jinzd-ai-cli 0.4.144 → 0.4.146

package/dist/{batch-64YESATH.js → batch-GMCR2YE6.js}

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 import {
   ConfigManager
-} from "./chunk-WPYKTLP2.js";
+} from "./chunk-AQQSYFTU.js";
 import "./chunk-2ZD3YTVM.js";
-import "./chunk-XW4EP5IE.js";
+import "./chunk-EUE7FFIO.js";
 import "./chunk-PDX44BCA.js";
 
 // src/cli/batch.ts

package/dist/{chunk-WPYKTLP2.js → chunk-AQQSYFTU.js}

@@ -8,7 +8,7 @@ import {
   CONFIG_FILE_NAME,
   HISTORY_DIR_NAME,
   PLUGINS_DIR_NAME
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 
 // src/config/config-manager.ts
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";

package/dist/{chunk-HUILGJNB.js → chunk-AWRXHBW2.js}

@@ -2,7 +2,7 @@
 import {
   CONFIG_DIR_NAME,
   VERSION
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 
 // src/diagnostics/crash-log.ts
 import {

package/dist/{chunk-PWCPOHZ4.js → chunk-BOQ4YWRM.js}

@@ -5,12 +5,14 @@ import {
 } from "./chunk-UQQJWHRV.js";
 import {
   runTestsTool
-} from "./chunk-2JPLV25X.js";
+} from "./chunk-GB2KTJC2.js";
 import {
-  getDangerLevel,
-  isFileWriteTool,
   runTool
-} from "./chunk-QSGDXXE6.js";
+} from "./chunk-JB7LEZQO.js";
+import {
+  getDangerLevel,
+  isFileWriteTool
+} from "./chunk-OWPFDHKC.js";
 import {
   EnvLoader,
   NetworkError,
@@ -23,7 +25,7 @@ import {
   SUBAGENT_ALLOWED_TOOLS,
   SUBAGENT_DEFAULT_MAX_ROUNDS,
   SUBAGENT_MAX_ROUNDS_LIMIT
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 import {
   fileCheckpoints
 } from "./chunk-4BKXL7SM.js";
@@ -418,6 +420,11 @@ function buildErrorHint(command, stderr) {
       `Hint: On Windows, "Remove-Item ... -ErrorAction SilentlyContinue" still makes the powershell process exit 1 when no files match (even though the error is silenced). Use Test-Path as a guard: @('tmp_a.sql','tmp_b.sql','tmp_c.csv') | Where-Object { Test-Path $_ } | Remove-Item -Force \u2014 Test-Path returns a bool without raising, so missing paths are filtered out and exit code is 0.`
     );
   }
+  if (IS_WINDOWS && /-(?:EA|ErrorAction)\s+(?:SilentlyContinue|Ignore)\b/i.test(command) && /\b(Get-ChildItem|Get-Item|Get-Content|gci|gi|gc|dir|ls)\b/i.test(command) && !/Remove-Item/i.test(command) && !/Test-Path/i.test(command) && /cannot find path|no such file|does not exist|exit 1|不存在|找不到/i.test(stderr || command)) {
+    hints.push(
+      `Hint: On Windows, "-ErrorAction SilentlyContinue" silences the error MESSAGE but does NOT change the exit code \u2014 the process still exits 1 when the path doesn't exist (because powershell.exe -NonInteractive flips the exit code on any non-terminating error, silenced or not). If you're just probing for existence, use Test-Path instead \u2014 it returns $true/$false without raising: \`if (Test-Path ./mydir) { Get-ChildItem ./mydir }\` or unconditionally use \`New-Item -ItemType Directory -Force -Path ./mydir\` which is idempotent. Don't retry the same -ErrorAction SilentlyContinue probe expecting a different result.`
+    );
+  }
   const colMissing = stderr.match(/column "([^"]+)" does not exist/i);
   if (colMissing) {
     hints.push(

package/dist/{chunk-XW4EP5IE.js → chunk-EUE7FFIO.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/core/constants.ts
-var VERSION = "0.4.144";
+var VERSION = "0.4.146";
 var APP_NAME = "ai-cli";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";

package/dist/{chunk-2JPLV25X.js → chunk-GB2KTJC2.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   TEST_TIMEOUT
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 
 // src/tools/builtin/run-tests.ts
 import { execSync, spawnSync } from "child_process";

package/dist/chunk-HLWUDRBO.js

@@ -0,0 +1,74 @@
+#!/usr/bin/env node
+
+// src/cli/review-prompts.ts
+function buildReviewPrompt(diff, gitContextStr, detailed) {
+  const level = detailed ? "Please perform a detailed in-depth review covering: security, performance, maintainability, error handling, naming conventions, and code duplication." : "Please perform a concise code review focusing on bugs, security issues, and key improvement suggestions.";
+  return `# Code Review Request
+
+${level}
+
+## Git Status
+${gitContextStr}
+
+## Code Changes (diff)
+\`\`\`diff
+${diff}
+\`\`\`
+
+## Output Format
+Please structure your review as follows:
+1. **Overall Assessment**: One-sentence summary of the change quality
+2. **Issues** (if any): Each issue with [Severity] file:line \u2014 description + suggested fix
+3. **Improvement Suggestions** (if any): Non-critical but recommended optimizations
+4. **Highlights** (if any): Good practices worth acknowledging
+
+Severity levels: \u{1F534} Critical / \u{1F7E1} Warning / \u{1F535} Info`;
+}
+function buildSecurityReviewPrompt(diff, gitContextStr) {
+  return `# Security Vulnerability Review
+
+Analyze the following code changes **exclusively for security vulnerabilities**.
+
+## Categories to check:
+1. **Injection** \u2014 SQL, command, path traversal, XSS, template injection
+2. **Authentication & Authorization** \u2014 hardcoded credentials, missing auth checks, privilege escalation
+3. **Secrets & Sensitive Data** \u2014 API keys, tokens, passwords in code, logging sensitive data
+4. **Input Validation** \u2014 missing validation, unsafe deserialization, buffer issues
+5. **Cryptography** \u2014 weak algorithms, improper random, hardcoded IVs/salts
+6. **Dependencies** \u2014 known vulnerable packages, unsafe dynamic imports
+7. **File System** \u2014 path traversal, unsafe file permissions, symlink attacks
+8. **Network** \u2014 SSRF, insecure protocols, missing TLS validation
+
+## Git Status
+${gitContextStr}
+
+## Code Changes (diff)
+\`\`\`diff
+${diff}
+\`\`\`
+
+## Output Format
+For each finding:
+- **Severity**: \u{1F534} CRITICAL / \u{1F7E0} HIGH / \u{1F7E1} MEDIUM / \u{1F535} LOW / \u2139\uFE0F INFO
+- **Category**: (from list above)
+- **File & location**: file:line
+- **Description**: what the vulnerability is and how it could be exploited
+- **Recommended fix**: specific code change to resolve
+
+If no security issues found, state "\u2705 No security vulnerabilities detected" with a brief explanation of what was checked.`;
+}
+function truncateDiff(diff, maxChars) {
+  if (diff.length <= maxChars) return { diff, truncated: false };
+  const head = diff.slice(0, Math.floor(maxChars * 0.7));
+  const tail = diff.slice(diff.length - Math.floor(maxChars * 0.2));
+  return {
+    diff: head + "\n\n... [diff truncated, " + diff.length + " chars total] ...\n\n" + tail,
+    truncated: true
+  };
+}
+
+export {
+  buildReviewPrompt,
+  buildSecurityReviewPrompt,
+  truncateDiff
+};

