lastlight 0.1.8 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +265 -118
- package/agent-context/rules.md +62 -9
- package/agent-context/security.md +69 -0
- package/config/default.yaml +89 -0
- package/deploy/.env.production.example +20 -2
- package/deploy/entrypoint.sh +16 -17
- package/deploy/native/README.md +160 -0
- package/deploy/native/install.sh +110 -0
- package/deploy/native/lastlight.env.example +95 -0
- package/deploy/native/lastlight.service +50 -0
- package/deploy/sandbox-entrypoint.sh +59 -42
- package/dist/admin/auth.d.ts +1 -1
- package/dist/admin/auth.js +3 -1
- package/dist/admin/auth.js.map +1 -1
- package/dist/admin/chat-session-reader.d.ts +11 -14
- package/dist/admin/chat-session-reader.js +27 -51
- package/dist/admin/chat-session-reader.js.map +1 -1
- package/dist/admin/docker.d.ts +37 -0
- package/dist/admin/docker.js +86 -1
- package/dist/admin/docker.js.map +1 -1
- package/dist/admin/index.js +38 -3
- package/dist/admin/index.js.map +1 -1
- package/dist/admin/log-search.test.d.ts +1 -0
- package/dist/admin/log-search.test.js +78 -0
- package/dist/admin/log-search.test.js.map +1 -0
- package/dist/admin/routes.d.ts +52 -3
- package/dist/admin/routes.js +780 -63
- package/dist/admin/routes.js.map +1 -1
- package/dist/admin/routes.test.js +680 -14
- package/dist/admin/routes.test.js.map +1 -1
- package/dist/admin/server-logs.test.d.ts +1 -0
- package/dist/admin/server-logs.test.js +58 -0
- package/dist/admin/server-logs.test.js.map +1 -0
- package/dist/admin/sessions.d.ts +26 -39
- package/dist/admin/sessions.js +86 -310
- package/dist/admin/sessions.js.map +1 -1
- package/dist/admin/sessions.test.d.ts +1 -0
- package/dist/admin/sessions.test.js +78 -0
- package/dist/admin/sessions.test.js.map +1 -0
- package/dist/admin/version.d.ts +15 -0
- package/dist/admin/version.js +73 -0
- package/dist/admin/version.js.map +1 -0
- package/dist/admin/version.test.d.ts +1 -0
- package/dist/admin/version.test.js +71 -0
- package/dist/admin/version.test.js.map +1 -0
- package/dist/cli-config.d.ts +55 -0
- package/dist/cli-config.js +119 -0
- package/dist/cli-config.js.map +1 -0
- package/dist/cli-config.test.d.ts +1 -0
- package/dist/cli-config.test.js +92 -0
- package/dist/cli-config.test.js.map +1 -0
- package/dist/cli-format.d.ts +19 -0
- package/dist/cli-format.js +107 -0
- package/dist/cli-format.js.map +1 -0
- package/dist/cli-server.d.ts +73 -0
- package/dist/cli-server.js +347 -0
- package/dist/cli-server.js.map +1 -0
- package/dist/cli-server.test.d.ts +1 -0
- package/dist/cli-server.test.js +38 -0
- package/dist/cli-server.test.js.map +1 -0
- package/dist/cli-timeline.d.ts +35 -0
- package/dist/cli-timeline.js +373 -0
- package/dist/cli-timeline.js.map +1 -0
- package/dist/cli-timeline.test.d.ts +1 -0
- package/dist/cli-timeline.test.js +104 -0
- package/dist/cli-timeline.test.js.map +1 -0
- package/dist/cli.d.ts +0 -19
- package/dist/cli.js +910 -194
- package/dist/cli.js.map +1 -1
- package/dist/config-overlay.test.d.ts +1 -0
- package/dist/config-overlay.test.js +112 -0
- package/dist/config-overlay.test.js.map +1 -0
- package/dist/config-resolve.d.ts +28 -0
- package/dist/config-resolve.js +47 -0
- package/dist/config-resolve.js.map +1 -0
- package/dist/config-resolve.test.d.ts +1 -0
- package/dist/config-resolve.test.js +68 -0
- package/dist/config-resolve.test.js.map +1 -0
- package/dist/config.d.ts +62 -49
- package/dist/config.js +452 -76
- package/dist/config.js.map +1 -1
- package/dist/config.test.js +201 -32
- package/dist/config.test.js.map +1 -1
- package/dist/connectors/github-webhook.js +83 -5
- package/dist/connectors/github-webhook.js.map +1 -1
- package/dist/connectors/github-webhook.test.d.ts +1 -0
- package/dist/connectors/github-webhook.test.js +156 -0
- package/dist/connectors/github-webhook.test.js.map +1 -0
- package/dist/connectors/messaging/session-manager.d.ts +18 -0
- package/dist/connectors/messaging/session-manager.js +83 -2
- package/dist/connectors/messaging/session-manager.js.map +1 -1
- package/dist/connectors/messaging/session-manager.test.d.ts +1 -0
- package/dist/connectors/messaging/session-manager.test.js +144 -0
- package/dist/connectors/messaging/session-manager.test.js.map +1 -0
- package/dist/connectors/slack/connector.d.ts +9 -0
- package/dist/connectors/slack/connector.js +15 -0
- package/dist/connectors/slack/connector.js.map +1 -1
- package/dist/connectors/slack/mrkdwn.js +81 -0
- package/dist/connectors/slack/mrkdwn.js.map +1 -1
- package/dist/connectors/slack/mrkdwn.test.js +49 -0
- package/dist/connectors/slack/mrkdwn.test.js.map +1 -1
- package/dist/connectors/types.d.ts +1 -1
- package/dist/cron/fanout.d.ts +33 -0
- package/dist/cron/fanout.js +55 -0
- package/dist/cron/fanout.js.map +1 -0
- package/dist/cron/fanout.test.d.ts +1 -0
- package/dist/cron/fanout.test.js +73 -0
- package/dist/cron/fanout.test.js.map +1 -0
- package/dist/cron/jobs.d.ts +5 -0
- package/dist/cron/jobs.js +10 -3
- package/dist/cron/jobs.js.map +1 -1
- package/dist/cron/scheduler.d.ts +12 -0
- package/dist/cron/scheduler.js +27 -1
- package/dist/cron/scheduler.js.map +1 -1
- package/dist/engine/agent-executor.d.ts +158 -0
- package/dist/engine/agent-executor.js +1140 -0
- package/dist/engine/agent-executor.js.map +1 -0
- package/dist/engine/agent-executor.test.d.ts +1 -0
- package/dist/engine/agent-executor.test.js +395 -0
- package/dist/engine/agent-executor.test.js.map +1 -0
- package/dist/engine/chat-runner.d.ts +123 -0
- package/dist/engine/chat-runner.js +379 -0
- package/dist/engine/chat-runner.js.map +1 -0
- package/dist/engine/chat-runner.test.d.ts +1 -0
- package/dist/engine/chat-runner.test.js +104 -0
- package/dist/engine/chat-runner.test.js.map +1 -0
- package/dist/engine/chat-skills.d.ts +45 -0
- package/dist/engine/chat-skills.js +184 -0
- package/dist/engine/chat-skills.js.map +1 -0
- package/dist/engine/chat-skills.test.d.ts +1 -0
- package/dist/engine/chat-skills.test.js +20 -0
- package/dist/engine/chat-skills.test.js.map +1 -0
- package/dist/engine/chat.d.ts +20 -23
- package/dist/engine/chat.js +251 -155
- package/dist/engine/chat.js.map +1 -1
- package/dist/engine/chat.test.d.ts +1 -0
- package/dist/engine/chat.test.js +42 -0
- package/dist/engine/chat.test.js.map +1 -0
- package/dist/engine/classifier.d.ts +35 -2
- package/dist/engine/classifier.js +170 -31
- package/dist/engine/classifier.js.map +1 -1
