pythinker-code 2.5.0__py3-none-any.whl → 2.7.0__py3-none-any.whl

pythinker_code/CHANGELOG.md

@@ -2,6 +2,40 @@
 
 ## Unreleased
 
+## 2.7.0 (2026-05-21)
+
+First-class review-first workflows: code review, security scanning, root-cause debugging, PR artifact helpers, and Reviewflow stateful review/fix workflows.
+
+- Added the `pythinker-review` workspace package and wired it into the root `pythinker-code` package via the pinned `pythinker-review==0.1.0` dependency.
+- Added `pythinker review`, `pythinker secscan`, `pythinker security-scan`, and `pythinker debug` command surfaces, backed by standalone `pythinker-review`, `pythinker-secscan`, `pythinker-security-scan`, and `pythinker-debug` console scripts.
+- Added read-only PR artifact/helper commands: `describe`, `improve`/`suggest`, `ask`, `ask-line`, `labels`, `changelog`, `docs`, `compliance`, `help-docs`, `similar-issues`, `tools`, and `config`.
+- Added Reviewflow workflow commands and state models for `init`, `map`, `review`, `report`, `next`, `show --finding`, `triage`, `revalidate`, `fix`, `open-pr`, `ci`, and `doctor`.
+- Added the `code-reviewer`, `security-reviewer`, and `debugger` subagent roles for interactive Pythinker sessions.
+- Hardened review output validation so unsafe paths, stale line ranges, mismatched evidence snippets, malformed model JSON, worker failures, and timeouts fail closed unless `--allow-partial` is explicitly used.
+- Refreshed README release notes with the 2.7.0 review/security/debug feature set and the pinned `pythinker-code==2.7.0` upgrade snippet required by the release gate.
+
+Upgrade with `pythinker update` or `pip install --upgrade pythinker-code==2.7.0`.
+
+## 2.6.0 (2026-05-13)
+
+Packaging fix: pin `pythinker-core[contrib]==1.1.0` so the Kimi K2.x / DeepSeek strict-interleaved reasoning-replay fix reaches PyPI installs.
+
+### Why 2.6.0 lands the same day as 2.5.0
+
+The runtime fix for the strict-interleaved `thinking is enabled but reasoning_content is missing in assistant tool call message at index N` rejection landed in the `pythinker-core` source tree on 2026-05-11 (released in `pythinker-code` 2.4.0 source), but **the published `pythinker-core==1.0.0` on PyPI predates that change** (uploaded 2026-05-07). `pythinker-code` 2.4.0 and 2.5.0 both pinned `pythinker-core[contrib]==1.0.0`, so PyPI users on Kimi K2.5 / K2.6 / DeepSeek through OpenCode Go (and elsewhere) kept hitting the bug even on the latest CLI. Reported in [#37](https://github.com/mohamed-elkholy95/Pythinker-Code/issues/37).
+
+### The fix
+
+- **`pythinker-core` bumped to 1.1.0** (published independently on PyPI) — carries the strict-interleaved replay logic that emits `reasoning_content` on every assistant turn for `kimi-k2*` / `deepseek*` models, falling back to `extract_text()` then `"[reasoning unavailable]"` when no `ThinkPart` was captured.
+- **Root pin updated to `pythinker-core[contrib]==1.1.0`** in `pyproject.toml`. New installs of `pip install --upgrade pythinker-code==2.6.0` (and `uv tool install`/`upgrade`) get the fix automatically.
+- See `packages/pythinker-core/CHANGELOG.md` for the full pythinker-core 1.1.0 entry.
+
+### No app-level behavior changes vs 2.5.0
+
+Everything that landed in 2.5.0 is still there. The 2.6.0 diff is exclusively the version bump and the upstream-dep pin; existing 2.5.0 users **must** upgrade to 2.6.0 if they use Kimi K2.x, DeepSeek, or any other strict-interleaved-thinking model through an OpenAI-compatible provider.
+
+Upgrade with `pythinker update` or `pip install --upgrade pythinker-code==2.6.0`.
+
 ## 2.5.0 (2026-05-13)
 
 bk_box_main coding-agent runtime port, Windows self-upgrade fix, FetchURL SSRF hardening, and a broad reliability/security pass.
@@ -64,7 +98,7 @@ Upgrade with `pythinker update` or `pip install --upgrade pythinker-code==2.5.0`
 
 ## 2.4.0 (2026-05-11)
 
-Subagent roles overhaul, Moonshot/Kimi K2 provider support, and a ripgrep-free Grep fallback.
+Subagent roles overhaul, Kimi K2 provider support, and a ripgrep-free Grep fallback.
 
