whitesmith 0.0.2 → 0.0.4

package/dist/providers/github-ci.js

@@ -127,19 +127,23 @@ async function promptDefaults(providers) {
     return { provider, model };
 }
 /**
- * Prompt for API key values and set them as GitHub secrets.
- * Returns the list of secrets that were set.
+ * Set API key secrets on GitHub. If `knownSecrets` contains a value for an
+ * env var, it is used directly; otherwise the user is prompted interactively.
+ * Returns the list of secret names that were successfully set.
  */
-async function promptAndSetSecrets(ctx, providers) {
+async function setOrPromptSecrets(ctx, providers, knownSecrets) {
     const setSecrets = [];
     const seen = new Set();
     for (const p of providers) {
         if (seen.has(p.apiKeyEnvVar))
             continue;
         seen.add(p.apiKeyEnvVar);
-        const apiKey = await password({
-            message: `Enter API key for ${p.name} (secret: ${p.apiKeyEnvVar}):`,
-        });
+        let apiKey = knownSecrets?.[p.apiKeyEnvVar];
+        if (!apiKey) {
+            apiKey = await password({
+                message: `Enter API key for ${p.name} (secret: ${p.apiKeyEnvVar}):`,
+            });
+        }
         if (!apiKey) {
             console.log(`  ⚠ Skipped ${p.apiKeyEnvVar} (empty)`);
             continue;
@@ -189,86 +193,157 @@ function indent(text, spaces) {
         .map((line) => (line.trim() === '' ? '' : pad + line))
         .join('\n');
 }
-function generateModelsJsonStep(config) {
-    const modelsJson = buildModelsJson(config.providers);
-    const modelsJsonStr = JSON.stringify(modelsJson, null, 2);
-    return `\
-      - name: Configure pi models
-        run: |
-          mkdir -p ~/.pi/agent
-          cat > ~/.pi/agent/models.json << 'MODELS_EOF'
-${indent(modelsJsonStr, 10)}
-          MODELS_EOF`;
-}
-function generateAuthJsonSteps() {
-    return `\
-      - name: Configure pi auth
-        env:
-          PI_AUTH_JSON: \${{ secrets.PI_AUTH_JSON }}
-        run: |
-          if [ -z "$PI_AUTH_JSON" ]; then
-            echo "ERROR: PI_AUTH_JSON secret is not configured."
-            echo "Set it to the contents of ~/.pi/agent/auth.json"
-            exit 1
-          fi
-          mkdir -p ~/.pi/agent
-          echo "$PI_AUTH_JSON" > ~/.pi/agent/auth.json
-          chmod 600 ~/.pi/agent/auth.json
-
-      # Workaround for https://github.com/badlogic/pi-mono/issues/2743
-      - name: Refresh OAuth token
-        env:
-          GH_PAT: \${{ secrets.GH_PAT }}
-        run: node .github/scripts/refresh-oauth-token.mjs`;
-}
-function generateAuthSteps(config) {
-    if (config.authMode === 'auth-json') {
-        return generateAuthJsonSteps();
-    }
-    return generateModelsJsonStep(config);
-}
-function generateRunEnvBlock(config) {
-    const envs = {
-        GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}',
-    };
+/**
+ * Top-level env block shared by whitesmith.yml and whitesmith-comment.yml.
+ * Includes defaults, GH_TOKEN, and API key secrets.
+ */
+function generateTopLevelEnv(config) {
+    const lines = [
+        `  WHITESMITH_PROVIDER: ${config.defaultProvider}`,
+        `  WHITESMITH_MODEL: ${config.defaultModel}`,
+        `  GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}`,
+    ];
     if (config.authMode === 'models-json') {
+        const seen = new Set();
         for (const p of config.providers) {
-            envs[p.apiKeyEnvVar] = `\${{ secrets.${p.apiKeyEnvVar} }}`;
+            if (seen.has(p.apiKeyEnvVar))
+                continue;
+            seen.add(p.apiKeyEnvVar);
+            lines.push(`  ${p.apiKeyEnvVar}: \${{ secrets.${p.apiKeyEnvVar} }}`);
         }
     }
-    return Object.entries(envs)
-        .map(([k, v]) => `          ${k}: ${v}`)
