open-azdo 0.2.9 → 0.3.1
- package/README.md +56 -2
- package/SECURITY.md +3 -2
- package/dist/open-azdo.js +57330 -33407
- package/dist/open-azdo.js.map +106 -17
- package/examples/azure-pipelines.review.debug.yml +3 -3
- package/examples/azure-pipelines.review.yml +2 -2
- package/package.json +6 -1
package/README.md
CHANGED
|
@@ -9,10 +9,11 @@ This package is the published-package path for secure PR review automation. Unli
|
|
|
9
9
|
- edit the repository
|
|
10
10
|
- commit or push changes
|
|
11
11
|
- expose command-triggered execution modes
|
|
12
|
-
-
|
|
12
|
+
- rely on a persistent or shared OpenCode server
|
|
13
13
|
- rely on tokenized clone URLs
|
|
14
14
|
|
|
15
15
|
The CLI consumes the Azure Pipeline checkout workspace directly and uses the built-in `System.AccessToken` for the minimal Azure DevOps REST surface.
|
|
16
|
+
Each review run starts a short-lived localhost OpenCode server, prompts it through the SDK v2 client with JSON-schema structured output, and tears it down before exit. If the model returns malformed JSON, `open-azdo` attempts repair before degrading to a summary-only `"concerns"` result.
|
|
16
17
|
|
|
17
18
|
## Install And Run
|
|
18
19
|
|
|
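Review bot: the new paragraph following the `System.AccessToken` line says a malformed model response is repaired and otherwise degraded to a summary-only `"concerns"` result, but it does not say how that degraded result reaches the PR or whether it changes the exit code; since the Exit behavior section states that successful runs return `0` even when findings are posted, add a sentence stating whether a degraded run is posted as a thread comment, only logged, or treated as a failure, so pipeline authors know what a silently degraded review looks like from the outside.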
@@ -50,6 +51,50 @@ Optional flags:
|
|
|
50
51
|
- `--dry-run`
|
|
51
52
|
- `--json`
|
|
52
53
|
|
|
54
|
+
## Sandbox Capture
|
|
55
|
+
|
|
56
|
+
Use the live capture command when you want to validate changes against a real Azure DevOps pull request without mutating PR threads:
|
|
57
|
+
|
|
58
|
+
```bash
|
|
59
|
+
bun run ./bin/open-azdo.ts sandbox capture --model "openai/gpt-5.4"
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
The command is intentionally opt-in and uses a separate env namespace:
|
|
63
|
+
|
|
64
|
+
- `OPEN_AZDO_LIVE_MODEL`
|
|
65
|
+
- `OPEN_AZDO_LIVE_OPENCODE_VARIANT`
|
|
66
|
+
- `OPEN_AZDO_LIVE_OPENCODE_TIMEOUT`
|
|
67
|
+
- `OPEN_AZDO_LIVE_WORKSPACE`
|
|
68
|
+
- `OPEN_AZDO_LIVE_COLLECTION_URL`
|
|
69
|
+
- `OPEN_AZDO_LIVE_ORGANIZATION`
|
|
70
|
+
- `OPEN_AZDO_LIVE_PROJECT`
|
|
71
|
+
- `OPEN_AZDO_LIVE_REPOSITORY_ID`
|
|
72
|
+
- `OPEN_AZDO_LIVE_PULL_REQUEST_ID`
|
|
73
|
+
- `OPEN_AZDO_LIVE_ACCESS_TOKEN`
|
|
74
|
+
|
|
75
|
+
Provider API keys remain provider-native, for example `OPENAI_API_KEY`.
|
|
76
|
+
|
|
77
|
+
Behavior:
|
|
78
|
+
|
|
79
|
+
- if `OPEN_AZDO_LIVE_WORKSPACE` or `--workspace` is set, `open-azdo` validates that checkout and does not mutate it
|
|
80
|
+
- otherwise it creates a temporary checkout, fetches the PR source and target refs, runs the review, and deletes the temp checkout on exit
|
|
81
|
+
- Azure DevOps stays read-only for this command
|
|
82
|
+
- the same short-lived localhost OpenCode server behavior used by `review` is reused here
|
|
83
|
+
|
|
84
|
+
Default output path:
|
|
85
|
+
|
|
86
|
+
```text
|
|
87
|
+
.captures/<org>-<project>-pr-<id>.json
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
From the monorepo root you can use:
|
|
91
|
+
|
|
92
|
+
```bash
|
|
93
|
+
bun run sandbox:capture
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
Start with [`.env.integration.example`](../../.env.integration.example) and write your local secrets to `.env.integration.local`.
|
|
97
|
+
|
|
53
98
|
Exit behavior:
|
|
54
99
|
|
|
55
100
|
- successful review runs return `0`, even when findings are posted
|
|
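Review bot: the `OPEN_AZDO_LIVE_ACCESS_TOKEN` entry in the new env list should state the minimum token scope it needs; the same section says Azure DevOps stays read-only for this command, so a read-only Code/pull-request scope should suffice and the doc should say so rather than leave users reaching for a full-scope PAT. Two smaller documentation points in the same hunk: the default output `.captures/<org>-<project>-pr-<id>.json` will hold PR content and model output and `.env.integration.local` holds the token, so both paths should be listed as gitignored (or the reader told to ignore them); and "deletes the temp checkout on exit" should say whether cleanup also runs on a timeout or signal, since a leftover temporary checkout of a private repository is the failure mode that matters here.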
@@ -92,7 +137,7 @@ steps:
|
|
|
92
137
|
unzip -q bun.zip
|
|
93
138
|
export PATH="$PWD/bun-linux-x64:$PATH"
|
|
94
139
|
|
|
95
|
-
curl -fsSL https://github.com/sst/opencode/releases/download/v1.
|
|
140
|
+
curl -fsSL https://github.com/sst/opencode/releases/download/v1.3.3/opencode-linux-x64.tar.gz -o opencode.tar.gz
|
|
96
141
|
mkdir -p opencode-bin
|
|
97
142
|
tar -xzf opencode.tar.gz -C opencode-bin
|
|
98
143
|
export PATH="$PWD/opencode-bin:$PATH"
|
|
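Review bot: the replaced `curl` line pins OpenCode to the `v1.3.3` tag, but nothing verifies the downloaded `opencode.tar.gz` before `tar -xzf` extracts it onto `PATH`, and the same applies to `bun.zip` in the surrounding context lines; because this runs inside the pipeline with `System.AccessToken` in the environment, add a checksum step between download and extraction, for example `echo "<expected-sha256>  opencode.tar.gz" | sha256sum -c -` (expected hash taken from the release), so a tampered or swapped release asset fails the job instead of running a review with repository access.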
@@ -114,3 +159,12 @@ bun install
|
|
|
114
159
|
bun run check
|
|
115
160
|
bun run build
|
|
116
161
|
```
|
|
162
|
+
|
|
163
|
+
For local sandbox validation:
|
|
164
|
+
|
|
165
|
+
```bash
|
|
166
|
+
bun run sandbox:capture
|
|
167
|
+
bun run sandbox:dev
|
|
168
|
+
```
|
|
169
|
+
|
|
170
|
+
The sandbox app runs on `http://127.0.0.1:4317`, not port `3000`. The expected UI smoke path is manual validation with the `playwriter` skill.
|
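Review bot: the last added line references the `playwriter` skill and the `bun run sandbox:dev` target without saying where either comes from; link or name the skill's source and state what `sandbox:dev` serves, since a reader following "manual validation" has nothing to install. A second point on the same line: `4317` is also the conventional OTLP gRPC port used by OpenTelemetry collectors, so a developer running a local collector will hit a bind conflict; either note that or make the port configurable, and spell out that the app binds to `127.0.0.1` only (the URL implies it but the text does not state it).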
package/SECURITY.md
CHANGED
|
@@ -9,6 +9,7 @@
|
|
|
9
9
|
Inputs are treated as untrusted:
|
|
10
10
|
|
|
11
11
|
- pull-request title and description
|
|
12
|
+
- pull-request thread comments
|
|
12
13
|
- repository contents
|
|
13
14
|
- generated diffs and file excerpts
|
|
14
15
|
- model output
|
|
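Review bot: adding "pull-request thread comments" to the untrusted-inputs list is right, but the document does not say how those comments are rendered into the model prompt; a thread comment is the one input that anyone with PR access can write freely, so add a sentence stating that comments are passed as delimited, labelled data rather than instructions and whether they are length-capped, so the handling of this input is documented next to the trust statement.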
@@ -40,14 +41,14 @@ If required history is missing, `open-azdo` fails with a remediation message ins
|
|
|
40
41
|
|
|
41
42
|
## OpenCode Containment
|
|
42
43
|
|
|
43
|
-
Each review run
|
|
44
|
+
Each review run starts a short-lived OpenCode server bound to `127.0.0.1` on a dynamically chosen port and shuts it down on exit. The generated `azdo-review` agent remains read-only:
|
|
44
45
|
|
|
45
46
|
- read/search/listing tools allowed
|
|
46
47
|
- edit and write denied
|
|
47
48
|
- web fetch and web search denied
|
|
48
49
|
- bash denied by default, with a narrow allowlist for read-style commands
|
|
49
50
|
|
|
50
|
-
|
|
51
|
+
OpenCode is prompted through the SDK v2 client with JSON-schema structured output. If structured output is unavailable or malformed, the workflow attempts JSON repair and then degrades to a summary-only `"concerns"` result instead of trusting arbitrary text as valid findings.
|
|
51
52
|
|
|
52
53
|
## Azure DevOps Mutations
|
|
53
54
|
|
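Review bot: the rewritten "Each review run" paragraph states the server binds to `127.0.0.1` on a dynamic port but not whether it requires any authentication, and the allowlist bullet ("bash denied by default, with a narrow allowlist for read-style commands") does not enumerate the allowed commands; loopback binding does not isolate the server from other processes on the same agent, so state whether requests need a token, and list the allowlist (or link to where it is defined) so reviewers can confirm nothing on it has network or write side effects. For the new JSON-repair paragraph, add that the repaired document is re-validated against the same JSON schema before its findings are trusted; as written, repair reads as a path for malformed output to bypass the schema check the paragraph relies on.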