devtrust-apr 0.2.0__tar.gz

devtrust_apr-0.2.0/.gitignore

@@ -0,0 +1,45 @@
+# OS / editor noise
+.DS_Store
+Thumbs.db
+*.swp
+*~
+.idea/
+.vscode/
+*.iml
+
+# Local environment
+.env
+.env.local
+.env.*.local
+*.local
+
+# Build / dependency output
+node_modules/
+dist/
+build/
+target/
+__pycache__/
+*.pyc
+.pytest_cache/
+coverage/
+.cache/
+
+# Logs
+*.log
+logs/
+
+# Secrets — NEVER commit these
+*.pem
+*.key
+secrets/
+*.secrets.json
+
+# Docx working artifacts (keep .docx itself, drop temp files)
+~$*.docx
+~$*.xlsx
+~$*.pptx
+
+# Claude session-specific (keep configs, drop runtime)
+.claude/sessions/
+.claude/cache/
+.claude/.tmp/

devtrust_apr-0.2.0/CHANGELOG.md

@@ -0,0 +1,139 @@
+# Agent-PR Reviewer — changelog
+
+All notable changes to `apr` are documented here. Follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and [SemVer](https://semver.org/spec/v2.0.0.html).
+
+## [0.2.0] — 2026-05-09
+
+### Added
+- **`ai-review:hallucinated-symbol` is now multi-language.** The deterministic AI-pattern checker that flags calls to names that don't exist now consumes Repo X-ray v0.4's JavaScript / TypeScript call edges in addition to Python. The rule fires the same way for all three languages: walk the artifact's edges, scoped to changed files, and flag callees whose first segment doesn't resolve to an in-repo symbol or a known global / package root.
+  - **Language-aware allowlist.** `_KNOWN_NAMES_PY` (Python builtins + stdlib + ~50 popular pip roots) and `_KNOWN_NAMES_JS` (ECMAScript globals, browser DOM globals, Node.js globals, ~70 popular npm package roots) are now disjoint. A `.ts` file calling `os.path.join` is not silenced by the Python allowlist — it's correctly flagged as a wrong-language hallucination signal.
+  - **In-repo JS/TS imports already pass.** Repox v0.4 sets `target_file` on every call edge whose callee was bound via `import { x } from './y'` to an in-repo file. The rule's existing `target_file is set -> skip` short-circuit handles those without changes.
+  - **External JS/TS imports.** `apr.repox_integration._binding_hint` now extracts a usable binding name from JS/TS module specifiers — `react-dom/client` → `client`, `@scope/pkg/sub` → `sub`, bare `'express'` → `'express'`. Renamed default imports (`import _ from 'lodash'`) are silenced by the existing two-character-name skip rather than misflagged.
+- **8 new tests** in `tests/test_smoke.py`:
+  - `test_ai_rule_js_hallucinated_callee_flagged` — truly invented JS callee fires.
+  - `test_ai_rule_js_console_log_safe` — `console.log` doesn't fire.
+  - `test_ai_rule_js_browser_globals_safe` — `document.querySelector`, `fetch`, `localStorage.getItem` don't fire.
+  - `test_ai_rule_js_node_globals_safe` — `process.exit`, `Buffer.from` don't fire.
+  - `test_ai_rule_js_npm_root_safe` — `express()` doesn't fire when imported.
+  - `test_ai_rule_ts_in_repo_call_resolved` — call edge with `target_file` set is silent.
+  - `test_ai_rule_js_wrong_language_callee_flagged` — JS file calling `os.path.join` IS flagged (Python allowlist is not consulted for JS files).
+  - `test_binding_hint_for_js_specifiers` — direct unit test for the new `_binding_hint` helper.
+
+### Changed
+- `apr.repox_integration` extracts the new `_binding_hint(target_module)` helper instead of inline `lstrip + split`. Behavior unchanged for Python imports; JS/TS specifiers now produce more accurate hints (subpath last-segment, scoped-package last-segment).
