，每个 entry 仅尝试 1 次。model 省略则使用 provider 的 defaultModel。 */
+    chain: z.array(z.object({
+      provider: z.string(),
+      model: z.string().optional()
+    })).default([])
+  }).default({ enabled: false, retries: 2, initialBackoffMs: 500, maxBackoffMs: 8e3, chain: [] })
 });
 
 // src/config/config-manager.ts

package/dist/{chunk-2YEBAHAB.js → chunk-OH5HVL5O.js}

@@ -6,7 +6,7 @@ import { platform } from "os";
 import chalk from "chalk";
 
 // src/core/constants.ts
-var VERSION = "0.4.143";
+var VERSION = "0.4.145";
 var APP_NAME = "ai-cli";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";

package/dist/chunk-OWPFDHKC.js

@@ -0,0 +1,62 @@
+#!/usr/bin/env node
+
+// src/tools/types.ts
+function isFileWriteTool(name) {
+  return name === "write_file" || name === "edit_file" || name === "notebook_edit";
+}
+function getDangerLevel(toolName, args) {
+  if (toolName.startsWith("mcp__")) return "safe";
+  if (toolName === "bash") {
+    const cmd = String(args["command"] ?? "");
+    if (/\brm\s+[^\n]*(?:-\w*[rRfF]\w*|--recursive|--force)\b/.test(cmd)) return "destructive";
+    if (/\brm\s+\S/.test(cmd)) return "destructive";
+    if (/\brmdir\b|\bformat\b|\bmkfs\b|\bdd\s+if=|\bshred\b|\bfdisk\b|\bparted\b/.test(cmd)) return "destructive";
+    if (/\bshutdown\b|\breboot\b|\bhalt\b|\bpoweroff\b/.test(cmd)) return "destructive";
+    if (/\bkill\s+-9\b|\bkillall\b/.test(cmd)) return "destructive";
+    if (/\bRemove-Item\b|\bri\s+\S/i.test(cmd)) return "destructive";
+    if (/\brd\s+\/s\b|\brmdir\s+\/s\b/i.test(cmd)) return "destructive";
+    if (/\bdel\s+\S/.test(cmd)) return "destructive";
+    if (/\bShutdown(-Computer)?\b|\bRestart-Computer\b/i.test(cmd)) return "destructive";
+    if (/(?:^|[\s|;&])>>?\s*\S/.test(cmd)) return "write";
+    if (/\btee\b|\bcp\b|\bmv\b|\bln\s+-s/.test(cmd)) return "write";
+    if (/\bchmod\b|\bchown\b/.test(cmd)) return "write";
+    if (/\bSet-Content\b|\bOut-File\b|\bAdd-Content\b|\bCopy-Item\b|\bMove-Item\b|\bSet-ItemProperty\b|\bNew-ItemProperty\b/i.test(cmd)) return "write";
+    return "safe";
+  }
+  if (toolName === "write_file") return "write";
+  if (toolName === "edit_file") return "write";
+  if (toolName === "save_last_response") return "write";
+  if (toolName === "run_interactive") {
+    const exe = String(args["executable"] ?? "").toLowerCase();
+    if (/\b(rm|rmdir|del|format|mkfs|Remove-Item)\b/i.test(exe)) return "destructive";
+    if (/\b(bash|sh|zsh|cmd|powershell|pwsh|python|node|ruby|perl)\b/i.test(exe)) return "write";
+    return "write";
+  }
+  if (toolName === "task_create" || toolName === "task_stop") return "write";
+  if (toolName === "task_list") return "safe";
+  if (toolName === "git_commit") return "write";
+  if (toolName === "git_status" || toolName === "git_diff" || toolName === "git_log") return "safe";
+  if (toolName === "notebook_edit") return "write";
+  if (toolName === "read_file" || toolName === "list_dir" || toolName === "grep_files" || toolName === "glob_files" || toolName === "web_fetch" || toolName === "save_memory" || toolName === "ask_user" || toolName === "write_todos" || toolName === "google_search" || toolName === "spawn_agent" || toolName === "run_tests") return "safe";
+  return "write";
+}
+function schemaToJsonSchema(schema) {
+  const result = {
+    type: schema.type,
+    description: schema.description
+  };
+  if (schema.enum) result["enum"] = schema.enum;
+  if (schema.items) result["items"] = schemaToJsonSchema(schema.items);
+  if (schema.properties) {
+    result["properties"] = Object.fromEntries(
+      Object.entries(schema.properties).map(([k, v]) => [k, schemaToJsonSchema(v)])
+    );
+  }
+  return result;
+}
+
+export {
+  isFileWriteTool,
+  getDangerLevel,
+  schemaToJsonSchema
+};

package/dist/{chunk-IMYOBDJG.js → chunk-QWP4RFMS.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   TEST_TIMEOUT
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 
 // src/tools/builtin/run-tests.ts
 import { execSync, spawnSync } from "child_process";

package/dist/{chunk-YCIJZ2XS.js → chunk-XZBA3NHG.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   schemaToJsonSchema
-} from "./chunk-2JLVHUMU.js";
+} from "./chunk-OWPFDHKC.js";
 import {
   AuthError,
   ProviderError,

package/dist/{chunk-CSWA553M.js → chunk-ZFEFS5HS.js}

@@ -2,7 +2,7 @@
 import {
   CONFIG_DIR_NAME,
   VERSION
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 
 // src/diagnostics/crash-log.ts
 import {