package/dist/{chunk-QSGDXXE6.js → chunk-JB7LEZQO.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   CONFIG_DIR_NAME
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 
 // src/diagnostics/tool-stats.ts
 import { existsSync, readFileSync, writeFileSync, mkdirSync, renameSync } from "fs";
@@ -118,69 +118,11 @@ function installFlushOnExit() {
   process.on("exit", () => flush());
 }
 
-// src/tools/types.ts
-function isFileWriteTool(name) {
-  return name === "write_file" || name === "edit_file" || name === "notebook_edit";
-}
-function getDangerLevel(toolName, args) {
-  if (toolName.startsWith("mcp__")) return "safe";
-  if (toolName === "bash") {
-    const cmd = String(args["command"] ?? "");
-    if (/\brm\s+[^\n]*(?:-\w*[rRfF]\w*|--recursive|--force)\b/.test(cmd)) return "destructive";
-    if (/\brm\s+\S/.test(cmd)) return "destructive";
-    if (/\brmdir\b|\bformat\b|\bmkfs\b|\bdd\s+if=|\bshred\b|\bfdisk\b|\bparted\b/.test(cmd)) return "destructive";
-    if (/\bshutdown\b|\breboot\b|\bhalt\b|\bpoweroff\b/.test(cmd)) return "destructive";
-    if (/\bkill\s+-9\b|\bkillall\b/.test(cmd)) return "destructive";
-    if (/\bRemove-Item\b|\bri\s+\S/i.test(cmd)) return "destructive";
-    if (/\brd\s+\/s\b|\brmdir\s+\/s\b/i.test(cmd)) return "destructive";
-    if (/\bdel\s+\S/.test(cmd)) return "destructive";
-    if (/\bShutdown(-Computer)?\b|\bRestart-Computer\b/i.test(cmd)) return "destructive";
-    if (/(?:^|[\s|;&])>>?\s*\S/.test(cmd)) return "write";
-    if (/\btee\b|\bcp\b|\bmv\b|\bln\s+-s/.test(cmd)) return "write";
-    if (/\bchmod\b|\bchown\b/.test(cmd)) return "write";
-    if (/\bSet-Content\b|\bOut-File\b|\bAdd-Content\b|\bCopy-Item\b|\bMove-Item\b|\bSet-ItemProperty\b|\bNew-ItemProperty\b/i.test(cmd)) return "write";
-    return "safe";
-  }
-  if (toolName === "write_file") return "write";
-  if (toolName === "edit_file") return "write";
-  if (toolName === "save_last_response") return "write";
-  if (toolName === "run_interactive") {
-    const exe = String(args["executable"] ?? "").toLowerCase();
-    if (/\b(rm|rmdir|del|format|mkfs|Remove-Item)\b/i.test(exe)) return "destructive";
-    if (/\b(bash|sh|zsh|cmd|powershell|pwsh|python|node|ruby|perl)\b/i.test(exe)) return "write";
-    return "write";
-  }
-  if (toolName === "task_create" || toolName === "task_stop") return "write";
-  if (toolName === "task_list") return "safe";
-  if (toolName === "git_commit") return "write";
-  if (toolName === "git_status" || toolName === "git_diff" || toolName === "git_log") return "safe";
-  if (toolName === "notebook_edit") return "write";
-  if (toolName === "read_file" || toolName === "list_dir" || toolName === "grep_files" || toolName === "glob_files" || toolName === "web_fetch" || toolName === "save_memory" || toolName === "ask_user" || toolName === "write_todos" || toolName === "google_search" || toolName === "spawn_agent" || toolName === "run_tests") return "safe";
-  return "write";
-}
-function schemaToJsonSchema(schema) {
-  const result = {
-    type: schema.type,
-    description: schema.description
-  };
-  if (schema.enum) result["enum"] = schema.enum;
-  if (schema.items) result["items"] = schemaToJsonSchema(schema.items);
-  if (schema.properties) {
-    result["properties"] = Object.fromEntries(
-      Object.entries(schema.properties).map(([k, v]) => [k, schemaToJsonSchema(v)])
-    );
-  }
-  return result;
-}
-
 export {
   runTool,
   getStatsSnapshot,
   getTopFailingTools,
   getTopUsedTools,
   resetStats,
-  installFlushOnExit,
-  isFileWriteTool,
-  getDangerLevel,
-  schemaToJsonSchema
+  installFlushOnExit
 };