+- The version-pin smoke test (`test_apr_version_*`) now uses a structural SemVer regex check instead of an exact-string equality, matching the pattern used in agtrace, tokencost, and whychanged. This prevents the test from going stale on every minor bump and keeps `scripts/release.py --check` clean.
+
+### Notes
+- Schema unchanged (still `0.0.1` — additive: same `Finding` shape, same rule IDs, just broader coverage).
+- Diff-comprehension rule is unchanged in v0.2.
+- This release closes the only deferred v0.1 item: when we shipped repox v0.4 with JS/TS call edges, apr's hallucinated-symbol rule was still Python-only. v0.2.0 closes that gap and gives APR full multi-language coverage across all three Wave-1 supported languages (Python, JavaScript, TypeScript).
+- Known limitation: renamed default imports like `import _ from 'lodash'` cannot be precisely tracked without extending the repox `Import` model to carry `local_names`. v0.2.0 mitigates by skipping ≤ 2-character first-segments; a future repox v0.5 + apr v0.3 will close this fully.
+
+[0.2.0]: https://github.com/AbdullahBakir97/apr/compare/v0.1.1...v0.2.0
+
+---
+
+## [0.1.1] — 2026-05-08
+
+### Added
+- **Real Anthropic backend for `ai-review:diff-comprehension`.** `AnthropicProvider.analyze_diff()` is now a working implementation:
+  - Calls the Messages API (non-streaming, single-turn) via the official `anthropic` SDK.
+  - Builds a JSON-shaped prompt (system + user) via the new `apr.prompts` module — diff is truncated at 60,000 chars by default to bound input cost on runaway diffs.
+  - Caps reply at 1024 tokens (configurable via the `AnthropicProvider` constructor).
+  - Parses the model's reply tolerantly: tries strict `json.loads` first, then extracts the first balanced `{...}` block when the model wraps JSON in prose.
+  - Filters invalid severity values silently rather than raising — no LLM tantrum can break review.
+- New `apr.prompts` module — separates prompt construction + response parsing from the SDK so it can be unit-tested without the `anthropic` wheel installed.
+- New env var `APR_ANTHROPIC_MODEL` lets operators override the default model (`claude-sonnet-4-6`) per deployment.
+- 9 new tests: prompt construction, diff truncation, strict JSON parse, prose-wrapper recovery, garbage / invalid-severity rejection, end-to-end with a mocked SDK client, SDK-exception shielding, unparseable-reply handling, version assertion.
+
+### Changed
+- `AnthropicProvider.__init__` accepts an optional `client` keyword for tests + future dependency injection.
+- The SDK `import anthropic` happens lazily inside `_ensure_client`, so `apr` installs without the optional `[ai]` extra.
+- All findings produced through this rule emerge with `rule_id="ai-review:diff-comprehension"` regardless of what the model claimed — vendor-internal IDs cannot leak into the report.
+
+### Notes
+- Schema unchanged (still 0.0.1 — same Finding shape).
+- Cost guidance: a typical 500-line PR diff produces ~3K input tokens + ~200 output tokens, i.e. < $0.005 per review at Sonnet pricing. Bound by `max_diff_chars` and `max_tokens`. Operators with high PR volume should monitor and tune.
+- The rule is still gated behind `--enable-ai --ai-provider=anthropic` and requires `ANTHROPIC_API_KEY` in the environment. Default behavior (no flag) is unchanged: deterministic rules only, no API calls, no cost.
+
+[0.1.1]: https://github.com/AbdullahBakir97/apr/compare/v0.1.0...v0.1.1