package/dist/ci-FCVBC4WJ.js

@@ -0,0 +1,232 @@
+#!/usr/bin/env node
+import {
+  buildReviewPrompt,
+  buildSecurityReviewPrompt,
+  truncateDiff
+} from "./chunk-HLWUDRBO.js";
+import {
+  ProviderRegistry
+} from "./chunk-XZBA3NHG.js";
+import {
+  ConfigManager
+} from "./chunk-MII3VYZ7.js";
+import "./chunk-OWPFDHKC.js";
+import "./chunk-2ZD3YTVM.js";
+import {
+  VERSION
+} from "./chunk-EYUL75S4.js";
+import "./chunk-PDX44BCA.js";
+
+// src/cli/ci.ts
+import { execFileSync, execSync } from "child_process";
+var CI_COMMENT_MARKER = "<!-- aicli-ci-review -->";
+function fetchDiff(opts) {
+  if (opts.diffOverride != null) return opts.diffOverride;
+  if (opts.pr != null) {
+    try {
+      return execFileSync("gh", ["pr", "diff", String(opts.pr)], {
+        encoding: "utf-8",
+        maxBuffer: 50 * 1024 * 1024
+      });
+    } catch (err) {
+      const msg = err.stderr?.toString() ?? err.message;
+      throw new Error(`gh pr diff ${opts.pr} failed: ${msg.trim()}`);
+    }
+  }
+  if (opts.base) {
+    try {
+      return execSync(`git diff ${shellQuote(opts.base)}...HEAD`, {
+        encoding: "utf-8",
+        maxBuffer: 50 * 1024 * 1024,
+        timeout: 3e4
+      });
+    } catch (err) {
+      throw new Error(`git diff ${opts.base}...HEAD failed: ${err.message}`);
+    }
+  }
+  throw new Error("aicli ci: must supply --pr <num> or --base <ref> to determine the diff source");
+}
+function shellQuote(ref) {
+  if (!/^[A-Za-z0-9._/\-]+$/.test(ref)) {
+    throw new Error(`unsafe ref: ${ref}`);
+  }
+  return ref;
+}
+function buildGitContextStr(opts) {
+  const parts = [];
+  if (opts.pr != null) parts.push(`PR: #${opts.pr}`);
+  if (opts.base) parts.push(`Base: ${opts.base}`);
+  try {
+    const branch = execSync("git rev-parse --abbrev-ref HEAD", { encoding: "utf-8", timeout: 5e3 }).trim();
+    if (branch) parts.push(`Branch: ${branch}`);
+  } catch {
+  }
+  parts.push(`Reviewer: aicli v${VERSION}`);
+  return parts.join(" | ");
+}
+function countSeverity(md) {
+  const count = (re) => (md.match(re) ?? []).length;
+  return {
+    critical: count(/🔴\s*(?:CRITICAL|Critical|critical)/g),
+    high: count(/🟠\s*(?:HIGH|High|high)/g),
+    warning: count(/🟡\s*(?:WARNING|Warning|warning|MEDIUM|Medium|medium)/g),
+    info: count(/🔵\s*(?:INFO|Info|info|LOW|Low|low)/g)
+  };
+}
+async function runOnePrompt(registry, providerId, modelId, prompt) {
+  const provider = registry.get(providerId);
+  const resp = await provider.chat({
+    messages: [{ role: "user", content: prompt }],
+    model: modelId,
+    stream: false,
+    temperature: 0.3,
+    maxTokens: 8192
+  });
+  return resp.content?.trim() ?? "";
+}
+function postOrUpdatePrComment(prNumber, body, update) {
+  const fullBody = `${body}
+
+${CI_COMMENT_MARKER}`;
+  if (update) {
+    let comments = [];
+    try {
+      const out = execFileSync("gh", ["pr", "view", String(prNumber), "--json", "comments"], {
+        encoding: "utf-8",
+        maxBuffer: 20 * 1024 * 1024
+      });
+      const parsed = JSON.parse(out);
+      comments = parsed.comments ?? [];
+    } catch {
+    }
+    const existing = comments.find((c) => c.body.includes(CI_COMMENT_MARKER));
+    if (existing) {
+      execFileSync(
+        "gh",
+        ["api", "--method", "PATCH", `repos/{owner}/{repo}/issues/comments/${gqlIdToRest(existing.id)}`, "-f", `body=${fullBody}`],
+        { stdio: "pipe" }
+      );
+      return { updated: true, id: existing.id };
+    }
+  }
+  execFileSync("gh", ["pr", "comment", String(prNumber), "--body-file", "-"], {
+    input: fullBody,
+    stdio: ["pipe", "pipe", "pipe"]
+  });
+  return { updated: false };
+}
+function gqlIdToRest(graphqlId) {