package/dist/chunk-OWPFDHKC.js

@@ -0,0 +1,62 @@
+#!/usr/bin/env node
+
+// src/tools/types.ts
+function isFileWriteTool(name) {
+  return name === "write_file" || name === "edit_file" || name === "notebook_edit";
+}
+function getDangerLevel(toolName, args) {
+  if (toolName.startsWith("mcp__")) return "safe";
+  if (toolName === "bash") {
+    const cmd = String(args["command"] ?? "");
+    if (/\brm\s+[^\n]*(?:-\w*[rRfF]\w*|--recursive|--force)\b/.test(cmd)) return "destructive";
+    if (/\brm\s+\S/.test(cmd)) return "destructive";
+    if (/\brmdir\b|\bformat\b|\bmkfs\b|\bdd\s+if=|\bshred\b|\bfdisk\b|\bparted\b/.test(cmd)) return "destructive";
+    if (/\bshutdown\b|\breboot\b|\bhalt\b|\bpoweroff\b/.test(cmd)) return "destructive";
+    if (/\bkill\s+-9\b|\bkillall\b/.test(cmd)) return "destructive";
+    if (/\bRemove-Item\b|\bri\s+\S/i.test(cmd)) return "destructive";
+    if (/\brd\s+\/s\b|\brmdir\s+\/s\b/i.test(cmd)) return "destructive";
+    if (/\bdel\s+\S/.test(cmd)) return "destructive";
+    if (/\bShutdown(-Computer)?\b|\bRestart-Computer\b/i.test(cmd)) return "destructive";
+    if (/(?:^|[\s|;&])>>?\s*\S/.test(cmd)) return "write";
+    if (/\btee\b|\bcp\b|\bmv\b|\bln\s+-s/.test(cmd)) return "write";
+    if (/\bchmod\b|\bchown\b/.test(cmd)) return "write";
+    if (/\bSet-Content\b|\bOut-File\b|\bAdd-Content\b|\bCopy-Item\b|\bMove-Item\b|\bSet-ItemProperty\b|\bNew-ItemProperty\b/i.test(cmd)) return "write";
+    return "safe";
+  }
+  if (toolName === "write_file") return "write";
+  if (toolName === "edit_file") return "write";
+  if (toolName === "save_last_response") return "write";
+  if (toolName === "run_interactive") {
+    const exe = String(args["executable"] ?? "").toLowerCase();
+    if (/\b(rm|rmdir|del|format|mkfs|Remove-Item)\b/i.test(exe)) return "destructive";
+    if (/\b(bash|sh|zsh|cmd|powershell|pwsh|python|node|ruby|perl)\b/i.test(exe)) return "write";
+    return "write";
+  }
+  if (toolName === "task_create" || toolName === "task_stop") return "write";
+  if (toolName === "task_list") return "safe";
+  if (toolName === "git_commit") return "write";
+  if (toolName === "git_status" || toolName === "git_diff" || toolName === "git_log") return "safe";
+  if (toolName === "notebook_edit") return "write";
+  if (toolName === "read_file" || toolName === "list_dir" || toolName === "grep_files" || toolName === "glob_files" || toolName === "web_fetch" || toolName === "save_memory" || toolName === "ask_user" || toolName === "write_todos" || toolName === "google_search" || toolName === "spawn_agent" || toolName === "run_tests") return "safe";
+  return "write";
+}
+function schemaToJsonSchema(schema) {
+  const result = {
+    type: schema.type,
+    description: schema.description
+  };
+  if (schema.enum) result["enum"] = schema.enum;
+  if (schema.items) result["items"] = schemaToJsonSchema(schema.items);
+  if (schema.properties) {
+    result["properties"] = Object.fromEntries(
+      Object.entries(schema.properties).map(([k, v]) => [k, schemaToJsonSchema(v)])
+    );
+  }
+  return result;
+}
+
+export {
+  isFileWriteTool,
+  getDangerLevel,
+  schemaToJsonSchema
+};

package/dist/{chunk-YGGW2D2V.js → chunk-QJWZ5G64.js}

@@ -6,7 +6,7 @@ import { platform } from "os";
 import chalk from "chalk";
 
 // src/core/constants.ts
-var VERSION = "0.4.144";
+var VERSION = "0.4.146";
 var APP_NAME = "ai-cli";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";

package/dist/{chunk-IGZVCNGE.js → chunk-RJYVWTHV.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   truncateForPersist
-} from "./chunk-PWCPOHZ4.js";
+} from "./chunk-BOQ4YWRM.js";
 import {
   APP_NAME,
   CONFIG_DIR_NAME,
@@ -11,7 +11,7 @@ import {
   MCP_PROTOCOL_VERSION,
   MCP_TOOL_PREFIX,
   VERSION
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 import {
   redactJson
 } from "./chunk-7ZJN4KLV.js";

package/dist/{chunk-EHLHWFZP.js → chunk-XZBA3NHG.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   schemaToJsonSchema
-} from "./chunk-QSGDXXE6.js";
+} from "./chunk-OWPFDHKC.js";
 import {
   AuthError,
   ProviderError,