- package/dist/engine/classifier.test.d.ts +1 -0
- package/dist/engine/classifier.test.js +115 -0
- package/dist/engine/classifier.test.js.map +1 -0
- package/dist/engine/dispatcher.d.ts +60 -0
- package/dist/engine/dispatcher.js +601 -0
- package/dist/engine/dispatcher.js.map +1 -0
- package/dist/engine/dispatcher.test.d.ts +1 -0
- package/dist/engine/dispatcher.test.js +511 -0
- package/dist/engine/dispatcher.test.js.map +1 -0
- package/dist/engine/event-shim.d.ts +117 -0
- package/dist/engine/event-shim.js +435 -0
- package/dist/engine/event-shim.js.map +1 -0
- package/dist/engine/event-shim.test.d.ts +1 -0
- package/dist/engine/event-shim.test.js +194 -0
- package/dist/engine/event-shim.test.js.map +1 -0
- package/dist/engine/git-auth.d.ts +13 -17
- package/dist/engine/git-auth.js +99 -42
- package/dist/engine/git-auth.js.map +1 -1
- package/dist/engine/git-auth.test.d.ts +1 -0
- package/dist/engine/git-auth.test.js +117 -0
- package/dist/engine/git-auth.test.js.map +1 -0
- package/dist/engine/github-app-client.d.ts +7 -0
- package/dist/engine/github-app-client.js +16 -0
- package/dist/engine/github-app-client.js.map +1 -0
- package/dist/engine/github-app-client.test.d.ts +1 -0
- package/dist/engine/github-app-client.test.js +44 -0
- package/dist/engine/github-app-client.test.js.map +1 -0
- package/dist/engine/github-tools.d.ts +12 -0
- package/dist/engine/github-tools.js +261 -0
- package/dist/engine/github-tools.js.map +1 -0
- package/dist/engine/github.d.ts +1027 -43
- package/dist/engine/github.js +153 -14
- package/dist/engine/github.js.map +1 -1
- package/dist/engine/llm.d.ts +47 -0
- package/dist/engine/llm.js +221 -0
- package/dist/engine/llm.js.map +1 -0
- package/dist/engine/llm.test.d.ts +1 -0
- package/dist/engine/llm.test.js +189 -0
- package/dist/engine/llm.test.js.map +1 -0
- package/dist/engine/profiles.d.ts +249 -0
- package/dist/engine/profiles.js +42 -0
- package/dist/engine/profiles.js.map +1 -0
- package/dist/engine/router.d.ts +12 -6
- package/dist/engine/router.js +339 -81
- package/dist/engine/router.js.map +1 -1
- package/dist/engine/router.test.js +428 -78
- package/dist/engine/router.test.js.map +1 -1
- package/dist/engine/screen.d.ts +41 -0
- package/dist/engine/screen.js +93 -0
- package/dist/engine/screen.js.map +1 -0
- package/dist/engine/screen.test.d.ts +1 -0
- package/dist/engine/screen.test.js +82 -0
- package/dist/engine/screen.test.js.map +1 -0
- package/dist/index.js +423 -437
- package/dist/index.js.map +1 -1
- package/dist/managed-repos.d.ts +7 -9
- package/dist/managed-repos.js +12 -15
- package/dist/managed-repos.js.map +1 -1
- package/dist/managed-repos.test.js +24 -19
- package/dist/managed-repos.test.js.map +1 -1
- package/dist/notify/index.d.ts +15 -0
- package/dist/notify/index.js +6 -0
- package/dist/notify/index.js.map +1 -0
- package/dist/notify/model.d.ts +57 -0
- package/dist/notify/model.js +89 -0
- package/dist/notify/model.js.map +1 -0
- package/dist/notify/model.test.d.ts +1 -0
- package/dist/notify/model.test.js +109 -0
- package/dist/notify/model.test.js.map +1 -0
- package/dist/notify/notifier.d.ts +17 -0
- package/dist/notify/notifier.js +87 -0
- package/dist/notify/notifier.js.map +1 -0
- package/dist/notify/notifier.test.d.ts +1 -0
- package/dist/notify/notifier.test.js +100 -0
- package/dist/notify/notifier.test.js.map +1 -0
- package/dist/notify/render.d.ts +21 -0
- package/dist/notify/render.js +59 -0
- package/dist/notify/render.js.map +1 -0
- package/dist/notify/render.test.d.ts +1 -0
- package/dist/notify/render.test.js +65 -0
- package/dist/notify/render.test.js.map +1 -0
- package/dist/notify/transports/github.d.ts +26 -0
- package/dist/notify/transports/github.js +26 -0
- package/dist/notify/transports/github.js.map +1 -0
- package/dist/notify/transports/slack.d.ts +26 -0
- package/dist/notify/transports/slack.js +28 -0
- package/dist/notify/transports/slack.js.map +1 -0
- package/dist/notify/transports.test.d.ts +1 -0
- package/dist/notify/transports.test.js +71 -0
- package/dist/notify/transports.test.js.map +1 -0
- package/dist/notify/types.d.ts +95 -0
- package/dist/notify/types.js +16 -0
- package/dist/notify/types.js.map +1 -0
- package/dist/sandbox/docker-compose.test.d.ts +1 -0
- package/dist/sandbox/docker-compose.test.js +128 -0
- package/dist/sandbox/docker-compose.test.js.map +1 -0
- package/dist/sandbox/docker.d.ts +97 -9
- package/dist/sandbox/docker.js +192 -41
- package/dist/sandbox/docker.js.map +1 -1
- package/dist/sandbox/docker.test.d.ts +1 -0
- package/dist/sandbox/docker.test.js +137 -0
- package/dist/sandbox/docker.test.js.map +1 -0
- package/dist/sandbox/egress-allowlist.d.ts +69 -0
- package/dist/sandbox/egress-allowlist.js +164 -0
- package/dist/sandbox/egress-allowlist.js.map +1 -0
- package/dist/sandbox/egress-allowlist.test.d.ts +1 -0
- package/dist/sandbox/egress-allowlist.test.js +65 -0
- package/dist/sandbox/egress-allowlist.test.js.map +1 -0
- package/dist/sandbox/egress-firewall-config.d.ts +127 -0
- package/dist/sandbox/egress-firewall-config.js +434 -0
- package/dist/sandbox/egress-firewall-config.js.map +1 -0
- package/dist/sandbox/egress-firewall-config.test.d.ts +1 -0
- package/dist/sandbox/egress-firewall-config.test.js +244 -0
- package/dist/sandbox/egress-firewall-config.test.js.map +1 -0
- package/dist/sandbox/images.d.ts +23 -0
- package/dist/sandbox/images.js +55 -0
- package/dist/sandbox/images.js.map +1 -0
- package/dist/sandbox/index.d.ts +82 -3
- package/dist/sandbox/index.js +223 -93
- package/dist/sandbox/index.js.map +1 -1
- package/dist/sandbox/index.test.d.ts +1 -0
- package/dist/sandbox/index.test.js +157 -0
- package/dist/sandbox/index.test.js.map +1 -0
- package/dist/session-log.d.ts +63 -0
- package/dist/session-log.js +290 -0
- package/dist/session-log.js.map +1 -0
- package/dist/session-log.test.d.ts +1 -0
- package/dist/session-log.test.js +85 -0
- package/dist/session-log.test.js.map +1 -0
- package/dist/setup.d.ts +31 -12
- package/dist/setup.js +516 -174
- package/dist/setup.js.map +1 -1
- package/dist/setup.test.js +138 -6
- package/dist/setup.test.js.map +1 -1
- package/dist/state/approval-store.d.ts +86 -0
- package/dist/state/approval-store.js +140 -0
- package/dist/state/approval-store.js.map +1 -0
- package/dist/state/build-assets.d.ts +50 -0
- package/dist/state/build-assets.js +154 -0
- package/dist/state/build-assets.js.map +1 -0
- package/dist/state/build-assets.test.d.ts +1 -0
