pierre-review 0.1.13 → 0.1.15

package/dist/api/routes/claude-review.js

@@ -1,5 +1,5 @@
 import { config } from '../../config.js';
-import { getClaudeReviewById, getClaudeReviewContext, getFindingPostContext, getLatestClaudeReview, listClaudeReviewHistory, } from '../../db/queries.js';
+import { getClaudeReviewById, getClaudeReviewContext, getFindingPostContext, getLatestClaudeReview, listAllClaudeReviews, listClaudeReviewHistory, } from '../../db/queries.js';
 import { markFindingPosted, markReviewPosted, updateFinding, updateReviewDraft, } from '../../review/persist.js';
 import { getReviewStatus, listActiveReviews, requestReviewCancel, startReview, } from '../../review/review-manager.js';
 import { detectClaudeAuth } from '../../review/auth.js';
@@ -7,7 +7,7 @@ import { hasUserAnthropicKey, setUserAnthropicKey, } from '../../review/local-se
 import { buildReview, fetchCurrentHeadSha, fetchPrDiff, findingCommentBody, stripNoiseFromDiff, submitGithubComment, submitGithubReview, } from '../../review/post-review.js';
 import { isNoiseFile } from '../../review/prompt.js';
 import { accountIdOf } from '../plugins/auth.js';
-const MODELS = ['claude-opus-4-8', 'claude-sonnet-4-6', 'claude-haiku-4-5'];
+const MODELS = ['claude-opus-4-8', 'claude-sonnet-4-6'];
 const VERDICTS = ['COMMENT', 'REQUEST_CHANGES', 'APPROVE'];
 const idParam = {
     params: {
@@ -175,6 +175,14 @@ export async function claudeReviewRoutes(app) {
         }
         return { status: 'cancelling' };
     });
+    // Cross-PR list of prior Claude reviews (one entry per PR = its most-recent
+    // succeeded run, within the timeline window). Static path — registered before
+    // the /:reviewId param route so Fastify never mis-routes it.
+    app.get('/api/claude-reviews', async (req) => {
+        if (!config.claudeReviewEnabled)
+            return { reviews: [] };
+        return { reviews: await listAllClaudeReviews(accountIdOf(req)) };
+    });
     // All in-flight reviews (global progress banner). Static path — Fastify
     // prioritises it over the /:reviewId param route.
     app.get('/api/claude-reviews/active', async () => {

package/dist/api/routes/timeline.js

@@ -66,7 +66,7 @@ export async function timelineRoutes(app) {
             userIds: parseIntList(q.userIds),
             types: parseTypes(q.types),
             statuses: parseStatuses(q.statuses),
-            excludeBots: q.excludeBots !== 'false',
+            excludeBots: q.excludeBots === 'true',
             excludeStale: q.excludeStale === 'true',
         };
         return getTimeline(filters);

package/dist/app.js

@@ -30,6 +30,39 @@ export async function buildApp() {
                 : { target: 'pino-pretty', options: { translateTime: 'HH:MM:ss' } },
         },
     });
+    // Cloud only: canonicalise the host and pin HTTPS. Local mode runs on
+    // http://127.0.0.1, where HSTS would wrongly pin localhost to HTTPS and a www
+    // redirect is meaningless — so both are cloud-gated. Registered first so it runs
+    // before everything else (the redirect short-circuits before CORS/routing).
+    if (config.isCloud) {
+        let canonicalHost = '';
+        try {
+            // hostname (not host) so a configured port never enters the comparison.
+            canonicalHost = new URL(config.appBaseUrl).hostname.toLowerCase();
+        }
+        catch {
+            canonicalHost = '';
+        }
+        app.addHook('onRequest', async (req, reply) => {
+            // HSTS: keep browsers on HTTPS for this domain. Honored only over HTTPS
+            // (Railway terminates TLS); ignored on plain HTTP. `includeSubDomains` also
+            // covers www. No `preload` — it's hard to undo. HSTS_MAX_AGE=0 disables it.
+            if (config.hstsMaxAge > 0) {
+                reply.header('Strict-Transport-Security', `max-age=${config.hstsMaxAge}; includeSubDomains`);
+            }
+            // Canonical host: 301 www.<apex> → <apex> so the OAuth round-trip and the
+            // session cookie stay on a single origin (and crawlers see one canonical
+            // URL). The HSTS header set above still rides on the redirect response.
+            if (canonicalHost) {
+                // Strip any :port from the Host header before comparing hostnames.
+                const host = (req.headers.host ?? '').toLowerCase().split(':')[0] ?? '';
+                if (host !== canonicalHost &&
+                    host.replace(/^www\./, '') === canonicalHost) {
+                    return reply.redirect(`${config.appBaseUrl}${req.url}`, 301);
+                }
+            }
+        });
+    }
     // CORS: in cloud mode lock to the app's own origin and allow credentials so the
     // session cookie rides along; local mode reflects any origin (dev convenience).
     await app.register(cors, {

