whitesmith 0.0.2 → 0.0.4

package/src/providers/github-ci.ts

@@ -6,7 +6,7 @@ import * as path from 'node:path';
 
 export type AuthMode = 'auth-json' | 'models-json';
 
-interface ProviderEntry {
+export interface ProviderEntry {
 	name: string;
 	baseUrl?: string;
 	api?: string;
@@ -16,11 +16,33 @@ interface ProviderEntry {
 	builtin: boolean;
 }
 
+/**
+ * Serializable CI configuration.
+ * Can be saved to JSON with --export-config and loaded with --config.
+ * When --include-secrets is used, the `secrets` field maps env var names to
+ * their actual API key values. These are set via `gh secret set` on install.
+ */
+export interface CIConfigFile {
+	providers: ProviderEntry[];
+	defaultProvider: string;
+	defaultModel: string;
+	/** API key values keyed by env var name. Only present with --include-secrets. */
+	secrets?: Record<string, string>;
+}
+
 interface CIConfig {
 	authMode: AuthMode;
 	providers: ProviderEntry[];
 	defaultProvider: string;
 	defaultModel: string;
+	/** When true, install whitesmith from source (pnpm i + pnpm link --global) instead of npm. */
+	dev: boolean;
+	/** When true, generate the review workflow. */
+	reviewWorkflow: boolean;
+	/** When true, the review step is enabled in the main loop (whitesmith PRs are already reviewed inline). */
+	reviewStepEnabled: boolean;
+	/** whitesmith package version to pin in npm install. */
+	version: string;
 }
 
 /**
@@ -180,12 +202,14 @@ async function promptDefaults(
 }
 
 /**
- * Prompt for API key values and set them as GitHub secrets.
- * Returns the list of secrets that were set.
+ * Set API key secrets on GitHub. If `knownSecrets` contains a value for an
+ * env var, it is used directly; otherwise the user is prompted interactively.
+ * Returns the list of secret names that were successfully set.
  */
-async function promptAndSetSecrets(
+async function setOrPromptSecrets(
 	ctx: GitHubCIContext,
 	providers: ProviderEntry[],
+	knownSecrets?: Record<string, string>,
 ): Promise<string[]> {
 	const setSecrets: string[] = [];
 	const seen = new Set<string>();
@@ -194,9 +218,12 @@ async function promptAndSetSecrets(
 		if (seen.has(p.apiKeyEnvVar)) continue;
 		seen.add(p.apiKeyEnvVar);
 
-		const apiKey = await password({
-			message: `Enter API key for ${p.name} (secret: ${p.apiKeyEnvVar}):`,
-		});
+		let apiKey = knownSecrets?.[p.apiKeyEnvVar];
+		if (!apiKey) {
+			apiKey = await password({
+				message: `Enter API key for ${p.name} (secret: ${p.apiKeyEnvVar}):`,
+			});
+		}
 
 		if (!apiKey) {
 			console.log(`  ⚠ Skipped ${p.apiKeyEnvVar} (empty)`);
@@ -252,94 +279,164 @@ function indent(text: string, spaces: number): string {
 		.join('\n');
 }
 
-function generateModelsJsonStep(config: CIConfig): string {
-	const modelsJson = buildModelsJson(config.providers);
-	const modelsJsonStr = JSON.stringify(modelsJson, null, 2);
-
-	return `\
-      - name: Configure pi models
-        run: |
-          mkdir -p ~/.pi/agent
-          cat > ~/.pi/agent/models.json << 'MODELS_EOF'
-${indent(modelsJsonStr, 10)}
-          MODELS_EOF`;
-}
+/**
+ * Top-level env block shared by whitesmith.yml and whitesmith-comment.yml.
+ * Includes defaults, GH_TOKEN, and API key secrets.
+ */
+function generateTopLevelEnv(config: CIConfig): string {
+	const lines: string[] = [
+		`  WHITESMITH_PROVIDER: ${config.defaultProvider}`,
+		`  WHITESMITH_MODEL: ${config.defaultModel}`,
+		`  GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}`,
+	];
 
