tlc-claude-code 0.9.8 → 1.1.0

package/README.md

@@ -290,10 +290,91 @@ Commands install to `.claude/commands/tlc/`
 
 ---
 
+## VPS Deployment
+
+Deploy TLC server for your team on any VPS.
+
+### Quick Setup (Ubuntu)
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/jurgencalleja/TLC/main/scripts/vps-setup.sh | bash
+```
+
+### What You Get
+
+| URL | Service |
+|-----|---------|
+| `https://dashboard.project.com` | TLC Dashboard with auth |
+| `https://main.project.com` | Main branch deployment |
+| `https://feat-x.project.com` | Feature branch deployment |
+
+### Requirements
+
+- Ubuntu 22.04+ VPS (2GB+ RAM)
+- Domain with wildcard DNS (`*.project.com → VPS_IP`)
+- GitHub/GitLab repo access
+
+### Manual Setup
+
+1. **Install dependencies**
+   ```bash
+   apt install docker.io nginx certbot nodejs npm postgresql
+   ```
+
+2. **Clone and configure**
+   ```bash
+   git clone https://github.com/jurgencalleja/TLC.git /opt/tlc
+   cd /opt/tlc && npm install
+   cp .env.example .env  # Edit with your settings
+   ```
+
+3. **Setup nginx + SSL**
+   ```bash
+   certbot --nginx -d "*.project.com" -d "dashboard.project.com"
+   ```
+
+4. **Start server**
+   ```bash
+   systemctl enable tlc && systemctl start tlc
+   ```
+
+5. **Configure webhook** in GitHub/GitLab repo settings
+
+[**Full VPS Guide →**](docs/vps-deployment.md)
+
+---
+
+## Kubernetes Deployment
+
+For teams using Kubernetes:
+
+```bash
+# Add Helm repo
+helm repo add tlc https://jurgencalleja.github.io/TLC/charts
+
+# Install
+helm install tlc tlc/tlc-server \
+  --set domain=project.example.com \
+  --set slack.webhookUrl=https://hooks.slack.com/...
+```
+
+### Kubernetes Features
+
+- **Auto-scaling** branch deployments per namespace
+- **Ingress** with wildcard TLS
+- **Persistent volumes** for deployment state
+- **ConfigMaps** for environment config
+
+[**Full K8s Guide →**](docs/kubernetes-deployment.md)
+
+---
+
 ## Documentation
 
 - **[Help / All Commands](help.md)** — Complete command reference
 - **[Team Workflow](docs/team-workflow.md)** — Guide for teams (engineers + PO + QA)
+- **[VPS Deployment](docs/vps-deployment.md)** — Deploy on Ubuntu VPS
+- **[Kubernetes Deployment](docs/kubernetes-deployment.md)** — Deploy on K8s
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tlc-claude-code",
-  "version": "0.9.8",
+  "version": "1.1.0",
   "description": "TLC - Test Led Coding for Claude Code",
   "bin": {
     "tlc": "./bin/tlc.js",

package/server/dashboard/index.html

@@ -424,6 +424,65 @@
       opacity: 0.5;
     }
 
+    /* App Preview */
+    .app-preview-container {
+      display: flex;
+      flex-direction: column;
+      height: 100%;
+    }
+    .app-preview-toolbar {
+      display: flex;
+      gap: 10px;
+      padding: 10px 0;
+      align-items: center;
+      border-bottom: 1px solid #30363d;
+      margin-bottom: 10px;
+    }
+    .app-preview-toolbar .app-url {
+      margin-left: auto;
+      font-family: monospace;
+      font-size: 12px;
+      color: #8b949e;
+    }
+    .app-iframe {
+      flex: 1;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      background: white;
+      width: 100%;
+      min-height: 500px;
+    }
+
+    /* Progress Bar */
+    .progress-container {
+      margin-bottom: 20px;
+    }
+    .progress-header {
+      display: flex;
+      justify-content: space-between;
+      margin-bottom: 8px;
+      font-size: 13px;
+    }
+    .progress-header .phase-name {
+      color: #58a6ff;
+      font-weight: 500;
+    }
+    .progress-header .progress-pct {
+      color: #3fb950;
+    }
+    .progress-bar {
+      height: 8px;
+      background: #21262d;
+      border-radius: 4px;
+      overflow: hidden;
+    }
+    .progress-fill {
+      height: 100%;
+      background: linear-gradient(90deg, #238636, #3fb950);
+      border-radius: 4px;
+      transition: width 0.3s ease;
+    }
+
     /* Buttons */
     .btn {
       padding: 8px 16px;
@@ -462,7 +521,8 @@
   <div class="container">
     <div class="main-content">
       <div class="tabs">
-        <button class="tab active" data-tab="plan">Plan</button>
+        <button class="tab active" data-tab="app">🖥️ App</button>
+        <button class="tab" data-tab="plan">Plan</button>
         <button class="tab" data-tab="tests">Tests</button>
         <button class="tab" data-tab="bugs">Bugs <span class="badge" id="bugs-badge" style="display:none">0</span></button>
         <button class="tab" data-tab="logs">Logs</button>
@@ -470,8 +530,21 @@
       </div>
 