package/dist/config.js

@@ -96,6 +96,11 @@ export const config = {
     sessionSecret: process.env.SESSION_SECRET ?? '',
     // 32-byte (64-hex) key for AES-256-GCM encryption of stored access tokens.
     encryptionKey: process.env.ENCRYPTION_KEY ?? '',
+    // HSTS max-age (seconds) for the cloud public origin. Sent only in cloud mode
+    // and honored only over HTTPS (Railway terminates TLS). Default 1 year. Set
+    // HSTS_MAX_AGE=0 as a kill switch. `preload` is intentionally NOT sent — it is
+    // hard to undo; opt in manually once the domain is proven.
+    hstsMaxAge: intFromEnv('HSTS_MAX_AGE', 31536000),
     // ---- Claude Review (agentic PR review; opt-in, LOCAL-ONLY) ----
     // OFF by default: the feature spends real money / Agent-SDK credits per run.
     // Enable with ENABLE_CLAUDE_REVIEW=true. FORCE-DISABLED in cloud mode (it
@@ -108,8 +113,9 @@ export const config = {
     cloneCacheMaxBytes: intFromEnv('CLONE_CACHE_MAX_BYTES', 2 * 1024 * 1024 * 1024),
     // Default model for the picker; per-run model still overrides on the request.
     defaultReviewModel: process.env.DEFAULT_REVIEW_MODEL ?? 'claude-sonnet-4-6',
-    // Per-run caps (cost/disk/time runaway guards).
-    reviewMaxTurns: intFromEnv('REVIEW_MAX_TURNS', 40),
+    // Per-run caps (cost/disk/time runaway guards). The diff is inlined in full, so
+    // reviews need far fewer turns than the old default; 30 is still generous.
+    reviewMaxTurns: intFromEnv('REVIEW_MAX_TURNS', 30),
     reviewBudgetUsd: floatFromEnv('REVIEW_BUDGET_USD', 1.0),
     // At most one review per PR; this caps concurrent reviews across all PRs.
     reviewConcurrency: intFromEnv('REVIEW_CONCURRENCY', 1),