package/dist/ci-CPXECTTZ.js

@@ -0,0 +1,232 @@
+#!/usr/bin/env node
+import {
+  buildReviewPrompt,
+  buildSecurityReviewPrompt,
+  truncateDiff
+} from "./chunk-HLWUDRBO.js";
+import {
+  ProviderRegistry
+} from "./chunk-XZBA3NHG.js";
+import {
+  ConfigManager
+} from "./chunk-AQQSYFTU.js";
+import "./chunk-OWPFDHKC.js";
+import "./chunk-2ZD3YTVM.js";
+import {
+  VERSION
+} from "./chunk-EUE7FFIO.js";
+import "./chunk-PDX44BCA.js";
+
+// src/cli/ci.ts
+import { execFileSync, execSync } from "child_process";
+var CI_COMMENT_MARKER = "<!-- aicli-ci-review -->";
+function fetchDiff(opts) {
+  if (opts.diffOverride != null) return opts.diffOverride;
+  if (opts.pr != null) {
+    try {
+      return execFileSync("gh", ["pr", "diff", String(opts.pr)], {
+        encoding: "utf-8",
+        maxBuffer: 50 * 1024 * 1024
+      });
+    } catch (err) {
+      const msg = err.stderr?.toString() ?? err.message;
+      throw new Error(`gh pr diff ${opts.pr} failed: ${msg.trim()}`);
+    }
+  }
+  if (opts.base) {
+    try {
+      return execSync(`git diff ${shellQuote(opts.base)}...HEAD`, {
+        encoding: "utf-8",
+        maxBuffer: 50 * 1024 * 1024,
+        timeout: 3e4
+      });
+    } catch (err) {
+      throw new Error(`git diff ${opts.base}...HEAD failed: ${err.message}`);
+    }
+  }
+  throw new Error("aicli ci: must supply --pr <num> or --base <ref> to determine the diff source");
+}
+function shellQuote(ref) {
+  if (!/^[A-Za-z0-9._/\-]+$/.test(ref)) {
+    throw new Error(`unsafe ref: ${ref}`);
+  }
+  return ref;
+}
+function buildGitContextStr(opts) {
+  const parts = [];
+  if (opts.pr != null) parts.push(`PR: #${opts.pr}`);
+  if (opts.base) parts.push(`Base: ${opts.base}`);
+  try {
+    const branch = execSync("git rev-parse --abbrev-ref HEAD", { encoding: "utf-8", timeout: 5e3 }).trim();
+    if (branch) parts.push(`Branch: ${branch}`);
+  } catch {
+  }
+  parts.push(`Reviewer: aicli v${VERSION}`);
+  return parts.join(" | ");
+}
+function countSeverity(md) {
+  const count = (re) => (md.match(re) ?? []).length;
+  return {
+    critical: count(/🔴\s*(?:CRITICAL|Critical|critical)/g),
+    high: count(/🟠\s*(?:HIGH|High|high)/g),
+    warning: count(/🟡\s*(?:WARNING|Warning|warning|MEDIUM|Medium|medium)/g),
+    info: count(/🔵\s*(?:INFO|Info|info|LOW|Low|low)/g)
+  };
+}
+async function runOnePrompt(registry, providerId, modelId, prompt) {
+  const provider = registry.get(providerId);
+  const resp = await provider.chat({
+    messages: [{ role: "user", content: prompt }],
+    model: modelId,
+    stream: false,
+    temperature: 0.3,
+    maxTokens: 8192
+  });
+  return resp.content?.trim() ?? "";
+}
+function postOrUpdatePrComment(prNumber, body, update) {
+  const fullBody = `${body}
+
+${CI_COMMENT_MARKER}`;
+  if (update) {
+    let comments = [];
+    try {
+      const out = execFileSync("gh", ["pr", "view", String(prNumber), "--json", "comments"], {
+        encoding: "utf-8",
+        maxBuffer: 20 * 1024 * 1024
+      });
+      const parsed = JSON.parse(out);
+      comments = parsed.comments ?? [];
+    } catch {
+    }
+    const existing = comments.find((c) => c.body.includes(CI_COMMENT_MARKER));
+    if (existing) {
+      execFileSync(
+        "gh",
+        ["api", "--method", "PATCH", `repos/{owner}/{repo}/issues/comments/${gqlIdToRest(existing.id)}`, "-f", `body=${fullBody}`],
+        { stdio: "pipe" }
+      );
+      return { updated: true, id: existing.id };
+    }
+  }
+  execFileSync("gh", ["pr", "comment", String(prNumber), "--body-file", "-"], {
+    input: fullBody,
+    stdio: ["pipe", "pipe", "pipe"]
+  });
+  return { updated: false };
+}
+function gqlIdToRest(graphqlId) {
+  if (/^\d+$/.test(graphqlId)) return graphqlId;
+  const query = `query($id:ID!){ node(id:$id){ ... on IssueComment { databaseId } } }`;
+  const out = execFileSync("gh", ["api", "graphql", "-f", `query=${query}`, "-F", `id=${graphqlId}`], {
+    encoding: "utf-8"
+  });
+  const parsed = JSON.parse(out);
+  const id = parsed.data?.node?.databaseId;
+  if (!id) throw new Error(`could not resolve comment id ${graphqlId}`);
+  return String(id);
+}
+async function runCi(opts) {
+  const maxDiff = opts.maxDiffChars ?? 3e4;
+  let diff;
+  try {
+    diff = fetchDiff(opts).trim();
+  } catch (err) {
+    return {
+      exitCode: 2,
+      markdown: `\u274C ${err.message}`,
+      posted: false,
+      severity: { critical: 0, high: 0, warning: 0, info: 0 }
+    };
+  }
+  if (!diff) {
+    return {
+      exitCode: 0,
+      markdown: "\u2705 No changes to review.",
+      posted: false,
+      severity: { critical: 0, high: 0, warning: 0, info: 0 }
+    };
+  }
+  const { diff: trimmedDiff, truncated } = truncateDiff(diff, maxDiff);
+  const gitCtx = buildGitContextStr(opts);
+  const config = new ConfigManager();
+  await config.load();
+  const registry = new ProviderRegistry(config);
+  await registry.initialize();
+  const providerId = opts.provider ?? config.getDefaultProvider();
+  if (!registry.has(providerId)) {
+    return {
+      exitCode: 2,
+      markdown: `\u274C Provider '${providerId}' is not configured. Set the right AICLI_API_KEY_* env var or pass --provider.`,
+      posted: false,
+      severity: { critical: 0, high: 0, warning: 0, info: 0 }
+    };
+  }
+  const providerInfo = registry.get(providerId).info;
+  const modelId = opts.model ?? config.get("defaultModels")[providerId] ?? providerInfo.defaultModel;
+  const sections = [];
+  sections.push(`## \u{1F916} aicli code review`);
+  sections.push(`*Provider: \`${providerId}\` \xB7 Model: \`${modelId}\` \xB7 aicli v${VERSION}*`);
+  sections.push("");
+  try {
+    if (!opts.skipCode) {
+      const prompt = buildReviewPrompt(trimmedDiff, gitCtx, !!opts.detailed);
+      const review = await runOnePrompt(registry, providerId, modelId, prompt);
+      sections.push("### Code Review");
+      sections.push(review);
+      sections.push("");
+    }
+    if (!opts.skipSecurity) {
+      const prompt = buildSecurityReviewPrompt(trimmedDiff, gitCtx);
+      const review = await runOnePrompt(registry, providerId, modelId, prompt);
+      sections.push("### Security Review");
+      sections.push(review);
+      sections.push("");
+    }
+  } catch (err) {
+    return {
+      exitCode: 2,
+      markdown: `\u274C Review call failed: ${err.message}`,
+      posted: false,
+      severity: { critical: 0, high: 0, warning: 0, info: 0 }
+    };
+  }
+  if (truncated) {
+    sections.push(`> \u26A0 Diff was truncated to ${maxDiff} chars (original: ${diff.length}). Consider splitting large PRs.`);
+  }
+  const markdown = sections.join("\n");
+  const severity = countSeverity(markdown);
+  let posted = false;
+  let updatedCommentId;
+  if (opts.post && opts.pr != null && !opts.dryRun) {
+    try {
+      const result = postOrUpdatePrComment(opts.pr, markdown, opts.update !== false);
+      posted = true;
+      updatedCommentId = result.id;
+    } catch (err) {
+      return {
+        exitCode: 2,
+        markdown: `${markdown}
+
+---
+
+\u274C Failed to post comment: ${err.message}`,
+        posted: false,
+        severity
+      };
+    }
+  }
+  const hasBlocker = severity.critical > 0 || severity.high > 0;
+  return {
+    exitCode: hasBlocker ? 1 : 0,
+    markdown,
+    posted,
+    updatedCommentId,
+    severity
+  };
+}
+export {
+  CI_COMMENT_MARKER,
+  countSeverity,
+  runCi
+};

