patchpilots 0.5.1 → 0.5.2

package/README.md

@@ -29,18 +29,28 @@ A team of AI agents that reviews and improves your code automatically.
 
 Built for solo developers and hobby projects — when you don't have a team to review your PRs, PatchPilots is your crew.
 
-## Install
+## Use it 3 ways
 
+### `npx` — no install, one-off
 ```bash
 npx patchpilots audit ./src
 ```
 
-Or install globally:
-
+### Global install — your machine, any project
 ```bash
 npm install -g patchpilots
+patchpilots audit ./src
+```
+
+### GitHub Action — automatic on every PR
+```yaml
+- uses: alavesa/patchpilots@main
+  with:
+    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 ```
 
+All three use the same package. The CLI runs locally, the Action runs on GitHub's servers. Same agents, same output.
+
 ## The Killer Feature
 
 **`patchpilots audit`** — run all 7 agents in one command. No other tool does this.
@@ -262,6 +272,43 @@ Config resolution order: CLI flags > project `.patchpilots.json` > global `~/.pa
 
 TypeScript, JavaScript, JSX/TSX, Python, Go, Rust, Java, Ruby, PHP, C/C++, C#, Swift, Kotlin, HTML, CSS, SCSS, Vue, Svelte.
 
+## GitHub Action
+
+Auto-review every PR with one workflow file:
+
+```yaml
+# .github/workflows/patchpilots.yml
+name: PatchPilots Review
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: alavesa/patchpilots@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          path: './src'
+```
+
+The action posts findings as a PR comment (updated on each push, no spam). Critical findings fail the check by default.
+
+| Input | Default | Description |
+|-------|---------|-------------|
+| `anthropic_api_key` | (required) | Your Anthropic API key |
+| `path` | `./src` | Path to review |
+| `model` | `claude-sonnet-4-6` | Claude model to use |
+| `skip` | | Agents to skip (e.g. `plan,test,docs`) |
+| `severity` | `info` | Minimum severity to report |
+| `fail_on_critical` | `true` | Fail the check on critical findings |
+
 ## Powered by Claude API
 
 - **Structured outputs** — guaranteed schema compliance via JSON schema enforcement
@@ -300,7 +347,7 @@ Adding a new agent is one file + three methods.
 - [x] 18 file types supported
 
 ### Next up
-- [ ] **GitHub Action** — auto-review PRs and post findings as comments
+- [x] **GitHub Action** — auto-review PRs and post findings as comments
 - [ ] **Parallel file review** — review in batches instead of one giant prompt
 - [ ] **Smart model routing** — Haiku for Docs/Tester, Sonnet for Reviewer/Coder
 - [x] **Custom agents** — define your own agents via `.patchpilots.json`

package/action/format-comment.cjs

@@ -0,0 +1,239 @@
+#!/usr/bin/env node
+
+/**
+ * Converts PatchPilots AuditResult JSON into a GitHub markdown comment.
+ * Zero dependencies — runs on any Node.js 18+.