- package/dist/state/build-assets.test.js +106 -0
- package/dist/state/build-assets.test.js.map +1 -0
- package/dist/state/db.d.ts +65 -333
- package/dist/state/db.js +112 -835
- package/dist/state/db.js.map +1 -1
- package/dist/state/db.test.js +127 -91
- package/dist/state/db.test.js.map +1 -1
- package/dist/state/execution-store.d.ts +257 -0
- package/dist/state/execution-store.js +527 -0
- package/dist/state/execution-store.js.map +1 -0
- package/dist/state/migrate.d.ts +15 -0
- package/dist/state/migrate.js +175 -0
- package/dist/state/migrate.js.map +1 -0
- package/dist/state/workflow-run-store.d.ts +195 -0
- package/dist/state/workflow-run-store.js +363 -0
- package/dist/state/workflow-run-store.js.map +1 -0
- package/dist/state/workflow-run-store.test.d.ts +1 -0
- package/dist/state/workflow-run-store.test.js +264 -0
- package/dist/state/workflow-run-store.test.js.map +1 -0
- package/dist/telemetry/index.d.ts +38 -0
- package/dist/telemetry/index.js +253 -0
- package/dist/telemetry/index.js.map +1 -0
- package/dist/telemetry/index.test.d.ts +1 -0
- package/dist/telemetry/index.test.js +73 -0
- package/dist/telemetry/index.test.js.map +1 -0
- package/dist/telemetry/pi-events.d.ts +12 -0
- package/dist/telemetry/pi-events.js +134 -0
- package/dist/telemetry/pi-events.js.map +1 -0
- package/dist/telemetry/pi-events.test.d.ts +1 -0
- package/dist/telemetry/pi-events.test.js +69 -0
- package/dist/telemetry/pi-events.test.js.map +1 -0
- package/dist/workflows/dag.d.ts +13 -1
- package/dist/workflows/dag.js +7 -3
- package/dist/workflows/dag.js.map +1 -1
- package/dist/workflows/dag.test.js +22 -0
- package/dist/workflows/dag.test.js.map +1 -1
- package/dist/workflows/golden-build.test.d.ts +1 -0
- package/dist/workflows/golden-build.test.js +45 -0
- package/dist/workflows/golden-build.test.js.map +1 -0
- package/dist/workflows/loader-overlay.test.d.ts +1 -0
- package/dist/workflows/loader-overlay.test.js +101 -0
- package/dist/workflows/loader-overlay.test.js.map +1 -0
- package/dist/workflows/loader.d.ts +36 -11
- package/dist/workflows/loader.js +311 -87
- package/dist/workflows/loader.js.map +1 -1
- package/dist/workflows/loader.test.js +114 -10
- package/dist/workflows/loader.test.js.map +1 -1
- package/dist/workflows/loop-eval.js +2 -0
- package/dist/workflows/loop-eval.js.map +1 -1
- package/dist/workflows/loop-eval.test.js +14 -0
- package/dist/workflows/loop-eval.test.js.map +1 -1
- package/dist/workflows/phase-executor.d.ts +145 -0
- package/dist/workflows/phase-executor.js +691 -0
- package/dist/workflows/phase-executor.js.map +1 -0
- package/dist/workflows/phase-executor.test.d.ts +1 -0
- package/dist/workflows/phase-executor.test.js +434 -0
- package/dist/workflows/phase-executor.test.js.map +1 -0
- package/dist/workflows/phase-ref.d.ts +44 -0
- package/dist/workflows/phase-ref.js +78 -0
- package/dist/workflows/phase-ref.js.map +1 -0
- package/dist/workflows/phase-ref.test.d.ts +1 -0
- package/dist/workflows/phase-ref.test.js +24 -0
- package/dist/workflows/phase-ref.test.js.map +1 -0
- package/dist/workflows/resume.d.ts +5 -11
- package/dist/workflows/resume.js +88 -7
- package/dist/workflows/resume.js.map +1 -1
- package/dist/workflows/runner.d.ts +34 -27
- package/dist/workflows/runner.js +252 -930
- package/dist/workflows/runner.js.map +1 -1
- package/dist/workflows/runner.test.js +346 -35
- package/dist/workflows/runner.test.js.map +1 -1
- package/dist/workflows/schema.d.ts +52 -10
- package/dist/workflows/schema.js +147 -7
- package/dist/workflows/schema.js.map +1 -1
- package/dist/workflows/simple.d.ts +67 -3
- package/dist/workflows/simple.js +248 -87
- package/dist/workflows/simple.js.map +1 -1
- package/dist/workflows/simple.test.d.ts +1 -0
- package/dist/workflows/simple.test.js +107 -0
- package/dist/workflows/simple.test.js.map +1 -0
- package/dist/workflows/templates.d.ts +29 -0
- package/dist/workflows/templates.js +42 -4
- package/dist/workflows/templates.js.map +1 -1
- package/dist/workflows/templates.test.js +103 -0
- package/dist/workflows/templates.test.js.map +1 -1
- package/dist/workflows/triggers.d.ts +21 -0
- package/dist/workflows/triggers.js +44 -0
- package/dist/workflows/triggers.js.map +1 -0
- package/dist/workflows/verdict.d.ts +19 -0
- package/dist/workflows/verdict.js +30 -0
- package/dist/workflows/verdict.js.map +1 -0
- package/dist/workflows/verdict.test.d.ts +1 -0
- package/dist/workflows/verdict.test.js +44 -0
- package/dist/workflows/verdict.test.js.map +1 -0
- package/dist/worktree/manager.d.ts +1 -1
- package/dist/worktree/manager.js +14 -14
- package/dist/worktree/manager.js.map +1 -1
- package/dist/worktree/manager.test.d.ts +1 -0
- package/dist/worktree/manager.test.js +87 -0
- package/dist/worktree/manager.test.js.map +1 -0
- package/docker-compose.yml +206 -5
- package/package.json +19 -7
- package/sandbox.Dockerfile +97 -18
- package/skills/README.md +40 -0
- package/skills/browser-qa/SKILL.md +193 -0
- package/skills/browser-qa/scripts/agent-browser.mjs +380 -0
- package/skills/building/SKILL.md +95 -0
- package/skills/chat/SKILL.md +30 -11
- package/skills/code-review/SKILL.md +59 -0
- package/skills/debug-production/SKILL.md +108 -0
- package/skills/demo/SKILL.md +194 -0
- package/skills/demo/scripts/compose-demo.sh +205 -0
- package/skills/issue-answer/SKILL.md +90 -0
- package/skills/issue-comment/SKILL.md +38 -24
- package/skills/issue-triage/SKILL.md +103 -37
- package/skills/issue-triage/references/AGENT-BRIEF.md +61 -0
- package/skills/pr-comment/SKILL.md +64 -0
- package/skills/pr-review/SKILL.md +65 -49
- package/skills/qa-test/SKILL.md +97 -0
- package/skills/repo-health/SKILL.md +48 -45
- package/skills/security-feedback/SKILL.md +173 -0
- package/skills/security-feedback/references/templates.md +77 -0
- package/skills/security-review/SKILL.md +213 -0
- package/skills/security-review/references/issue-format.md +302 -0
- package/skills/verify/SKILL.md +118 -0
- package/workflows/answer.yaml +37 -0
- package/workflows/build.yaml +32 -22
- package/workflows/cron-security.yaml +6 -0
- package/workflows/demo.yaml +55 -0
- package/workflows/explore.yaml +9 -0
- package/workflows/pr-comment.yaml +16 -0
- package/workflows/pr-fix.yaml +3 -0
- package/workflows/pr-review.yaml +4 -1
- package/workflows/prompts/answer.md +67 -0
- package/workflows/prompts/architect.md +24 -7
- package/workflows/prompts/demo.md +100 -0