-function generateAuthJsonSteps(): string {
-	return `\
-      - name: Configure pi auth
-        env:
-          PI_AUTH_JSON: \${{ secrets.PI_AUTH_JSON }}
-        run: |
-          if [ -z "$PI_AUTH_JSON" ]; then
-            echo "ERROR: PI_AUTH_JSON secret is not configured."
-            echo "Set it to the contents of ~/.pi/agent/auth.json"
-            exit 1
-          fi
-          mkdir -p ~/.pi/agent
-          echo "$PI_AUTH_JSON" > ~/.pi/agent/auth.json
-          chmod 600 ~/.pi/agent/auth.json
+	if (config.authMode === 'models-json') {
+		const seen = new Set<string>();
+		for (const p of config.providers) {
+			if (seen.has(p.apiKeyEnvVar)) continue;
+			seen.add(p.apiKeyEnvVar);
+			lines.push(`  ${p.apiKeyEnvVar}: \${{ secrets.${p.apiKeyEnvVar} }}`);
+		}
+	}
 
-      # Workaround for https://github.com/badlogic/pi-mono/issues/2743
-      - name: Refresh OAuth token
-        env:
-          GH_PAT: \${{ secrets.GH_PAT }}
-        run: node .github/scripts/refresh-oauth-token.mjs`;
+	return lines.join('\n');
 }
 
-function generateAuthSteps(config: CIConfig): string {
+/**
+ * Composite action: node setup, git config, npm cache, install, auth config.
+ * This is written to .github/actions/setup-whitesmith/action.yml so workflows
+ * can just do `uses: ./.github/actions/setup-whitesmith`.
+ */
+function generateSetupAction(config: CIConfig): string {
+	let authStep: string;
+
 	if (config.authMode === 'auth-json') {
-		return generateAuthJsonSteps();
+		authStep = `\
+    - name: Configure pi auth
+      shell: bash
+      run: |
+        if [ -z "$PI_AUTH_JSON" ]; then
+          echo "ERROR: PI_AUTH_JSON secret is not set" >&2; exit 1
+        fi
+        mkdir -p ~/.pi/agent
+        echo "$PI_AUTH_JSON" > ~/.pi/agent/auth.json
+        chmod 600 ~/.pi/agent/auth.json
+
+    # Workaround for https://github.com/badlogic/pi-mono/issues/2743
+    - name: Refresh OAuth token
+      shell: bash
+      run: node .github/scripts/refresh-oauth-token.mjs`;
+	} else {
+		const modelsJson = buildModelsJson(config.providers);
+		const modelsJsonStr = JSON.stringify(modelsJson, null, 2);
+
+		authStep = `\
+    - name: Configure pi models
+      shell: bash
+      run: |
+        mkdir -p ~/.pi/agent
+        cat > ~/.pi/agent/models.json << 'MODELS_EOF'
+${indent(modelsJsonStr, 8)}
+        MODELS_EOF`;
 	}
-	return generateModelsJsonStep(config);
-}
-
-function generateRunEnvBlock(config: CIConfig): string {
-	const envs: Record<string, string> = {
-		GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}',
-	};
 
-	if (config.authMode === 'models-json') {
-		for (const p of config.providers) {
-			envs[p.apiKeyEnvVar] = `\${{ secrets.${p.apiKeyEnvVar} }}`;
-		}
+	let installSteps: string;
+
+	if (config.dev) {
+		// Dev mode: build whitesmith from source using pnpm.
+		// We add pnpm's global bin to $GITHUB_PATH so that `whitesmith` and `pi`
+		// are available in all subsequent steps (persists across composite action
+		// steps and the calling workflow).
+		// We always rebuild (even on cache hit) because source changes per commit.
+		installSteps = `\
+    - name: Setup pnpm
+      uses: pnpm/action-setup@v4
+
+    - name: Add pnpm global bin to PATH
+      shell: bash
+      run: |
+        pnpm setup
+        echo "$HOME/.local/share/pnpm" >> "$GITHUB_PATH"
+
+    - name: Install dependencies and build whitesmith
+      shell: bash
+      run: |
+        pnpm install
+        pnpm run build
+        pnpm link --global
+
+    - name: Install pi
+      shell: bash
+      run: pnpm add -g @mariozechner/pi-coding-agent`;
+	} else {
+		installSteps = `\
+    - name: Get npm global prefix
+      id: npm-prefix
+      shell: bash
+      run: echo "dir=$(npm prefix -g)" >> "$GITHUB_OUTPUT"
+
+    - name: Cache npm packages
+      id: npm-cache
+      uses: actions/cache@v4
+      with:
+        path: \${{ steps.npm-prefix.outputs.dir }}
+        key: whitesmith-\${{ runner.os }}-${config.version}
+
+    - name: Install whitesmith and pi
+      if: steps.npm-cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: npm install -g whitesmith@${config.version} @mariozechner/pi-coding-agent`;
 	}
 