-        .join('\n');
+    return lines.join('\n');
+}
+/**
+ * Composite action: node setup, git config, npm cache, install, auth config.
+ * This is written to .github/actions/setup-whitesmith/action.yml so workflows
+ * can just do `uses: ./.github/actions/setup-whitesmith`.
+ */
+function generateSetupAction(config) {
+    let authStep;
+    if (config.authMode === 'auth-json') {
+        authStep = `\
+    - name: Configure pi auth
+      shell: bash
+      run: |
+        if [ -z "$PI_AUTH_JSON" ]; then
+          echo "ERROR: PI_AUTH_JSON secret is not set" >&2; exit 1
+        fi
+        mkdir -p ~/.pi/agent
+        echo "$PI_AUTH_JSON" > ~/.pi/agent/auth.json
+        chmod 600 ~/.pi/agent/auth.json
+
+    # Workaround for https://github.com/badlogic/pi-mono/issues/2743
+    - name: Refresh OAuth token
+      shell: bash
+      run: node .github/scripts/refresh-oauth-token.mjs`;
+    }
+    else {
+        const modelsJson = buildModelsJson(config.providers);
+        const modelsJsonStr = JSON.stringify(modelsJson, null, 2);
+        authStep = `\
+    - name: Configure pi models
+      shell: bash
+      run: |
+        mkdir -p ~/.pi/agent
+        cat > ~/.pi/agent/models.json << 'MODELS_EOF'
+${indent(modelsJsonStr, 8)}
+        MODELS_EOF`;
+    }
+    let installSteps;
+    if (config.dev) {
+        // Dev mode: build whitesmith from source using pnpm.
+        // We add pnpm's global bin to $GITHUB_PATH so that `whitesmith` and `pi`
+        // are available in all subsequent steps (persists across composite action
+        // steps and the calling workflow).
+        // We always rebuild (even on cache hit) because source changes per commit.
+        installSteps = `\
+    - name: Setup pnpm
+      uses: pnpm/action-setup@v4
+
+    - name: Add pnpm global bin to PATH
+      shell: bash
+      run: |
+        pnpm setup
+        echo "$HOME/.local/share/pnpm" >> "$GITHUB_PATH"
+
+    - name: Install dependencies and build whitesmith
+      shell: bash
+      run: |
+        pnpm install
+        pnpm run build
+        pnpm link --global
+
+    - name: Install pi
+      shell: bash
+      run: pnpm add -g @mariozechner/pi-coding-agent`;
+    }
+    else {
+        installSteps = `\
+    - name: Get npm global prefix
+      id: npm-prefix
+      shell: bash
+      run: echo "dir=$(npm prefix -g)" >> "$GITHUB_OUTPUT"
+
+    - name: Cache npm packages
+      id: npm-cache
+      uses: actions/cache@v4
+      with:
+        path: \${{ steps.npm-prefix.outputs.dir }}
+        key: whitesmith-\${{ runner.os }}-${config.version}
+
+    - name: Install whitesmith and pi
+      if: steps.npm-cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: npm install -g whitesmith@${config.version} @mariozechner/pi-coding-agent`;
+    }
+    return `\
+name: Setup whitesmith
+description: Install Node.js, whitesmith, pi, and configure AI provider auth
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '22'
+
+    - name: Configure git
+      shell: bash
+      run: |
+        git config user.name "whitesmith[bot]"
+        git config user.email "whitesmith[bot]@users.noreply.github.com"
+
+${installSteps}
+
+${authStep}
+`;
 }
 function generateMainWorkflow(config) {
-    const authSteps = generateAuthSteps(config);
-    const envBlock = generateRunEnvBlock(config);
+    const envBlock = generateTopLevelEnv(config);
     return `\
-# NOTE: This workflow requires the repo setting:
-#   Settings → Actions → General → "Allow GitHub Actions to create and approve pull requests"
-# Without this, PR creation will fail with a permissions error.
+# Requires: Settings → Actions → General → "Allow GitHub Actions to create and approve pull requests"
 name: whitesmith
 