+  if (/^\d+$/.test(graphqlId)) return graphqlId;
+  const query = `query($id:ID!){ node(id:$id){ ... on IssueComment { databaseId } } }`;
+  const out = execFileSync("gh", ["api", "graphql", "-f", `query=${query}`, "-F", `id=${graphqlId}`], {
+    encoding: "utf-8"
+  });
+  const parsed = JSON.parse(out);
+  const id = parsed.data?.node?.databaseId;
+  if (!id) throw new Error(`could not resolve comment id ${graphqlId}`);
+  return String(id);
+}
+async function runCi(opts) {
+  const maxDiff = opts.maxDiffChars ?? 3e4;
+  let diff;
+  try {
+    diff = fetchDiff(opts).trim();
+  } catch (err) {
+    return {
+      exitCode: 2,
+      markdown: `\u274C ${err.message}`,
+      posted: false,
+      severity: { critical: 0, high: 0, warning: 0, info: 0 }
+    };
+  }
+  if (!diff) {
+    return {
+      exitCode: 0,
+      markdown: "\u2705 No changes to review.",
+      posted: false,
+      severity: { critical: 0, high: 0, warning: 0, info: 0 }
+    };
+  }
+  const { diff: trimmedDiff, truncated } = truncateDiff(diff, maxDiff);
+  const gitCtx = buildGitContextStr(opts);
+  const config = new ConfigManager();
+  await config.load();
+  const registry = new ProviderRegistry(config);
+  await registry.initialize();
+  const providerId = opts.provider ?? config.getDefaultProvider();
+  if (!registry.has(providerId)) {
+    return {
+      exitCode: 2,
+      markdown: `\u274C Provider '${providerId}' is not configured. Set the right AICLI_API_KEY_* env var or pass --provider.`,
+      posted: false,
+      severity: { critical: 0, high: 0, warning: 0, info: 0 }
+    };
+  }
+  const providerInfo = registry.get(providerId).info;
+  const modelId = opts.model ?? config.get("defaultModels")[providerId] ?? providerInfo.defaultModel;
+  const sections = [];
+  sections.push(`## \u{1F916} aicli code review`);
+  sections.push(`*Provider: \`${providerId}\` \xB7 Model: \`${modelId}\` \xB7 aicli v${VERSION}*`);
+  sections.push("");
+  try {
+    if (!opts.skipCode) {
+      const prompt = buildReviewPrompt(trimmedDiff, gitCtx, !!opts.detailed);
+      const review = await runOnePrompt(registry, providerId, modelId, prompt);
+      sections.push("### Code Review");
+      sections.push(review);
+      sections.push("");
+    }
+    if (!opts.skipSecurity) {
+      const prompt = buildSecurityReviewPrompt(trimmedDiff, gitCtx);
+      const review = await runOnePrompt(registry, providerId, modelId, prompt);
+      sections.push("### Security Review");
+      sections.push(review);
+      sections.push("");
+    }
+  } catch (err) {
+    return {
+      exitCode: 2,
+      markdown: `\u274C Review call failed: ${err.message}`,
+      posted: false,
+      severity: { critical: 0, high: 0, warning: 0, info: 0 }
+    };
+  }
+  if (truncated) {
+    sections.push(`> \u26A0 Diff was truncated to ${maxDiff} chars (original: ${diff.length}). Consider splitting large PRs.`);
+  }
+  const markdown = sections.join("\n");
+  const severity = countSeverity(markdown);
+  let posted = false;
+  let updatedCommentId;
+  if (opts.post && opts.pr != null && !opts.dryRun) {
+    try {
+      const result = postOrUpdatePrComment(opts.pr, markdown, opts.update !== false);
+      posted = true;
+      updatedCommentId = result.id;
+    } catch (err) {
+      return {
+        exitCode: 2,
+        markdown: `${markdown}
+
+---
+
+\u274C Failed to post comment: ${err.message}`,
+        posted: false,
+        severity
+      };
+    }
+  }
+  const hasBlocker = severity.critical > 0 || severity.high > 0;
+  return {
+    exitCode: hasBlocker ? 1 : 0,
+    markdown,
+    posted,
+    updatedCommentId,
+    severity
+  };
+}
+export {
+  CI_COMMENT_MARKER,
+  countSeverity,
+  runCi
+};