-	return Object.entries(envs)
-		.map(([k, v]) => `          ${k}: ${v}`)
-		.join('\n');
+	return `\
+name: Setup whitesmith
+description: Install Node.js, whitesmith, pi, and configure AI provider auth
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '22'
+
+    - name: Configure git
+      shell: bash
+      run: |
+        git config user.name "whitesmith[bot]"
+        git config user.email "whitesmith[bot]@users.noreply.github.com"
+
+${installSteps}
+
+${authStep}
+`;
 }
 
 function generateMainWorkflow(config: CIConfig): string {
-	const authSteps = generateAuthSteps(config);
-	const envBlock = generateRunEnvBlock(config);
+	const envBlock = generateTopLevelEnv(config);
 
 	return `\
-# NOTE: This workflow requires the repo setting:
-#   Settings → Actions → General → "Allow GitHub Actions to create and approve pull requests"
-# Without this, PR creation will fail with a permissions error.
+# Requires: Settings → Actions → General → "Allow GitHub Actions to create and approve pull requests"
 name: whitesmith
 
 on:
-  schedule:
-    - cron: '*/15 * * * *'
   workflow_dispatch:
     inputs:
+      issue:
+        description: 'Issue number to target (leave empty for global scan)'
       max_iterations:
         description: 'Maximum iterations'
         default: '3'
-        type: string
       provider:
-        description: 'AI provider (e.g. ${config.defaultProvider})'
-        required: false
-        type: string
+        description: 'AI provider (overrides WHITESMITH_PROVIDER)'
       model:
-        description: 'AI model ID (e.g. ${config.defaultModel})'
-        required: false
-        type: string
+        description: 'AI model (overrides WHITESMITH_MODEL)'
+
+env:
+${envBlock}
 
 concurrency:
-  group: whitesmith-loop
+  group: \${{ inputs.issue && format('whitesmith-issue-{0}', inputs.issue) || 'whitesmith-global' }}
   cancel-in-progress: false
 
 permissions:
@@ -354,64 +451,36 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: \${{ secrets.GITHUB_TOKEN }}
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
+      - uses: ./.github/actions/setup-whitesmith
 
-      - name: Configure git
-        run: |
-          git config user.name "whitesmith[bot]"
-          git config user.email "whitesmith[bot]@users.noreply.github.com"
-
-      - name: Get npm global prefix
-        id: npm-prefix
-        run: echo "dir=$(npm prefix -g)" >> "$GITHUB_OUTPUT"
-
-      - name: Cache global npm packages
-        id: npm-cache
-        uses: actions/cache@v4
-        with:
-          path: \${{ steps.npm-prefix.outputs.dir }}
-          key: npm-global-\${{ runner.os }}-pi-v1
-
-      - name: Install whitesmith and pi
-        if: steps.npm-cache.outputs.cache-hit != 'true'
-        run: |
-          npm install -g whitesmith
-          npm install -g @mariozechner/pi-coding-agent
-
-${authSteps}
-
-      - name: Run whitesmith
-        env:
-${envBlock}
-        run: |
-          PROVIDER="\${{ inputs.provider || '${config.defaultProvider}' }}"
-          MODEL="\${{ inputs.model || '${config.defaultModel}' }}"
+      - run: |
+          ISSUE_FLAG=""
+          if [ -n "\${{ inputs.issue }}" ]; then
+            ISSUE_FLAG="--issue \${{ inputs.issue }}"
+          fi
           whitesmith run . \\
-            --agent-cmd "pi" \\
-            --provider "$PROVIDER" \\
-            --model "$MODEL" \\
+            \$ISSUE_FLAG \\
+            --provider "\${{ inputs.provider || env.WHITESMITH_PROVIDER }}" \\
+            --model "\${{ inputs.model || env.WHITESMITH_MODEL }}" \\
             --max-iterations \${{ inputs.max_iterations || '3' }}
 `;
 }
 
 function generateCommentWorkflow(config: CIConfig): string {
-	const authSteps = generateAuthSteps(config);
-	const envBlock = generateRunEnvBlock(config);
+	const envBlock = generateTopLevelEnv(config);
 
 	return `\
-# NOTE: This workflow requires the repo setting:
-#   Settings → Actions → General → "Allow GitHub Actions to create and approve pull requests"
+# Requires: Settings → Actions → General → "Allow GitHub Actions to create and approve pull requests"
 name: whitesmith-comment
 
 on:
   issue_comment:
     types: [created]
 