+ *
+ * Usage: node format-comment.js /path/to/result.json
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+const MAX_FINDINGS = 50;
+const MAX_PATCHES = 30;
+
+const SEVERITY_EMOJI = {
+  critical: ":red_circle:",
+  high: ":orange_circle:",
+  warning: ":yellow_circle:",
+  medium: ":yellow_circle:",
+  info: ":blue_circle:",
+  low: ":blue_circle:",
+};
+
+function severityEmoji(severity) {
+  return SEVERITY_EMOJI[severity] || ":white_circle:";
+}
+
+function escapeMarkdown(text) {
+  if (!text) return "";
+  return text.replace(/\|/g, "\\|").replace(/\n/g, " ");
+}
+
+function truncate(text, max = 120) {
+  if (!text) return "";
+  const clean = text.replace(/\n/g, " ");
+  return clean.length > max ? clean.slice(0, max) + "..." : clean;
+}
+
+// --- Sections ---
+
+function formatHeader(result) {
+  const lines = [];
+  lines.push("<!-- patchpilots-report -->");
+  lines.push("# PatchPilots Audit Report");
+  lines.push("");
+  lines.push(
+    `**Risk Score:** ${result.riskScore?.toUpperCase() || "N/A"} | ` +
+      `**Findings:** ${result.totalFindings || 0} | ` +
+      `**Patches:** ${result.totalPatches || 0}`
+  );
+  lines.push("");
+  return lines.join("\n");
+}
+
+function formatPlan(plan) {
+  if (!plan || !plan.tasks || plan.tasks.length === 0) return "";
+  const lines = [];
+  lines.push("## :brain: Plan");
+  lines.push("");
+  if (plan.goal) {
+    lines.push(`> ${plan.goal}`);
+    lines.push("");
+  }
+  for (const task of plan.tasks) {
+    const complexity =
+      task.estimatedComplexity === "complex"
+        ? ":red_circle:"
+        : task.estimatedComplexity === "moderate"
+        ? ":yellow_circle:"
+        : ":green_circle:";
+    lines.push(
+      `${task.id}. ${complexity} **${task.title}** \\[${task.priority}\\]`
+    );
+    if (task.description) lines.push(`   ${truncate(task.description, 200)}`);
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+
+function formatReview(review) {
+  if (!review || !review.findings || review.findings.length === 0) {
+    return "## :mag: Code Review\n\n:white_check_mark: No issues found.\n\n";
+  }
+
+  const lines = [];
+  lines.push(`## :mag: Code Review (${review.findings.length} findings)`);
+  lines.push("");
+  lines.push("| Severity | File | Finding | Suggestion |");
+  lines.push("|----------|------|---------|------------|");
+
+  const shown = review.findings.slice(0, MAX_FINDINGS);
+  for (const f of shown) {
+    const loc = f.line ? `\`${f.file}:${f.line}\`` : `\`${f.file}\``;
+    lines.push(
+      `| ${severityEmoji(f.severity)} ${f.severity} | ${loc} | ${escapeMarkdown(f.title)} | ${escapeMarkdown(truncate(f.suggestion || f.description, 100))} |`
+    );
+  }
+
+  if (review.findings.length > MAX_FINDINGS) {
+    lines.push("");
+    lines.push(
+      `*... and ${review.findings.length - MAX_FINDINGS} more findings*`
+    );
+  }
+
+  lines.push("");
+  return lines.join("\n");
+}
+
+function formatSecurity(security) {
+  if (!security || !security.findings || security.findings.length === 0) {
+    return "## :lock: Security Audit\n\n:white_check_mark: No security issues found.\n\n";
+  }
+
+  const lines = [];
+  lines.push(
+    `## :lock: Security Audit (${security.findings.length} findings)`
+  );
+  lines.push("");
+  lines.push("| Severity | File | Category | Finding | Remediation |");
+  lines.push("|----------|------|----------|---------|-------------|");
+
+  const shown = security.findings.slice(0, MAX_FINDINGS);
+  for (const f of shown) {
+    const loc = f.line ? `\`${f.file}:${f.line}\`` : `\`${f.file}\``;