package/dist/{constants-YVTEGGKB.js → constants-MNI3S4EV.js}

@@ -36,7 +36,7 @@ import {
   TEST_TIMEOUT,
   VERSION,
   buildUserIdentityPrompt
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 import "./chunk-PDX44BCA.js";
 export {
   AGENTIC_BEHAVIOR_GUIDELINE,

package/dist/{doctor-cli-EGD6OLJO.js → doctor-cli-56AJTKP2.js}

@@ -2,25 +2,26 @@
 import {
   getConfigDirUsage,
   listRecentCrashes
-} from "./chunk-CSWA553M.js";
+} from "./chunk-ZFEFS5HS.js";
 import {
   ProviderRegistry
-} from "./chunk-YCIJZ2XS.js";
+} from "./chunk-XZBA3NHG.js";
 import {
   ConfigManager
-} from "./chunk-DX5JYNVN.js";
+} from "./chunk-MII3VYZ7.js";
 import {
   getStatsSnapshot,
   getTopFailingTools,
   getTopUsedTools,
   resetStats
-} from "./chunk-2JLVHUMU.js";
+} from "./chunk-GZNBAFTO.js";
+import "./chunk-OWPFDHKC.js";
 import "./chunk-2ZD3YTVM.js";
 import {
   DEV_STATE_FILE_NAME,
   MEMORY_FILE_NAME,
   VERSION
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 import "./chunk-PDX44BCA.js";
 
 // src/diagnostics/doctor-cli.ts

package/dist/electron-server.js

@@ -36,7 +36,7 @@ import {
   VERSION,
   buildUserIdentityPrompt,
   runTestsTool
-} from "./chunk-2YEBAHAB.js";
+} from "./chunk-OH5HVL5O.js";
 import {
   hasSemanticIndex,
   semanticSearch
@@ -286,7 +286,27 @@ var ConfigSchema = z.object({
       name: z.string().optional()
     })).default([]),
     fallback: z.string().optional()
-  }).default({ enabled: false, rules: [] })
+  }).default({ enabled: false, rules: [] }),
+  // Provider 容错（v0.4.144+）：网络抖动 / 5xx / 429 时，先在当前 provider 上做指数退避重试，
+  // 仍失败则按顺序尝试 chain 里的 fallback provider。auth / 400 / 422 等"硬失败"直接跳过同
+  // provider 重试，但仍会尝试 chain（不同 key/schema 可能能成功）。
+  // 关键约束：流式 API 一旦已经向终端 yield 过 chunk，错误立刻向上抛 —— 不能"已经吐了一半"再
+  // 重新发起请求，会撕裂用户看到的输出。
+  // enabled 默认 false：保持向前兼容，未配置 chain 的用户行为不变。
+  fallback: z.object({
+    enabled: z.boolean().default(false),
+    /** 同 provider 重试次数（不含首次调用）。0 = 不重试，直接走 chain。 */
+    retries: z.number().int().min(0).max(10).default(2),
+    /** 首次退避等待（ms），后续按 2 的幂指数增长。 */
+    initialBackoffMs: z.number().int().positive().default(500),
+    /** 单次退避的硬上限（ms）。 */
+    maxBackoffMs: z.number().int().positive().default(8e3),
+    /** 兜底 provider 链，每个 entry 仅尝试 1 次。model 省略则使用 provider 的 defaultModel。 */
+    chain: z.array(z.object({
+      provider: z.string(),
+      model: z.string().optional()
+    })).default([])
+  }).default({ enabled: false, retries: 2, initialBackoffMs: 500, maxBackoffMs: 8e3, chain: [] })
 });
 
