pierre-review 0.1.25 → 0.1.27

package/dist/api/routes/feed.js

@@ -0,0 +1,9 @@
+import { getFeed } from '../../db/queries.js';
+import { accountIdOf } from '../plugins/auth.js';
+// The watched-repo activity Feed: recent events (last 14 days) across repos the user
+// has Watched, newest first, commit pushes excluded. The frontend mirrors these into an
+// append-only IndexedDB store (see lib/feedStore.ts). Account-scoped.
+export async function feedRoutes(app) {
+    app.get('/api/feed', async (req) => getFeed(accountIdOf(req), 14));
+}
+//# sourceMappingURL=feed.js.map

package/dist/api/routes/prs.js

@@ -1,6 +1,31 @@
-import { getPrDetail, markAllViewed, markPrViewed } from '../../db/queries.js';
+import { createHash } from 'node:crypto';
+import { getAccessToken, getAccountUserId } from '../../auth/account.js';
+import { getPrDetail, getPrFilesContext, getPrWriteContext, markAllViewed, markPrViewed, upsertLocalPrComment, upsertLocalReview, } from '../../db/queries.js';
+import { buildFileAnchors, fallbackAnchor, isFindingAnchored, } from '../../github/diff-anchor.js';
+import { addIssueComment, fetchHeadShaFor, fetchPrFilesWithPatch, postInlineComment, submitPrReview, } from '../../github/mutations.js';
 import { hydratePrDetail } from '../../sync/hydrate-detail.js';
 import { accountIdOf } from '../plugins/auth.js';
+// GitHub anchors a file in the PR "Files changed" diff by the SHA-256 of its
+// path (matches db/queries.ts + hydrate-detail.ts's diffAnchorId).
+function diffAnchorId(path) {
+    return createHash('sha256').update(path, 'utf8').digest('hex');
+}
+const PR_FILE_STATUSES = [
+    'added',
+    'modified',
+    'removed',
+    'renamed',
+    'changed',
+    'copied',
+    'unchanged',
+];
+// Pass GitHub's REST file status through verbatim when it's one we model, else
+// fall back to 'changed' (the catch-all GitHub itself uses).
+function normalizeStatus(status) {
+    return PR_FILE_STATUSES.includes(status)
+        ? status
+        : 'changed';
+}
 const idParamSchema = {
     params: {
         type: 'object',
@@ -23,6 +48,37 @@ const markAllViewedSchema = {
         properties: { repoIds: { type: 'array', items: { type: 'integer' } } },
     },
 };
+const commentSchema = {
+    ...idParamSchema,
+    body: {
+        type: 'object',
+        required: ['body'],
+        additionalProperties: false,
+        properties: { body: { type: 'string' } },
+    },
+};
+const approveSchema = {
+    ...idParamSchema,
+    body: {
+        type: 'object',
+        additionalProperties: false,
+        properties: { body: { type: 'string' } },
+    },
+};
+const reviewCommentSchema = {
+    ...idParamSchema,
+    body: {
+        type: 'object',
+        required: ['path', 'line', 'body'],
+        additionalProperties: false,
+        properties: {
+            path: { type: 'string' },
+            line: { type: 'integer' },
+            side: { type: 'string', enum: ['LEFT', 'RIGHT'] },
+            body: { type: 'string' },
+        },
+    },
+};
 export async function prRoutes(app) {
     // Bulk "mark all seen": stamp every open PR (optionally scoped to repoIds) viewed
     // at its head, clearing all new-since badges at once. Static path — no :id — so it
@@ -66,5 +122,195 @@ export async function prRoutes(app) {
         }
         return { status: 'ok' };
     });
+    // Post a new issue-level (general) PR comment, then optimistically stamp it
+    // locally so it shows before the next sync.
+    app.post('/api/prs/:id/comment', { schema: commentSchema }, async (req, reply) => {
+        const { id } = req.params;
+        const { body } = req.body;
+        const accountId = accountIdOf(req);
+        const ctx = await getPrWriteContext(id, accountId);
+        if (!ctx) {
+            reply.status(404);
+            return { error: 'NotFound', message: `PR ${id} not found` };
+        }
+        try {
+            const token = await getAccessToken(accountId);