+    const cat = f.cwe ? `${f.category} (${f.cwe})` : f.category;
+    lines.push(
+      `| ${severityEmoji(f.severity)} ${f.severity} | ${loc} | ${escapeMarkdown(cat)} | ${escapeMarkdown(f.title)} | ${escapeMarkdown(truncate(f.remediation, 100))} |`
+    );
+  }
+
+  if (security.findings.length > MAX_FINDINGS) {
+    lines.push("");
+    lines.push(
+      `*... and ${security.findings.length - MAX_FINDINGS} more findings*`
+    );
+  }
+
+  lines.push("");
+  return lines.join("\n");
+}
+
+function formatPatches(coder) {
+  if (
+    !coder ||
+    !coder.improvedFiles ||
+    coder.improvedFiles.length === 0
+  ) {
+    return "";
+  }
+
+  const lines = [];
+  let totalPatches = 0;
+  for (const f of coder.improvedFiles) totalPatches += f.patches.length;
+
+  lines.push(`## :sparkles: Suggested Improvements (${totalPatches} patches)`);
+  lines.push("");
+
+  let patchCount = 0;
+  for (const file of coder.improvedFiles) {
+    if (patchCount >= MAX_PATCHES) {
+      lines.push(
+        `*... and more patches across remaining files*`
+      );
+      break;
+    }
+
+    lines.push(
+      `<details>\n<summary><strong>${file.path}</strong> (${file.patches.length} patches)</summary>\n`
+    );
+
+    for (const patch of file.patches) {
+      if (patchCount >= MAX_PATCHES) break;
+      lines.push(`**${escapeMarkdown(patch.description)}**`);
+      lines.push("```diff");
+      for (const line of patch.find.split("\n")) {
+        lines.push(`- ${line}`);
+      }
+      for (const line of patch.replace.split("\n")) {
+        lines.push(`+ ${line}`);
+      }
+      lines.push("```");
+      lines.push("");
+      patchCount++;
+    }
+
+    lines.push("</details>\n");
+  }
+
+  lines.push("");
+  return lines.join("\n");
+}
+
+function formatTests(tests) {
+  if (!tests || !tests.testFiles || tests.testFiles.length === 0) return "";
+  const totalTests = tests.testFiles.reduce((s, f) => s + f.testCount, 0);
+  return `## :test_tube: Tests\n\n${totalTests} tests generated across ${tests.testFiles.length} file(s).\n\n`;
+}
+
+function formatDocs(docs) {
+  if (!docs || !docs.docs || docs.docs.length === 0) return "";
+  return `## :memo: Documentation\n\n${docs.docs.length} file(s) documented.\n\n`;
+}
+
+function formatFooter(result) {
+  const lines = [];
+  lines.push("---");
+  lines.push(
+    `<sub>Generated by <a href="https://github.com/alavesa/patchpilots">PatchPilots</a> ` +
+      `| ${result.totalFindings || 0} findings | ${result.totalPatches || 0} patches | risk: ${result.riskScore || "none"}</sub>`
+  );
+  return lines.join("\n");
+}
+
+// --- Main ---
+
+function formatComment(result) {
+  return [
+    formatHeader(result),
+    formatPlan(result.plan),
+    formatReview(result.review),
+    formatSecurity(result.security),
+    formatPatches(result.coder),
+    formatTests(result.tests),
+    formatDocs(result.docs),
+    formatFooter(result),
+  ].join("");
+}
+
+const filePath = process.argv[2];
+if (!filePath) {
+  console.error("Usage: node format-comment.js <result.json>");
+  process.exit(1);
+}
+
+const raw = fs.readFileSync(path.resolve(filePath), "utf-8");
+const result = JSON.parse(raw);
+process.stdout.write(formatComment(result));

package/action/run.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Build CLI flags
+FLAGS="--json --severity ${INPUT_SEVERITY}"
+if [ -n "${INPUT_MODEL}" ]; then FLAGS="${FLAGS} --model ${INPUT_MODEL}"; fi
+if [ -n "${INPUT_SKIP}" ]; then FLAGS="${FLAGS} --skip ${INPUT_SKIP}"; fi
+
+echo "::group::Running PatchPilots audit"
+echo "Path: ${INPUT_PATH}"
+echo "Model: ${INPUT_MODEL}"