+env:
+${envBlock}
+
 concurrency:
   group: whitesmith-comment-\${{ github.event.issue.number }}
   cancel-in-progress: false
@@ -427,120 +496,203 @@ jobs:
     outputs:
       should_run: \${{ steps.check.outputs.should_run }}
     steps:
-      - name: Check if should run
-        id: check
+      - id: check
         env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
           COMMENT_BODY: \${{ github.event.comment.body }}
         run: |
-          # Always run if comment contains /whitesmith
           if echo "$COMMENT_BODY" | grep -q '/whitesmith'; then
             echo "should_run=true" >> "$GITHUB_OUTPUT"
-            echo "Triggered by /whitesmith keyword"
             exit 0
           fi
-
-          # For PR comments, auto-trigger if the PR is on a whitesmith branch
           if [ -n "\${{ github.event.issue.pull_request.url }}" ]; then
             BRANCH=$(gh pr view \${{ github.event.issue.number }} \\
-              --repo \${{ github.repository }} \\
-              --json headRefName -q .headRefName)
-            echo "PR branch: $BRANCH"
-            if echo "$BRANCH" | grep -qE '^(investigate|task)/'; then
+              --repo \${{ github.repository }} --json headRefName -q .headRefName)
+            if echo "$BRANCH" | grep -qE '^(investigate|issue)/'; then
               echo "should_run=true" >> "$GITHUB_OUTPUT"
-              echo "Triggered by comment on whitesmith PR branch"
               exit 0
             fi
           fi
-
           echo "should_run=false" >> "$GITHUB_OUTPUT"
-          echo "Skipping: not a /whitesmith command and not a whitesmith PR"
 
   run:
     needs: check
-    runs-on: ubuntu-latest
     if: needs.check.outputs.should_run == 'true'
+    runs-on: ubuntu-latest
     steps:
-      - name: React with eyes to acknowledge
-        env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
-        run: |
+      - run: |
           gh api repos/\${{ github.repository }}/issues/comments/\${{ github.event.comment.id }}/reactions \\
             -f content=eyes
 
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: \${{ secrets.GITHUB_TOKEN }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-
-      - name: Configure git
-        run: |
-          git config user.name "whitesmith[bot]"
-          git config user.email "whitesmith[bot]@users.noreply.github.com"
 
-      - name: Get npm global prefix
-        id: npm-prefix
-        run: echo "dir=$(npm prefix -g)" >> "$GITHUB_OUTPUT"
+      - uses: ./.github/actions/setup-whitesmith
 
-      - name: Cache global npm packages
-        id: npm-cache
-        uses: actions/cache@v4
-        with:
-          path: \${{ steps.npm-prefix.outputs.dir }}
-          key: npm-global-\${{ runner.os }}-pi-v1
-
-      - name: Install whitesmith and pi
-        if: steps.npm-cache.outputs.cache-hit != 'true'
-        run: |
-          npm install -g whitesmith
-          npm install -g @mariozechner/pi-coding-agent
-
-${authSteps}
-
-      - name: Save comment body to file
-        env:
+      - env:
           COMMENT_BODY: \${{ github.event.comment.body }}
         run: |
           printf '%s' "$COMMENT_BODY" > .whitesmith-comment-body.txt
-
-      - name: Run whitesmith comment
-        env:
-${envBlock}
-        run: |
           whitesmith comment . \\
             --number "\${{ github.event.issue.number }}" \\
             --body-file .whitesmith-comment-body.txt \\
-            --provider "${config.defaultProvider}" \\
-            --model "${config.defaultModel}" \\
+            --provider "$WHITESMITH_PROVIDER" \\
+            --model "$WHITESMITH_MODEL" \\
             --post
 