       <div class="tab-content">
+        <!-- App Preview Panel -->
+        <div class="tab-panel active" id="panel-app">
+          <div class="app-preview-container">
+            <div class="app-preview-toolbar">
+              <button class="btn btn-secondary" onclick="reloadApp()">🔄 Reload</button>
+              <button class="btn btn-secondary" onclick="openAppNewTab()">↗️ Open in New Tab</button>
+              <button class="btn btn-primary" onclick="captureScreenshot()">📸 Screenshot for Bug</button>
+              <span class="app-url" id="app-url">Loading...</span>
+            </div>
+            <iframe id="app-iframe" src="/app" class="app-iframe"></iframe>
+          </div>
+        </div>
+
         <!-- Plan Panel -->
-        <div class="tab-panel active" id="panel-plan">
+        <div class="tab-panel" id="panel-plan">
           <div class="plan-content" id="plan-content">
             <div class="empty-state">
               <div class="icon">📋</div>
@@ -549,6 +622,19 @@
     </div>
 
     <div class="sidebar">
+      <div class="sidebar-section">
+        <h3>Progress</h3>
+        <div class="progress-container">
+          <div class="progress-header">
+            <span class="phase-name" id="progress-phase">Phase 1</span>
+            <span class="progress-pct" id="progress-pct">0%</span>
+          </div>
+          <div class="progress-bar">
+            <div class="progress-fill" id="progress-fill" style="width: 0%"></div>
+          </div>
+        </div>
+      </div>
+
       <div class="sidebar-section">
         <h3>Stats</h3>
         <div class="stats-grid">
@@ -589,15 +675,15 @@
       <div class="sidebar-section">
         <h3>Links</h3>
         <div class="links">
-          <a class="link" href="http://localhost:5001" target="_blank">
-            <span>App</span>
-            <span class="url">:5001</span>
+          <a class="link" id="link-app" href="#" target="_blank">
+            <span>App (Direct)</span>
+            <span class="url" id="link-app-port">:3000</span>
           </a>
           <a class="link" href="http://localhost:8080" target="_blank">
             <span>Database Admin</span>
             <span class="url">:8080</span>
           </a>
-          <a class="link" href="http://localhost:5433" target="_blank" onclick="event.preventDefault(); alert('Connect with: postgres://postgres:postgres@localhost:5433/app')">
+          <a class="link" href="#" onclick="event.preventDefault(); alert('Connect with: postgres://postgres:postgres@localhost:5433/app')">
             <span>PostgreSQL</span>
             <span class="url">:5433</span>
           </a>
@@ -611,6 +697,8 @@
     const logs = { app: [], test: [], git: [] };
     let currentLogType = 'app';
     let reconnectAttempts = 0;
+    let appPort = 3000;
+    let screenshotData = null;
 
     // Tab switching
     document.querySelectorAll('.tab').forEach(tab => {
@@ -651,8 +739,17 @@
       switch(msg.type) {
         case 'init':
           Object.assign(logs, msg.data.logs || {});
+          if (msg.data.appPort) {
+            updateAppPort(msg.data.appPort);
+          }
           renderLogs();
           break;
+        case 'app-start':
+          if (msg.data.port) {
+            updateAppPort(msg.data.port);
+            reloadApp();
+          }
+          break;
         case 'app-log':
           addLog('app', msg.data.data, msg.data.level || detectLogLevel(msg.data.data));
           break;
@@ -886,12 +983,85 @@
       refreshBugs();
       refreshChangelog();
       refreshStats();
+      refreshProgress();
+    }
+
+    // App Preview functions
+    function reloadApp() {
+      const iframe = document.getElementById('app-iframe');
+      iframe.src = iframe.src;
+    }
+
+    function openAppNewTab() {
+      window.open(`http://localhost:${appPort}`, '_blank');
+    }
+
+    async function captureScreenshot() {
+      try {
+        // Use html2canvas-like approach via the iframe
+        const iframe = document.getElementById('app-iframe');
+
+        // For cross-origin iframes, we can't capture directly
+        // Instead, prompt user to use browser screenshot or provide manual upload
+        const desc = prompt('Describe the bug (screenshot will be from current app view):');
+        if (!desc) return;
+
+        // Create bug with current URL
+        const res = await fetch('/api/bug', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            description: desc,
+            severity: 'medium',
+            url: iframe.src
+          })
+        });
+        const data = await res.json();
+        if (data.success) {
+          alert(`Bug ${data.bugId} created!\n\nTip: Use browser's screenshot tool (Cmd+Shift+4 on Mac, Win+Shift+S on Windows) to capture and attach manually.`);
+          refreshBugs();
+        }
+      } catch (e) {
+        alert('Failed to create bug: ' + e.message);
+      }
+    }
+
+    async function refreshProgress() {
+      try {
+        const res = await fetch('/api/progress');
+        const data = await res.json();
+
+        const phaseName = `Phase ${data.phase || '?'}: ${data.phaseName || 'Unknown'}`;
+        const pct = data.progress || 0;
+
+        document.getElementById('progress-phase').textContent = phaseName;
+        document.getElementById('progress-pct').textContent = `${pct}%`;
+        document.getElementById('progress-fill').style.width = `${pct}%`;
+      } catch (e) {
+        // Fallback to stats-based progress
+        try {
+          const res = await fetch('/api/status');
+          const data = await res.json();
+          const phaseName = `Phase ${data.phase || '?'}`;
+          document.getElementById('progress-phase').textContent = phaseName;
+        } catch (e2) {
+          console.error('Failed to load progress:', e2);
+        }
+      }
+    }
+
+    function updateAppPort(port) {
+      appPort = port;
+      document.getElementById('app-url').textContent = `localhost:${port}`;
+      document.getElementById('link-app').href = `http://localhost:${port}`;
+      document.getElementById('link-app-port').textContent = `:${port}`;
     }
 