+echo "Severity: ${INPUT_SEVERITY}"
+echo "Skip: ${INPUT_SKIP:-none}"
+
+# Run patchpilots audit — JSON goes to stdout, logs to stderr
+# shellcheck disable=SC2086
+RESULT=$(patchpilots audit "${INPUT_PATH}" ${FLAGS} 2>/dev/null) || true
+
+echo "::endgroup::"
+
+# If no output, warn and exit
+if [ -z "${RESULT}" ] || ! echo "${RESULT}" | jq empty 2>/dev/null; then
+  echo "::warning::PatchPilots produced no valid JSON output"
+  exit 0
+fi
+
+# Save raw JSON
+echo "${RESULT}" > /tmp/patchpilots-result.json
+
+# Format as markdown comment
+COMMENT=$(node "${GITHUB_ACTION_PATH}/action/format-comment.cjs" /tmp/patchpilots-result.json)
+
+# Post or update PR comment
+PR_NUMBER=$(jq -r '.pull_request.number // empty' "${GITHUB_EVENT_PATH}" 2>/dev/null || echo "")
+
+if [ -n "${PR_NUMBER}" ]; then
+  # Look for existing PatchPilots comment to update (avoid spam)
+  EXISTING=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
+    --jq '.[] | select(.body | startswith("<!-- patchpilots-report -->")) | .id' \
+    | head -1 || echo "")
+
+  if [ -n "${EXISTING}" ]; then
+    echo "Updating existing PatchPilots comment..."
+    gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING}" \
+      -X PATCH -f body="${COMMENT}"
+  else
+    echo "Posting PatchPilots comment..."
+    gh pr comment "${PR_NUMBER}" --body "${COMMENT}"
+  fi
+else
+  echo "::warning::Not running in a PR context — printing results to log"
+  echo "${COMMENT}"
+fi
+
+# Set outputs
+TOTAL_FINDINGS=$(echo "${RESULT}" | jq -r '.totalFindings // 0')
+TOTAL_PATCHES=$(echo "${RESULT}" | jq -r '.totalPatches // 0')
+RISK_SCORE=$(echo "${RESULT}" | jq -r '.riskScore // "none"')
+
+echo "total_findings=${TOTAL_FINDINGS}" >> "${GITHUB_OUTPUT}"
+echo "total_patches=${TOTAL_PATCHES}" >> "${GITHUB_OUTPUT}"
+echo "risk_score=${RISK_SCORE}" >> "${GITHUB_OUTPUT}"
+
+# Fail on critical findings if configured
+if [ "${INPUT_FAIL_ON_CRITICAL}" = "true" ]; then
+  REVIEW_CRITICAL=$(echo "${RESULT}" | jq '[(.review.findings // [])[] | select(.severity == "critical")] | length')
+  SECURITY_CRITICAL=$(echo "${RESULT}" | jq '[(.security.findings // [])[] | select(.severity == "critical")] | length')
+  TOTAL_CRITICAL=$((REVIEW_CRITICAL + SECURITY_CRITICAL))
+
+  if [ "${TOTAL_CRITICAL}" -gt 0 ]; then
+    echo "::error::PatchPilots found ${TOTAL_CRITICAL} critical finding(s)"
+    exit 1
+  fi
+fi
+
+echo "PatchPilots audit complete: ${TOTAL_FINDINGS} findings, ${TOTAL_PATCHES} patches, risk=${RISK_SCORE}"

package/action.yml

@@ -0,0 +1,61 @@
+name: 'PatchPilots Code Review'
+description: 'AI-powered code review with 7 specialized agents — review, security, improve, test, docs in one command'
+author: 'Piia Alavesa'
+
+branding:
+  icon: 'shield'
+  color: 'blue'
+
+inputs:
+  anthropic_api_key:
+    description: 'Anthropic API key'
+    required: true
+  path:
+    description: 'Path to review (relative to repo root)'
+    required: false
+    default: './src'
+  model:
+    description: 'Claude model to use'
+    required: false
+    default: 'claude-sonnet-4-6'
+  skip:
+    description: 'Agents to skip (comma-separated: plan,test,docs)'
+    required: false
+    default: ''
+  severity:
+    description: 'Minimum severity to report (critical, warning, info)'
+    required: false
+    default: 'info'
+  fail_on_critical:
+    description: 'Fail the check if critical findings exist'
+    required: false
+    default: 'true'
+
+outputs:
+  total_findings:
+    description: 'Total number of findings'
+  total_patches:
+    description: 'Total number of suggested patches'
+  risk_score:
+    description: 'Overall risk score (critical, high, medium, low, none)'
+
+runs:
+  using: 'composite'
+  steps:
+    - uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+    - name: Install PatchPilots
+      run: npm install -g patchpilots
+      shell: bash
+    - name: Run audit and post results
+      run: bash ${{ github.action_path }}/action/run.sh
+      shell: bash
+      env:
+        ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }}
+        INPUT_PATH: ${{ inputs.path }}
+        INPUT_MODEL: ${{ inputs.model }}
+        INPUT_SKIP: ${{ inputs.skip }}
+        INPUT_SEVERITY: ${{ inputs.severity }}
+        INPUT_FAIL_ON_CRITICAL: ${{ inputs.fail_on_critical }}
+        GITHUB_TOKEN: ${{ github.token }}

package/dist/src/utils/logger.js

@@ -5,24 +5,24 @@ export function setVerbose(enabled) {
 }
 export const log = {
     info(message) {
-        console.log(chalk.blue("ℹ"), message);
+        console.error(chalk.blue("ℹ"), message);
     },
     success(message) {
-        console.log(chalk.green("✓"), message);
+        console.error(chalk.green("✓"), message);
     },
     warn(message) {
-        console.log(chalk.yellow("⚠"), message);
+        console.error(chalk.yellow("⚠"), message);
     },
     error(message) {
         console.error(chalk.red("✗"), message);
     },
     verbose(message) {
         if (verboseMode) {
-            console.log(chalk.gray("→"), chalk.gray(message));
+            console.error(chalk.gray("→"), chalk.gray(message));
         }
     },
     step(message) {
-        console.log(chalk.cyan("●"), message);
+        console.error(chalk.cyan("●"), message);
     },
 };
 //# sourceMappingURL=logger.js.map

package/dist/src/utils/logger.js.map

@@ -1 +1 @@
-{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../../src/utils/logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,IAAI,WAAW,GAAG,KAAK,CAAC;AAExB,MAAM,UAAU,UAAU,CAAC,OAAgB;IACzC,WAAW,GAAG,OAAO,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,MAAM,GAAG,GAAG;IACjB,IAAI,CAAC,OAAe;QAClB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,CAAC,OAAe;QACrB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;IACD,IAAI,CAAC,OAAe;QAClB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IACD,KAAK,CAAC,OAAe;QACnB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,CAAC,OAAe;QACrB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IACD,IAAI,CAAC,OAAe;QAClB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;CACF,CAAC"}
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../../src/utils/logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,IAAI,WAAW,GAAG,KAAK,CAAC;AAExB,MAAM,UAAU,UAAU,CAAC,OAAgB;IACzC,WAAW,GAAG,OAAO,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,MAAM,GAAG,GAAG;IACjB,IAAI,CAAC,OAAe;QAClB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,CAAC,OAAe;QACrB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,CAAC,OAAe;QAClB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IACD,KAAK,CAAC,OAAe;QACnB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,CAAC,OAAe;QACrB,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IACD,IAAI,CAAC,OAAe;QAClB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;CACF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "patchpilots",
-  "version": "0.5.1",
+  "version": "0.5.2",
   "description": "A team of AI agents that reviews and improves your code automatically",
   "type": "module",
   "bin": {
@@ -10,6 +10,8 @@
   "types": "./dist/src/index.d.ts",
   "files": [
     "dist",
+    "action",
+    "action.yml",
     "README.md",
     "LICENSE"
   ],