 on:
-  schedule:
-    - cron: '*/15 * * * *'
   workflow_dispatch:
     inputs:
+      issue:
+        description: 'Issue number to target (leave empty for global scan)'
       max_iterations:
         description: 'Maximum iterations'
         default: '3'
-        type: string
       provider:
-        description: 'AI provider (e.g. ${config.defaultProvider})'
-        required: false
-        type: string
+        description: 'AI provider (overrides WHITESMITH_PROVIDER)'
       model:
-        description: 'AI model ID (e.g. ${config.defaultModel})'
-        required: false
-        type: string
+        description: 'AI model (overrides WHITESMITH_MODEL)'
+
+env:
+${envBlock}
 
 concurrency:
-  group: whitesmith-loop
+  group: \${{ inputs.issue && format('whitesmith-issue-{0}', inputs.issue) || 'whitesmith-global' }}
   cancel-in-progress: false
 
 permissions:
@@ -283,62 +358,34 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: \${{ secrets.GITHUB_TOKEN }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-
-      - name: Configure git
-        run: |
-          git config user.name "whitesmith[bot]"
-          git config user.email "whitesmith[bot]@users.noreply.github.com"
-
-      - name: Get npm global prefix
-        id: npm-prefix
-        run: echo "dir=$(npm prefix -g)" >> "$GITHUB_OUTPUT"
-
-      - name: Cache global npm packages
-        id: npm-cache
-        uses: actions/cache@v4
-        with:
-          path: \${{ steps.npm-prefix.outputs.dir }}
-          key: npm-global-\${{ runner.os }}-pi-v1
 
-      - name: Install whitesmith and pi
-        if: steps.npm-cache.outputs.cache-hit != 'true'
-        run: |
-          npm install -g whitesmith
-          npm install -g @mariozechner/pi-coding-agent
-
-${authSteps}
+      - uses: ./.github/actions/setup-whitesmith
 
-      - name: Run whitesmith
-        env:
-${envBlock}
-        run: |
-          PROVIDER="\${{ inputs.provider || '${config.defaultProvider}' }}"
-          MODEL="\${{ inputs.model || '${config.defaultModel}' }}"
+      - run: |
+          ISSUE_FLAG=""
+          if [ -n "\${{ inputs.issue }}" ]; then
+            ISSUE_FLAG="--issue \${{ inputs.issue }}"
+          fi
           whitesmith run . \\
-            --agent-cmd "pi" \\
-            --provider "$PROVIDER" \\
-            --model "$MODEL" \\
+            \$ISSUE_FLAG \\
+            --provider "\${{ inputs.provider || env.WHITESMITH_PROVIDER }}" \\
+            --model "\${{ inputs.model || env.WHITESMITH_MODEL }}" \\
             --max-iterations \${{ inputs.max_iterations || '3' }}
 `;
 }
 function generateCommentWorkflow(config) {
-    const authSteps = generateAuthSteps(config);
-    const envBlock = generateRunEnvBlock(config);
+    const envBlock = generateTopLevelEnv(config);
     return `\
-# NOTE: This workflow requires the repo setting:
-#   Settings → Actions → General → "Allow GitHub Actions to create and approve pull requests"
+# Requires: Settings → Actions → General → "Allow GitHub Actions to create and approve pull requests"
 name: whitesmith-comment
 
 on:
   issue_comment:
     types: [created]
 