package/dist/{constants-7Q5DB2X6.js → constants-3VNPPLEQ.js}

@@ -36,7 +36,7 @@ import {
   TEST_TIMEOUT,
   VERSION,
   buildUserIdentityPrompt
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 import "./chunk-PDX44BCA.js";
 export {
   AGENTIC_BEHAVIOR_GUIDELINE,

package/dist/{doctor-cli-RHGMQVCU.js → doctor-cli-HVLJGWSO.js}

@@ -2,25 +2,26 @@
 import {
   getConfigDirUsage,
   listRecentCrashes
-} from "./chunk-HUILGJNB.js";
+} from "./chunk-AWRXHBW2.js";
 import {
   ProviderRegistry
-} from "./chunk-EHLHWFZP.js";
+} from "./chunk-XZBA3NHG.js";
 import {
   ConfigManager
-} from "./chunk-WPYKTLP2.js";
+} from "./chunk-AQQSYFTU.js";
 import {
   getStatsSnapshot,
   getTopFailingTools,
   getTopUsedTools,
   resetStats
-} from "./chunk-QSGDXXE6.js";
+} from "./chunk-JB7LEZQO.js";
+import "./chunk-OWPFDHKC.js";
 import "./chunk-2ZD3YTVM.js";
 import {
   DEV_STATE_FILE_NAME,
   MEMORY_FILE_NAME,
   VERSION
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 import "./chunk-PDX44BCA.js";
 
 // src/diagnostics/doctor-cli.ts

package/dist/electron-server.js

@@ -36,7 +36,7 @@ import {
   VERSION,
   buildUserIdentityPrompt,
   runTestsTool
-} from "./chunk-YGGW2D2V.js";
+} from "./chunk-QJWZ5G64.js";
 import {
   hasSemanticIndex,
   semanticSearch
@@ -4121,6 +4121,11 @@ function buildErrorHint(command, stderr) {
       `Hint: On Windows, "Remove-Item ... -ErrorAction SilentlyContinue" still makes the powershell process exit 1 when no files match (even though the error is silenced). Use Test-Path as a guard: @('tmp_a.sql','tmp_b.sql','tmp_c.csv') | Where-Object { Test-Path $_ } | Remove-Item -Force \u2014 Test-Path returns a bool without raising, so missing paths are filtered out and exit code is 0.`
     );
   }
+  if (IS_WINDOWS && /-(?:EA|ErrorAction)\s+(?:SilentlyContinue|Ignore)\b/i.test(command) && /\b(Get-ChildItem|Get-Item|Get-Content|gci|gi|gc|dir|ls)\b/i.test(command) && !/Remove-Item/i.test(command) && !/Test-Path/i.test(command) && /cannot find path|no such file|does not exist|exit 1|不存在|找不到/i.test(stderr || command)) {
+    hints.push(
+      `Hint: On Windows, "-ErrorAction SilentlyContinue" silences the error MESSAGE but does NOT change the exit code \u2014 the process still exits 1 when the path doesn't exist (because powershell.exe -NonInteractive flips the exit code on any non-terminating error, silenced or not). If you're just probing for existence, use Test-Path instead \u2014 it returns $true/$false without raising: \`if (Test-Path ./mydir) { Get-ChildItem ./mydir }\` or unconditionally use \`New-Item -ItemType Directory -Force -Path ./mydir\` which is idempotent. Don't retry the same -ErrorAction SilentlyContinue probe expecting a different result.`
+    );
+  }
   const colMissing = stderr.match(/column "([^"]+)" does not exist/i);
   if (colMissing) {
     hints.push(
@@ -12568,7 +12573,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
       case "test": {
         this.send({ type: "info", message: "\u{1F9EA} Running tests..." });
         try {
-          const { executeTests } = await import("./run-tests-SUYREW3B.js");
+          const { executeTests } = await import("./run-tests-OP6HUEBM.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {

package/dist/{hub-SXNKYCN7.js → hub-PSQ3P5DO.js}

@@ -386,7 +386,7 @@ ${content}`);
   }
 }
 async function runTaskMode(config, providers, configManager, topic) {
-  const { TaskOrchestrator } = await import("./task-orchestrator-R6VOCA4V.js");
+  const { TaskOrchestrator } = await import("./task-orchestrator-JWQJJY3H.js");
   const orchestrator = new TaskOrchestrator(config, providers, configManager);
   let interrupted = false;
   const onSigint = () => {

package/dist/index.js

@@ -1,4 +1,8 @@
 #!/usr/bin/env node
+import {
+  buildReviewPrompt,
+  buildSecurityReviewPrompt
+} from "./chunk-HLWUDRBO.js";
 import {
   McpManager,
   SNAPSHOT_PROMPT,
@@ -16,12 +20,12 @@ import {
   saveDevState,
   sessionHasMeaningfulContent,
   setupProxy
-} from "./chunk-IGZVCNGE.js";
+} from "./chunk-RJYVWTHV.js";
 import {
   getConfigDirUsage,
   listRecentCrashes,
   writeCrashLog
-} from "./chunk-HUILGJNB.js";
+} from "./chunk-AWRXHBW2.js";
 import {
   CONTENT_ONLY_STREAM_REMINDER,
   HALLUCINATION_CORRECTION_MESSAGE,
@@ -39,10 +43,10 @@ import {
   looksLikeDocumentBody,
   stripPseudoToolCalls,
   stripToolCallReminder
-} from "./chunk-EHLHWFZP.js";
+} from "./chunk-XZBA3NHG.js";
 import {
   ConfigManager
-} from "./chunk-WPYKTLP2.js";
+} from "./chunk-AQQSYFTU.js";
 import {
   ToolExecutor,
   ToolRegistry,
@@ -61,16 +65,17 @@ import {
   spawnAgentContext,
   theme,
   undoStack
-} from "./chunk-PWCPOHZ4.js";
+} from "./chunk-BOQ4YWRM.js";
 import "./chunk-UQQJWHRV.js";
 import "./chunk-2DXY7UGF.js";
-import "./chunk-2JPLV25X.js";
+import "./chunk-GB2KTJC2.js";
 import {
   getStatsSnapshot,
   getTopFailingTools,
   getTopUsedTools,
   installFlushOnExit
-} from "./chunk-QSGDXXE6.js";
+} from "./chunk-JB7LEZQO.js";
+import "./chunk-OWPFDHKC.js";
 import {
   AuthError,
   ProviderError,
@@ -97,7 +102,7 @@ import {
   SKILLS_DIR_NAME,
   VERSION,
   buildUserIdentityPrompt
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 import {
   formatGitContextForPrompt,
   getGitContext,
@@ -449,6 +454,7 @@ var Renderer = class {
     console.log(feat("save_last_response Web mode (v0.4.101\u20130.4.102+): hidden from CLI-only contexts and tee-streams chunks to disk in Web UI as the response arrives"));
     console.log(feat("write_file long-content guidance (v0.4.103+): tool description no longer encourages AI to chunk long files \u2014 single-shot writes prevented from being split into truncated parts"));
     console.log(feat("Provider retry + fallback chain (v0.4.144+): transient network / 5xx / 429 errors retry on the same provider with exponential backoff; persistent failures walk config.fallback.chain (per-entry provider+model). Opt-in via config.fallback.enabled. Stream-safe: never retries after first chunk yielded"));
+    console.log(feat("aicli ci \u2014 headless PR review for GitHub Actions (v0.4.145+): `aicli ci --pr <num> --post` reads diff via gh CLI, runs code + security review, posts/updates a single PR comment via sentinel marker. Drop-in workflow YAML at docs/github-actions-example.yml. Critical/high findings \u2192 exit 1 (CI gate)"));
     console.log();
   }
   printPrompt(provider, _model) {
@@ -993,62 +999,6 @@ function copyToClipboard(text) {
     }
   }
 }
-function buildReviewPrompt(diff, gitContextStr, detailed) {
-  const level = detailed ? "Please perform a detailed in-depth review covering: security, performance, maintainability, error handling, naming conventions, and code duplication." : "Please perform a concise code review focusing on bugs, security issues, and key improvement suggestions.";
-  return `# Code Review Request
-
-${level}
-
-## Git Status
-${gitContextStr}
-
-## Code Changes (diff)
-\`\`\`diff
-${diff}
-\`\`\`
-
-## Output Format
-Please structure your review as follows:
-1. **Overall Assessment**: One-sentence summary of the change quality
-2. **Issues** (if any): Each issue with [Severity] file:line \u2014 description + suggested fix
-3. **Improvement Suggestions** (if any): Non-critical but recommended optimizations
-4. **Highlights** (if any): Good practices worth acknowledging
-
-Severity levels: \u{1F534} Critical / \u{1F7E1} Warning / \u{1F535} Info`;
-}
-function buildSecurityReviewPrompt(diff, gitContextStr) {
-  return `# Security Vulnerability Review
-
-Analyze the following code changes **exclusively for security vulnerabilities**.
-
-## Categories to check:
-1. **Injection** \u2014 SQL, command, path traversal, XSS, template injection
-2. **Authentication & Authorization** \u2014 hardcoded credentials, missing auth checks, privilege escalation
-3. **Secrets & Sensitive Data** \u2014 API keys, tokens, passwords in code, logging sensitive data
-4. **Input Validation** \u2014 missing validation, unsafe deserialization, buffer issues
-5. **Cryptography** \u2014 weak algorithms, improper random, hardcoded IVs/salts
-6. **Dependencies** \u2014 known vulnerable packages, unsafe dynamic imports
-7. **File System** \u2014 path traversal, unsafe file permissions, symlink attacks
-8. **Network** \u2014 SSRF, insecure protocols, missing TLS validation
-
-## Git Status
-${gitContextStr}
-
-## Code Changes (diff)
-\`\`\`diff
-${diff}
-\`\`\`
-
-## Output Format
-For each finding:
-- **Severity**: \u{1F534} CRITICAL / \u{1F7E0} HIGH / \u{1F7E1} MEDIUM / \u{1F535} LOW / \u2139\uFE0F INFO
-- **Category**: (from list above)
-- **File & location**: file:line
-- **Description**: what the vulnerability is and how it could be exploited
-- **Recommended fix**: specific code change to resolve
-
-If no security issues found, state "\u2705 No security vulnerabilities detected" with a brief explanation of what was checked.`;
-}
 var CommandRegistry = class {
   commands = /* @__PURE__ */ new Map();
   register(command) {
@@ -1819,7 +1769,7 @@ No tools match "${filter}".
           const { join: join6 } = await import("path");
           const { existsSync: existsSync6 } = await import("fs");