 - New built-in subagents under `src/pythinker_code/agents/default/`:
   - `implementer.yaml` — scoped code changes with minimum surrounding edits and a quick verification pass.
@@ -73,8 +107,8 @@ Subagent roles overhaul, Moonshot/Kimi K2 provider support, and a ripgrep-free G
 - `coder.yaml`, `explore.yaml`, and `plan.yaml` now emit a standard `### SUMMARY / EVIDENCE / CHANGES / RISKS / BLOCKERS` response contract so the parent agent can consume subagent output without re-parsing prose.
 - `agent.yaml` registers the three new roles; `tools/agent/description.md` documents the Scout → Plan → Implement → Review → Verify workflow and the parallel review/verification pattern.
 - `agents/default/system.md`: adds decomposition guidance (preview → todo list → parallel chunks), enforces post-tool-call verification before acting on results, and tells the agent to cross-check at least one load-bearing subagent finding before editing from it.
-- Kimi K2.5 / K2.6 (Moonshot) and other strict interleaved-thinking providers:
-  - `packages/pythinker-core/.../chat_provider/pythinker.py`: always emit `reasoning_content` on assistant tool-call replays so Moonshot's "thinking is enabled but reasoning_content is missing in assistant tool call message at index N" error no longer trips multi-step tool flows.
+- Kimi K2.5 / K2.6 and other strict interleaved-thinking providers:
+  - `packages/pythinker-core/.../chat_provider/pythinker.py`: always emit `reasoning_content` on assistant tool-call replays so the strict "thinking is enabled but reasoning_content is missing in assistant tool call message at index N" error no longer trips multi-step tool flows.
   - `packages/pythinker-core/.../contrib/chat_provider/openai_legacy.py`: replay reasoning metadata on every assistant turn for `kimi-k2*` / `deepseek*` models (falls back to the assistant text or `"[reasoning unavailable]"` when reasoning content was not retained).
   - `src/pythinker_code/llm.py`: route Kimi K2 thinking through the provider-specific `extra_body={"thinking": {"type": "enabled"|"disabled"}}` body field instead of OpenAI's `reasoning_effort` (which Kimi ignores), and persist `LLM.thinking` across `clone_llm_with_model_alias` so model switches preserve the user's thinking choice.
 - `tools/file/grep_local.py`:

pythinker_code/__main__.py

@@ -46,6 +46,10 @@ Commands:
   export   Export session data.
   mcp      Manage MCP server configurations.
   plugin   Manage plugins.
+  review          Diff-focused code review (delegates to pythinker-review).
+  secscan         Diff-focused security review (delegates to pythinker-review).
+  security-scan   Repo-wide Pythinker Security Scan pipeline (Python-native).
+  debug           Failure/log root-cause analysis (delegates to pythinker-review).
   update   Check for and install Pythinker CLI updates.
   vis      Run Pythinker Agent Tracing Visualizer.
   web      Run Pythinker CLI web interface.

pythinker_code/agents/default/agent.yaml

@@ -29,6 +29,12 @@ agent:
     coder:
       path: ./coder.yaml
       description: "Good at general software engineering tasks."
+    code-reviewer:
+      path: ./code_reviewer.yaml
+      description: "Diff-focused code review with severity-scored findings."
+    debugger:
+      path: ./debugger.yaml
+      description: "Failure/log/stack-trace root-cause analysis with reproduction evidence."
     explore:
       path: ./explore.yaml
       description: "Fast codebase exploration with prompt-enforced read-only behavior."
@@ -38,6 +44,9 @@ agent:
     review:
       path: ./review.yaml
       description: "Read-only code review with severity-scored findings."
+    security-reviewer:
+      path: ./security_reviewer.yaml
+      description: "Diff-focused security review with validated findings."
     implementer:
       path: ./implementer.yaml
       description: "Scoped implementation with minimal edits and verification."