 // src/config/env-loader.ts
@@ -12548,7 +12568,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
       case "test": {
         this.send({ type: "info", message: "\u{1F9EA} Running tests..." });
         try {
-          const { executeTests } = await import("./run-tests-VK2S7V3X.js");
+          const { executeTests } = await import("./run-tests-MDJLWONR.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {

package/dist/{hub-YNT2PVCA.js → hub-DEZX2PAA.js}

@@ -386,7 +386,7 @@ ${content}`);
   }
 }
 async function runTaskMode(config, providers, configManager, topic) {
-  const { TaskOrchestrator } = await import("./task-orchestrator-E46H7NUK.js");
+  const { TaskOrchestrator } = await import("./task-orchestrator-5N4WD2VT.js");
   const orchestrator = new TaskOrchestrator(config, providers, configManager);
   let interrupted = false;
   const onSigint = () => {

package/dist/index.js

@@ -1,4 +1,8 @@
 #!/usr/bin/env node
+import {
+  buildReviewPrompt,
+  buildSecurityReviewPrompt
+} from "./chunk-HLWUDRBO.js";
 import {
   McpManager,
   SNAPSHOT_PROMPT,
@@ -16,12 +20,12 @@ import {
   saveDevState,
   sessionHasMeaningfulContent,
   setupProxy
-} from "./chunk-GDCLDXEC.js";
+} from "./chunk-JFLT57TG.js";
 import {
   getConfigDirUsage,
   listRecentCrashes,
   writeCrashLog
-} from "./chunk-CSWA553M.js";
+} from "./chunk-ZFEFS5HS.js";
 import {
   CONTENT_ONLY_STREAM_REMINDER,
   HALLUCINATION_CORRECTION_MESSAGE,
@@ -39,10 +43,10 @@ import {
   looksLikeDocumentBody,
   stripPseudoToolCalls,
   stripToolCallReminder
-} from "./chunk-YCIJZ2XS.js";
+} from "./chunk-XZBA3NHG.js";
 import {
   ConfigManager
-} from "./chunk-DX5JYNVN.js";
+} from "./chunk-MII3VYZ7.js";
 import {
   ToolExecutor,
   ToolRegistry,
@@ -61,17 +65,22 @@ import {
   spawnAgentContext,
   theme,
   undoStack
-} from "./chunk-YPFCJ5KC.js";
+} from "./chunk-A3RPBWBF.js";
 import "./chunk-UQQJWHRV.js";
 import "./chunk-2DXY7UGF.js";
-import "./chunk-IMYOBDJG.js";
+import "./chunk-QWP4RFMS.js";
 import {
   getStatsSnapshot,
   getTopFailingTools,
   getTopUsedTools,
   installFlushOnExit
-} from "./chunk-2JLVHUMU.js";
-import "./chunk-2ZD3YTVM.js";
+} from "./chunk-GZNBAFTO.js";
+import "./chunk-OWPFDHKC.js";
+import {
+  AuthError,
+  ProviderError,
+  RateLimitError
+} from "./chunk-2ZD3YTVM.js";
 import {
   AGENTIC_BEHAVIOR_GUIDELINE,
   AUTHOR,
@@ -93,7 +102,7 @@ import {
   SKILLS_DIR_NAME,
   VERSION,
   buildUserIdentityPrompt
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 import {
   formatGitContextForPrompt,
   getGitContext,
@@ -444,6 +453,8 @@ var Renderer = class {
     console.log(feat("Tool history ordering (v0.4.100+): preserve original tool-call order across multi-turn rounds \u2014 fixes reasoning drift on long agentic loops"));
     console.log(feat("save_last_response Web mode (v0.4.101\u20130.4.102+): hidden from CLI-only contexts and tee-streams chunks to disk in Web UI as the response arrives"));
     console.log(feat("write_file long-content guidance (v0.4.103+): tool description no longer encourages AI to chunk long files \u2014 single-shot writes prevented from being split into truncated parts"));
+    console.log(feat("Provider retry + fallback chain (v0.4.144+): transient network / 5xx / 429 errors retry on the same provider with exponential backoff; persistent failures walk config.fallback.chain (per-entry provider+model). Opt-in via config.fallback.enabled. Stream-safe: never retries after first chunk yielded"));
+    console.log(feat("aicli ci \u2014 headless PR review for GitHub Actions (v0.4.145+): `aicli ci --pr <num> --post` reads diff via gh CLI, runs code + security review, posts/updates a single PR comment via sentinel marker. Drop-in workflow YAML at docs/github-actions-example.yml. Critical/high findings \u2192 exit 1 (CI gate)"));
     console.log();
   }
   printPrompt(provider, _model) {
@@ -988,62 +999,6 @@ function copyToClipboard(text) {
     }
   }
 }
-function buildReviewPrompt(diff, gitContextStr, detailed) {
-  const level = detailed ? "Please perform a detailed in-depth review covering: security, performance, maintainability, error handling, naming conventions, and code duplication." : "Please perform a concise code review focusing on bugs, security issues, and key improvement suggestions.";
-  return `# Code Review Request
-
-${level}
-
-## Git Status
-${gitContextStr}
-
-## Code Changes (diff)
-\`\`\`diff
-${diff}
-\`\`\`
-
-## Output Format
-Please structure your review as follows:
-1. **Overall Assessment**: One-sentence summary of the change quality
-2. **Issues** (if any): Each issue with [Severity] file:line \u2014 description + suggested fix
-3. **Improvement Suggestions** (if any): Non-critical but recommended optimizations
-4. **Highlights** (if any): Good practices worth acknowledging
-
-Severity levels: \u{1F534} Critical / \u{1F7E1} Warning / \u{1F535} Info`;
-}
-function buildSecurityReviewPrompt(diff, gitContextStr) {
-  return `# Security Vulnerability Review
-
-Analyze the following code changes **exclusively for security vulnerabilities**.
-
-## Categories to check:
-1. **Injection** \u2014 SQL, command, path traversal, XSS, template injection
-2. **Authentication & Authorization** \u2014 hardcoded credentials, missing auth checks, privilege escalation
-3. **Secrets & Sensitive Data** \u2014 API keys, tokens, passwords in code, logging sensitive data
-4. **Input Validation** \u2014 missing validation, unsafe deserialization, buffer issues
-5. **Cryptography** \u2014 weak algorithms, improper random, hardcoded IVs/salts
-6. **Dependencies** \u2014 known vulnerable packages, unsafe dynamic imports
-7. **File System** \u2014 path traversal, unsafe file permissions, symlink attacks
-8. **Network** \u2014 SSRF, insecure protocols, missing TLS validation
-
-## Git Status
-${gitContextStr}
-
-## Code Changes (diff)
-\`\`\`diff
-${diff}
-\`\`\`
-
-## Output Format
-For each finding:
-- **Severity**: \u{1F534} CRITICAL / \u{1F7E0} HIGH / \u{1F7E1} MEDIUM / \u{1F535} LOW / \u2139\uFE0F INFO
-- **Category**: (from list above)
-- **File & location**: file:line
-- **Description**: what the vulnerability is and how it could be exploited
-- **Recommended fix**: specific code change to resolve
-
-If no security issues found, state "\u2705 No security vulnerabilities detected" with a brief explanation of what was checked.`;
-}
 var CommandRegistry = class {
   commands = /* @__PURE__ */ new Map();
   register(command) {
@@ -1814,7 +1769,7 @@ No tools match "${filter}".
           const { join: join6 } = await import("path");
           const { existsSync: existsSync6 } = await import("fs");
           const { getGitRoot: getGitRoot2 } = await import("./git-context-7KIP4X2V.js");
-          const { MCP_PROJECT_CONFIG_NAME: MCP_PROJECT_CONFIG_NAME2 } = await import("./constants-YVTEGGKB.js");
+          const { MCP_PROJECT_CONFIG_NAME: MCP_PROJECT_CONFIG_NAME2 } = await import("./constants-MNI3S4EV.js");
           const { approveProject, hashMcpFile } = await import("./project-trust-IFM7FXEV.js");
           const cwd = process.cwd();
           const projectRoot = getGitRoot2(cwd) ?? cwd;
@@ -2875,7 +2830,7 @@ ${hint}` : "")
       usage: "/test [command|filter]",
       async execute(args, ctx) {
         try {
-          const { executeTests } = await import("./run-tests-3KUDRXXZ.js");
+          const { executeTests } = await import("./run-tests-MYF3A4YR.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {
@@ -4464,6 +4419,154 @@ function stripRoutingTags(message) {
   return message.replace(/(?:^|\s)#(fast|deep|default)\b/gi, " ").replace(/\s{2,}/g, " ").trim();
 }
 