- package/workflows/prompts/executor.md +29 -20
- package/workflows/prompts/explore-ask.md +51 -22
- package/workflows/prompts/explore-publish.md +2 -2
- package/workflows/prompts/explore-read.md +24 -10
- package/workflows/prompts/explore-synthesize.md +15 -8
- package/workflows/prompts/fix.md +9 -10
- package/workflows/prompts/guardrails.md +26 -8
- package/workflows/prompts/pr-fix.md +6 -7
- package/workflows/prompts/pr.md +11 -10
- package/workflows/prompts/qa-browser.md +95 -0
- package/workflows/prompts/qa-synth.md +44 -0
- package/workflows/prompts/qa-test.md +60 -0
- package/workflows/prompts/re-reviewer.md +8 -9
- package/workflows/prompts/reviewer.md +10 -9
- package/workflows/prompts/verify-browser.md +93 -0
- package/workflows/prompts/verify-synth.md +44 -0
- package/workflows/prompts/verify.md +63 -0
- package/workflows/qa-test.yaml +87 -0
- package/workflows/security-feedback.yaml +25 -0
- package/workflows/security-review.yaml +29 -0
- package/workflows/verify.yaml +85 -0
- package/deploy/mcp-config.tmpl.json +0 -14
- package/dist/cron/rate-limits.d.ts +0 -26
- package/dist/cron/rate-limits.js +0 -193
- package/dist/cron/rate-limits.js.map +0 -1
- package/dist/engine/executor.d.ts +0 -75
- package/dist/engine/executor.js +0 -292
- package/dist/engine/executor.js.map +0 -1
- package/mcp-github-app/package.json +0 -18
- package/mcp-github-app/src/auth.js +0 -66
- package/mcp-github-app/src/github.js +0 -371
- package/mcp-github-app/src/index.js +0 -534
- package/skills/devops/webhook-subscriptions/SKILL.md +0 -180
- package/skills/github/DESCRIPTION.md +0 -3
- package/skills/github/codebase-inspection/SKILL.md +0 -115
- package/skills/github/github-auth/SKILL.md +0 -54
- package/skills/github/github-auth/scripts/gh-env.sh +0 -66
- package/skills/github/github-code-review/SKILL.md +0 -480
- package/skills/github/github-code-review/references/review-output-template.md +0 -74
- package/skills/github/github-issues/SKILL.md +0 -369
- package/skills/github/github-issues/templates/bug-report.md +0 -35
- package/skills/github/github-issues/templates/feature-request.md +0 -31
- package/skills/github/github-pr-workflow/SKILL.md +0 -395
- package/skills/github/github-pr-workflow/references/ci-troubleshooting.md +0 -183
- package/skills/github/github-pr-workflow/references/conventional-commits.md +0 -71
- package/skills/github/github-pr-workflow/templates/pr-body-bugfix.md +0 -35
- package/skills/github/github-pr-workflow/templates/pr-body-feature.md +0 -33
- package/skills/github/github-repo-management/SKILL.md +0 -515
- package/skills/github/github-repo-management/references/github-api-cheatsheet.md +0 -161
- package/skills/github-orchestrator/SKILL.md +0 -103
- package/skills/mcp/DESCRIPTION.md +0 -3
- package/skills/mcp/mcporter/SKILL.md +0 -122
- package/skills/mcp/native-mcp/SKILL.md +0 -356
- package/skills/software-development/architect/SKILL.md +0 -154
- package/skills/software-development/assure-guardrails/SKILL.md +0 -239
- package/skills/software-development/plan/SKILL.md +0 -64
- package/skills/software-development/requesting-code-review/SKILL.md +0 -291
- package/skills/software-development/subagent-driven-development/SKILL.md +0 -433
- package/skills/software-development/systematic-debugging/SKILL.md +0 -366
- package/skills/software-development/test-driven-development/SKILL.md +0 -342
|
@@ -1,74 +1,90 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: pr-review
|
|
3
|
-
description: Review a GitHub pull request
|
|
4
|
-
version:
|
|
3
|
+
description: Review a GitHub pull request and post one formal review — advance the existing discussion, verify by building, and give tiered feedback. Use when asked to review a PR or on a cron PR scan.
|
|
4
|
+
version: 3.0.0
|
|
5
5
|
tags: [github, review, code-quality]
|
|
6
6
|
---
|
|
7
7
|
|
|
8
|
-
# PR Review
|
|
8
|
+
# PR Review
|
|
9
9
|
|
|
10
|
-
|
|
11
|
-
|
|
10
|
+
Review an open PR and post **one formal review**. Build and test the change for
|
|
11
|
+
real — static reasoning alone is not a review of correctness.
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
This skill is the PR-specific procedure. It uses two shared skills: the
|
|
14
|
+
**building** skill for installing and running the test/lint/typecheck gate, and
|
|
15
|
+
the **code-review** skill for the finding tiers and what-to-check rubric.
|
|
16
|
+
|
|
17
|
+
## Workspace
|
|
14
18
|
|
|
15
|
-
|
|
19
|
+
The harness pre-clones the PR's head ref into a `<repo>/` **subdirectory** of
|
|
20
|
+
your cwd (the cwd holds `AGENTS.md`; the repo is one level deeper). `ls -la` —
|
|
21
|
+
if you see `<repo>/.git/`, `cd <repo>` and use git directly. To refresh:
|
|
22
|
+
`git fetch origin <branch> --depth 50 && git reset --hard FETCH_HEAD`. If the
|
|
23
|
+
pre-clone is missing, `git clone https://github.com/{{owner}}/{{repo}}.git {{repo}}`.
|
|
16
24
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
25
|
+
**Read code from this local checkout, never the API.** Use `git`/`read`/`grep`
|
|
26
|
+
on disk for the diff and file contents. Do **not** call
|
|
27
|
+
`github_get_pull_request_diff`, `github_list_pull_request_files`, or
|
|
28
|
+
`github_get_file_contents` — the API patch is a large redundant payload that
|
|
29
|
+
re-bloats context every turn. The `github_*` tools are for *API* operations only
|
|
30
|
+
(metadata, comments, posting the review).
|
|
22
31
|
|
|
23
|
-
|
|
32
|
+
## Procedure
|
|
24
33
|
|
|
25
|
-
|
|
26
|
-
- Get the PR title, description, author, labels, and linked issues
|
|
27
|
-
- Get the list of changed files and the diff
|
|
28
|
-
- Skip PRs authored by `last-light[bot]` (self-review)
|
|
34
|
+
### 1. Confirm the target
|
|
29
35
|
|
|
30
|
-
|
|
36
|
+
If `prNumber` (or `issueNumber`) is set in the Context block, **that is your
|
|
37
|
+
target** — go straight to `github_get_pull_request` with it. Do **not** call
|
|
38
|
+
`github_list_pull_requests` to "find" or "confirm" it; you were handed it, and
|
|
39
|
+
listing dumps a large payload for nothing. Only when no PR is given (a repo-wide
|
|
40
|
+
`mode: scan`) do you list open PRs and pick the most recent unreviewed one.
|
|
31
41
|
|
|
32
|
-
|
|
33
|
-
-
|
|
34
|
-
-
|
|
42
|
+
**Stop conditions** (check before reviewing):
|
|
43
|
+
- PR authored by `last-light[bot]` → skip. Never self-review.
|
|
44
|
+
- `merged === true` → stop. This skill reviews open PRs only.