-      - name: React with checkmark on success
-        if: success()
-        env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+      - if: success()
         run: |
           gh api repos/\${{ github.repository }}/issues/comments/\${{ github.event.comment.id }}/reactions \\
             -f content="+1"
 
-      - name: React with X and comment on failure
-        if: failure()
-        env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+      - if: failure()
         run: |
           gh api repos/\${{ github.repository }}/issues/comments/\${{ github.event.comment.id }}/reactions \\
             -f content="-1"
-          gh issue comment \${{ github.event.issue.number }} \\
-            --repo \${{ github.repository }} \\
-            --body "❌ Agent run failed for [this comment](\${{ github.event.comment.html_url }}). Check the [workflow run](\${{ github.server_url }}/\${{ github.repository }}/actions/runs/\${{ github.run_id }}) for details."
+          gh issue comment \${{ github.event.issue.number }} --repo \${{ github.repository }} \\
+            --body "❌ Agent run failed. See [workflow run](\${{ github.server_url }}/\${{ github.repository }}/actions/runs/\${{ github.run_id }})."
 `;
 }
 
-function generateReconcileWorkflow(): string {
+function generateReviewWorkflow(config: CIConfig): string {
+	const envBlock = generateTopLevelEnv(config);
+
+	// When the review step is enabled in the main loop, whitesmith PRs are
+	// already reviewed inline. The workflow should only review non-whitesmith PRs.
+	// When the review step is disabled, the workflow reviews ALL PRs.
+	const skipWhitesmithCheck = config.reviewStepEnabled
+		? `\
+  check:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: \${{ steps.check.outputs.should_run }}
+    steps:
+      - id: check
+        run: |
+          BRANCH="\${{ github.event.pull_request.head.ref }}"
+          if echo "$BRANCH" | grep -qE '^(investigate|issue)/'; then
+            echo "Skipping review for whitesmith-managed branch: $BRANCH"
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "should_run=true" >> "$GITHUB_OUTPUT"
+          fi
+
+  review:
+    needs: check
+    if: >-
+      (github.event_name == 'workflow_dispatch') ||
+      (needs.check.outputs.should_run == 'true')`
+		: `\
+  review:`;
+
+	return `\
+name: whitesmith-review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+  workflow_dispatch:
+    inputs:
+      number:
+        description: 'PR or issue number to review'
+        required: true
+      type:
+        description: 'Review type (auto-detected if empty): pr, issue-tasks, issue-tasks-completed'
+      provider:
+        description: 'AI provider (overrides WHITESMITH_PROVIDER)'
+      model:
+        description: 'AI model (overrides WHITESMITH_MODEL)'
+
+env:
+${envBlock}
+
+concurrency:
+  group: whitesmith-review-\${{ github.event.pull_request.number || inputs.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
+jobs:
+${skipWhitesmithCheck}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup-whitesmith
+
+      - if: github.event_name == 'pull_request'
+        run: |
+          whitesmith review . \\
+            --number "\${{ github.event.pull_request.number }}" \\
+            --provider "\${{ env.WHITESMITH_PROVIDER }}" \\
+            --model "\${{ env.WHITESMITH_MODEL }}" \\
+            --post
+
+      - if: github.event_name == 'workflow_dispatch'
+        run: |
+          TYPE_FLAG=""
+          if [ -n "\${{ inputs.type }}" ]; then
+            TYPE_FLAG="--type \${{ inputs.type }}"
+          fi
+          whitesmith review . \\
+            --number "\${{ inputs.number }}" \\
+            \$TYPE_FLAG \\
+            --provider "\${{ inputs.provider || env.WHITESMITH_PROVIDER }}" \\
+            --model "\${{ inputs.model || env.WHITESMITH_MODEL }}" \\
+            --post
+`;
+}
+
+function generateIssueWorkflow(config: CIConfig): string {
+	const envBlock = generateTopLevelEnv(config);
+
+	return `\
+name: whitesmith-issue
+
+on:
+  issues:
+    types: [opened]
+
+env:
+${envBlock}
+
+concurrency:
+  group: whitesmith-issue-\${{ github.event.issue.number }}
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup-whitesmith
+
+      - run: |
+          whitesmith run . \\
+            --issue "\${{ github.event.issue.number }}" \\
+            --provider "$WHITESMITH_PROVIDER" \\
+            --model "$WHITESMITH_MODEL" \\
+            --max-iterations 10
+`;
+}
+
+function generateReconcileWorkflow(config: CIConfig): string {
+	const envBlock = generateTopLevelEnv(config);
+
 	return `\
 name: whitesmith-reconcile
 