+env:
+${envBlock}
+
 concurrency:
   group: whitesmith-comment-\${{ github.event.issue.number }}
   cancel-in-progress: false
@@ -354,119 +401,196 @@ jobs:
     outputs:
       should_run: \${{ steps.check.outputs.should_run }}
     steps:
-      - name: Check if should run
-        id: check
+      - id: check
         env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
           COMMENT_BODY: \${{ github.event.comment.body }}
         run: |
-          # Always run if comment contains /whitesmith
           if echo "$COMMENT_BODY" | grep -q '/whitesmith'; then
             echo "should_run=true" >> "$GITHUB_OUTPUT"
-            echo "Triggered by /whitesmith keyword"
             exit 0
           fi
-
-          # For PR comments, auto-trigger if the PR is on a whitesmith branch
           if [ -n "\${{ github.event.issue.pull_request.url }}" ]; then
             BRANCH=$(gh pr view \${{ github.event.issue.number }} \\
-              --repo \${{ github.repository }} \\
-              --json headRefName -q .headRefName)
-            echo "PR branch: $BRANCH"
-            if echo "$BRANCH" | grep -qE '^(investigate|task)/'; then
+              --repo \${{ github.repository }} --json headRefName -q .headRefName)
+            if echo "$BRANCH" | grep -qE '^(investigate|issue)/'; then
               echo "should_run=true" >> "$GITHUB_OUTPUT"
-              echo "Triggered by comment on whitesmith PR branch"
               exit 0
             fi
           fi
-
           echo "should_run=false" >> "$GITHUB_OUTPUT"
-          echo "Skipping: not a /whitesmith command and not a whitesmith PR"
 
   run:
     needs: check
-    runs-on: ubuntu-latest
     if: needs.check.outputs.should_run == 'true'
+    runs-on: ubuntu-latest
     steps:
-      - name: React with eyes to acknowledge
-        env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
-        run: |
+      - run: |
           gh api repos/\${{ github.repository }}/issues/comments/\${{ github.event.comment.id }}/reactions \\
             -f content=eyes
 
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: \${{ secrets.GITHUB_TOKEN }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-
-      - name: Configure git
-        run: |
-          git config user.name "whitesmith[bot]"
-          git config user.email "whitesmith[bot]@users.noreply.github.com"
 
-      - name: Get npm global prefix
-        id: npm-prefix
-        run: echo "dir=$(npm prefix -g)" >> "$GITHUB_OUTPUT"
+      - uses: ./.github/actions/setup-whitesmith
 
-      - name: Cache global npm packages
-        id: npm-cache
-        uses: actions/cache@v4
-        with:
-          path: \${{ steps.npm-prefix.outputs.dir }}
-          key: npm-global-\${{ runner.os }}-pi-v1
-
-      - name: Install whitesmith and pi
-        if: steps.npm-cache.outputs.cache-hit != 'true'
-        run: |
-          npm install -g whitesmith
-          npm install -g @mariozechner/pi-coding-agent
-
-${authSteps}
-
-      - name: Save comment body to file
-        env:
+      - env:
           COMMENT_BODY: \${{ github.event.comment.body }}
         run: |
           printf '%s' "$COMMENT_BODY" > .whitesmith-comment-body.txt
-
-      - name: Run whitesmith comment
-        env:
-${envBlock}
-        run: |
           whitesmith comment . \\
             --number "\${{ github.event.issue.number }}" \\
             --body-file .whitesmith-comment-body.txt \\
-            --provider "${config.defaultProvider}" \\
-            --model "${config.defaultModel}" \\
+            --provider "$WHITESMITH_PROVIDER" \\
+            --model "$WHITESMITH_MODEL" \\
             --post
 
-      - name: React with checkmark on success
-        if: success()
-        env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+      - if: success()
         run: |
           gh api repos/\${{ github.repository }}/issues/comments/\${{ github.event.comment.id }}/reactions \\
             -f content="+1"
 