package/dist/db/queries.js

@@ -1028,6 +1028,60 @@ export async function listClaudeReviewHistory(prId, accountId) {
         finishedAt: iso(r.finishedAt),
     }));
 }
+// Cross-PR list of prior Claude reviews: ONE entry per PR = that PR's most-recent
+// SUCCEEDED run, accountId-scoped, restricted to PRs still within the timeline
+// window (open, or last touched within `backfillDays`), newest-first by finish
+// time. Used by GET /api/claude-reviews to populate the "prior reviews" view.
+export async function listAllClaudeReviews(accountId) {
+    // Same window cutoff getTimeline uses for its overlap predicate (now − backfillDays).
+    const cutoff = new Date(Date.now() - config.backfillDays * 24 * 60 * 60 * 1000);
+    const rows = await db
+        .select({
+        reviewId: claudeReviews.id,
+        prId: claudeReviews.prId,
+        owner: repos.owner,
+        name: repos.name,
+        prNumber: pullRequests.number,
+        prTitle: pullRequests.title,
+        prState: pullRequests.state,
+        summary: claudeReviews.summary,
+        verdict: claudeReviews.verdict,
+        headSha: claudeReviews.headSha,
+        status: claudeReviews.status,
+        createdAt: claudeReviews.createdAt,
+        finishedAt: claudeReviews.finishedAt,
+    })
+        .from(claudeReviews)
+        .innerJoin(pullRequests, eq(pullRequests.id, claudeReviews.prId))
+        .innerJoin(repos, eq(repos.id, pullRequests.repoId))
+        .where(and(eq(repos.accountId, accountId), eq(claudeReviews.status, 'succeeded'), or(eq(pullRequests.state, 'open'), gte(sql `coalesce(${pullRequests.mergedAt}, ${pullRequests.closedAt}, ${pullRequests.openedAt})`, tsBound(cutoff)))))
+        .orderBy(desc(claudeReviews.finishedAt), desc(claudeReviews.createdAt))
+        .execute();
+    // Keep the first (most-recent) succeeded run per PR. N is small (single local
+    // user), so a JS pass is simpler and portable across both dialects.
+    const seen = new Set();
+    const items = [];
+    for (const r of rows) {
+        if (seen.has(r.prId))
+            continue;
+        seen.add(r.prId);
+        items.push({
+            reviewId: r.reviewId,
+            prId: r.prId,
+            repoFullName: `${r.owner}/${r.name}`,
+            prNumber: r.prNumber,
+            prTitle: r.prTitle,
+            prState: r.prState,
+            summary: r.summary,
+            verdict: r.verdict,
+            headSha: r.headSha,
+            status: r.status,
+            createdAt: r.createdAt.toISOString(),
+            finishedAt: iso(r.finishedAt),
+        });
+    }
+    return items;
+}
 export async function getFindingPostContext(findingId, accountId) {
     const rows = await db
         .select({

package/dist/db/schema.pg.js

@@ -311,7 +311,7 @@ export const claudeReviews = pgTable('claude_reviews', {
         enum: ['queued', 'running', 'succeeded', 'failed', 'cancelled'],
     }).notNull(),
     model: text('model', {
-        enum: ['claude-opus-4-8', 'claude-sonnet-4-6', 'claude-haiku-4-5'],
+        enum: ['claude-opus-4-8', 'claude-sonnet-4-6'],
     }).notNull(),
     scope: text('scope', { enum: ['diff_only', 'worktree'] }),
     summary: text('summary'),

package/dist/db/schema.sqlite.js

@@ -339,7 +339,7 @@ export const claudeReviews = sqliteTable('claude_reviews', {
         enum: ['queued', 'running', 'succeeded', 'failed', 'cancelled'],
     }).notNull(),
     model: text('model', {
-        enum: ['claude-opus-4-8', 'claude-sonnet-4-6', 'claude-haiku-4-5'],
+        enum: ['claude-opus-4-8', 'claude-sonnet-4-6'],
     }).notNull(),
     // Null until the agent decides whether it explored the worktree.
     scope: text('scope', { enum: ['diff_only', 'worktree'] }),