@@ -549,42 +701,71 @@ on:
     types: [closed]
     branches: [main]
 
+env:
+${envBlock}
+
 permissions:
-  contents: read
+  contents: write
   issues: write
-  pull-requests: read
+  pull-requests: write
 
 jobs:
-  reconcile:
+  parse:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
+    outputs:
+      issue_number: \${{ steps.parse.outputs.issue_number }}
+      branch_type: \${{ steps.parse.outputs.branch_type }}
     steps:
-      - uses: actions/checkout@v4
+      - id: parse
+        run: |
+          BRANCH="\${{ github.event.pull_request.head.ref }}"
+          INVESTIGATE_NUM=$(echo "$BRANCH" | sed -n 's|^investigate/\\([0-9]*\\)$|\\1|p')
+          ISSUE_NUM=$(echo "$BRANCH" | sed -n 's|^issue/\\([0-9]*\\)$|\\1|p')
+          if [ -n "$INVESTIGATE_NUM" ]; then
+            echo "issue_number=$INVESTIGATE_NUM" >> "$GITHUB_OUTPUT"
+            echo "branch_type=investigate" >> "$GITHUB_OUTPUT"
+          elif [ -n "$ISSUE_NUM" ]; then
+            echo "issue_number=$ISSUE_NUM" >> "$GITHUB_OUTPUT"
+            echo "branch_type=issue" >> "$GITHUB_OUTPUT"
+          else
+            echo "branch_type=other" >> "$GITHUB_OUTPUT"
+          fi
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
+  implement:
+    needs: parse
+    if: needs.parse.outputs.branch_type == 'investigate'
+    runs-on: ubuntu-latest
+    concurrency:
+      group: whitesmith-issue-\${{ needs.parse.outputs.issue_number }}
+      cancel-in-progress: false
+    steps:
+      - uses: actions/checkout@v4
         with:
-          node-version: '22'
+          fetch-depth: 0
 
-      - name: Get npm global prefix
-        id: npm-prefix
-        run: echo "dir=$(npm prefix -g)" >> "$GITHUB_OUTPUT"
+      - uses: ./.github/actions/setup-whitesmith
 
-      - name: Cache global npm packages
-        id: npm-cache
-        uses: actions/cache@v4
-        with:
-          path: \${{ steps.npm-prefix.outputs.dir }}
-          key: npm-global-\${{ runner.os }}-whitesmith-v1
+      - run: |
+          whitesmith run . \\
+            --issue "\${{ needs.parse.outputs.issue_number }}" \\
+            --provider "$WHITESMITH_PROVIDER" \\
+            --model "$WHITESMITH_MODEL" \\
+            --max-iterations 10
 
-      - name: Install whitesmith
-        if: steps.npm-cache.outputs.cache-hit != 'true'
-        run: npm install -g whitesmith
+  reconcile:
+    needs: parse
+    if: needs.parse.outputs.branch_type != 'investigate'
+    runs-on: ubuntu-latest
+    concurrency:
+      group: \${{ (needs.parse.outputs.issue_number && format('whitesmith-issue-{0}', needs.parse.outputs.issue_number)) || 'whitesmith-reconcile-other' }}
+      cancel-in-progress: false
+    steps:
+      - uses: actions/checkout@v4
 
-      - name: Reconcile
-        env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
-        run: whitesmith reconcile .
+      - uses: ./.github/actions/setup-whitesmith
+
+      - run: whitesmith reconcile .
 `;
 }
 