+// src/providers/fallback.ts
+var TRANSIENT_CODES = /* @__PURE__ */ new Set([
+  "ECONNRESET",
+  "ETIMEDOUT",
+  "EAI_AGAIN",
+  "EHOSTUNREACH",
+  "ENOTFOUND",
+  "EPIPE",
+  "ECONNREFUSED",
+  "EHOSTDOWN",
+  "ENETUNREACH",
+  "UND_ERR_SOCKET",
+  // undici socket errors
+  "UND_ERR_CONNECT_TIMEOUT"
+]);
+function classifyError(err) {
+  if (err == null) return "unknown";
+  const seen = /* @__PURE__ */ new Set();
+  let cur = err;
+  for (let i = 0; i < 5 && cur && !seen.has(cur); i++) {
+    seen.add(cur);
+    const e = cur;
+    if (e.name === "AbortError" || e.code === "ABORT_ERR") return "aborted";
+    if (err instanceof AuthError) return "auth";
+    if (err instanceof RateLimitError) return "rate_limit";
+    const status = e.status ?? e.statusCode;
+    if (typeof status === "number") {
+      if (status === 429) return "rate_limit";
+      if (status === 401 || status === 403) return "auth";
+      if (status === 400 || status === 422) return "bad_request";
+      if (status >= 500 && status < 600) return "transient";
+    }
+    if (e.code && TRANSIENT_CODES.has(e.code)) return "transient";
+    cur = e.cause;
+  }
+  return "unknown";
+}
+function planAttempts(initialProvider, initialModel, registry, opts) {
+  const out = [];
+  for (let i = 0; i <= opts.retries; i++) {
+    out.push({ providerId: initialProvider, model: initialModel, retryNumber: i });
+  }
+  for (const entry of opts.chain) {
+    if (entry.provider === initialProvider) continue;
+    if (!registry.has(entry.provider)) continue;
+    const p = registry.get(entry.provider);
+    const model = entry.model ?? p.info.defaultModel;
+    out.push({ providerId: entry.provider, model, retryNumber: 0 });
+  }
+  return out;
+}
+function backoffDelay(retryNumber, opts, klass) {
+  const base = klass === "rate_limit" ? Math.max(opts.initialBackoffMs, 2e3) : opts.initialBackoffMs;
+  const expo = base * Math.pow(2, retryNumber);
+  const jitter = Math.random() * (base / 2);
+  return Math.min(opts.maxBackoffMs, expo + jitter);
+}
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+async function withFallback(initialProvider, initialModel, registry, opts, call) {
+  if (!opts.enabled) {
+    return call(registry.get(initialProvider), initialModel);
+  }
+  const attempts = planAttempts(initialProvider, initialModel, registry, opts);
+  let lastErr;
+  for (let i = 0; i < attempts.length; i++) {
+    const a = attempts[i];
+    const prev = i > 0 ? attempts[i - 1] : void 0;
+    if (prev && prev.providerId !== a.providerId) {
+      opts.onFallback?.(prev.providerId, a.providerId, a.model, lastErr);
+    } else if (a.retryNumber > 0) {
+      opts.onRetry?.(a.retryNumber, opts.retries, a.providerId, lastErr);
+      await sleep(backoffDelay(a.retryNumber - 1, opts, classifyError(lastErr)));
+    }
+    try {
+      return await call(registry.get(a.providerId), a.model);
+    } catch (err) {
+      lastErr = err;
+      const klass = classifyError(err);
+      if (klass === "aborted") throw err;
+      if (klass === "auth" || klass === "bad_request") {
+        let j = i + 1;
+        while (j < attempts.length && attempts[j].providerId === a.providerId) j++;
+        if (j >= attempts.length) throw err;
+        i = j - 1;
+        continue;
+      }
+      if (i === attempts.length - 1) throw err;
+    }
+  }
+  throw lastErr;
+}
+async function* withFallbackStream(initialProvider, initialModel, registry, opts, createStream) {
+  if (!opts.enabled) {
+    yield* createStream(registry.get(initialProvider), initialModel);
+    return;
+  }
+  const attempts = planAttempts(initialProvider, initialModel, registry, opts);
+  let lastErr;
+  for (let i = 0; i < attempts.length; i++) {
+    const a = attempts[i];
+    const prev = i > 0 ? attempts[i - 1] : void 0;
+    if (prev && prev.providerId !== a.providerId) {
+      opts.onFallback?.(prev.providerId, a.providerId, a.model, lastErr);
+    } else if (a.retryNumber > 0) {
+      opts.onRetry?.(a.retryNumber, opts.retries, a.providerId, lastErr);
+      await sleep(backoffDelay(a.retryNumber - 1, opts, classifyError(lastErr)));
+    }
+    let yielded = false;
+    try {
+      const gen = createStream(registry.get(a.providerId), a.model);
+      for await (const chunk of gen) {
+        yielded = true;
+        yield chunk;
+      }
+      return;
+    } catch (err) {
+      lastErr = err;
+      if (yielded) throw err;
+      const klass = classifyError(err);
+      if (klass === "aborted") throw err;
+      if (klass === "auth" || klass === "bad_request") {
+        let j = i + 1;
+        while (j < attempts.length && attempts[j].providerId === a.providerId) j++;
+        if (j >= attempts.length) throw err;
+        i = j - 1;
+        continue;
+      }
+      if (i === attempts.length - 1) throw err;
+    }
+  }
+  throw lastErr;
+}
+function shortErrorTag(err) {
+  if (err == null) return "unknown";
+  const e = err;
+  if (e.code) return e.code;
+  const status = e.status ?? e.statusCode;
+  if (typeof status === "number") return `HTTP ${status}`;
+  if (e instanceof ProviderError && e.message) {
+    const m = e.message.match(/\[[^\]]+\]\s*(.{0,60})/);
+    if (m) return m[1].trim();
+  }
+  if (e instanceof Error && e.message) return e.message.slice(0, 60);
+  return "error";
+}
+
 // src/repl/notify.ts
 import { spawn } from "child_process";
 import { platform as platform2 } from "os";
@@ -5820,6 +5923,35 @@ Session '${this.resumeSessionId}' not found.
       thinkingBudget: params.thinkingBudget
     };
   }
+  /**
+   * Build FallbackOptions from config + wire one-line notice callbacks to stderr.
+   * v0.4.144+: when config.fallback.enabled is true, network/5xx/429 failures retry
+   * on the same provider with exponential backoff; persistent failures walk the
+   * config.fallback.chain. Returns disabled-opts if user hasn't opted in.
+   */
+  getFallbackOptions(spinner) {
+    const cfg = this.config.get("fallback");
+    const enabled = !!cfg?.enabled;
+    return {
+      enabled,
+      retries: cfg?.retries ?? 2,
+      initialBackoffMs: cfg?.initialBackoffMs ?? 500,
+      maxBackoffMs: cfg?.maxBackoffMs ?? 8e3,
+      chain: cfg?.chain ?? [],
+      onRetry: (attempt, total, providerId, err) => {
+        spinner.stop();
+        process.stderr.write(theme.warning(`  [${providerId}] retry ${attempt}/${total}: ${shortErrorTag(err)}
+`));
+        spinner.start("Retrying...");
+      },
+      onFallback: (from, to, toModel, err) => {
+        spinner.stop();
+        process.stderr.write(theme.warning(`  [${from} \u2192 ${to}] falling over to ${toModel}: ${shortErrorTag(err)}
+`));
+        spinner.start("Retrying...");
+      }
+    };
+  }
   /**
    * Compute smart-routing decision for this user turn.