     // Initialize
     connect();
     refreshAll();
     setInterval(refreshStats, 30000);
+    setInterval(refreshProgress, 30000);
   </script>
 </body>
 </html>

package/server/index.js

@@ -218,6 +218,25 @@ app.get('/api/status', (req, res) => {
   });
 });
 
+app.get('/api/progress', (req, res) => {
+  const plan = parsePlan(PROJECT_DIR);
+
+  // Calculate progress from tasks
+  let progress = 0;
+  if (plan.tasks && plan.tasks.length > 0) {
+    const completed = plan.tasks.filter(t => t.status === 'done' || t.status === 'complete').length;
+    progress = Math.round((completed / plan.tasks.length) * 100);
+  }
+
+  res.json({
+    phase: plan.currentPhase,
+    phaseName: plan.currentPhaseName,
+    totalTasks: plan.tasks?.length || 0,
+    completedTasks: plan.tasks?.filter(t => t.status === 'done' || t.status === 'complete').length || 0,
+    progress
+  });
+});
+
 app.get('/api/logs/:type', (req, res) => {
   const type = req.params.type;
   if (logs[type]) {

package/server/lib/overdrive-command.js

@@ -31,7 +31,7 @@ function parseOverdriveArgs(args = '') {
     if (/^\d+$/.test(part)) {
       options.phase = parseInt(part, 10);
     } else if (part === '--agents' && parts[i + 1]) {
-      options.agents = Math.min(parseInt(parts[++i], 10), 5); // Max 5 agents
+      options.agents = Math.min(parseInt(parts[++i], 10), 10); // Max 10 agents
     } else if (part === '--mode' && parts[i + 1]) {
       options.mode = parts[++i];
     } else if (part === '--dry-run') {

package/server/lib/overdrive-command.test.js

@@ -33,9 +33,9 @@ describe('overdrive-command', () => {
       expect(options.agents).toBe(4);
     });
 
-    it('caps agents at 5', () => {
-      const options = parseOverdriveArgs('--agents 10');
-      expect(options.agents).toBe(5);
+    it('caps agents at 10', () => {
+      const options = parseOverdriveArgs('--agents 15');
+      expect(options.agents).toBe(10);
     });
 
     it('parses --mode flag', () => {

package/server/lib/plan-parser.js

@@ -108,11 +108,32 @@ function parseBugs(projectDir) {
 
   let match;
   while ((match = bugRegex.exec(content)) !== null) {
-    const [, id, title, status] = match;
+    const [fullMatch, id, title, status] = match;
+
+    // Try to extract date and description from following lines
+    const afterBug = content.slice(match.index + fullMatch.length);
+    const nextBugIndex = afterBug.search(/###\s+BUG-/);
+    const bugSection = nextBugIndex > 0 ? afterBug.slice(0, nextBugIndex) : afterBug;
+
+    // Extract date
+    const dateMatch = bugSection.match(/\*\*Reported:\*\*\s*(\S+)/);
+    const date = dateMatch ? dateMatch[1] : null;
+
+    // Extract severity
+    const severityMatch = bugSection.match(/\*\*Severity:\*\*\s*(\w+)/);
+    const severity = severityMatch ? severityMatch[1].toLowerCase() : 'medium';
+
+    // Extract description (text after metadata, before ---)
+    const lines = bugSection.split('\n').filter(l => l.trim() && !l.startsWith('-') && !l.startsWith('*'));
+    const description = lines.slice(0, 2).join(' ').trim().slice(0, 200);
+
     bugs.push({
       id,
       title: title.trim(),
-      status: status.toLowerCase()
+      status: status.toLowerCase(),
+      date,
+      severity,
+      description: description || title.trim()
     });
   }
 