|
|
45
|
+
- A `last-light[bot]` review already exists on the **current head SHA** → stop;
|
|
46
|
+
don't post a duplicate. (A re-review is fine once new commits land.)
|
|
35
47
|
|
|
36
|
-
|
|
37
|
-
- Clone the repo locally and read changed files in FULL context
|
|
38
|
-
- Trace data flow through modified functions
|
|
39
|
-
- Check callers of modified functions for regression risk
|
|
40
|
-
- Check if tests cover actual risk areas, not just happy paths
|
|
48
|
+
### 2. Read the prior discussion
|
|
41
49
|
|
|
42
|
-
|
|
50
|
+
A review advances the conversation, don't restart it. Fetch and absorb:
|
|
51
|
+
`github_list_pull_request_reviews`, `github_list_issue_comments`,
|
|
52
|
+
`github_list_pull_request_review_comments`. Done when you can say: which findings
|
|
53
|
+
were already raised (don't repeat them), which threads the author resolved
|
|
54
|
+
(treat as done unless the fix is wrong), which are still open (surface those —
|
|
55
|
+
higher signal than a fresh nit), and whether a human already approved.
|
|
43
56
|
|
|
44
|
-
|
|
45
|
-
- **Important**: Missing tests, perf issues, type errors — should fix
|
|
46
|
-
- **Suggestions**: Clarity, naming, DRY opportunities — nice to have
|
|
47
|
-
- **Nits**: Style, formatting — optional
|
|
57
|
+
### 3. Get the diff
|
|
48
58
|
|
|
49
|
-
|
|
59
|
+
From inside `<repo>/`:
|
|
60
|
+
```
|
|
61
|
+
git fetch origin <baseRef> --depth 50 # base isn't in the head-only clone
|
|
62
|
+
git diff --stat origin/<baseRef>...HEAD # churn
|
|
63
|
+
git diff origin/<baseRef>...HEAD # the patch
|
|
64
|
+
```
|
|
50
65
|
|
|
51
|
-
|
|
52
|
-
- Findings grouped by tier, with file:line references
|
|
53
|
-
- Inline code suggestions where helpful
|
|
54
|
-
- For complex PRs: impact analysis (affected code paths, regression risks)
|
|
55
|
-
- Overall assessment: approve, request changes, or comment
|
|
56
|
-
- Thank the contributor
|
|
66
|
+
### 4. Verify by building
|
|
57
67
|
|
|
58
|
-
|
|
68
|
+
Follow the **building** skill: install dependencies (install-first), then run the
|
|
69
|
+
project's build and tests, and cite the real output in your findings. Any PR that
|
|
70
|
+
touches code must be built and tested. The one exception is a pure style/docs PR,
|
|
71
|
+
where building to nitpick formatting is wasted effort — skip it and say so.
|
|
59
72
|
|
|
60
|
-
|
|
73
|
+
### 5. Assess and submit
|
|
61
74
|
|
|
62
|
-
|
|
75
|
+
Apply the **code-review** skill's rubric — read each changed file in context,
|
|
76
|
+
check correctness/edge-cases/security/regression-risk/test-coverage, and
|
|
77
|
+
categorise findings into the tiers. Then write the review:
|
|
63
78
|
|
|
64
|
-
|
|
79
|
+
- One or two sentences on what the PR does.
|
|
80
|
+
- Findings grouped by tier, each with a `path:line` reference and an inline code
|
|
81
|
+
suggestion where it helps.
|
|
82
|
+
- For a complex PR, an impact note (affected paths, regression risks).
|
|
83
|
+
- An overall assessment, and thanks to the contributor.
|
|
65
84
|
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
- Don't nitpick generated files (lock files, compiled assets)
|
|
69
|
-
- Don't repeat what linters/CI already catch
|
|
70
|
-
- Don't block PRs over style preferences alone
|
|
71
|
-
- Skip PRs authored by the bot itself
|
|
85
|
+
Submit with `github_create_pull_request_review` (a **formal** review, not a plain
|
|
86
|
+
issue comment), event `APPROVE` / `REQUEST_CHANGES` / `COMMENT` to match.
|
|
72
87
|
|
|
73
88
|
## Verification
|
|
74
|
-
|
|
89
|
+
|
|
90
|
+
Confirm the review posted by checking the PR's reviews list.
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: qa-test
|
|
3
|
+
description: Run an automated QA flow against a CLI or a locally-served app and report step-level pass/fail with evidence. Use when asked to QA-test a feature, exercise a flow end-to-end, or smoke-test what a PR changed.
|
|
4
|
+
version: 1.0.0
|
|
5
|
+
tags: [github, qa, testing, evidence]
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# QA Test
|
|
9
|
+
|
|
10
|
+
Drive a target through a sequence of steps and report **step-level pass/fail**
|
|
11
|
+
with evidence for each step. The deliverable is a QA report, not a single
|
|
12
|
+
verdict — partial coverage with documented failures is the expected output.
|
|
13
|
+
|
|
14
|
+
This skill uses the **building** skill for installing dependencies and running
|
|
15
|
+
the repo's build/run commands in the sandbox.
|
|
16
|
+
|
|
17
|
+
> **Scope (text-evidence path).** In the default text phase the sandbox agent
|
|
18
|
+
> has bash, file read, and the github tools — no browser, no screenshots. QA a
|
|
19
|
+
> **CLI** directly, or a **web service** by starting its dev-server in the
|
|
20
|
+
> background and exercising it with `curl` (status codes, response bodies,
|
|
21
|
+
> headers). Capture stdout/stderr, exit codes, and log excerpts as per-step
|
|
22
|
+
> evidence. Driving a real browser UI and attaching screenshots is the separate
|
|
23
|
+
> `browser-qa` skill, staged only in the gated browser phase running on the
|
|
24
|
+
> docker QA image (Playwright + Chromium). If that skill isn't in your
|
|
25
|
+
> catalogue, mark a step that genuinely needs rendered-UI interaction
|
|
26
|
+
> **BLOCKED** with the reason rather than faking a result — the browser phase
|
|
27
|
+
> will pick it up when available.
|
|
28
|
+
|
|
29
|
+
## Parse the target
|
|
30
|
+
|
|
31
|
+
The Context block gives you what to test and (usually) a PR/issue. The target
|
|
32
|
+
may be:
|
|
33
|
+
|
|
34
|
+
- A **CLI command** (`my-cli --flag`, a subcommand) → run it directly.
|
|
35
|
+
- A **local web service** (an app the repo serves on a port) → start it, hit it
|
|
36
|
+
with `curl`.
|
|
37
|
+
- A **PR reference + focus area** → read the diff and infer the flow that
|
|
38
|
+
exercises what changed.
|
|
39
|
+
- A **free-text flow** ("create a project, then list it") → infer concrete steps.
|
|
40
|
+
|
|
41
|
+
When a PR/issue is given, read its description + diff (from the local checkout —
|
|
42
|
+
see the **building** skill) to decide what's worth testing.
|
|
43
|
+
|
|
44
|
+
## Define the steps
|
|
45
|
+
|
|
46
|
+
If the request specifies steps, use them. Otherwise design a reasonable flow:
|
|
47
|
+
|
|
48
|
+
- **CLI**: invoke with valid input → assert output/exit code → invoke an edge
|
|
49
|
+
case (bad flag, missing arg) → assert it's handled → done.
|
|
50
|
+
- **Web service**: start the server → wait until it's ready → hit the primary
|
|
51
|
+
endpoint(s) → assert status + body → hit an error case → assert handling →
|
|
52
|
+
stop the server.
|
|
53
|
+
|
|
54
|
+
State the steps and their success criteria before running. If the flow or the
|
|
55
|
+
success criteria are genuinely ambiguous and you can't infer them from the diff,
|
|
56
|
+
say what's unclear in the report rather than inventing a pass.