+            const gh = await addIssueComment(token, ctx.owner, ctx.name, ctx.number, body);
+            const authorId = await getAccountUserId(accountId);
+            const rowId = await upsertLocalPrComment(ctx.prId, authorId, gh);
+            const result = {
+                id: rowId,
+                authorId,
+                body: gh.body,
+                createdAt: new Date(gh.createdAt).toISOString(),
+                url: gh.url,
+            };
+            return result;
+        }
+        catch (err) {
+            reply.status(502);
+            return {
+                error: 'GitHubError',
+                message: err instanceof Error ? err.message : String(err),
+            };
+        }
+    });
+    // Approve the PR. Server re-checks (matching getPrDetail.viewerCanApprove) that
+    // the viewer has write+ permission and isn't the author; else 403. On success
+    // submits an APPROVE review and stamps it locally. A GitHub 422 (e.g. a
+    // self-approve race) bubbles to the 502 catch.
+    app.post('/api/prs/:id/approve', { schema: approveSchema }, async (req, reply) => {
+        const { id } = req.params;
+        const { body } = (req.body ?? {});
+        const accountId = accountIdOf(req);
+        const ctx = await getPrWriteContext(id, accountId);
+        if (!ctx) {
+            reply.status(404);
+            return { error: 'NotFound', message: `PR ${id} not found` };
+        }
+        const viewerUserId = await getAccountUserId(accountId);
+        const canApprove = viewerUserId != null &&
+            viewerUserId !== ctx.authorId &&
+            ['WRITE', 'MAINTAIN', 'ADMIN'].includes(ctx.viewerPermission ?? '');
+        if (!canApprove) {
+            reply.status(403);
+            return {
+                error: 'NotPermitted',
+                message: 'You need write access to this repo and cannot approve your own PR.',
+            };
+        }
+        try {
+            const token = await getAccessToken(accountId);
+            const gh = await submitPrReview(token, ctx.owner, ctx.name, ctx.number, {
+                event: 'APPROVE',
+                body,
+            });
+            const rowId = await upsertLocalReview(ctx.prId, viewerUserId, gh);
+            const result = {
+                id: rowId,
+                authorId: viewerUserId,
+                state: 'approved',
+                body: gh.body,
+                submittedAt: new Date(gh.submittedAt).toISOString(),
+                url: gh.url,
+            };
+            return result;
+        }
+        catch (err) {
+            reply.status(502);
+            return {
+                error: 'GitHubError',
+                message: err instanceof Error ? err.message : String(err),
+            };
+        }
+    });
+    // Add ONE inline review comment, posted immediately. Validates the requested
+    // (path, line, side) lands on an addable diff line; if not, re-anchors to the
+    // file's first changed line; if the file has no changes at all, returns a
+    // not-anchored result without posting.
+    app.post('/api/prs/:id/review-comment', { schema: reviewCommentSchema }, async (req, reply) => {
+        const { id } = req.params;
+        const { path, line, body } = req.body;
+        const side = req.body.side ?? 'RIGHT';
+        const accountId = accountIdOf(req);
+        const ctx = await getPrWriteContext(id, accountId);
+        if (!ctx) {
+            reply.status(404);
+            return { error: 'NotFound', message: `PR ${id} not found` };
+        }
+        try {
+            const token = await getAccessToken(accountId);
+            // Resolve the LIVE head (not the possibly-stale DB head): commit_id must
+            // pin to the same commit whose diff we validate the line against below,
+            // or GitHub 422s the line as "not part of the diff".
+            const head = await fetchHeadShaFor(token, ctx.owner, ctx.name, ctx.number);