+
+---
+
+## [0.1.0] — 2026-05-08
+
+### Added
+- **AI rule pack (`ai-review:*`).** New `src/apr/rules_ai.py` ships two rules, both opt-in via `--enable-ai`:
+  - `ai-review:hallucinated-symbol` (warning, ai-pattern) — **deterministic.** Walks Repo X-ray's `call_graph.edges` and flags function calls whose callee doesn't resolve to an in-repo symbol AND isn't a Python built-in / well-known stdlib root / file-local imported alias. Catches the classic AI-generation failure mode where a function call references a name that doesn't exist anywhere in the codebase.
+  - `ai-review:diff-comprehension` (delegates to `LLMProvider`) — pluggable LLM-backed checker for "does the PR description accurately describe the diff." v0.1.0 ships the `NullProvider` (returns no findings) and an `AnthropicProvider` stub. The streaming Anthropic implementation is v0.1.1.
+- **Repox integration** (`src/apr/repox_integration.py`) — best-effort loader for `.repox/architecture.json`. Returns `None` for older artifacts (v0.0.x / v0.1.x) without a call graph; the AI rule pack then no-ops cleanly.
+- **LLM provider interface** (`src/apr/llm.py`) — `LLMProvider` Protocol + `NullProvider` + `AnthropicProvider` stub + `build_provider()` factory. Vendor swaps are a matter of writing a new provider class; the engine and rules don't change.
+- **CLI flags** — `--enable-ai/--no-enable-ai` (default off), `--ai-provider null|anthropic`, `--diff PATH` (unified-diff file for diff-comprehension).
+- **Optional `[ai]` extra** in `pyproject.toml` — `pip install apr[ai]` brings in the `anthropic` SDK.
+- **9 new tests** covering: hallucinated-symbol fires correctly, builtin/import allow-list silences false positives, only changed files are scanned, AI off by default, provider exception shielding, vendor rule_id namespace isolation, the AnthropicProvider stub raising NotImplementedError, repox integration returning None for missing/old artifacts.
+
+### Changed
+- **`check_python_file` ordering fix.** Source-text rules (`todo-no-ticket`, `hardcoded-secret`) now run *before* AST parsing, so a syntax error doesn't silently suppress them. Regression tests added — was a real bug discovered when a BOM-encoded demo file produced only `syntax-error` and missed the embedded AKIA-shaped key.
+- Promoted from `Development Status :: 3 - Alpha` to `Development Status :: 4 - Beta`.
+- Engine `review()` gained kwargs: `enable_ai`, `llm_provider`, `diff`. Backward compatible — defaults preserve the v0.0.2 behavior.
+
+### Notes
+- Schema unchanged (still 0.0.1 — same Finding shape, additive rule IDs).
+- AI rules are off by default to keep PR review fast and deterministic for the common case. Operators opt in per repo by adding `--enable-ai` to their CI invocation.
+- The hallucinated-symbol allow-list is conservative: stdlib roots + ~50 common third-party roots + apr/repox/sts itself. False positives are corrected by adding the missing root, not by relaxing the rule.
+
+[0.1.0]: https://github.com/AbdullahBakir97/apr/compare/v0.0.2...v0.1.0
+
+---
+
+## [0.0.2] — 2026-05-08
+
+### Added
+- **JS / TS rule pack** via tree-sitter (`src/apr/rules_js.py`):
+  - `console-log` (info, quality) — leftover `console.log` / `.debug` / `.info` calls. Skipped in obvious entry files (presence of `process.argv`, `.listen(`, or `import.meta.main`).
+  - `debugger-statement` (warning, quality) — `debugger;` left in code.