           const { getGitRoot: getGitRoot2 } = await import("./git-context-7KIP4X2V.js");
-          const { MCP_PROJECT_CONFIG_NAME: MCP_PROJECT_CONFIG_NAME2 } = await import("./constants-7Q5DB2X6.js");
+          const { MCP_PROJECT_CONFIG_NAME: MCP_PROJECT_CONFIG_NAME2 } = await import("./constants-3VNPPLEQ.js");
           const { approveProject, hashMcpFile } = await import("./project-trust-IFM7FXEV.js");
           const cwd = process.cwd();
           const projectRoot = getGitRoot2(cwd) ?? cwd;
@@ -2880,7 +2830,7 @@ ${hint}` : "")
       usage: "/test [command|filter]",
       async execute(args, ctx) {
         try {
-          const { executeTests } = await import("./run-tests-X4YQXIGP.js");
+          const { executeTests } = await import("./run-tests-D4ZQ7NLP.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {
@@ -7580,7 +7530,7 @@ program.command("web").description("Start Web UI server with browser-based chat
     console.error("Error: Invalid port number. Must be between 1 and 65535.");
     process.exit(1);
   }
-  const { startWebServer } = await import("./server-X24SIKZE.js");
+  const { startWebServer } = await import("./server-KJJEI67Z.js");
   await startWebServer({ port, host: options.host });
 });
 program.command("user [action] [username]").description("Manage Web UI users (list | create <name> | delete <name> | reset-password <name> | logout-all <name> | migrate <name>)").action(async (action, username) => {
@@ -7747,12 +7697,12 @@ program.command("sessions").description("List recent conversation sessions").opt
   console.log(footer + "\n");
 });
 program.command("doctor").description("Health check: API keys, config, MCP, recent crashes, tool usage, disk usage").option("--json", "Output as JSON (for scripting)").option("--reset-stats", "Reset accumulated tool usage statistics").action(async (options) => {
-  const { runDoctorCli } = await import("./doctor-cli-RHGMQVCU.js");
+  const { runDoctorCli } = await import("./doctor-cli-HVLJGWSO.js");
   await runDoctorCli({ json: !!options.json, resetStats: !!options.resetStats });
 });
 program.command("batch <action> [arg] [arg2]").description("Anthropic Message Batches: submit | list | status <id> | results <id> [out] | cancel <id>").option("--dry-run", "Parse and validate input without submitting (submit only)").action(async (action, arg, arg2, options) => {
   try {
-    const batch = await import("./batch-64YESATH.js");
+    const batch = await import("./batch-GMCR2YE6.js");
     switch (action) {
       case "submit":
         if (!arg) {
@@ -7795,7 +7745,7 @@ program.command("batch <action> [arg] [arg2]").description("Anthropic Message Ba
   }
 });
 program.command("mcp-serve").description("Start an MCP server over STDIO, exposing aicli's built-in tools to Claude Desktop / Cursor / other MCP clients").option("--allow-destructive", "Allow bash / run_interactive / task_create (always destructive in MCP mode)").option("--allow-outside-cwd", "Allow tool path arguments to escape the sandbox root \u2014 disabled by default").option("--tools <list>", "Comma-separated whitelist of tools to expose (default: all eligible tools)").option("--cwd <path>", "Working directory AND sandbox root (default: current directory)").action(async (options) => {
-  const { startMcpServer } = await import("./server-MGKTVVAR.js");
+  const { startMcpServer } = await import("./server-IKU7UN7J.js");
   await startMcpServer({
     allowDestructive: !!options.allowDestructive,
     allowOutsideCwd: !!options.allowOutsideCwd,
@@ -7803,6 +7753,29 @@ program.command("mcp-serve").description("Start an MCP server over STDIO, exposi
     cwd: options.cwd
   });
 });
+program.command("ci").description("Headless PR review (code + security) \u2014 reads git/gh diff, optionally posts to PR. Designed for GitHub Actions.").option("--pr <num>", "PR number; diff fetched via `gh pr diff <num>`", (v) => parseInt(v, 10)).option("--base <ref>", "Base ref for `git diff <ref>...HEAD` (ignored when --pr set)").option("--post", "Post review as a PR comment (requires gh CLI + GH_TOKEN, needs --pr)").option("--no-update", "Always create a new comment instead of updating the previous aicli review").option("--skip-code", "Skip the code review section").option("--skip-security", "Skip the security review section").option("--detailed", "Use the detailed code-review prompt").option("--max-diff <n>", "Max diff chars sent to the model (default 30000)", (v) => parseInt(v, 10)).option("--provider <id>", "Override provider (default: config.defaultProvider)").option("--model <id>", "Override model").option("--dry-run", "Print result to stdout instead of posting (overrides --post)").action(async (options) => {
+  const { runCi } = await import("./ci-CPXECTTZ.js");
+  const result = await runCi({
+    pr: options.pr,
+    base: options.base,
+    post: !!options.post,
+    update: options.update !== false,
+    skipCode: !!options.skipCode,
+    skipSecurity: !!options.skipSecurity,
+    detailed: !!options.detailed,
+    maxDiffChars: options.maxDiff,
+    provider: options.provider,
+    model: options.model,
+    dryRun: !!options.dryRun
+  });
+  process.stdout.write(result.markdown + "\n");
+  if (result.posted) {
+    process.stderr.write(`
+\u2705 Posted review to PR #${options.pr}${result.updatedCommentId ? " (updated existing comment)" : ""}
+`);
+  }
+  process.exit(result.exitCode);
+});
 program.command("help").description("Show a comprehensive guide to all aicli features and commands").action(() => {
   const B = "\x1B[1m";
   const D = "\x1B[2m";
@@ -7922,7 +7895,7 @@ program.command("hub [topic]").description("Start multi-agent hub (discuss / bra
     }),
     config.get("customProviders")
   );
-  const { startHub } = await import("./hub-SXNKYCN7.js");
+  const { startHub } = await import("./hub-PSQ3P5DO.js");
   await startHub(
     {
       topic: topic ?? "",