+            // Find the requested file's REST patch (header-less) to validate anchoring.
+            const { files } = await fetchPrFilesWithPatch(token, ctx.owner, ctx.name, ctx.number);
+            const file = files.find((f) => f.filename === path);
+            const anchors = buildFileAnchors(path, file?.patch ?? null);
+            // A single-file AnchorIndex for the pure helpers.
+            const index = new Map([[path, anchors]]);
+            let finalLine = line;
+            let finalSide = side;
+            let anchored = true;
+            if (!isFindingAnchored(index, path, line, side)) {
+                const fb = fallbackAnchor(index, path);
+                if (!fb) {
+                    // The file has no changes in the diff → can't post inline.
+                    const result = {
+                        commentId: null,
+                        url: null,
+                        line,
+                        side,
+                        anchored: false,
+                    };
+                    return result;
+                }
+                finalLine = fb.line;
+                finalSide = fb.side;
+                anchored = false;
+            }
+            const gh = await postInlineComment(token, ctx.owner, ctx.name, ctx.number, { commitId: head, path, line: finalLine, side: finalSide, body });
+            const result = {
+                commentId: gh.databaseId,
+                url: gh.url,
+                line: finalLine,
+                side: finalSide,
+                anchored,
+            };
+            return result;
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            // A 422 means GitHub rejected the line as not part of the diff (e.g. the
+            // head shifted between our diff fetch and the post). Surface it as the
+            // structured "couldn't place" result so the FE's recovery UX engages
+            // (open on GitHub) instead of a generic error toast.
+            if (/->\s*422\b/.test(message)) {
+                const result = {
+                    commentId: null,
+                    url: null,
+                    line,
+                    side,
+                    anchored: false,
+                };
+                return result;
+            }
+            reply.status(502);
+            return { error: 'GitHubError', message };
+        }
+    });
+    // Changes tab: per-file diff patches, loaded on demand. Degrades to an empty
+    // list on a GitHub fetch error (never 500s) so the tab fails gracefully.
+    app.get('/api/prs/:id/files', { schema: idParamSchema }, async (req, reply) => {
+        const { id } = req.params;
+        const accountId = accountIdOf(req);
+        const ctx = await getPrFilesContext(id, accountId);
+        if (!ctx) {
+            reply.status(404);
+            return { error: 'NotFound', message: `PR ${id} not found` };
+        }
+        try {
+            const token = await getAccessToken(accountId);
+            const { files, truncated } = await fetchPrFilesWithPatch(token, ctx.owner, ctx.name, ctx.number);
+            const mapped = files.map((f) => ({
+                path: f.filename,
+                previousPath: f.previous_filename ?? null,
+                status: normalizeStatus(f.status),
+                additions: f.additions,
+                deletions: f.deletions,
+                patch: f.patch ?? null,
+                githubUrl: `${ctx.prUrl}/files#diff-${diffAnchorId(f.filename)}`,
+                blobUrl: f.blob_url,
+            }));
+            const result = { files: mapped, truncated };
+            return result;
+        }
+        catch {
+            // Graceful degrade — the Changes tab shows "no files" rather than 500ing.
+            const result = { files: [], truncated: false };
+            return result;
+        }
+    });
 }
 //# sourceMappingURL=prs.js.map