+  - `var-declaration` (info, style) — `var x = ...` instead of `let`/`const`.
+  - `todo-no-ticket` (info, todo) — TODO/FIXME/XXX/HACK without `#123` or `PROJ-123`. Mirror of the Python rule.
+- **Additional Python rules** in `src/apr/rules.py`:
+  - `mutable-default-arg` (warning, quality) — `def f(x=[])` shares state across calls.
+  - `broad-except` (info, quality) — `except Exception:` is wider than most code needs.
+  - `assert-in-prod` (warning, security) — `assert` is stripped under `python -O`. Test files (`tests/`, `test_*.py`) are exempt.
+  - `hardcoded-secret` (critical, security) — high-precision regex pack catches AWS access keys (`AKIA*`), GitHub tokens (`ghp_*`, `ghs_*`), OpenAI keys (`sk-*`), Anthropic keys (`sk-ant-*`), Slack bot tokens (`xoxb-*`), and inline `password=`/`api_key=` literals.
+- 13 new tests covering each rule end-to-end (some `pytest.importorskip` JS/TS rules when tree-sitter wheels aren't available on the platform).
+
+### Changed
+- `apr.rules.check_file` now dispatches by extension: `.py` -> Python rules, `.js`/`.jsx`/`.mjs`/`.cjs`/`.ts`/`.tsx` -> tree-sitter rules, others -> empty.
+- Tree-sitter (`tree-sitter>=0.23` + `tree-sitter-language-pack>=0.4,<1.0`) graduated to required deps.
+
+### Notes
+- Schema unchanged (still **0.0.1**) — additive: same `Finding` shape, just more rule IDs.
+- The hardcoded-secret rule is precision-tuned (high-confidence patterns only). False positives on `password = "x"` style literals are possible but accepted at info+ severity. False negatives on bespoke key formats are accepted; `apr` is meant to complement, not replace, dedicated secret scanners.
+
+[0.0.2]: https://github.com/AbdullahBakir97/apr/compare/v0.0.1...v0.0.2
+
+---
+
+## [0.0.1] — 2026-05-08
+
+### Added
+- Initial scaffold: `apr` Python package with two CLI commands (`review`, `version`).
+- Pydantic v2 schema (versioned 0.0.1): `Finding`, `ReviewInputs`, `ReviewStats`, `ReviewReport`.
+- `rules` module — deterministic rule pack for Python:
+  - `bare-except` (warning) — bare `except:` clause.
+  - `print-debug` (info) — leftover `print(...)`, skipped in `__main__` guard files.
+  - `todo-no-ticket` (info) — TODO/FIXME/XXX/HACK without `#123` / `PROJ-123` reference.
+  - `empty-function-body` (info, ai-pattern) — function body is only `pass`.
+  - `syntax-error` (error) — file does not parse.
+- `rules.check_pr_metadata` — `pr-title-uninformative` (warning), `pr-description-too-short` (info).
+- `engine` — orchestrator: PR-level checks first, then per-file rule packs; stably sorted findings; severity-bucket stats.
+- `output` — JSON + Markdown writers emitting to `.apr/review.{json,md}`. The Markdown report includes a "Suggested fixes" block surfacing up to 10 suggestions with file:line.
+- Workspace dep on `repox` (apr will use the architecture model for v0.0.2+ file-context rules).
+- 16 smoke tests covering each rule, the engine, both writers, and the CLI.
+- Apache-2.0 license, hatchling build, typer/rich/pydantic deps.
+
+### Notes
+- Wave 2 lead bet of the DevTrust platform. Consolidates the patterns from three earlier GitHub Apps (`ai-quality-gate`, `pr-coach`, `commit-craft`) into one engine.
+- v0.0.1 is **Python only by design**. JS/TS rules in v0.0.2.
+- LLM-backed checks (`ai-review:*` rule IDs) land in v0.1+ once the deterministic rule output is stable enough to grade against.
+
+[0.0.1]: https://github.com/AbdullahBakir97/apr/releases/tag/v0.0.1