package/server/lib/pr-reviewer.js

@@ -0,0 +1,463 @@
+/**
+ * PR Reviewer Module
+ * Automatically reviews code changes for TLC compliance
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Get changed files between two refs
+ * @param {string} base - Base ref (e.g., 'main')
+ * @param {string} head - Head ref (e.g., 'HEAD')
+ * @param {string} cwd - Working directory
+ * @returns {Array} List of changed files with status
+ */
+function getChangedFiles(base = 'main', head = 'HEAD', cwd = process.cwd()) {
+  try {
+    const output = execSync(`git diff --name-status ${base}...${head}`, {
+      cwd,
+      encoding: 'utf-8',
+    });
+
+    return output
+      .trim()
+      .split('\n')
+      .filter(Boolean)
+      .map(line => {
+        const [status, ...fileParts] = line.split('\t');
+        return {
+          status: status.trim(),
+          file: fileParts.join('\t').trim(),
+          isTest: isTestFile(fileParts.join('\t').trim()),
+        };
+      });
+  } catch (e) {
+    return [];
+  }
+}
+
+/**
+ * Check if a file is a test file
+ * @param {string} filePath - File path
+ * @returns {boolean}
+ */
+function isTestFile(filePath) {
+  const testPatterns = [
+    /\.test\.[jt]sx?$/,
+    /\.spec\.[jt]sx?$/,
+    /test_.*\.py$/,
+    /_test\.py$/,
+    /_test\.go$/,
+    /\.test\.go$/,
+    /spec\/.*_spec\.rb$/,
+    /__tests__\//,
+    /tests?\//i,
+  ];
+  return testPatterns.some(p => p.test(filePath));
+}
+
+/**
+ * Check if implementation file has corresponding test
+ * @param {string} implFile - Implementation file path
+ * @param {Array} allFiles - All changed files
+ * @param {string} cwd - Working directory
+ * @returns {Object} Test coverage info
+ */
+function findTestForFile(implFile, allFiles, cwd = process.cwd()) {
+  // Skip if it's already a test file
+  if (isTestFile(implFile)) {
+    return { hasTest: true, isTestFile: true };
+  }
+
+  // Skip non-code files
+  const codeExtensions = ['.js', '.ts', '.jsx', '.tsx', '.py', '.go', '.rb'];
+  const ext = path.extname(implFile);
+  if (!codeExtensions.includes(ext)) {
+    return { hasTest: true, skipped: true, reason: 'non-code file' };
+  }
+
+  // Generate possible test file names
+  const baseName = path.basename(implFile, ext);
+  const dirName = path.dirname(implFile);
+
+  const possibleTestFiles = [
+    // Same directory patterns
+    `${dirName}/${baseName}.test${ext}`,
+    `${dirName}/${baseName}.spec${ext}`,
+    `${dirName}/__tests__/${baseName}.test${ext}`,
+    `${dirName}/__tests__/${baseName}${ext}`,
+    // Test directory patterns
+    `test/${dirName}/${baseName}.test${ext}`,
+    `tests/${dirName}/${baseName}.test${ext}`,
+    `test/${baseName}.test${ext}`,
+    `tests/${baseName}.test${ext}`,
+    // Python patterns
+    `${dirName}/test_${baseName}.py`,
+    `tests/test_${baseName}.py`,
+    // Go patterns
+    `${dirName}/${baseName}_test.go`,
+  ];
+
+  // Check if any test file exists in changed files
+  const changedTestFile = allFiles.find(
+    f => f.isTest && possibleTestFiles.some(p => f.file.includes(baseName))
+  );
+
+  if (changedTestFile) {
+    return { hasTest: true, testFile: changedTestFile.file, inChangeset: true };
+  }
+
+  // Check if test file exists on disk
+  for (const testFile of possibleTestFiles) {
+    const fullPath = path.join(cwd, testFile);
+    if (fs.existsSync(fullPath)) {
+      return { hasTest: true, testFile, existsOnDisk: true };
+    }
+  }
+
+  return { hasTest: false, searchedPatterns: possibleTestFiles.slice(0, 3) };
+}
+
+/**
+ * Analyze commit order to verify test-first development
+ * @param {string} base - Base ref
+ * @param {string} head - Head ref
+ * @param {string} cwd - Working directory
+ * @returns {Object} Commit order analysis
+ */
+function analyzeCommitOrder(base = 'main', head = 'HEAD', cwd = process.cwd()) {
+  try {
+    const output = execSync(
+      `git log --oneline --name-status ${base}..${head}`,
+      { cwd, encoding: 'utf-8' }
+    );
+
+    const commits = [];
+    let currentCommit = null;
+
+    for (const line of output.split('\n')) {
+      if (/^[a-f0-9]{7,}/.test(line)) {
+        if (currentCommit) commits.push(currentCommit);
+        const [hash, ...msgParts] = line.split(' ');
+        currentCommit = {
+          hash,
+          message: msgParts.join(' '),
+          files: [],
+          hasTests: false,
+          hasImpl: false,
+        };
+      } else if (currentCommit && line.trim()) {
+        const [status, file] = line.split('\t');
+        if (file) {
+          const isTest = isTestFile(file);
+          currentCommit.files.push({ status, file, isTest });
+          if (isTest) currentCommit.hasTests = true;
+          else currentCommit.hasImpl = true;