package/dist/review/agent.js

@@ -25,6 +25,8 @@ const DISALLOWED_TOOLS = [
     'Bash(git commit *)',
     'Bash(git config *)',
 ];
+// How many recent-activity lines to keep in the live progress ring buffer.
+const ACTIVITY_LOG_CAP = 25;
 // Run a review end-to-end and persist its result. Owns status transitions:
 // running → succeeded/failed/cancelled. Never throws to the caller for an
 // expected failure (it records it); rethrows only truly unexpected errors so the
@@ -88,11 +90,30 @@ export async function runReview(args) {
                 abortController,
             },
         });
-        let announcedReviewing = false;
+        // Rolling, newest-last log of what the agent is doing right now, surfaced via
+        // onProgress (rides the /status poll). Live-only — never persisted.
+        const activity = [];
+        const pushActivity = (line) => {
+            const trimmed = line.trim();
+            if (!trimmed)
+                return;
+            activity.push(trimmed);
+            if (activity.length > ACTIVITY_LOG_CAP)
+                activity.shift();
+        };
         for await (const message of q) {
-            if (message.type === 'assistant' && !announcedReviewing) {
-                announcedReviewing = true;
-                onProgress({ phase: 'reviewing' });
+            if (message.type === 'assistant') {
+                // Derive short, human-readable lines from the assistant turn's content
+                // blocks. Defensive throughout: content may be missing and tool input
+                // shapes vary — a malformed block must never abort the review.
+                try {
+                    for (const line of describeAssistantBlocks(message))
+                        pushActivity(line);
+                }
+                catch {
+                    /* never let progress derivation break the run */
+                }
+                onProgress({ phase: 'reviewing', recentActivity: [...activity] });
             }
             else if (message.type === 'result') {
                 result = message;
@@ -164,7 +185,17 @@ export async function runReview(args) {
         if (repoCloneDir && worktreePath) {
             await removeWorktree(repoCloneDir, worktreePath).catch(() => { });
         }
-        cleanupCloneCache();
+        // LRU eviction does a full recursive dir walk; keep it off the run-teardown
+        // critical path. Defer it (fire-and-forget) so the review result returns
+        // promptly. cleanupCloneCache is itself best-effort and never throws.
+        setImmediate(() => {
+            try {
+                cleanupCloneCache();
+            }
+            catch {
+                /* advisory cleanup — never surface */
+            }
+        });
     }
 }
 function errorMessage(err) {
@@ -172,4 +203,74 @@ function errorMessage(err) {
         return err.message;
     return String(err);
 }
+const TEXT_SNIPPET_CAP = 120;
+const BASH_CMD_CAP = 80;
+/**
+ * Turn one assistant message into a few short, human-readable progress lines:
+ * a label per tool_use block (e.g. `Read src/foo.ts`, `Grep "TODO"`, `Bash npm
+ * test`) plus a clipped snippet of any assistant text. Defensive throughout —
+ * the SDK content/tool-input shapes vary, so every access is guarded and this
+ * never throws.
+ */
+function describeAssistantBlocks(message) {
+    const lines = [];
+    const content = message?.message
+        ?.content;
+    if (!Array.isArray(content))
+        return lines;
+    for (const raw of content) {
+        if (!raw || typeof raw !== 'object')
+            continue;
+        const block = raw;
+        if (block.type === 'tool_use') {
+            const name = typeof block.name === 'string' ? block.name : 'Tool';
+            const input = block.input && typeof block.input === 'object'
+                ? block.input
+                : {};
+            lines.push(labelToolUse(name, input));
+        }
+        else if (block.type === 'text' && typeof block.text === 'string') {
+            const snippet = clip(block.text.replace(/\s+/g, ' ').trim(), TEXT_SNIPPET_CAP);
+            if (snippet)
+                lines.push(snippet);
+        }
+    }
+    return lines;
+}
+/** Build a short label for a tool call from its name + a truncated first arg. */
+function labelToolUse(name, input) {
+    const str = (v) => typeof v === 'string' && v.trim().length > 0 ? v.trim() : null;
+    switch (name) {
+        case 'Read': {
+            const p = str(input.file_path) ?? str(input.path);
+            return p ? `Read ${p}` : 'Read …';
+        }
+        case 'Glob': {
+            const p = str(input.pattern);
+            return p ? `Glob ${p}` : 'Glob …';
+        }
+        case 'Grep': {
+            const p = str(input.pattern);
+            return p ? `Grep "${clip(p, BASH_CMD_CAP)}"` : 'Grep …';
+        }
+        case 'Bash': {
+            const c = str(input.command);
+            return c ? `Bash ${clip(c, BASH_CMD_CAP)}` : 'Bash …';
+        }
+        case 'mcp__review__submit_review':
+            return 'Submitting review…';
+        default: {
+            // Generic: name + a truncated first string-valued arg, if any.
+            for (const key of Object.keys(input)) {
+                const v = str(input[key]);
+                if (v)
+                    return `${name} ${clip(v, BASH_CMD_CAP)}`;
+            }
+            return `${name} …`;
+        }
+    }
+}
+function clip(s, max) {
+    return s.length > max ? `${s.slice(0, max)}…` : s;
+}
 //# sourceMappingURL=agent.js.map