devtrust_apr-0.2.0/PKG-INFO

@@ -0,0 +1,111 @@
+Metadata-Version: 2.4
+Name: devtrust-apr
+Version: 0.2.0
+Summary: Agent-PR Reviewer — deterministic + AI-pattern review for pull requests.
+Project-URL: Homepage, https://github.com/AbdullahBakir97/DevTrust
+Project-URL: Repository, https://github.com/AbdullahBakir97/DevTrust
+Project-URL: Documentation, https://github.com/AbdullahBakir97/DevTrust/tree/main/src/products/03-agent-pr-reviewer/code#readme
+Project-URL: Changelog, https://github.com/AbdullahBakir97/DevTrust/blob/main/src/products/03-agent-pr-reviewer/code/CHANGELOG.md
+Project-URL: Issues, https://github.com/AbdullahBakir97/DevTrust/issues
+Author: Abdullah Bakir
+License-Expression: Apache-2.0
+Keywords: ci,code-review,developer-tools,github-app,pr-review
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.11
+Requires-Dist: devtrust-repox
+Requires-Dist: pydantic>=2.10.0
+Requires-Dist: rich>=13.9.0
+Requires-Dist: tree-sitter-language-pack<1.0,>=0.4.0
+Requires-Dist: tree-sitter>=0.23.0
+Requires-Dist: typer>=0.15.0
+Provides-Extra: ai
+Requires-Dist: anthropic>=0.40.0; extra == 'ai'
+Description-Content-Type: text/markdown
+
+# Agent-PR Reviewer (`apr`)
+
+> Deterministic + AI-pattern review for pull requests. Wave 2 lead bet of the DevTrust connected platform.
+
+## Status
+
+**v0.2.0 beta** — deterministic Python + JS/TS rules, deterministic AI-pattern checker (`ai-review:hallucinated-symbol`) now multi-language via Repo X-ray v0.4 call edges, plus optional LLM-backed `ai-review:diff-comprehension` (Anthropic).
+
+## Why
+
+Three of your existing GitHub Apps — `ai-quality-gate`, `pr-coach`, `commit-craft` — each solve part of "make PR review better" but ship as separate apps with separate auth, separate webhooks, separate UIs. `apr` consolidates them into one engine so:
+
+- One install. One webhook. One sticky comment per PR.
+- Deterministic rules first (testable, gradeable, cheap), LLM layer second.
+- Reuses Repo X-ray's architecture model for file context.
+
+## Rules shipped through v0.0.2
+
+### Python (`.py`)
+
+| Rule ID | Severity | Category | What it catches |
+|---|---|---|---|
+| `bare-except` | warning | quality | `except:` without an exception class |
+| `print-debug` | info | quality | leftover `print(...)` calls (skipped in `__main__` guard files) |
+| `todo-no-ticket` | info | todo | TODO/FIXME/XXX/HACK without `#123` / `PROJ-123` reference |
+| `empty-function-body` | info | ai-pattern | function body is only `pass` |
+| `syntax-error` | error | quality | file does not parse |
+| `mutable-default-arg` | warning | quality | `def f(x=[])` shares state across calls |
+| `broad-except` | info | quality | `except Exception:` is broader than most code needs |
+| `assert-in-prod` | warning | security | `assert` is stripped under `python -O`. Test files exempt. |
+| `hardcoded-secret` | critical | security | AWS / GitHub / OpenAI / Anthropic / Slack tokens, inline credential literals |
+
+### JavaScript / TypeScript (`.js .jsx .mjs .cjs .ts .tsx`) — v0.0.2+
+
+| Rule ID | Severity | Category | What it catches |
+|---|---|---|---|
+| `console-log` | info | quality | leftover `console.log/debug/info`. Skipped in entry files (`process.argv`, `.listen(`, `import.meta.main`). |
+| `debugger-statement` | warning | quality | `debugger;` left in code |
+| `var-declaration` | info | style | `var` instead of `let`/`const` |
+| `todo-no-ticket` | info | todo | mirror of the Python rule |
+
+### PR-level
+
+| Rule ID | Severity | Category | What it catches |
+|---|---|---|---|
+| `pr-title-uninformative` | warning | commit | PR title too short or one of `wip`/`draft`/`tmp`/`test` |
+| `pr-description-too-short` | info | commit | PR description under 30 characters |
+
+### AI-pattern (opt-in via `--enable-ai`) — v0.1.0+ / v0.2.0 multi-language
+
+| Rule ID | Severity | Category | What it catches |
+|---|---|---|---|
+| `ai-review:hallucinated-symbol` | warning | ai-pattern | A function call whose name doesn't resolve to an in-repo symbol, an imported alias, or a known stdlib / global / popular package root. **Now spans Python + JS/TS as of v0.2.0.** Requires `.repox/architecture.json` (run `repox` first). |
+| `ai-review:diff-comprehension` | warning/info | ai-pattern | LLM-backed check for "does the PR description accurately describe the diff?". Pass `--ai-provider anthropic` and set `ANTHROPIC_API_KEY`. |
+
+## CLI
+
+```bash
+apr version
+apr review --repo .
+apr review --repo . --changed src/foo.py --changed src/bar.py
+apr review --repo . --title "Fix nullable fields" --description "..."
+```
+
+Output: `.apr/review.json` (schema-versioned, machine-readable) + `.apr/review.md` (human companion).
+
+## Roadmap
+
+- ✅ **v0.0.2** — JS/TS rule pack (`console-log`, `debugger-statement`, `var-declaration`, `todo-no-ticket`).
+- ✅ **v0.1.0** — AI rule pack: deterministic `ai-review:hallucinated-symbol` + LLM-pluggable `ai-review:diff-comprehension`.
+- ✅ **v0.1.1** — real Anthropic backend for `ai-review:diff-comprehension`.
+- ✅ **v0.2.0** — `ai-review:hallucinated-symbol` extended to JS/TS via repox v0.4 call edges. APR now covers all three Wave-1 languages.
+- **v0.3.0** (next) — auto-suggest fixes via the GitHub Suggested Changes API; per-import `local_names` for renamed JS imports.
+
+## Status
+
+Apache-2.0. See [CHANGELOG](CHANGELOG.md).