@@ -690,6 +871,42 @@ if (repo && token) {
 export interface InstallCIOptions {
 	authMode: AuthMode;
 	fake?: boolean;
+	/** Path to a JSON config file — skips interactive prompts. */
+	configFile?: string;
+	/** Write the provider config as JSON to this file path instead of generating workflows. */
+	exportConfig?: string;
+	/** When used with --export-config, prompt for API keys and include them in the output. */
+	includeSecrets?: boolean;
+	/** Build whitesmith from source (pnpm i + link --global) instead of installing from npm. Auto-detected when inside the whitesmith repo. */
+	dev?: boolean;
+	/** Generate the review workflow for PR reviews. Off by default. */
+	reviewWorkflow?: boolean;
+	/** Whether the review step is enabled in the main loop (affects review workflow filtering). */
+	reviewStepEnabled?: boolean;
+	/** Skip setting GitHub secrets (useful when reconfiguring workflows only). */
+	skipSecrets?: boolean;
+	/** whitesmith package version to pin in the install command. */
+	version: string;
+}
+
+/**
+ * Load config from a JSON file, skipping interactive prompts.
+ */
+function loadConfigFile(filePath: string): CIConfigFile {
+	const raw = fs.readFileSync(filePath, 'utf-8');
+	const data = JSON.parse(raw) as CIConfigFile;
+
+	if (!data.providers || !Array.isArray(data.providers) || data.providers.length === 0) {
+		throw new Error(`Config file must contain a non-empty "providers" array`);
+	}
+	if (!data.defaultProvider) {
+		throw new Error(`Config file must contain "defaultProvider"`);
+	}
+	if (!data.defaultModel) {
+		throw new Error(`Config file must contain "defaultModel"`);
+	}
+
+	return data;
 }
 
 export async function installGitHubCI(
@@ -697,33 +914,42 @@ export async function installGitHubCI(
 	options: InstallCIOptions,
 ): Promise<void> {
 	const {authMode} = options;
+	const fake = options.fake ?? false;
+	const exportConfig = options.exportConfig ?? undefined;
 
 	console.log('=== whitesmith install-ci (GitHub) ===\n');
 	console.log(`Auth mode: ${authMode}\n`);
 
 	let repo = ctx.repo;
 
-	if (!repo && authMode === 'models-json' && ctx.ghAvailable) {
+	if (!exportConfig && !fake && !repo && authMode === 'models-json' && ctx.ghAvailable) {
 		repo = await input({
 			message: 'GitHub repository (owner/repo) — needed to set secrets:',
 		});
 		ctx.repo = repo;
 	}
 
-	let providers: ProviderEntry[] = [];
+	let providers: ProviderEntry[];
 	let defaultProvider: string;
 	let defaultModel: string;
-
-	if (authMode === 'models-json') {
-		// Configure providers interactively
+	let loadedSecrets: Record<string, string> | undefined;
+
+	if (options.configFile) {
+		// Load from file — no prompts
+		const loaded = loadConfigFile(options.configFile);
+		providers = loaded.providers;
+		defaultProvider = loaded.defaultProvider;
+		defaultModel = loaded.defaultModel;
+		loadedSecrets = loaded.secrets;
+	} else if (authMode === 'models-json') {
+		// Interactive prompts
 		providers = await promptProviders();
-
-		// Pick defaults
 		const defaults = await promptDefaults(providers);
 		defaultProvider = defaults.provider;
 		defaultModel = defaults.model;
 	} else {
 		// auth.json mode — still need provider/model for whitesmith commands
+		providers = [];
 		defaultProvider = await input({
 			message: 'Default AI provider:',
 			default: 'anthropic',
@@ -734,24 +960,77 @@ export async function installGitHubCI(
 		});
 	}
 