    * Only considers models available for the current provider (rule skipped otherwise).
@@ -6515,9 +6647,19 @@ ${mcpBudgetNote}` : "");
         if (supportsStreamingTools) {
           const streamAc = this.setupStreamInterrupt();
           try {
-            const streamGen = provider.chatWithToolsStream(
-              { ...chatRequest, signal: streamAc.signal },
-              toolDefs
+            const fallbackOpts = this.getFallbackOptions(spinner);
+            const streamGen = withFallbackStream(
+              this.currentProvider,
+              effectiveModel,
+              this.providers,
+              fallbackOpts,
+              (p, m) => {
+                const tc = p;
+                if (typeof tc.chatWithToolsStream !== "function") {
+                  throw new Error(`provider ${p.info.id} does not support streaming tool calls`);
+                }
+                return tc.chatWithToolsStream({ ...chatRequest, model: m, signal: streamAc.signal }, toolDefs);
+              }
             );
             const streamResult = await this.consumeToolStream(streamGen, spinner);
             if (streamResult.toolCalls.length > 0) {
@@ -6546,7 +6688,14 @@ ${mcpBudgetNote}` : "");
             this.teardownStreamInterrupt();
           }
         } else {
-          result = await provider.chatWithTools(chatRequest, toolDefs);
+          const fallbackOpts = this.getFallbackOptions(spinner);
+          result = await withFallback(
+            this.currentProvider,
+            effectiveModel,
+            this.providers,
+            fallbackOpts,
+            (p, m) => p.chatWithTools({ ...chatRequest, model: m }, toolDefs)
+          );
         }
         if (result.usage) {
           roundUsage.inputTokens += result.usage.inputTokens;
@@ -7381,7 +7530,7 @@ program.command("web").description("Start Web UI server with browser-based chat
     console.error("Error: Invalid port number. Must be between 1 and 65535.");
     process.exit(1);
   }
-  const { startWebServer } = await import("./server-KZOHU7OE.js");
+  const { startWebServer } = await import("./server-RB4ACTOJ.js");
   await startWebServer({ port, host: options.host });
 });
 program.command("user [action] [username]").description("Manage Web UI users (list | create <name> | delete <name> | reset-password <name> | logout-all <name> | migrate <name>)").action(async (action, username) => {
@@ -7548,12 +7697,12 @@ program.command("sessions").description("List recent conversation sessions").opt
   console.log(footer + "\n");
 });
 program.command("doctor").description("Health check: API keys, config, MCP, recent crashes, tool usage, disk usage").option("--json", "Output as JSON (for scripting)").option("--reset-stats", "Reset accumulated tool usage statistics").action(async (options) => {
-  const { runDoctorCli } = await import("./doctor-cli-EGD6OLJO.js");
+  const { runDoctorCli } = await import("./doctor-cli-56AJTKP2.js");
   await runDoctorCli({ json: !!options.json, resetStats: !!options.resetStats });
 });
 program.command("batch <action> [arg] [arg2]").description("Anthropic Message Batches: submit | list | status <id> | results <id> [out] | cancel <id>").option("--dry-run", "Parse and validate input without submitting (submit only)").action(async (action, arg, arg2, options) => {
   try {
-    const batch = await import("./batch-FTCB7YHA.js");
+    const batch = await import("./batch-ZMDHCPMO.js");
     switch (action) {
       case "submit":
         if (!arg) {
@@ -7596,7 +7745,7 @@ program.command("batch <action> [arg] [arg2]").description("Anthropic Message Ba
   }
 });
 program.command("mcp-serve").description("Start an MCP server over STDIO, exposing aicli's built-in tools to Claude Desktop / Cursor / other MCP clients").option("--allow-destructive", "Allow bash / run_interactive / task_create (always destructive in MCP mode)").option("--allow-outside-cwd", "Allow tool path arguments to escape the sandbox root \u2014 disabled by default").option("--tools <list>", "Comma-separated whitelist of tools to expose (default: all eligible tools)").option("--cwd <path>", "Working directory AND sandbox root (default: current directory)").action(async (options) => {
-  const { startMcpServer } = await import("./server-7UH5SJSC.js");
+  const { startMcpServer } = await import("./server-IITOENMZ.js");
   await startMcpServer({
     allowDestructive: !!options.allowDestructive,
     allowOutsideCwd: !!options.allowOutsideCwd,
@@ -7604,6 +7753,29 @@ program.command("mcp-serve").description("Start an MCP server over STDIO, exposi
     cwd: options.cwd
   });
 });
+program.command("ci").description("Headless PR review (code + security) \u2014 reads git/gh diff, optionally posts to PR. Designed for GitHub Actions.").option("--pr <num>", "PR number; diff fetched via `gh pr diff <num>`", (v) => parseInt(v, 10)).option("--base <ref>", "Base ref for `git diff <ref>...HEAD` (ignored when --pr set)").option("--post", "Post review as a PR comment (requires gh CLI + GH_TOKEN, needs --pr)").option("--no-update", "Always create a new comment instead of updating the previous aicli review").option("--skip-code", "Skip the code review section").option("--skip-security", "Skip the security review section").option("--detailed", "Use the detailed code-review prompt").option("--max-diff <n>", "Max diff chars sent to the model (default 30000)", (v) => parseInt(v, 10)).option("--provider <id>", "Override provider (default: config.defaultProvider)").option("--model <id>", "Override model").option("--dry-run", "Print result to stdout instead of posting (overrides --post)").action(async (options) => {
+  const { runCi } = await import("./ci-FCVBC4WJ.js");
+  const result = await runCi({
+    pr: options.pr,
+    base: options.base,
+    post: !!options.post,
+    update: options.update !== false,
+    skipCode: !!options.skipCode,
+    skipSecurity: !!options.skipSecurity,
+    detailed: !!options.detailed,
+    maxDiffChars: options.maxDiff,
+    provider: options.provider,
+    model: options.model,
+    dryRun: !!options.dryRun
+  });
+  process.stdout.write(result.markdown + "\n");
+  if (result.posted) {
+    process.stderr.write(`
+\u2705 Posted review to PR #${options.pr}${result.updatedCommentId ? " (updated existing comment)" : ""}
+`);
+  }
+  process.exit(result.exitCode);
+});
 program.command("help").description("Show a comprehensive guide to all aicli features and commands").action(() => {
   const B = "\x1B[1m";
   const D = "\x1B[2m";
@@ -7723,7 +7895,7 @@ program.command("hub [topic]").description("Start multi-agent hub (discuss / bra
     }),
     config.get("customProviders")
   );
-  const { startHub } = await import("./hub-YNT2PVCA.js");
+  const { startHub } = await import("./hub-DEZX2PAA.js");
   await startHub(
     {
       topic: topic ?? "",