+        }
+      }
+    }
+    if (currentCommit) commits.push(currentCommit);
+
+    // Analyze TDD compliance
+    const analysis = {
+      commits: commits.length,
+      testFirstCommits: 0,
+      implOnlyCommits: 0,
+      mixedCommits: 0,
+      violations: [],
+    };
+
+    for (const commit of commits) {
+      if (commit.hasTests && !commit.hasImpl) {
+        analysis.testFirstCommits++;
+      } else if (commit.hasImpl && !commit.hasTests) {
+        analysis.implOnlyCommits++;
+        // Check if it's a fix/refactor (acceptable)
+        const isFixOrRefactor = /^(fix|refactor|chore|docs|style):/i.test(commit.message);
+        if (!isFixOrRefactor) {
+          analysis.violations.push({
+            commit: commit.hash,
+            message: commit.message,
+            reason: 'Implementation without tests',
+          });
+        }
+      } else if (commit.hasTests && commit.hasImpl) {
+        analysis.mixedCommits++;
+      }
+    }
+
+    analysis.tddScore = commits.length > 0
+      ? Math.round((analysis.testFirstCommits / commits.length) * 100)
+      : 100;
+
+    return analysis;
+  } catch (e) {
+    return { error: e.message };
+  }
+}
+
+/**
+ * Check for common security issues in diff
+ * @param {string} base - Base ref
+ * @param {string} head - Head ref
+ * @param {string} cwd - Working directory
+ * @returns {Array} Security issues found
+ */
+function checkSecurityIssues(base = 'main', head = 'HEAD', cwd = process.cwd()) {
+  const issues = [];
+
+  try {
+    const diff = execSync(`git diff ${base}...${head}`, {
+      cwd,
+      encoding: 'utf-8',
+      maxBuffer: 10 * 1024 * 1024,
+    });
+
+    const patterns = [
+      { pattern: /password\s*=\s*['"][^'"]+['"]/gi, type: 'hardcoded-password', severity: 'high' },
+      { pattern: /api[_-]?key\s*=\s*['"][^'"]+['"]/gi, type: 'hardcoded-api-key', severity: 'high' },
+      { pattern: /secret\s*=\s*['"][^'"]+['"]/gi, type: 'hardcoded-secret', severity: 'high' },
+      { pattern: /eval\s*\(/g, type: 'eval-usage', severity: 'medium' },
+      { pattern: /innerHTML\s*=/g, type: 'innerhtml-xss', severity: 'medium' },
+      { pattern: /dangerouslySetInnerHTML/g, type: 'react-xss', severity: 'medium' },
+      { pattern: /exec\s*\(\s*[`'"]/g, type: 'command-injection', severity: 'high' },
+      { pattern: /SELECT.*FROM.*WHERE.*\+/gi, type: 'sql-injection', severity: 'high' },
+      { pattern: /\.env(?:\.local)?$/gm, type: 'env-file-committed', severity: 'high' },
+      { pattern: /console\.log\(/g, type: 'console-log', severity: 'low' },
+      { pattern: /TODO|FIXME|HACK|XXX/g, type: 'todo-comment', severity: 'info' },
+    ];
+
+    // Only check added lines
+    const addedLines = diff
+      .split('\n')
+      .filter(line => line.startsWith('+') && !line.startsWith('+++'));
+
+    for (const { pattern, type, severity } of patterns) {
+      for (const line of addedLines) {
+        if (pattern.test(line)) {
+          issues.push({
+            type,
+            severity,
+            line: line.slice(1).trim().slice(0, 100),
+          });
+        }
+      }
+    }
+  } catch (e) {
+    // Ignore diff errors
+  }
+
+  return issues;
+}
+
+/**
+ * Generate review report
+ * @param {Object} options - Review options
+ * @returns {Object} Review report
+ */
+function generateReview(options = {}) {
+  const {
+    base = 'main',
+    head = 'HEAD',
+    cwd = process.cwd(),
+    prNumber = null,
+  } = options;
+
+  const report = {
+    timestamp: new Date().toISOString(),
+    base,
+    head,
+    prNumber,
+    passed: true,
+    summary: [],
+    details: {},
+  };
+
+  // 1. Get changed files
+  const changedFiles = getChangedFiles(base, head, cwd);
+  report.details.changedFiles = changedFiles;
+  report.details.fileCount = changedFiles.length;
+
+  // 2. Check test coverage for changed files
+  const coverageIssues = [];
+  const implFiles = changedFiles.filter(f => !f.isTest && f.status !== 'D');
+
+  for (const file of implFiles) {
+    const testInfo = findTestForFile(file.file, changedFiles, cwd);
+    if (!testInfo.hasTest) {
+      coverageIssues.push({
+        file: file.file,
+        issue: 'No test file found',
+        suggestions: testInfo.searchedPatterns,
+      });
+    }
+  }
+
+  report.details.coverage = {
+    implFiles: implFiles.length,
+    testFiles: changedFiles.filter(f => f.isTest).length,
+    missingTests: coverageIssues.length,
+    issues: coverageIssues,
+  };
+
+  if (coverageIssues.length > 0) {
+    report.passed = false;
+    report.summary.push(`❌ ${coverageIssues.length} files missing tests`);
+  } else {
+    report.summary.push(`✅ All changed files have tests`);
+  }
+