package/dist/{run-tests-X4YQXIGP.js → run-tests-D4ZQ7NLP.js}

@@ -2,8 +2,8 @@
 import {
   executeTests,
   runTestsTool
-} from "./chunk-2JPLV25X.js";
-import "./chunk-XW4EP5IE.js";
+} from "./chunk-GB2KTJC2.js";
+import "./chunk-EUE7FFIO.js";
 import "./chunk-PDX44BCA.js";
 export {
   executeTests,

package/dist/{run-tests-SUYREW3B.js → run-tests-OP6HUEBM.js}

@@ -1,7 +1,7 @@
 import {
   executeTests,
   runTestsTool
-} from "./chunk-YGGW2D2V.js";
+} from "./chunk-QJWZ5G64.js";
 import "./chunk-3RG5ZIWI.js";
 export {
   executeTests,

package/dist/{server-MGKTVVAR.js → server-IKU7UN7J.js}

@@ -1,19 +1,21 @@
 #!/usr/bin/env node
 import {
   ToolRegistry
-} from "./chunk-PWCPOHZ4.js";
+} from "./chunk-BOQ4YWRM.js";
 import "./chunk-UQQJWHRV.js";
 import "./chunk-2DXY7UGF.js";
-import "./chunk-2JPLV25X.js";
+import "./chunk-GB2KTJC2.js";
+import {
+  runTool
+} from "./chunk-JB7LEZQO.js";
 import {
   getDangerLevel,
-  runTool,
   schemaToJsonSchema
-} from "./chunk-QSGDXXE6.js";
+} from "./chunk-OWPFDHKC.js";
 import "./chunk-2ZD3YTVM.js";
 import {
   VERSION
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 import "./chunk-4BKXL7SM.js";
 import "./chunk-7ZJN4KLV.js";
 import "./chunk-KHYD3WXE.js";

package/dist/{server-X24SIKZE.js → server-KJJEI67Z.js}

@@ -14,7 +14,7 @@ import {
   loadDevState,
   persistToolRound,
   setupProxy
-} from "./chunk-IGZVCNGE.js";
+} from "./chunk-RJYVWTHV.js";
 import {
   CONTENT_ONLY_STREAM_REMINDER,
   HALLUCINATION_CORRECTION_MESSAGE,
@@ -28,10 +28,10 @@ import {
   looksLikeDocumentBody,
   stripPseudoToolCalls,
   stripToolCallReminder
-} from "./chunk-EHLHWFZP.js";
+} from "./chunk-XZBA3NHG.js";
 import {
   ConfigManager
-} from "./chunk-WPYKTLP2.js";
+} from "./chunk-AQQSYFTU.js";
 import {
   ToolExecutor,
   ToolRegistry,
@@ -49,14 +49,16 @@ import {
   spawnAgentContext,
   truncateOutput,
   undoStack
-} from "./chunk-PWCPOHZ4.js";
+} from "./chunk-BOQ4YWRM.js";
 import "./chunk-UQQJWHRV.js";
 import "./chunk-2DXY7UGF.js";
-import "./chunk-2JPLV25X.js";
+import "./chunk-GB2KTJC2.js";
 import {
-  getDangerLevel,
   runTool
-} from "./chunk-QSGDXXE6.js";
+} from "./chunk-JB7LEZQO.js";
+import {
+  getDangerLevel
+} from "./chunk-OWPFDHKC.js";
 import "./chunk-2ZD3YTVM.js";
 import {
   AGENTIC_BEHAVIOR_GUIDELINE,
@@ -76,7 +78,7 @@ import {
   SKILLS_DIR_NAME,
   VERSION,
   buildUserIdentityPrompt
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 import {
   formatGitContextForPrompt,
   getGitContext,
@@ -2460,7 +2462,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
       case "test": {
         this.send({ type: "info", message: "\u{1F9EA} Running tests..." });
         try {
-          const { executeTests } = await import("./run-tests-X4YQXIGP.js");
+          const { executeTests } = await import("./run-tests-D4ZQ7NLP.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {

package/dist/{task-orchestrator-R6VOCA4V.js → task-orchestrator-JWQJJY3H.js}

@@ -3,18 +3,20 @@ import {
   ToolRegistry,
   googleSearchContext,
   truncateOutput
-} from "./chunk-PWCPOHZ4.js";
+} from "./chunk-BOQ4YWRM.js";
 import "./chunk-UQQJWHRV.js";
 import "./chunk-2DXY7UGF.js";
-import "./chunk-2JPLV25X.js";
+import "./chunk-GB2KTJC2.js";
 import {
-  getDangerLevel,
   runTool
-} from "./chunk-QSGDXXE6.js";
+} from "./chunk-JB7LEZQO.js";
+import {
+  getDangerLevel
+} from "./chunk-OWPFDHKC.js";
 import "./chunk-2ZD3YTVM.js";
 import {
   SUBAGENT_ALLOWED_TOOLS
-} from "./chunk-XW4EP5IE.js";
+} from "./chunk-EUE7FFIO.js";
 import "./chunk-4BKXL7SM.js";
 import "./chunk-7ZJN4KLV.js";
 import "./chunk-KHYD3WXE.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jinzd-ai-cli",
-  "version": "0.4.144",
+  "version": "0.4.146",
   "description": "Cross-platform REPL-style AI CLI with multi-provider support",
   "type": "module",
   "main": "./dist/index.js",