package/dist/{run-tests-VK2S7V3X.js → run-tests-MDJLWONR.js}

@@ -1,7 +1,7 @@
 import {
   executeTests,
   runTestsTool
-} from "./chunk-2YEBAHAB.js";
+} from "./chunk-OH5HVL5O.js";
 import "./chunk-3RG5ZIWI.js";
 export {
   executeTests,

package/dist/{run-tests-3KUDRXXZ.js → run-tests-MYF3A4YR.js}

@@ -2,8 +2,8 @@
 import {
   executeTests,
   runTestsTool
-} from "./chunk-IMYOBDJG.js";
-import "./chunk-VXFBUMWG.js";
+} from "./chunk-QWP4RFMS.js";
+import "./chunk-EYUL75S4.js";
 import "./chunk-PDX44BCA.js";
 export {
   executeTests,

package/dist/{server-7UH5SJSC.js → server-IITOENMZ.js}

@@ -1,19 +1,21 @@
 #!/usr/bin/env node
 import {
   ToolRegistry
-} from "./chunk-YPFCJ5KC.js";
+} from "./chunk-A3RPBWBF.js";
 import "./chunk-UQQJWHRV.js";
 import "./chunk-2DXY7UGF.js";
-import "./chunk-IMYOBDJG.js";
+import "./chunk-QWP4RFMS.js";
+import {
+  runTool
+} from "./chunk-GZNBAFTO.js";
 import {
   getDangerLevel,
-  runTool,
   schemaToJsonSchema
-} from "./chunk-2JLVHUMU.js";
+} from "./chunk-OWPFDHKC.js";
 import "./chunk-2ZD3YTVM.js";
 import {
   VERSION
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 import "./chunk-4BKXL7SM.js";
 import "./chunk-7ZJN4KLV.js";
 import "./chunk-KHYD3WXE.js";

package/dist/{server-KZOHU7OE.js → server-RB4ACTOJ.js}

@@ -14,7 +14,7 @@ import {
   loadDevState,
   persistToolRound,
   setupProxy
-} from "./chunk-GDCLDXEC.js";
+} from "./chunk-JFLT57TG.js";
 import {
   CONTENT_ONLY_STREAM_REMINDER,
   HALLUCINATION_CORRECTION_MESSAGE,
@@ -28,10 +28,10 @@ import {
   looksLikeDocumentBody,
   stripPseudoToolCalls,
   stripToolCallReminder
-} from "./chunk-YCIJZ2XS.js";
+} from "./chunk-XZBA3NHG.js";
 import {
   ConfigManager
-} from "./chunk-DX5JYNVN.js";
+} from "./chunk-MII3VYZ7.js";
 import {
   ToolExecutor,
   ToolRegistry,
@@ -49,14 +49,16 @@ import {
   spawnAgentContext,
   truncateOutput,
   undoStack
-} from "./chunk-YPFCJ5KC.js";
+} from "./chunk-A3RPBWBF.js";
 import "./chunk-UQQJWHRV.js";
 import "./chunk-2DXY7UGF.js";
-import "./chunk-IMYOBDJG.js";
+import "./chunk-QWP4RFMS.js";
 import {
-  getDangerLevel,
   runTool
-} from "./chunk-2JLVHUMU.js";
+} from "./chunk-GZNBAFTO.js";
+import {
+  getDangerLevel
+} from "./chunk-OWPFDHKC.js";
 import "./chunk-2ZD3YTVM.js";
 import {
   AGENTIC_BEHAVIOR_GUIDELINE,
@@ -76,7 +78,7 @@ import {
   SKILLS_DIR_NAME,
   VERSION,
   buildUserIdentityPrompt
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 import {
   formatGitContextForPrompt,
   getGitContext,
@@ -2460,7 +2462,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
       case "test": {
         this.send({ type: "info", message: "\u{1F9EA} Running tests..." });
         try {
-          const { executeTests } = await import("./run-tests-3KUDRXXZ.js");
+          const { executeTests } = await import("./run-tests-MYF3A4YR.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {

package/dist/{task-orchestrator-E46H7NUK.js → task-orchestrator-5N4WD2VT.js}

@@ -3,18 +3,20 @@ import {
   ToolRegistry,
   googleSearchContext,
   truncateOutput
-} from "./chunk-YPFCJ5KC.js";
+} from "./chunk-A3RPBWBF.js";
 import "./chunk-UQQJWHRV.js";
 import "./chunk-2DXY7UGF.js";
-import "./chunk-IMYOBDJG.js";
+import "./chunk-QWP4RFMS.js";
 import {
-  getDangerLevel,
   runTool
-} from "./chunk-2JLVHUMU.js";
+} from "./chunk-GZNBAFTO.js";
+import {
+  getDangerLevel
+} from "./chunk-OWPFDHKC.js";
 import "./chunk-2ZD3YTVM.js";
 import {
   SUBAGENT_ALLOWED_TOOLS
-} from "./chunk-VXFBUMWG.js";
+} from "./chunk-EYUL75S4.js";
 import "./chunk-4BKXL7SM.js";
 import "./chunk-7ZJN4KLV.js";
 import "./chunk-KHYD3WXE.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jinzd-ai-cli",
-  "version": "0.4.143",
+  "version": "0.4.145",
   "description": "Cross-platform REPL-style AI CLI with multi-provider support",
   "type": "module",
   "main": "./dist/index.js",