-      - name: React with X and comment on failure
-        if: failure()
-        env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+      - if: failure()
         run: |
           gh api repos/\${{ github.repository }}/issues/comments/\${{ github.event.comment.id }}/reactions \\
             -f content="-1"
-          gh issue comment \${{ github.event.issue.number }} \\
-            --repo \${{ github.repository }} \\
-            --body "❌ Agent run failed for [this comment](\${{ github.event.comment.html_url }}). Check the [workflow run](\${{ github.server_url }}/\${{ github.repository }}/actions/runs/\${{ github.run_id }}) for details."
+          gh issue comment \${{ github.event.issue.number }} --repo \${{ github.repository }} \\
+            --body "❌ Agent run failed. See [workflow run](\${{ github.server_url }}/\${{ github.repository }}/actions/runs/\${{ github.run_id }})."
 `;
 }
-function generateReconcileWorkflow() {
+function generateReviewWorkflow(config) {
+    const envBlock = generateTopLevelEnv(config);
+    // When the review step is enabled in the main loop, whitesmith PRs are
+    // already reviewed inline. The workflow should only review non-whitesmith PRs.
+    // When the review step is disabled, the workflow reviews ALL PRs.
+    const skipWhitesmithCheck = config.reviewStepEnabled
+        ? `\
+  check:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: \${{ steps.check.outputs.should_run }}
+    steps:
+      - id: check
+        run: |
+          BRANCH="\${{ github.event.pull_request.head.ref }}"
+          if echo "$BRANCH" | grep -qE '^(investigate|issue)/'; then
+            echo "Skipping review for whitesmith-managed branch: $BRANCH"
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "should_run=true" >> "$GITHUB_OUTPUT"
+          fi
+
+  review:
+    needs: check
+    if: >-
+      (github.event_name == 'workflow_dispatch') ||
+      (needs.check.outputs.should_run == 'true')`
+        : `\
+  review:`;
+    return `\
+name: whitesmith-review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+  workflow_dispatch:
+    inputs:
+      number:
+        description: 'PR or issue number to review'
+        required: true
+      type:
+        description: 'Review type (auto-detected if empty): pr, issue-tasks, issue-tasks-completed'
+      provider:
+        description: 'AI provider (overrides WHITESMITH_PROVIDER)'
+      model:
+        description: 'AI model (overrides WHITESMITH_MODEL)'
+
+env:
+${envBlock}
+
+concurrency:
+  group: whitesmith-review-\${{ github.event.pull_request.number || inputs.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
+jobs:
+${skipWhitesmithCheck}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup-whitesmith
+
+      - if: github.event_name == 'pull_request'
+        run: |
+          whitesmith review . \\
+            --number "\${{ github.event.pull_request.number }}" \\
+            --provider "\${{ env.WHITESMITH_PROVIDER }}" \\
+            --model "\${{ env.WHITESMITH_MODEL }}" \\
+            --post
+
+      - if: github.event_name == 'workflow_dispatch'
+        run: |
+          TYPE_FLAG=""
+          if [ -n "\${{ inputs.type }}" ]; then
+            TYPE_FLAG="--type \${{ inputs.type }}"
+          fi
+          whitesmith review . \\
+            --number "\${{ inputs.number }}" \\
+            \$TYPE_FLAG \\
+            --provider "\${{ inputs.provider || env.WHITESMITH_PROVIDER }}" \\
+            --model "\${{ inputs.model || env.WHITESMITH_MODEL }}" \\
+            --post
+`;
+}
+function generateIssueWorkflow(config) {
+    const envBlock = generateTopLevelEnv(config);
+    return `\
+name: whitesmith-issue
+
+on:
+  issues:
+    types: [opened]
+
+env:
+${envBlock}
+
+concurrency:
+  group: whitesmith-issue-\${{ github.event.issue.number }}
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup-whitesmith
+
+      - run: |
+          whitesmith run . \\
+            --issue "\${{ github.event.issue.number }}" \\
+            --provider "$WHITESMITH_PROVIDER" \\
+            --model "$WHITESMITH_MODEL" \\
+            --max-iterations 10
+`;
+}
+function generateReconcileWorkflow(config) {
+    const envBlock = generateTopLevelEnv(config);
     return `\
 name: whitesmith-reconcile
 