devtrust_apr-0.2.0/README.md

@@ -0,0 +1,77 @@
+# Agent-PR Reviewer (`apr`)
+
+> Deterministic + AI-pattern review for pull requests. Wave 2 lead bet of the DevTrust connected platform.
+
+## Status
+
+**v0.2.0 beta** — deterministic Python + JS/TS rules, deterministic AI-pattern checker (`ai-review:hallucinated-symbol`) now multi-language via Repo X-ray v0.4 call edges, plus optional LLM-backed `ai-review:diff-comprehension` (Anthropic).
+
+## Why
+
+Three of your existing GitHub Apps — `ai-quality-gate`, `pr-coach`, `commit-craft` — each solve part of "make PR review better" but ship as separate apps with separate auth, separate webhooks, separate UIs. `apr` consolidates them into one engine so:
+
+- One install. One webhook. One sticky comment per PR.
+- Deterministic rules first (testable, gradeable, cheap), LLM layer second.
+- Reuses Repo X-ray's architecture model for file context.
+
+## Rules shipped through v0.0.2
+
+### Python (`.py`)
+
+| Rule ID | Severity | Category | What it catches |
+|---|---|---|---|
+| `bare-except` | warning | quality | `except:` without an exception class |
+| `print-debug` | info | quality | leftover `print(...)` calls (skipped in `__main__` guard files) |
+| `todo-no-ticket` | info | todo | TODO/FIXME/XXX/HACK without `#123` / `PROJ-123` reference |
+| `empty-function-body` | info | ai-pattern | function body is only `pass` |
+| `syntax-error` | error | quality | file does not parse |
+| `mutable-default-arg` | warning | quality | `def f(x=[])` shares state across calls |
+| `broad-except` | info | quality | `except Exception:` is broader than most code needs |
+| `assert-in-prod` | warning | security | `assert` is stripped under `python -O`. Test files exempt. |
+| `hardcoded-secret` | critical | security | AWS / GitHub / OpenAI / Anthropic / Slack tokens, inline credential literals |
+
+### JavaScript / TypeScript (`.js .jsx .mjs .cjs .ts .tsx`) — v0.0.2+
+
+| Rule ID | Severity | Category | What it catches |
+|---|---|---|---|
+| `console-log` | info | quality | leftover `console.log/debug/info`. Skipped in entry files (`process.argv`, `.listen(`, `import.meta.main`). |
+| `debugger-statement` | warning | quality | `debugger;` left in code |
+| `var-declaration` | info | style | `var` instead of `let`/`const` |
+| `todo-no-ticket` | info | todo | mirror of the Python rule |
+
+### PR-level
+
+| Rule ID | Severity | Category | What it catches |
+|---|---|---|---|
+| `pr-title-uninformative` | warning | commit | PR title too short or one of `wip`/`draft`/`tmp`/`test` |
+| `pr-description-too-short` | info | commit | PR description under 30 characters |
+
+### AI-pattern (opt-in via `--enable-ai`) — v0.1.0+ / v0.2.0 multi-language
+
+| Rule ID | Severity | Category | What it catches |
+|---|---|---|---|
+| `ai-review:hallucinated-symbol` | warning | ai-pattern | A function call whose name doesn't resolve to an in-repo symbol, an imported alias, or a known stdlib / global / popular package root. **Now spans Python + JS/TS as of v0.2.0.** Requires `.repox/architecture.json` (run `repox` first). |
+| `ai-review:diff-comprehension` | warning/info | ai-pattern | LLM-backed check for "does the PR description accurately describe the diff?". Pass `--ai-provider anthropic` and set `ANTHROPIC_API_KEY`. |
+
+## CLI
+
+```bash
+apr version
+apr review --repo .
+apr review --repo . --changed src/foo.py --changed src/bar.py
+apr review --repo . --title "Fix nullable fields" --description "..."
+```
+
+Output: `.apr/review.json` (schema-versioned, machine-readable) + `.apr/review.md` (human companion).
+
+## Roadmap
+
+- ✅ **v0.0.2** — JS/TS rule pack (`console-log`, `debugger-statement`, `var-declaration`, `todo-no-ticket`).
+- ✅ **v0.1.0** — AI rule pack: deterministic `ai-review:hallucinated-symbol` + LLM-pluggable `ai-review:diff-comprehension`.
+- ✅ **v0.1.1** — real Anthropic backend for `ai-review:diff-comprehension`.
+- ✅ **v0.2.0** — `ai-review:hallucinated-symbol` extended to JS/TS via repox v0.4 call edges. APR now covers all three Wave-1 languages.
+- **v0.3.0** (next) — auto-suggest fixes via the GitHub Suggested Changes API; per-import `local_names` for renamed JS imports.
+
+## Status
+
+Apache-2.0. See [CHANGELOG](CHANGELOG.md).