+  // 3. Analyze commit order (TDD compliance)
+  const commitAnalysis = analyzeCommitOrder(base, head, cwd);
+  report.details.commits = commitAnalysis;
+
+  if (commitAnalysis.tddScore !== undefined) {
+    if (commitAnalysis.tddScore < 50 && commitAnalysis.commits > 2) {
+      report.passed = false;
+      report.summary.push(`❌ TDD score: ${commitAnalysis.tddScore}% (target: 50%+)`);
+    } else {
+      report.summary.push(`✅ TDD score: ${commitAnalysis.tddScore}%`);
+    }
+
+    if (commitAnalysis.violations.length > 0) {
+      report.summary.push(`⚠️ ${commitAnalysis.violations.length} commits without tests`);
+    }
+  }
+
+  // 4. Security check
+  const securityIssues = checkSecurityIssues(base, head, cwd);
+  report.details.security = securityIssues;
+
+  const highSeverity = securityIssues.filter(i => i.severity === 'high');
+  const mediumSeverity = securityIssues.filter(i => i.severity === 'medium');
+
+  if (highSeverity.length > 0) {
+    report.passed = false;
+    report.summary.push(`❌ ${highSeverity.length} high severity security issues`);
+  }
+  if (mediumSeverity.length > 0) {
+    report.summary.push(`⚠️ ${mediumSeverity.length} medium severity security issues`);
+  }
+  if (highSeverity.length === 0 && mediumSeverity.length === 0) {
+    report.summary.push(`✅ No security issues detected`);
+  }
+
+  // 5. Overall verdict
+  report.verdict = report.passed ? 'APPROVED' : 'CHANGES_REQUESTED';
+
+  return report;
+}
+
+/**
+ * Format review report as markdown
+ * @param {Object} report - Review report
+ * @returns {string} Markdown formatted report
+ */
+function formatReviewMarkdown(report) {
+  const lines = [];
+
+  lines.push('# Code Review Report');
+  lines.push('');
+  lines.push(`**Date:** ${report.timestamp}`);
+  lines.push(`**Base:** ${report.base} → **Head:** ${report.head}`);
+  if (report.prNumber) {
+    lines.push(`**PR:** #${report.prNumber}`);
+  }
+  lines.push('');
+
+  // Verdict
+  const verdictEmoji = report.passed ? '✅' : '❌';
+  lines.push(`## ${verdictEmoji} Verdict: ${report.verdict}`);
+  lines.push('');
+
+  // Summary
+  lines.push('## Summary');
+  lines.push('');
+  for (const item of report.summary) {
+    lines.push(`- ${item}`);
+  }
+  lines.push('');
+
+  // Coverage details
+  if (report.details.coverage.missingTests > 0) {
+    lines.push('## Missing Tests');
+    lines.push('');
+    lines.push('| File | Suggested Test Location |');
+    lines.push('|------|------------------------|');
+    for (const issue of report.details.coverage.issues) {
+      const suggestion = issue.suggestions?.[0] || 'N/A';
+      lines.push(`| \`${issue.file}\` | \`${suggestion}\` |`);
+    }
+    lines.push('');
+  }
+
+  // TDD violations
+  if (report.details.commits.violations?.length > 0) {
+    lines.push('## TDD Violations');
+    lines.push('');
+    lines.push('| Commit | Message | Issue |');
+    lines.push('|--------|---------|-------|');
+    for (const v of report.details.commits.violations) {
+      lines.push(`| \`${v.commit}\` | ${v.message.slice(0, 40)} | ${v.reason} |`);
+    }
+    lines.push('');
+  }
+
+  // Security issues
+  const importantSecurity = report.details.security.filter(
+    i => i.severity === 'high' || i.severity === 'medium'
+  );
+  if (importantSecurity.length > 0) {
+    lines.push('## Security Issues');
+    lines.push('');
+    lines.push('| Severity | Type | Sample |');
+    lines.push('|----------|------|--------|');
+    for (const issue of importantSecurity) {
+      lines.push(`| ${issue.severity.toUpperCase()} | ${issue.type} | \`${issue.line.slice(0, 50)}\` |`);
+    }
+    lines.push('');
+  }
+
+  // Stats
+  lines.push('## Statistics');
+  lines.push('');
+  lines.push(`- Files changed: ${report.details.fileCount}`);
+  lines.push(`- Implementation files: ${report.details.coverage.implFiles}`);
+  lines.push(`- Test files: ${report.details.coverage.testFiles}`);
+  if (report.details.commits.commits) {
+    lines.push(`- Commits: ${report.details.commits.commits}`);
+    lines.push(`- TDD Score: ${report.details.commits.tddScore}%`);
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Run review and return result
+ * @param {Object} options - Review options
+ * @returns {Object} Review result with report and formatted output
+ */
+function runReview(options = {}) {
+  const report = generateReview(options);
+  const markdown = formatReviewMarkdown(report);
+
+  return {
+    report,
+    markdown,
+    passed: report.passed,
+    verdict: report.verdict,
+  };
+}
+
+module.exports = {
+  getChangedFiles,
+  isTestFile,
+  findTestForFile,
+  analyzeCommitOrder,
+  checkSecurityIssues,
+  generateReview,
+  formatReviewMarkdown,
+  runReview,
+};