@@ -475,42 +599,71 @@ on:
     types: [closed]
     branches: [main]
 
+env:
+${envBlock}
+
 permissions:
-  contents: read
+  contents: write
   issues: write
-  pull-requests: read
+  pull-requests: write
 
 jobs:
-  reconcile:
+  parse:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
+    outputs:
+      issue_number: \${{ steps.parse.outputs.issue_number }}
+      branch_type: \${{ steps.parse.outputs.branch_type }}
     steps:
-      - uses: actions/checkout@v4
+      - id: parse
+        run: |
+          BRANCH="\${{ github.event.pull_request.head.ref }}"
+          INVESTIGATE_NUM=$(echo "$BRANCH" | sed -n 's|^investigate/\\([0-9]*\\)$|\\1|p')
+          ISSUE_NUM=$(echo "$BRANCH" | sed -n 's|^issue/\\([0-9]*\\)$|\\1|p')
+          if [ -n "$INVESTIGATE_NUM" ]; then
+            echo "issue_number=$INVESTIGATE_NUM" >> "$GITHUB_OUTPUT"
+            echo "branch_type=investigate" >> "$GITHUB_OUTPUT"
+          elif [ -n "$ISSUE_NUM" ]; then
+            echo "issue_number=$ISSUE_NUM" >> "$GITHUB_OUTPUT"
+            echo "branch_type=issue" >> "$GITHUB_OUTPUT"
+          else
+            echo "branch_type=other" >> "$GITHUB_OUTPUT"
+          fi
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
+  implement:
+    needs: parse
+    if: needs.parse.outputs.branch_type == 'investigate'
+    runs-on: ubuntu-latest
+    concurrency:
+      group: whitesmith-issue-\${{ needs.parse.outputs.issue_number }}
+      cancel-in-progress: false
+    steps:
+      - uses: actions/checkout@v4
         with:
-          node-version: '22'
+          fetch-depth: 0
 
-      - name: Get npm global prefix
-        id: npm-prefix
-        run: echo "dir=$(npm prefix -g)" >> "$GITHUB_OUTPUT"
+      - uses: ./.github/actions/setup-whitesmith
 
-      - name: Cache global npm packages
-        id: npm-cache
-        uses: actions/cache@v4
-        with:
-          path: \${{ steps.npm-prefix.outputs.dir }}
-          key: npm-global-\${{ runner.os }}-whitesmith-v1
+      - run: |
+          whitesmith run . \\
+            --issue "\${{ needs.parse.outputs.issue_number }}" \\
+            --provider "$WHITESMITH_PROVIDER" \\
+            --model "$WHITESMITH_MODEL" \\
+            --max-iterations 10
+
+  reconcile:
+    needs: parse
+    if: needs.parse.outputs.branch_type != 'investigate'
+    runs-on: ubuntu-latest
+    concurrency:
+      group: \${{ (needs.parse.outputs.issue_number && format('whitesmith-issue-{0}', needs.parse.outputs.issue_number)) || 'whitesmith-reconcile-other' }}
+      cancel-in-progress: false
+    steps:
+      - uses: actions/checkout@v4
 
-      - name: Install whitesmith
-        if: steps.npm-cache.outputs.cache-hit != 'true'
-        run: npm install -g whitesmith
+      - uses: ./.github/actions/setup-whitesmith
 