package/dist/api/routes/threads.js

@@ -1,4 +1,6 @@
-import { getThreadDetail } from '../../db/queries.js';
+import { getAccessToken, getAccountUserId } from '../../auth/account.js';
+import { getThreadDetail, getThreadWriteContext, stampThreadRepliedState, stampThreadResolved, upsertLocalReply, } from '../../db/queries.js';
+import { addReviewThreadReply, setReviewThreadResolved, } from '../../github/mutations.js';
 import { hydrateThreadDetail } from '../../sync/hydrate-detail.js';
 import { accountIdOf } from '../plugins/auth.js';
 const idParamSchema = {
@@ -8,6 +10,24 @@ const idParamSchema = {
         properties: { id: { type: 'integer' } },
     },
 };
+const replySchema = {
+    ...idParamSchema,
+    body: {
+        type: 'object',
+        required: ['body'],
+        additionalProperties: false,
+        properties: { body: { type: 'string' } },
+    },
+};
+const resolveSchema = {
+    ...idParamSchema,
+    body: {
+        type: 'object',
+        required: ['resolved'],
+        additionalProperties: false,
+        properties: { resolved: { type: 'boolean' } },
+    },
+};
 export async function threadRoutes(app) {
     app.get('/api/threads/:id', { schema: idParamSchema }, async (req, reply) => {
         const { id } = req.params;
@@ -19,5 +39,73 @@ export async function threadRoutes(app) {
         }
         return hydrateThreadDetail(thread, accountId);
     });
+    // Reply to an existing review thread. GraphQL addPullRequestReviewThreadReply,
+    // then optimistically stamp the new comment locally so it shows before sync.
+    app.post('/api/threads/:id/reply', { schema: replySchema }, async (req, reply) => {
+        const { id } = req.params;
+        const { body } = req.body;
+        const accountId = accountIdOf(req);
+        const ctx = await getThreadWriteContext(id, accountId);
+        if (!ctx) {
+            reply.status(404);
+            return { error: 'NotFound', message: `Thread ${id} not found` };
+        }
+        try {
+            const token = await getAccessToken(accountId);
+            const gh = await addReviewThreadReply(token, ctx.threadNodeId, body);
+            const authorId = await getAccountUserId(accountId);
+            const rowId = await upsertLocalReply(ctx.prId, id, authorId, gh);
+            // Bump the parent thread off 'untouched' so its badge reflects the reply
+            // before the next sync re-derives.
+            await stampThreadRepliedState(id);
+            const result = {
+                id: rowId,
+                authorId,
+                body: gh.body,
+                diffHunk: null,
+                createdAt: new Date(gh.createdAt).toISOString(),
+                url: gh.url,
+            };
+            return result;
+        }
+        catch (err) {
+            reply.status(502);
+            return {
+                error: 'GitHubError',
+                message: err instanceof Error ? err.message : String(err),
+            };
+        }
+    });
+    // Resolve (resolved=true) or unresolve (resolved=false) a review thread, then
+    // stamp the local derivedState so the UI reflects it before the next sync.
+    app.post('/api/threads/:id/resolve', { schema: resolveSchema }, async (req, reply) => {
+        const { id } = req.params;
+        const { resolved } = req.body;
+        const accountId = accountIdOf(req);
+        const ctx = await getThreadWriteContext(id, accountId);
+        if (!ctx) {
+            reply.status(404);
+            return { error: 'NotFound', message: `Thread ${id} not found` };
+        }
+        try {
+            const token = await getAccessToken(accountId);
+            const gh = await setReviewThreadResolved(token, ctx.threadNodeId, resolved);
+            // Ownership already confirmed above, so the stamp is non-null.
+            const derivedState = await stampThreadResolved(id, resolved, accountId);
+            const result = {
+                threadId: id,
+                isResolved: gh.isResolved,
+                derivedState: derivedState ?? (resolved ? 'resolved' : 'untouched'),
+            };
+            return result;
+        }
+        catch (err) {
+            reply.status(502);
+            return {
+                error: 'GitHubError',
+                message: err instanceof Error ? err.message : String(err),
+            };
+        }
+    });
 }
 //# sourceMappingURL=threads.js.map

package/dist/app.js

@@ -15,6 +15,7 @@ import { prRoutes } from './api/routes/prs.js';
 import { threadRoutes } from './api/routes/threads.js';
 import { meRoutes } from './api/routes/me.js';
 import { openPrsRoutes } from './api/routes/open-prs.js';
+import { feedRoutes } from './api/routes/feed.js';
 import { mergersRoutes } from './api/routes/mergers.js';
 import { insightsRoutes } from './api/routes/insights.js';
 import { claudeReviewRoutes } from './api/routes/claude-review.js';
@@ -126,6 +127,7 @@ export async function buildApp() {
     await app.register(threadRoutes);
     await app.register(meRoutes);
     await app.register(openPrsRoutes);
+    await app.register(feedRoutes);
     await app.register(mergersRoutes);
     await app.register(insightsRoutes);
     // Claude Review is local-only + opt-in. Only register its routes when enabled,

package/dist/db/migrations/0016_repo_viewer_permission.sql

@@ -0,0 +1,7 @@
+-- Viewer's repo permission (additive). `viewer_permission` records the GraphQL
+-- Repository.viewerPermission enum (ADMIN/MAINTAIN/WRITE/TRIAGE/READ) captured each
+-- activity sync. It drives whether the viewer may approve a PR (WRITE+ and not the
+-- author) — surfaced as PrDetail.viewerCanApprove. Nullable; existing rows stay NULL
+-- until the next sync repopulates them. Postgres baseline is regenerated separately
+-- via db:generate:pg.
+ALTER TABLE `repos` ADD `viewer_permission` text;

package/dist/db/migrations/meta/_journal.json

@@ -113,6 +113,13 @@
       "when": 1780800000006,
       "tag": "0015_repos_inbox_watch",
       "breakpoints": true
+    },
+    {
+      "idx": 16,
+      "version": "6",
+      "when": 1780800000007,
+      "tag": "0016_repo_viewer_permission",
+      "breakpoints": true
     }
   ]
 }

package/dist/db/migrations-pg/0006_majestic_dracula.sql

@@ -0,0 +1 @@
+ALTER TABLE "repos" ADD COLUMN "viewer_permission" text;