package/server/lib/pr-reviewer.test.js

@@ -0,0 +1,268 @@
+import { describe, it, expect } from 'vitest';
+import {
+  isTestFile,
+  formatReviewMarkdown,
+} from './pr-reviewer.js';
+
+describe('pr-reviewer', () => {
+  describe('isTestFile', () => {
+    it('identifies JavaScript test files', () => {
+      expect(isTestFile('src/auth.test.js')).toBe(true);
+      expect(isTestFile('src/auth.spec.js')).toBe(true);
+      expect(isTestFile('src/__tests__/auth.js')).toBe(true);
+    });
+
+    it('identifies TypeScript test files', () => {
+      expect(isTestFile('src/auth.test.ts')).toBe(true);
+      expect(isTestFile('src/auth.spec.tsx')).toBe(true);
+    });
+
+    it('identifies Python test files', () => {
+      expect(isTestFile('test_auth.py')).toBe(true);
+      expect(isTestFile('auth_test.py')).toBe(true);
+      expect(isTestFile('tests/test_login.py')).toBe(true);
+    });
+
+    it('identifies Go test files', () => {
+      expect(isTestFile('auth_test.go')).toBe(true);
+      expect(isTestFile('pkg/auth.test.go')).toBe(true);
+    });
+
+    it('identifies Ruby spec files', () => {
+      expect(isTestFile('spec/auth_spec.rb')).toBe(true);
+    });
+
+    it('identifies files in test directories', () => {
+      expect(isTestFile('test/helpers.js')).toBe(true);
+      expect(isTestFile('tests/utils.js')).toBe(true);
+    });
+
+    it('returns false for implementation files', () => {
+      expect(isTestFile('src/auth.js')).toBe(false);
+      expect(isTestFile('lib/utils.ts')).toBe(false);
+      expect(isTestFile('main.py')).toBe(false);
+    });
+
+    it('returns false for config files', () => {
+      expect(isTestFile('package.json')).toBe(false);
+      expect(isTestFile('.eslintrc.js')).toBe(false);
+      expect(isTestFile('tsconfig.json')).toBe(false);
+    });
+
+    it('returns false for documentation', () => {
+      expect(isTestFile('README.md')).toBe(false);
+      expect(isTestFile('docs/api.md')).toBe(false);
+    });
+  });
+
+  describe('formatReviewMarkdown', () => {
+    it('formats passing review', () => {
+      const report = {
+        timestamp: '2024-01-01T00:00:00Z',
+        base: 'main',
+        head: 'feature',
+        passed: true,
+        verdict: 'APPROVED',
+        summary: ['✅ All tests pass'],
+        details: {
+          fileCount: 5,
+          coverage: { implFiles: 3, testFiles: 2, missingTests: 0, issues: [] },
+          commits: { commits: 2, tddScore: 100, violations: [] },
+          security: [],
+        },
+      };
+
+      const markdown = formatReviewMarkdown(report);
+
+      expect(markdown).toContain('# Code Review Report');
+      expect(markdown).toContain('APPROVED');
+      expect(markdown).toContain('✅ All tests pass');
+      expect(markdown).toContain('main');
+      expect(markdown).toContain('feature');
+    });
+
+    it('formats failing review with missing tests', () => {
+      const report = {
+        timestamp: '2024-01-01T00:00:00Z',
+        base: 'main',
+        head: 'feature',
+        passed: false,
+        verdict: 'CHANGES_REQUESTED',
+        summary: ['❌ 2 files missing tests'],
+        details: {
+          fileCount: 5,
+          coverage: {
+            implFiles: 3,
+            testFiles: 1,
+            missingTests: 2,
+            issues: [
+              { file: 'src/a.js', suggestions: ['src/a.test.js'] },
+              { file: 'src/b.js', suggestions: ['src/b.test.js'] },
+            ],
+          },
+          commits: { commits: 1, tddScore: 50, violations: [] },
+          security: [],
+        },
+      };
+
+      const markdown = formatReviewMarkdown(report);
+
+      expect(markdown).toContain('CHANGES_REQUESTED');
+      expect(markdown).toContain('Missing Tests');
+      expect(markdown).toContain('src/a.js');
+      expect(markdown).toContain('src/b.js');
+    });
+
+    it('formats failing review with TDD violations', () => {
+      const report = {
+        timestamp: '2024-01-01T00:00:00Z',
+        base: 'main',
+        head: 'feature',
+        passed: false,
+        verdict: 'CHANGES_REQUESTED',
+        summary: ['❌ TDD violations'],
+        details: {
+          fileCount: 3,
+          coverage: { implFiles: 2, testFiles: 1, missingTests: 0, issues: [] },
+          commits: {
+            commits: 2,
+            tddScore: 0,