-      - name: Reconcile
-        env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
-        run: whitesmith reconcile .
+      - run: whitesmith reconcile .
 `;
 }
 // ─── Refresh OAuth Script (auth-json mode only) ─────────────────────────────
@@ -608,30 +761,58 @@ if (repo && token) {
   console.log("Skipping secret update (no GH_PAT or GITHUB_REPOSITORY)");
 }
 `;
+/**
+ * Load config from a JSON file, skipping interactive prompts.
+ */
+function loadConfigFile(filePath) {
+    const raw = fs.readFileSync(filePath, 'utf-8');
+    const data = JSON.parse(raw);
+    if (!data.providers || !Array.isArray(data.providers) || data.providers.length === 0) {
+        throw new Error(`Config file must contain a non-empty "providers" array`);
+    }
+    if (!data.defaultProvider) {
+        throw new Error(`Config file must contain "defaultProvider"`);
+    }
+    if (!data.defaultModel) {
+        throw new Error(`Config file must contain "defaultModel"`);
+    }
+    return data;
+}
 export async function installGitHubCI(ctx, options) {
     const { authMode } = options;
+    const fake = options.fake ?? false;
+    const exportConfig = options.exportConfig ?? undefined;
     console.log('=== whitesmith install-ci (GitHub) ===\n');
     console.log(`Auth mode: ${authMode}\n`);
     let repo = ctx.repo;
-    if (!repo && authMode === 'models-json' && ctx.ghAvailable) {
+    if (!exportConfig && !fake && !repo && authMode === 'models-json' && ctx.ghAvailable) {
         repo = await input({
             message: 'GitHub repository (owner/repo) — needed to set secrets:',
         });
         ctx.repo = repo;
     }
-    let providers = [];
+    let providers;
     let defaultProvider;
     let defaultModel;
-    if (authMode === 'models-json') {
-        // Configure providers interactively
+    let loadedSecrets;
+    if (options.configFile) {
+        // Load from file — no prompts
+        const loaded = loadConfigFile(options.configFile);
+        providers = loaded.providers;
+        defaultProvider = loaded.defaultProvider;
+        defaultModel = loaded.defaultModel;
+        loadedSecrets = loaded.secrets;
+    }
+    else if (authMode === 'models-json') {
+        // Interactive prompts
         providers = await promptProviders();
-        // Pick defaults
         const defaults = await promptDefaults(providers);
         defaultProvider = defaults.provider;
         defaultModel = defaults.model;
     }
     else {
         // auth.json mode — still need provider/model for whitesmith commands
+        providers = [];
         defaultProvider = await input({
             message: 'Default AI provider:',
             default: 'anthropic',
@@ -641,22 +822,75 @@ export async function installGitHubCI(ctx, options) {
             default: 'claude-sonnet-4-20250514',
         });
     }
+    // ── Export config mode — write JSON to stdout and exit ───────────────
+    if (exportConfig) {
+        const configFile = { providers, defaultProvider, defaultModel };
+        if (options.includeSecrets && providers.length > 0) {
+            const secrets = {};
+            const seen = new Set();
+            for (const p of providers) {
+                if (seen.has(p.apiKeyEnvVar))
+                    continue;
+                seen.add(p.apiKeyEnvVar);
+                const key = await password({
+                    message: `Enter API key for ${p.name} (${p.apiKeyEnvVar}):`,
+                });
+                if (key)
+                    secrets[p.apiKeyEnvVar] = key;
+            }
+            if (Object.keys(secrets).length > 0) {
+                configFile.secrets = secrets;
+            }
+        }
+        const json = JSON.stringify(configFile, null, 2) + '\n';
+        fs.writeFileSync(exportConfig, json, 'utf-8');
+        console.log(`\n✅ Config written to ${exportConfig}`);
+        return;
+    }
+    // Auto-detect dev mode: check if we're inside the whitesmith repo itself
+    let dev = options.dev ?? false;
+    if (!dev) {
+        try {