|
|
57
|
+
|
|
58
|
+
## Run each step
|
|
59
|
+
|
|
60
|
+
Follow the **building** skill to install and build first. Then run each step in
|
|
61
|
+
order, capturing evidence (command + stdout/stderr + exit code) at every step.
|
|
62
|
+
|
|
63
|
+
- **Record each step's result as you go** — PASS, FAIL, or BLOCKED.
|
|
64
|
+
- **On failure, continue to the next step** for maximum coverage — *unless* the
|
|
65
|
+
failure blocks everything downstream (e.g. the server never starts, or a login
|
|
66
|
+
step fails). If it's a hard blocker, record it, mark the rest BLOCKED, and stop.
|
|
67
|
+
- Treat a wrong result as a real finding, not your mistake. Don't edit the code
|
|
68
|
+
under test to make a step pass.
|
|
69
|
+
|
|
70
|
+
## Report
|
|
71
|
+
|
|
72
|
+
Produce your report as your **final message** in this shape — the workflow posts
|
|
73
|
+
it for you (don't `github_add_issue_comment` yourself; that would double-post).
|
|
74
|
+
**Keep it concise**: a one-line environment summary, the results table (terse
|
|
75
|
+
Evidence cells), the failures, and a short coverage note — not a step-by-step
|
|
76
|
+
narration.
|
|
77
|
+
|
|
78
|
+
```
|
|
79
|
+
## QA Test: <target>
|
|
80
|
+
|
|
81
|
+
**Environment:** <branch / commit, package manager, how the app was run>
|
|
82
|
+
|
|
83
|
+
### Results
|
|
84
|
+
| Step | Status | Evidence |
|
|
85
|
+
|------|--------|----------|
|
|
86
|
+
| <step description> | PASS / FAIL / BLOCKED | <command + key output / exit code> |
|
|
87
|
+
|
|
88
|
+
### Issues found
|
|
89
|
+
- <each FAIL with the expected vs observed behaviour and the evidence>
|
|
90
|
+
|
|
91
|
+
### Coverage
|
|
92
|
+
<what was tested, and what was not tested and why (e.g. a UI-only step that the
|
|
93
|
+
text-evidence sandbox can't drive).>
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
Every defined step must have a row and a result. Never report a flow as
|
|
97
|
+
"passed" with steps you didn't actually run — list them as untested instead.
|
|
@@ -1,64 +1,67 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: repo-health
|
|
3
|
-
description: Generate a health report for a GitHub repository — open
|
|
4
|
-
version:
|
|
5
|
-
|
|
6
|
-
hermes:
|
|
7
|
-
tags: [github, monitoring, reporting]
|
|
8
|
-
category: maintenance
|
|
9
|
-
requires_toolsets: [terminal]
|
|
3
|
+
description: Generate a health report for a GitHub repository — open-issue and PR backlog, unreviewed PRs, stale needs-info, failing CI, and the resulting action items. Use for a status report or on a weekly cron.
|
|
4
|
+
version: 2.0.0
|
|
5
|
+
tags: [github, monitoring, reporting]
|
|
10
6
|
---
|
|
11
7
|
|
|
12
|
-
#
|
|
8
|
+
# Repo Health
|
|
13
9
|
|
|
14
|
-
|
|
15
|
-
|
|
10
|
+
Produce a point-in-time health snapshot of a repo and the action items it
|
|
11
|
+
implies. One report per run.
|
|
16
12
|
|
|
17
13
|
## Procedure
|
|
18
14
|
|
|
19
|
-
1.
|
|
20
|
-
- Open issue count, broken down by label/priority
|
|
21
|
-
- Open PR count, and how long each has been open
|
|
22
|
-
- PRs awaiting review (no reviews yet)
|
|
23
|
-
- Issues labeled `needs-info` with no response
|
|
24
|
-
- Recently closed issues and merged PRs (last 7 days)
|
|
15
|
+
### 1. Gather metrics
|
|
25
16
|
|
|
26
|
-
|
|
27
|
-
- PRs open > 7 days with no review
|
|
28
|
-
- Issues labeled `p0-critical` or `p1-high` still open
|
|
29
|
-
- Stale `needs-info` issues (14+ days)
|
|
30
|
-
- PRs with failing CI
|
|
17
|
+
Pull these via `github_*` MCP tools. Done when each number below is filled.
|
|
31
18
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
19
|
+
- **Open issues** — total, and a breakdown by the repo's own priority/severity
|
|
20
|
+
labels *if it uses any* (don't assume a fixed scheme).
|
|
21
|
+
- **Open PRs** — total, and how long each has been open. Exclude drafts from any
|
|
22
|
+
"awaiting review" count.
|
|
23
|
+
- **Unreviewed PRs** — open, non-draft, no reviews yet.
|
|
24
|
+
- **Stale `needs-info`** — issues labelled `needs-info` with no activity for 14+ days.
|
|
25
|
+
- **Recent throughput** — issues closed and PRs merged in the last 7 days.
|
|
35
26
|
|
|
36
|
-
|
|
37
|
-
- Open issues: X (Y critical, Z high)
|
|
38
|
-
- Open PRs: X (Y awaiting review)
|
|
39
|
-
- Merged this week: X PRs
|
|
40
|
-
- Closed this week: X issues
|
|
27
|
+
Batch requests and don't fetch full history — rate limits bite on large repos.
|
|
41
28
|
|
|
42
|
-
|
|
43
|
-
- [ ] PR #123 — open 12 days, no review
|
|
44
|
-
- [ ] Issue #456 — p0-critical, open 3 days
|
|
45
|
-
- [ ] Issue #789 — needs-info, stale 21 days
|
|
29
|
+
### 2. Derive action items
|
|
46
30
|
|
|
47
|
-
|
|
48
|
-
- Issue velocity: +X opened, -Y closed (net: ±Z)
|
|
49
|
-
```
|
|
31
|
+
Each is a checkbox line with the number and the reason:
|
|
50
32
|
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
33
|
+
- PRs open > 7 days with no review.
|
|
34
|
+
- High-priority issues still open (by whatever priority labels the repo uses).
|
|
35
|
+
- `ready-for-agent` issues sitting unactioned (agent backlog).
|
|
36
|
+
- Stale `needs-info` (14+ days).
|
|
37
|
+
- PRs with failing CI.
|
|
54
38
|
|
|
55
|
-
|
|
39
|
+
### 3. Render the report
|
|
56
40
|
|
|
57
|
-
|
|
41
|
+
```markdown
|
|
42
|
+
## Repo Health: {owner}/{repo} — {YYYY-MM-DD}
|
|
58
43
|
|
|
59
|
-
|
|
60
|
-
-
|
|
61
|
-
-
|
|
44
|
+
### Overview
|
|
45
|
+
- Open issues: {X} ({breakdown by the repo's priority labels, if any})
|
|
46
|
+
- Open PRs: {X} ({Y} awaiting review)
|
|
47
|
+
- Merged this week: {X} PRs · Closed this week: {X} issues
|
|
48
|
+
|
|
49
|
+
### Action items
|
|
50
|
+
- [ ] PR #123 — open 12 days, no review
|
|
51
|
+
- [ ] Issue #456 — high priority, open 3 days
|
|
52
|
+
- [ ] Issue #789 — needs-info, stale 21 days
|
|
53
|
+
|
|
54
|
+
### Trends
|
|
55
|
+
- Issue velocity: +{X} opened, −{Y} closed (net {±Z})
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
Omit a section that has nothing in it rather than printing "none".
|
|
59
|
+
|
|
60
|
+
### 4. Deliver
|
|
61
|
+
|
|
62
|
+
Output the report as the final response. The harness routes it (direct display
|
|
63
|
+
interactively, or to the configured channel on a cron run).