+	// ── Export config mode — write JSON to stdout and exit ───────────────
+
+	if (exportConfig) {
+		const configFile: CIConfigFile = {providers, defaultProvider, defaultModel};
+		if (options.includeSecrets && providers.length > 0) {
+			const secrets: Record<string, string> = {};
+			const seen = new Set<string>();
+			for (const p of providers) {
+				if (seen.has(p.apiKeyEnvVar)) continue;
+				seen.add(p.apiKeyEnvVar);
+				const key = await password({
+					message: `Enter API key for ${p.name} (${p.apiKeyEnvVar}):`,
+				});
+				if (key) secrets[p.apiKeyEnvVar] = key;
+			}
+			if (Object.keys(secrets).length > 0) {
+				configFile.secrets = secrets;
+			}
+		}
+		const json = JSON.stringify(configFile, null, 2) + '\n';
+		fs.writeFileSync(exportConfig, json, 'utf-8');
+		console.log(`\n✅ Config written to ${exportConfig}`);
+		return;
+	}
+
+	// Auto-detect dev mode: check if we're inside the whitesmith repo itself
+	let dev = options.dev ?? false;
+	if (!dev) {
+		try {
+			const pkgPath = path.join(ctx.workDir, 'package.json');
+			if (fs.existsSync(pkgPath)) {
+				const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+				if (pkg.name === 'whitesmith') {
+					dev = true;
+					console.log('📦 Detected whitesmith repo — using dev mode (build from source)\n');
+				}
+			}
+		} catch {
+			// Ignore — not in whitesmith repo
+		}
+	}
+
+	const reviewWorkflow = options.reviewWorkflow ?? false;
+	const reviewStepEnabled = options.reviewStepEnabled ?? true;
+
 	const config: CIConfig = {
 		authMode,
 		providers,
 		defaultProvider,
 		defaultModel,
+		dev,
+		reviewWorkflow,
+		reviewStepEnabled,
+		version: options.version,
 	};
 
 	// ── Set GitHub secrets via gh CLI ─────────────────────────────────────
 
-	const fake = options.fake ?? false;
+	const skipSecrets = options.skipSecrets ?? false;
 
-	if (!fake && authMode === 'models-json' && repo) {
+	if (skipSecrets) {
+		console.log('\n🔑 Skipping secret setup (--no-secrets)');
+	} else if (!fake && authMode === 'models-json' && repo) {
 		if (!ctx.ghAvailable) {
 			console.log('\n⚠ GitHub CLI (gh) is not available or not authenticated.');
 			console.log('  You will need to set the following secrets manually.\n');
 		} else {
+			// If config file included secrets, set them directly without prompting
+			const configSecrets = options.configFile ? loadedSecrets : undefined;
 			console.log('\n🔑 Setting API key secrets on GitHub...\n');
-			const setSecrets = await promptAndSetSecrets(ctx, providers);
+			const setSecrets = await setOrPromptSecrets(ctx, providers, configSecrets);
 
 			const allEnvVars = [...new Set(providers.map((p) => p.apiKeyEnvVar))];
 			const missing = allEnvVars.filter((v) => !setSecrets.includes(v));
@@ -769,11 +1048,17 @@ export async function installGitHubCI(
 	// ── Generate and write workflow files ─────────────────────────────────
 
 	const outputBase = fake ? '.fake' : '.github';
-	const githubDir = path.join(ctx.workDir, outputBase);
-	const workflowsDir = path.join(githubDir, 'workflows');
+	const baseDir = path.join(ctx.workDir, outputBase);
+	const workflowsDir = path.join(baseDir, 'workflows');
+	const actionsDir = path.join(baseDir, 'actions', 'setup-whitesmith');
 	fs.mkdirSync(workflowsDir, {recursive: true});
+	fs.mkdirSync(actionsDir, {recursive: true});
 
 	const files: {path: string; content: string}[] = [
+		{
+			path: path.join(actionsDir, 'action.yml'),
+			content: generateSetupAction(config),
+		},
 		{
 			path: path.join(workflowsDir, 'whitesmith.yml'),
 			content: generateMainWorkflow(config),
@@ -782,14 +1067,25 @@ export async function installGitHubCI(
 			path: path.join(workflowsDir, 'whitesmith-comment.yml'),
 			content: generateCommentWorkflow(config),
 		},
+		{
+			path: path.join(workflowsDir, 'whitesmith-issue.yml'),
+			content: generateIssueWorkflow(config),
+		},
 		{
 			path: path.join(workflowsDir, 'whitesmith-reconcile.yml'),
-			content: generateReconcileWorkflow(),
+			content: generateReconcileWorkflow(config),
 		},
 	];
 
+	if (config.reviewWorkflow) {
+		files.push({
+			path: path.join(workflowsDir, 'whitesmith-review.yml'),
+			content: generateReviewWorkflow(config),
+		});
+	}
+
 	if (authMode === 'auth-json') {
-		const scriptsDir = path.join(githubDir, 'scripts');
+		const scriptsDir = path.join(baseDir, 'scripts');
 		fs.mkdirSync(scriptsDir, {recursive: true});
 		files.push({
 			path: path.join(scriptsDir, 'refresh-oauth-token.mjs'),