+            const pkgPath = path.join(ctx.workDir, 'package.json');
+            if (fs.existsSync(pkgPath)) {
+                const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+                if (pkg.name === 'whitesmith') {
+                    dev = true;
+                    console.log('📦 Detected whitesmith repo — using dev mode (build from source)\n');
+                }
+            }
+        }
+        catch {
+            // Ignore — not in whitesmith repo
+        }
+    }
+    const reviewWorkflow = options.reviewWorkflow ?? false;
+    const reviewStepEnabled = options.reviewStepEnabled ?? true;
     const config = {
         authMode,
         providers,
         defaultProvider,
         defaultModel,
+        dev,
+        reviewWorkflow,
+        reviewStepEnabled,
+        version: options.version,
     };
     // ── Set GitHub secrets via gh CLI ─────────────────────────────────────
-    const fake = options.fake ?? false;
-    if (!fake && authMode === 'models-json' && repo) {
+    const skipSecrets = options.skipSecrets ?? false;
+    if (skipSecrets) {
+        console.log('\n🔑 Skipping secret setup (--no-secrets)');
+    }
+    else if (!fake && authMode === 'models-json' && repo) {
         if (!ctx.ghAvailable) {
             console.log('\n⚠ GitHub CLI (gh) is not available or not authenticated.');
             console.log('  You will need to set the following secrets manually.\n');
         }
         else {
+            // If config file included secrets, set them directly without prompting
+            const configSecrets = options.configFile ? loadedSecrets : undefined;
             console.log('\n🔑 Setting API key secrets on GitHub...\n');
-            const setSecrets = await promptAndSetSecrets(ctx, providers);
+            const setSecrets = await setOrPromptSecrets(ctx, providers, configSecrets);
             const allEnvVars = [...new Set(providers.map((p) => p.apiKeyEnvVar))];
             const missing = allEnvVars.filter((v) => !setSecrets.includes(v));
             if (missing.length > 0) {
@@ -672,10 +906,16 @@ export async function installGitHubCI(ctx, options) {
     }
     // ── Generate and write workflow files ─────────────────────────────────
     const outputBase = fake ? '.fake' : '.github';
-    const githubDir = path.join(ctx.workDir, outputBase);
-    const workflowsDir = path.join(githubDir, 'workflows');
+    const baseDir = path.join(ctx.workDir, outputBase);
+    const workflowsDir = path.join(baseDir, 'workflows');
+    const actionsDir = path.join(baseDir, 'actions', 'setup-whitesmith');
     fs.mkdirSync(workflowsDir, { recursive: true });
+    fs.mkdirSync(actionsDir, { recursive: true });
     const files = [
+        {
+            path: path.join(actionsDir, 'action.yml'),
+            content: generateSetupAction(config),
+        },
         {
             path: path.join(workflowsDir, 'whitesmith.yml'),
             content: generateMainWorkflow(config),
@@ -684,13 +924,23 @@ export async function installGitHubCI(ctx, options) {
             path: path.join(workflowsDir, 'whitesmith-comment.yml'),
             content: generateCommentWorkflow(config),
         },
+        {
+            path: path.join(workflowsDir, 'whitesmith-issue.yml'),
+            content: generateIssueWorkflow(config),
+        },
         {
             path: path.join(workflowsDir, 'whitesmith-reconcile.yml'),
-            content: generateReconcileWorkflow(),
+            content: generateReconcileWorkflow(config),
         },
     ];
+    if (config.reviewWorkflow) {
+        files.push({
+            path: path.join(workflowsDir, 'whitesmith-review.yml'),
+            content: generateReviewWorkflow(config),
+        });
+    }
     if (authMode === 'auth-json') {
-        const scriptsDir = path.join(githubDir, 'scripts');
+        const scriptsDir = path.join(baseDir, 'scripts');
         fs.mkdirSync(scriptsDir, { recursive: true });
         files.push({
             path: path.join(scriptsDir, 'refresh-oauth-token.mjs'),