+            violations: [
+              { commit: 'abc1234', message: 'feat: add feature', reason: 'No tests' },
+            ],
+          },
+          security: [],
+        },
+      };
+
+      const markdown = formatReviewMarkdown(report);
+
+      expect(markdown).toContain('TDD Violations');
+      expect(markdown).toContain('abc1234');
+      expect(markdown).toContain('No tests');
+    });
+
+    it('formats failing review with security issues', () => {
+      const report = {
+        timestamp: '2024-01-01T00:00:00Z',
+        base: 'main',
+        head: 'feature',
+        passed: false,
+        verdict: 'CHANGES_REQUESTED',
+        summary: ['❌ Security issues'],
+        details: {
+          fileCount: 2,
+          coverage: { implFiles: 1, testFiles: 1, missingTests: 0, issues: [] },
+          commits: { commits: 1, tddScore: 100, violations: [] },
+          security: [
+            { type: 'hardcoded-password', severity: 'high', line: 'password = "secret"' },
+            { type: 'eval-usage', severity: 'medium', line: 'eval(input)' },
+          ],
+        },
+      };
+
+      const markdown = formatReviewMarkdown(report);
+
+      expect(markdown).toContain('Security Issues');
+      expect(markdown).toContain('HIGH');
+      expect(markdown).toContain('hardcoded-password');
+      expect(markdown).toContain('MEDIUM');
+      expect(markdown).toContain('eval-usage');
+    });
+
+    it('includes PR number when present', () => {
+      const report = {
+        timestamp: '2024-01-01T00:00:00Z',
+        base: 'main',
+        head: 'feature',
+        prNumber: 42,
+        passed: true,
+        verdict: 'APPROVED',
+        summary: [],
+        details: {
+          fileCount: 0,
+          coverage: { implFiles: 0, testFiles: 0, missingTests: 0, issues: [] },
+          commits: {},
+          security: [],
+        },
+      };
+
+      const markdown = formatReviewMarkdown(report);
+
+      expect(markdown).toContain('**PR:** #42');
+    });
+
+    it('includes statistics', () => {
+      const report = {
+        timestamp: '2024-01-01T00:00:00Z',
+        base: 'main',
+        head: 'feature',
+        passed: true,
+        verdict: 'APPROVED',
+        summary: [],
+        details: {
+          fileCount: 10,
+          coverage: { implFiles: 6, testFiles: 4, missingTests: 0, issues: [] },
+          commits: { commits: 5, tddScore: 80, violations: [] },
+          security: [],
+        },
+      };
+
+      const markdown = formatReviewMarkdown(report);
+
+      expect(markdown).toContain('Statistics');
+      expect(markdown).toContain('Files changed: 10');
+      expect(markdown).toContain('Implementation files: 6');
+      expect(markdown).toContain('Test files: 4');
+      expect(markdown).toContain('Commits: 5');
+      expect(markdown).toContain('TDD Score: 80%');
+    });
+
+    it('handles empty report gracefully', () => {
+      const report = {
+        timestamp: '2024-01-01T00:00:00Z',
+        base: 'main',
+        head: 'HEAD',
+        passed: true,
+        verdict: 'APPROVED',
+        summary: [],
+        details: {
+          fileCount: 0,
+          coverage: { implFiles: 0, testFiles: 0, missingTests: 0, issues: [] },
+          commits: {},
+          security: [],
+        },
+      };
+
+      const markdown = formatReviewMarkdown(report);
+
+      expect(markdown).toContain('# Code Review Report');
+      expect(markdown).toContain('APPROVED');
+    });
+
+    it('skips low severity security issues in table', () => {
+      const report = {
+        timestamp: '2024-01-01T00:00:00Z',
+        base: 'main',
+        head: 'feature',
+        passed: true,
+        verdict: 'APPROVED',
+        summary: [],
+        details: {
+          fileCount: 1,
+          coverage: { implFiles: 1, testFiles: 0, missingTests: 0, issues: [] },
+          commits: {},
+          security: [
+            { type: 'console-log', severity: 'low', line: 'console.log("debug")' },
+            { type: 'todo-comment', severity: 'info', line: '// TODO: fix later' },
+          ],
+        },
+      };
+
+      const markdown = formatReviewMarkdown(report);
+
+      // Low severity issues should not appear in the Security Issues section
+      expect(markdown).not.toContain('Security Issues');
+    });
+  });
+});