|
|
62
64
|
|
|
63
65
|
## Verification
|
|
64
|
-
|
|
66
|
+
|
|
67
|
+
Spot-check 2–3 of the reported numbers against the GitHub UI before delivering.
|
|
@@ -0,0 +1,173 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-feedback
|
|
3
|
+
description: Process a maintainer's comment on a security scan-summary issue — break selected findings out into individual actionable issues, or record accepted risks / false positives in SECURITY.md.
|
|
4
|
+
version: 2.0.0
|
|
5
|
+
tags: [github, security, feedback]
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Security Feedback
|
|
9
|
+
|
|
10
|
+
A maintainer commented on a `security`-labelled issue — almost always a per-run
|
|
11
|
+
**security scan summary** (one issue per scan, a task-list of findings). Based on
|
|
12
|
+
the comment, either:
|
|
13
|
+
|
|
14
|
+
- **Break selected findings into individual issues** (each can later feed `build`). Primary flow.
|
|
15
|
+
- **Record a suppression** in `SECURITY.md` (accepted risk / false positive).
|
|
16
|
+
- Reply for discussion, or ignore noise.
|
|
17
|
+
|
|
18
|
+
The parent issue's grammar is the contract defined in
|
|
19
|
+
`skills/security-review/references/issue-format.md`. This skill is staged into its
|
|
20
|
+
own workspace and **cannot read that file**, so it carries its own copy of the
|
|
21
|
+
row/severity regex below — **if you change the grammar, update both in lockstep.**
|
|
22
|
+
|
|
23
|
+
## Context
|
|
24
|
+
|
|
25
|
+
- `context.repo` — `owner/name`
|
|
26
|
+
- `context.issueNumber` — the security summary issue (parent)
|
|
27
|
+
- `context.commentBody` — the triggering comment
|
|
28
|
+
- `context.sender` — the commenter's GitHub login
|
|
29
|
+
|
|
30
|
+
The parent body is not passed — fetch it at step 1.
|
|
31
|
+
|
|
32
|
+
## 1. Fetch and parse the parent issue
|
|
33
|
+
|
|
34
|
+
`github_get_issue({ owner, repo, issue_number: issueNumber })`.
|
|
35
|
+
|
|
36
|
+
**Version check.** The body MUST start with `<!-- lastlight-security-scan-version: 1 -->`.
|
|
37
|
+
If the marker is missing or the version isn't `1`, reply: "Unknown scan-summary
|
|
38
|
+
format — this skill is at version 1 but the parent reports a different version.
|
|
39
|
+
Ask the maintainer to re-run `@last-light security-review`." Do not parse further.
|
|
40
|
+
|
|
41
|
+
**Parse each finding row** with this canonical regex (all three states):
|
|
42
|
+
|
|
43
|
+
```
|
|
44
|
+
/^- \[([ x])\] <!-- item:(\d+) fp:([0-9a-f]{8,}) --> (?:~~)?\*\*(.+?)\*\* — `([^`]+):(\d+)` \(([a-z][a-z0-9-]*) · `([^`]+)`\)(?:~~ → #(\d+))?$/m
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
Captures: `checkbox` (` `/`x`), `item`, `fp`, `title`, `file`, `line`, `tool`,
|
|
48
|
+
`rule`, and `subIssueNumber` (only when already broken out). Derive per row:
|
|
49
|
+
|
|
50
|
+
| Derived | Definition |
|
|
51
|
+
|---------|------------|
|
|
52
|
+
| `alreadyBrokenOut` | `subIssueNumber != null` — turned into a sub-issue on a prior run |
|
|
53
|
+
| `userTicked` | `checkbox === "x" && !alreadyBrokenOut` — the maintainer ticked the box, selecting it |
|
|
54
|
+
|
|
55
|
+
`userTicked` is the primary selection signal; `alreadyBrokenOut` rows are never
|
|
56
|
+
re-selected regardless of checkbox state.
|
|
57
|
+
|
|
58
|
+
**Severity** comes from the nearest preceding section header (tolerating a
|
|
59
|
+
trailing truncation suffix like `(showing first 7 of 25)`):
|
|
60
|
+
|
|
61
|
+
```
|
|
62
|
+
/^### (🔴|🟠|🟡|🟢) (Critical|High|Medium|Low) \((\d+)\)(?:\s.*)?$/m
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
Map Critical/High/Medium/Low → `p0-critical`/`p1-high`/`p2-medium`/`p3-low`.
|
|
66
|
+
|
|
67
|
+
**Parse the `<details>` block** after each row (starts `<details><summary>Details</summary>`,
|
|
68
|
+
ends `</details>`): the fenced block → `snippet` + `language`; paragraphs between
|
|
69
|
+
the fence and `**Suggested fix:**` → `explanation`; text after `**Suggested fix:**`
|
|
70
|
+
→ `suggestedFix`.
|
|
71
|
+
|
|
72
|
+
Store each finding as `{ item, fp, title, file, line, tool, rule, severity,
|
|
73
|
+
language, snippet, explanation, suggestedFix, userTicked, alreadyBrokenOut, subIssueNumber? }`.
|
|
74
|
+
|
|
75
|
+
## 2. Classify the comment intent
|
|
76
|
+
|
|
77
|
+
Pick the single best-fit bucket:
|
|
78
|
+
|
|
79
|
+
- **create-issues** — break selected findings out. Signals: bare `@last-light
|
|
80
|
+
create issues` (defaults to ticked), "create issues for…", "make issues for…",
|
|
81
|
+
"break out…", "file sub-issues for…", "create an issue for items 1, 3".
|
|
82
|
+
- **accept-risk** — accept a finding's risk. Signals: "accept-risk:", "we know
|
|
83
|
+
about this", "won't fix", "accepted".
|
|
84
|
+
- **false-positive** — not real. Signals: "false-positive:", "not a vulnerability",
|
|
85
|
+
"not applicable".
|
|
86
|
+
- **reopen** — re-evaluate a suppressed finding. Signals: "reopen", "re-evaluate".
|
|
87
|
+
- **discuss** — a question or conversation about the findings.
|
|
88
|
+
- **ignore** — noise (thanks, unrelated remark).
|
|
89
|
+
|
|
90
|
+
`accept-risk` / `false-positive` / `reopen` MUST name a specific finding via
|
|
91
|
+
`item N` / `item: N` — fall through to `discuss` if unresolved.
|
|
92
|
+
|
|
93
|
+
## 3. Act
|
|
94
|
+
|
|
95
|
+
### create-issues
|
|
96
|
+
|
|
97
|
+
1. **Resolve the selection** (first match wins):
|
|
98
|
+
- **`ticked` / `checked` / `selected`** → every `userTicked` finding. Preferred UX.
|
|
99
|
+
- **Default (no qualifier)** → treat as `ticked`. If no rows are ticked, reply:
|
|
100
|
+
```
|
|
101
|
+
No rows are ticked. Tick the checkboxes on the findings you want broken out, then comment again — or use one of:
|
|
102
|
+
- `@last-light create issues for the criticals`
|
|
103
|
+
- `@last-light create issues for items 1, 3, 5`
|
|
104
|
+
- `@last-light create issues for all`
|
|
105
|
+
```
|
|
106
|
+
- `all` / `every` → every parsed finding regardless of tick state.
|
|
107
|
+
- `criticals` / `the criticals` / `p0-critical` → every `p0-critical` (same for
|
|
108
|
+
highs/mediums/lows). A count in the comment ("5 criticals") is ignored.
|
|
109
|
+
- `items N, M` / `item N` → specific 1-based item numbers from `<!-- item:N -->`.