devtrust_apr-0.2.0/pyproject.toml

@@ -0,0 +1,63 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+# `apr` collides with the Apache Portable Runtime on PyPI; namespaced
+# to avoid conflict. Module name stays `apr`.
+name = "devtrust-apr"
+version = "0.2.0"
+description = "Agent-PR Reviewer — deterministic + AI-pattern review for pull requests."
+readme = "README.md"
+requires-python = ">=3.11"
+license = "Apache-2.0"
+authors = [{ name = "Abdullah Bakir" }]
+keywords = ["ci", "code-review", "developer-tools", "github-app", "pr-review"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: Apache Software License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Topic :: Software Development :: Quality Assurance",
+]
+
+dependencies = [
+    "typer>=0.15.0",
+    "rich>=13.9.0",
+    "pydantic>=2.10.0",
+    # apr consumes Repo X-ray's architecture model for file context.
+    "devtrust-repox",
+    # JS / TS rule pack via tree-sitter (mirrors repox's pin).
+    "tree-sitter>=0.23.0",
+    "tree-sitter-language-pack>=0.4.0,<1.0",
+]
+
+[project.optional-dependencies]
+# Real LLM-backed rules (ai-review:diff-comprehension). The
+# deterministic ai-review:hallucinated-symbol rule does NOT need
+# this extra - it works from the repox artifact alone.
+ai = [
+    "anthropic>=0.40.0",
+]
+
+[project.scripts]
+apr = "apr.cli:app"
+
+[project.urls]
+Homepage = "https://github.com/AbdullahBakir97/DevTrust"
+Repository = "https://github.com/AbdullahBakir97/DevTrust"
+Documentation = "https://github.com/AbdullahBakir97/DevTrust/tree/main/src/products/03-agent-pr-reviewer/code#readme"
+Changelog = "https://github.com/AbdullahBakir97/DevTrust/blob/main/src/products/03-agent-pr-reviewer/code/CHANGELOG.md"
+Issues = "https://github.com/AbdullahBakir97/DevTrust/issues"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/apr"]
+
+[tool.uv.sources]
+devtrust-repox = { workspace = true }

devtrust_apr-0.2.0/src/apr/__init__.py

@@ -0,0 +1,14 @@
+"""Agent-PR Reviewer (`apr`) - the Wave 2 lead bet of the DevTrust platform.
+
+Consolidates the patterns from three existing GitHub Apps into one
+deterministic, fast, AI-pattern-aware PR reviewer:
+
+  - ai-quality-gate    -> AI-likelihood + verbose-pattern detection
+  - pr-coach           -> coaching feedback (description quality, TODOs)
+  - commit-craft       -> commit-message review and normalization
+
+v0.0.1 ships the deterministic rule layer; LLM-backed review is layered
+on top in v0.1+ once the rule output is stable enough to grade against.
+"""
+
+__version__ = "0.2.0"

devtrust_apr-0.2.0/src/apr/__main__.py

@@ -0,0 +1,6 @@
+"""Enables `python -m apr ...`."""
+
+from apr.cli import app
+
+if __name__ == "__main__":
+    app()