package/dist/review/clone-manager.js

@@ -46,11 +46,15 @@ export async function ensureClone(owner, name) {
  * Fetch a PR's head ref into the clone's object store so its head commit
  * (`sha`) becomes resolvable for a worktree checkout. The current PR head
  * commit equals `pull/<n>/head`, so fetching that ref is sufficient.
+ *
+ * Fast path: if `sha` is already present in the local object store (a prior
+ * review of the same head left it there), skip the network fetch entirely —
+ * it's the dominant per-review network cost and is fully redundant when the
+ * head hasn't moved.
  */
 export async function fetchPrHead(repoCloneDir, prNumber, sha) {
-    // `sha` is documented in the signature but the head ref fetch is what makes
-    // it resolvable; nothing else is needed here.
-    void sha;
+    if (await hasCommit(repoCloneDir, sha))
+        return;
     await git([
         '-C',
         repoCloneDir,
@@ -61,6 +65,21 @@ export async function fetchPrHead(repoCloneDir, prNumber, sha) {
         `pull/${prNumber}/head`,
     ]);
 }
+/** True if `sha` resolves to a commit object already in the local store. */
+async function hasCommit(repoCloneDir, sha) {
+    if (!sha)
+        return false;
+    try {
+        await execFileAsync('git', ['-C', repoCloneDir, 'cat-file', '-e', `${sha}^{commit}`], {
+            timeout: 10_000,
+            maxBuffer: 1024 * 1024,
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * Create an ephemeral detached worktree at `<clone>/.worktrees/<sha>` checked
  * out at `sha`, and return its absolute path. If a stale worktree at that path

package/dist/review/prompt.js

@@ -113,6 +113,7 @@ Decide how far to look using this heuristic:
 When in doubt about whether something exported is used elsewhere, look — a wrong signature change with stale callers is a blocker, not a nit.
 
 # What you're given
+- The COMPLETE unified diff for this PR is inlined in the user message. Use it directly — do NOT run \`git diff\`/\`git show\` to re-derive the change, and do NOT Read files just to see the diff. Explore the worktree only for context the diff doesn't show (callers, dependents, type definitions, surrounding code).
 - Noise files (lockfiles and generated/vendored artifacts) have ALREADY been stripped from the diff. Do not ask for them and do not flag their absence.
 - Line numbers for anchoring findings refer to the NEW-file (RIGHT) side of the diff unless you are pointing at a removed/old line.
 
@@ -194,7 +195,7 @@ export function buildUserPrompt(input) {
     }
     lines.push('## Diff');
     lines.push('');
-    lines.push('This unified diff has already had noise files removed. Line numbers you cite for anchoring refer to the NEW-file (RIGHT) side unless you are pointing at a deleted line (LEFT).');
+    lines.push('The COMPLETE unified diff for this PR is provided in full below (noise files already removed). Use it directly — do NOT run `git diff` / `git show` to re-derive it, and do NOT Read files just to see the diff. Explore the worktree only for context the diff does not show: callers, dependents, type definitions, and surrounding code. Line numbers you cite for anchoring refer to the NEW-file (RIGHT) side unless you are pointing at a deleted line (LEFT).');
     lines.push('');
     lines.push('```diff');
     lines.push(diff);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pierre-review",
-  "version": "0.1.13",
+  "version": "0.1.15",
   "description": "Dashboard for tracking your team's GitHub PR activity across repos — local (SQLite + gh) or self-hosted multi-tenant cloud (Postgres + GitHub App).",
   "type": "module",
   "author": "Alex Wakeman",