|
|
110
|
+
|
|
111
|
+
In every form, silently drop `alreadyBrokenOut` findings and mention them in the
|
|
112
|
+
summary. If the selection is empty, reply:
|
|
113
|
+
```
|
|
114
|
+
No findings matched `{selection text}`. This scan has: {nC} critical, {nH} high, {nM} medium, {nL} low. Ticked: {nTicked}. Already broken out: {nDone}.
|
|
115
|
+
```
|
|
116
|
+
and create nothing. If the form is unrecognised (ambiguous), ask for clarification — don't guess.
|
|
117
|
+
|
|
118
|
+
2. **For each selected finding**, `github_create_issue` using the sub-issue body
|
|
119
|
+
template in [references/templates.md](references/templates.md). Record each new
|
|
120
|
+
`subIssueNumber` against its `item`.
|
|
121
|
+
|
|
122
|
+
3. **Rewrite the parent body.** For every finding just broken out, transition its
|
|
123
|
+
row to **broken-out**:
|
|
124
|
+
```
|
|
125
|
+
- [x] <!-- item:N fp:FP --> ~~**TITLE** — `FILE:LINE` (TOOL · `RULE`)~~ → #SUBISSUE
|
|
126
|
+
```
|
|
127
|
+
(checkbox `[x]`, title+location wrapped in `~~…~~`, ` → #SUBISSUE` appended).
|
|
128
|
+
Match by `item:N`. Do **not** touch rows that weren't selected, even if ticked.
|
|
129
|
+
Preserve all other content byte-for-byte. `github_update_issue`.
|
|
130
|
+
|
|
131
|
+
4. **Post a summary comment** on the parent:
|
|
132
|
+
```
|
|
133
|
+
Created {N} sub-issue(s) at @{sender}'s request:
|
|
134
|
+
|
|
135
|
+
- #{subN1} — {title 1} (item {item1})
|
|
136
|
+
…
|
|
137
|
+
|
|
138
|
+
{if any skipped}: Skipped {M} item(s) already broken out: items {list}.
|
|
139
|
+
|
|
140
|
+
Comment `@last-light build` on any sub-issue to start a fix.
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
### accept-risk / false-positive
|
|
144
|
+
|
|
145
|
+
1. Resolve the target by `item N`; fall through to `discuss` if absent/unknown.
|
|
146
|
+
2. Extract the reason (text after the first `:`, trimmed; "no reason given" if absent).
|
|
147
|
+
3. `github_clone_repo`. Read `SECURITY.md`; create from the scaffold in
|
|
148
|
+
[references/templates.md](references/templates.md) if missing.
|
|
149
|
+
4. Append a row to the matching table (accepted risks OR false positives) per the
|
|
150
|
+
template.
|
|
151
|
+
5. Commit on branch `security/feedback-{parentIssueNumber}-{shortFingerprint}`,
|
|
152
|
+
push, and open a PR titled `security: record {accept-risk|false-positive} for {shortFingerprint}`.
|
|
153
|
+
6. Comment on the parent: `Opened PR #{prNumber} to record this in SECURITY.md.
|
|
154
|
+
Once merged, this finding will be suppressed in future scans.`
|
|
155
|
+
7. Do **not** tick the task-list checkbox — that marker is reserved for "broken out to sub-issue".
|
|
156
|
+
|
|
157
|
+
### reopen
|
|
158
|
+
|
|
159
|
+
Reply: "To re-evaluate this finding, run `@last-light security-review` — the next
|
|
160
|
+
scan re-picks it up if `SECURITY.md` has been updated." Do not modify `SECURITY.md`.
|
|
161
|
+
|
|
162
|
+
### discuss
|
|
163
|
+
|
|
164
|
+
Reply conversationally using the finding's `<details>` block (risk, tool, suggested
|
|
165
|
+
fix). Don't modify `SECURITY.md` or create sub-issues.
|
|
166
|
+
|
|
167
|
+
### ignore
|
|
168
|
+
|
|
169
|
+
Take no action.
|
|
170
|
+
|
|
171
|
+
## Tool usage
|
|
172
|
+
|
|
173
|
+
GitHub operations via `github_*` MCP tools only — never `gh` CLI, `curl`, or raw HTTP.
|
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
# security-feedback templates
|
|
2
|
+
|
|
3
|
+
## Sub-issue body (create-issues)
|
|
4
|
+
|
|
5
|
+
`github_create_issue` with `title` = the finding's `title` (exactly as parsed, no
|
|
6
|
+
prefix/suffix), `labels` = `["security", severity]` (e.g. `["security",
|
|
7
|
+
"p0-critical"]`), and this body:
|
|
8
|
+
|
|
9
|
+
````markdown
|
|
10
|
+
<!-- fp:{fingerprint} -->
|
|
11
|
+
<!-- parent-security-scan: #{parentIssueNumber} -->
|
|
12
|
+
|
|
13
|
+
Broken out from security scan #{parentIssueNumber} on {today's date} at @{sender}'s request.
|
|
14
|
+
|
|
15
|
+
**File**: `{file}:{line}`
|
|
16
|
+
**Tool**: {tool} · `{rule}`
|
|
17
|
+
**Severity**: {severity}
|
|
18
|
+
|
|
19
|
+
```{language}
|
|
20
|
+
{snippet}
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
{explanation}
|
|
24
|
+
|
|
25
|
+
## Suggested fix
|
|
26
|
+
|
|
27
|
+
{suggestedFix}
|
|
28
|
+
|
|
29
|
+
---
|
|
30
|
+
|
|
31
|
+
_To build a fix for this finding, comment `@last-light build` on this issue._
|
|
32
|
+
````
|
|
33
|
+
|
|
34
|
+
## SECURITY.md scaffold (accept-risk / false-positive)
|
|
35
|
+
|
|
36
|
+
Create this if `SECURITY.md` is missing, then append the row:
|
|
37
|
+
|
|
38
|
+
```markdown
|
|
39
|
+
# SECURITY.md
|
|
40
|
+
|
|
41
|
+
This file configures the Last Light security scanner for this repository.
|
|
42
|
+
|
|
43
|
+
## Tool configuration
|
|
44
|
+
|
|
45
|
+
| Tool | Severity floor |
|
|
46
|
+
|------|---------------|
|
|
47
|
+
| npm-audit | medium |
|
|
48
|
+
| semgrep | medium |
|
|
49
|
+
| gitleaks | high |
|
|
50
|
+
| claude | medium |
|
|
51
|
+
|
|
52
|
+
## Accepted risks
|
|
53
|
+
|
|
54
|
+
Findings in this table are known risks the maintainers have explicitly accepted.
|
|
55
|
+
The scanner will not re-file issues for these findings.
|
|
56
|
+
|
|
57
|
+
| Fingerprint | Title | Reason | Date | Issue |
|
|
58
|
+
|-------------|-------|--------|------|-------|
|
|
59
|
+
|
|
60
|
+
## False positives
|
|
61
|
+
|
|
62
|
+
Findings in this table have been classified as not real security issues.
|
|
63
|
+
The scanner will not re-file issues for these findings.
|
|
64
|
+
|
|
65
|
+
| Fingerprint | Title | Reason | Date | Issue |
|
|
66
|
+
|-------------|-------|--------|------|-------|
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
Appended row (to whichever table matches the intent):
|
|
70
|
+
|
|
71
|
+
| Column | Value |
|
|
72
|
+
|--------|-------|
|
|
73
|
+
| Fingerprint | First 16 hex chars of the finding's `fp` |
|
|
74
|
+
| Title | Finding's `title` |
|
|
75
|
+
| Reason | Extracted reason (text after the first `:`; "no reason given" if absent) |
|
|
76
|
+
| Date | Today's date (YYYY-MM-DD, UTC) |
|
|
77
|
+
| Issue | `#{parentIssueNumber}` |
|