devtrust_apr-0.2.0/src/apr/cli.py

@@ -0,0 +1,150 @@
+"""Agent-PR Reviewer command-line interface.
+
+apr version
+apr review [--repo PATH] [--changed FILE ...] [--title S] [--description S]
+           [--diff PATH] [--enable-ai] [--ai-provider null|anthropic]
+"""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+from typing import Annotated
+
+import typer
+from rich.console import Console
+from rich.table import Table
+
+from apr import __version__
+from apr.engine import review as review_engine
+from apr.llm import LLMProvider, build_provider
+from apr.output import write_json, write_markdown
+
+app = typer.Typer(
+    name="apr",
+    help="Agent-PR Reviewer - deterministic + AI-pattern review for PRs.",
+    no_args_is_help=True,
+    add_completion=False,
+)
+
+console = Console()
+
+
+@app.command()
+def version() -> None:
+    """Print the installed Agent-PR Reviewer version."""
+    console.print(f"apr [bold]v{__version__}[/bold]")
+
+
+@app.command()
+def review(
+    repo: Annotated[
+        Path,
+        typer.Option("--repo", "-r", help="Repo to review. Defaults to current directory."),
+    ] = Path("."),
+    changed: Annotated[
+        list[str] | None,
+        typer.Option(
+            "--changed",
+            "-c",
+            help="Path(s) that changed. Repeat for multiple files.",
+        ),
+    ] = None,
+    title: Annotated[
+        str | None,
+        typer.Option("--title", "-t", help="The PR title (for metadata checks)."),
+    ] = None,
+    description: Annotated[
+        str | None,
+        typer.Option("--description", "-d", help="The PR description / body."),
+    ] = None,
+    diff_path: Annotated[
+        Path | None,
+        typer.Option(
+            "--diff",
+            help=(
+                "Path to a unified-diff file. Required for the "
+                "ai-review:diff-comprehension rule when --enable-ai."
+            ),
+        ),
+    ] = None,
+    enable_ai: Annotated[
+        bool,
+        typer.Option(
+            "--enable-ai/--no-enable-ai",
+            help=(
+                "Run the ai-review:* rule pack. Off by default. "
+                "ai-review:hallucinated-symbol needs a "
+                ".repox/architecture.json (run `repox build .` first)."
+            ),
+        ),
+    ] = False,
+    ai_provider: Annotated[
+        str,
+        typer.Option(
+            "--ai-provider",
+            help="LLM backend: 'null' (default, no calls) or 'anthropic'.",
+        ),
+    ] = "null",
+    quiet: Annotated[
+        bool,
+        typer.Option("--quiet", "-q", help="Suppress non-essential output."),
+    ] = False,
+) -> None:
+    """Run the review and emit `.apr/review.{json,md}`."""
+    if not repo.exists() or not repo.is_dir():
+        console.print(f"[red]Error:[/red] not a directory: {repo}")
+        raise typer.Exit(code=2)
+
+    repo = repo.resolve()
+    files = list(changed or [])
+
+    diff_text: str | None = None
+    if diff_path is not None:
+        try:
+            diff_text = diff_path.read_text(encoding="utf-8", errors="replace")
+        except OSError as exc:
+            console.print(f"[red]Error:[/red] cannot read diff: {exc}")
+            raise typer.Exit(code=2) from exc
+
+    provider: LLMProvider | None = None
+    if enable_ai:
+        # Anthropic API key from the conventional env var.
+        api_key = os.environ.get("ANTHROPIC_API_KEY")
+        provider = build_provider(ai_provider, api_key)
+
+    if not quiet:
+        console.print(f"[bold]Reviewing[/bold] {repo}")
+        console.print(f"[dim]Changed files:[/dim] {len(files)}")
+        if enable_ai:
+            console.print(f"[dim]AI rules:[/dim] enabled (provider: {ai_provider})")
+
+    report = review_engine(
+        repo,
+        files,
+        pr_title=title,
+        pr_description=description,
+        enable_ai=enable_ai,
+        llm_provider=provider,
+        diff=diff_text,
+    )
+    json_path = write_json(report, repo)
+    md_path = write_markdown(report, repo)
+
+    if quiet:
+        return
+
+    s = report.stats
+    table = Table(title="\nReview summary", show_header=True, header_style="bold")
+    table.add_column("Severity", style="cyan")
+    table.add_column("Count", justify="right")
+    table.add_row("info", str(s.info))
+    table.add_row("warning", str(s.warning))
+    table.add_row("error", str(s.error))
+    table.add_row("critical", str(s.critical))
+    table.add_row("[bold]total[/bold]", f"[bold]{s.total}[/bold]")
+    console.print(table)
+    if s.blocking > 0:
+        console.print(f"[red]Blocking findings:[/red] {s.blocking} (error + critical)")
+    console.print(f"\n[green]✓[/green] wrote [bold]{json_path}[/bold]")
+    console.print(f"[green]✓[/green] wrote [bold]{md_path}[/bold]")