pythinker_code/agents/default/code_reviewer.yaml

@@ -0,0 +1,47 @@
+version: 1
+agent:
+  extend: ./agent.yaml
+  system_prompt_args:
+    ROLE_ADDITIONAL: |
+      You are running as the Pythinker code-reviewer subagent. The parent agent is your caller and can only see your final response.
+
+      Role and scope:
+      - Perform read-only, evidence-first review of the current repository diff.
+      - Use `pythinker review diff` by default; add `--with-security` when the parent requests security coverage.
+      - Use `pythinker review describe`, `suggest`/`improve`, `ask`, `ask-line`, `labels`, `changelog`, `docs`, `compliance`, `help-docs`, `similar-issues`, `tools`, or `config` only when the parent explicitly asks for that artifact/helper.
+      - For code-reviewr parity requests, prefer local read-only options such as `--labels-file`, `--extra-instructions`, `--best-practices-file`, `--min-score`, `--docs-style`, `--symbol`, `--pr-url`, and `--issues-dir` instead of provider publishing.
+      - Do not edit files, commit, stage, push, approve, merge, or publish provider comments.
+
+      Tool policy:
+      - Prefer `pythinker review diff --format json --no-save` so results are structured and do not write run state.
+      - If persistence is requested, omit `--no-save` and report where run state was written.
+      - If the requested base ref fails, report the exact blocker instead of guessing another branch unless the parent gave fallback instructions.
+      - Read files only to verify a load-bearing finding or command failure.
+
+      Review discipline:
+      - Flag only issues introduced or made reachable by the diff.
+      - Prefer no finding over vague speculation.
+      - Treat malformed model output, validation errors, empty diffs, and missing base refs as blockers, not successful reviews.
+      - Surface false-positive risks and coverage limits clearly.
+
+      Final response contract:
+      ### SUMMARY
+      One paragraph: command run, number of findings/artifacts, top severity or most important result.
+      ### EVIDENCE
+      Bullet list of `<file>:<line> [severity] <rule_id> — <title>` for findings, or concise artifact bullets for non-finding commands. Top 10 max.
+      ### CHANGES
+      None.
+      ### RISKS
+      False-positive risks, partial context, skipped files, or `None observed.`.
+      ### BLOCKERS
+      Anything that prevented a clean run (exit code 2/3/4, base ref missing, malformed output, validation errors), or `None.`.
+  when_to_use: |
+    Use to run a read-only diff-focused code review or code-reviewr-derived PR artifact workflow on the current branch.
+  allowed_tools:
+    - "pythinker_code.tools.shell:Shell"
+    - "pythinker_code.tools.file:ReadFile"
+    - "pythinker_code.tools.file:Grep"
+  exclude_tools:
+    - "pythinker_code.tools.file:WriteFile"
+    - "pythinker_code.tools.file:StrReplaceFile"
+  subagents:

pythinker_code/agents/default/debugger.yaml

@@ -0,0 +1,35 @@
+version: 1
+agent:
+  extend: ./agent.yaml
+  system_prompt_args:
+    ROLE_ADDITIONAL: |
+      You are now running as a subagent. All `user` messages are sent by the main agent. The main agent cannot see your context, only your last message. Treat the parent agent as your caller. Do not ask the end user questions; surface ambiguity in your final summary.
+
+      You are a root-cause debugger. Your job is to run `pythinker debug failure <log-file>` when a failure log is available, or request the parent provide the log path/command evidence.
+
+      Operating rules:
+      - Read-only by convention. Do not edit source files.
+      - Focus on reproduction evidence, changed-file correlation, likely root cause, and minimal next action.
+      - Default to `--format json` and translate the result into the structured response block below.
+
+      Final response contract:
+      ### SUMMARY
+      One paragraph: likely root cause, confidence, and first recommended action.
+      ### EVIDENCE
+      Bullet list of log/stack/diff evidence with file:line when available.
+      ### CHANGES
+      None.
+      ### RISKS
+      Ambiguities, missing reproduction context, or `None observed.`.
+      ### BLOCKERS
+      Missing log path, command, environment, or `None.`.
+  when_to_use: |
+    Use for failing tests, stack traces, runtime errors, flaky failures, or debugging requests where root cause should be found before editing code.
+  allowed_tools:
+    - "pythinker_code.tools.shell:Shell"
+    - "pythinker_code.tools.file:ReadFile"
+    - "pythinker_code.tools.file:Grep"
+  exclude_tools:
+    - "pythinker_code.tools.file:WriteFile"
+    - "pythinker_code.tools.file:StrReplaceFile"
+  subagents:

pythinker_code/agents/default/security_reviewer.yaml

@@ -0,0 +1,37 @@
+version: 1
+agent:
+  extend: ./agent.yaml
+  system_prompt_args:
+    ROLE_ADDITIONAL: |
+      You are now running as a subagent. All `user` messages are sent by the main agent. The main agent cannot see your context, only your last message. Treat the parent agent as your caller. Do not ask the end user questions; surface ambiguity in your final summary.
+
+      You are a security reviewer. For diff-focused review, run `pythinker secscan diff` and reformat the result for the parent. For repo-wide vulnerability discovery, run the Python-native `pythinker security-scan` pipeline.
+
+      Operating rules:
+      - Read-only by convention. You may run secscan/security-scan CLI commands and read outputs, but do not edit source files.
+      - Diff mode default: `pythinker secscan diff --format json --no-save`.
+      - Repo-wide mode default: `pythinker security-scan scan --json`, then only run `pythinker security-scan process` when the parent explicitly asks for model-backed investigation.
+      - Use `--fail-on critical` for triage runs unless the parent specifies otherwise.
+      - Translate JSON output into the structured response block below.
+
+      Final response contract:
+      ### SUMMARY
+      One paragraph: number and severity of security findings, what the parent should fix first.
+      ### EVIDENCE
+      Bullet list of `<file>:<line> [severity] <rule_id> — <title>`, top 10.
+      ### CHANGES
+      None.
+      ### RISKS
+      False-positive risks, missing context, or coverage gaps; or `None observed.`.
+      ### BLOCKERS
+      Anything that prevented a clean run (exit 3/4, base ref missing), or `None.`.
+  when_to_use: |
+    Use to run a diff-only security review on the current branch. Can run in parallel with `code-reviewer`.
+  allowed_tools:
+    - "pythinker_code.tools.shell:Shell"
+    - "pythinker_code.tools.file:ReadFile"
+    - "pythinker_code.tools.file:Grep"
+  exclude_tools:
+    - "pythinker_code.tools.file:WriteFile"
+    - "pythinker_code.tools.file:StrReplaceFile"
+  subagents:

pythinker_code/agents/default/system.md

@@ -1,9 +1,21 @@
-You are Pythinker CLI, an interactive general AI agent running on a user's computer.
+You are Pythinker — a think-first software engineering agent running on the user's computer. Before you write code, you read code.
 
-Your primary goal is to help users with software engineering tasks by taking action — use the tools available to you to make real changes on the user's system. You should also answer questions when asked. Always adhere strictly to the following system instructions and the user's requirements.
+Your identity, in order of priority:
+
+1. **Code reviewer.** Diff-aware critique with severity-scored findings, anchored to specific files and lines.
+2. **Security & vulnerability scanner.** Surface injection, secret leakage, unsafe deserialization, SSRF, path traversal, weak crypto, supply-chain risks, and OWASP-class issues. Validate before reporting.
+3. **Root-cause diagnostician.** Reproduce, isolate, and explain failures from logs, stack traces, and diffs — fix only after the cause is named.
+4. **Code creator.** Implement changes only after review/diagnosis, or when the user explicitly asks you to build, edit, or refactor from the start.
+
+You still have the full coding toolset and use it decisively when asked. The think-first posture is about *order*, not capability: review → diagnose → secure → then create.
 
 ${ROLE_ADDITIONAL}
 
+Product posture (strong): for any ambiguous engineering request, default to evidence-first review, security diagnosis, or root-cause analysis before editing code. Inspect evidence and produce findings/recommendations first. Patch only after an explicit remediation request — or when the user's initial intent was clearly to build or change code. Never silently choose "make the edit" when "show me what's wrong" is a plausible reading of the request; if both readings are plausible, ask one short clarifying question.
+
+When you do produce findings, prefer the existing reviewer/scanner subagents over ad-hoc analysis: `code-reviewer` for diff critique, `security-reviewer` for vulnerability validation, `debugger` for failure root-causing, `review`/`explore`/`plan` for read-only passes. Promote these flows to the user when they fit — many users do not yet know Pythinker leads with review.
+
+
 # Prompt and Tool Use
 
 The user's messages may contain questions and/or task descriptions in natural language, code snippets, logs, file paths, or other forms of information. Read them, understand them and do what the user requested. For simple questions/greetings that do not involve any information in the working directory or on the internet, you may simply reply directly. For anything else, default to taking action with tools. When the request could be interpreted as either a question to answer or a task to complete, treat it as a task.

pythinker_code/app.py

@@ -776,6 +776,17 @@ class PythinkerCLI:
                         level=WelcomeInfoItem.Level.WARN,
                     )
                 )
+        welcome_info.append(
+            WelcomeInfoItem(
+                name="Tip",
+                value=(
+                    'Pythinker reviews before it writes. Try "review this diff",'
+                    ' "scan for vulnerabilities", or "find the root cause"'
+                    " — code edits come after the analysis."
+                ),
+                level=WelcomeInfoItem.Level.INFO,
+            )
+        )
         welcome_info.append(
             WelcomeInfoItem(
                 name="Tip",

pythinker_code/auth/github_feedback.py

@@ -0,0 +1,228 @@
+from __future__ import annotations
+
+import asyncio
+import time
+import webbrowser
+from dataclasses import dataclass
+from typing import Any, cast
+
+from pythinker_code.auth.oauth import (
+    OAuthEvent,
+    OAuthRef,
+    OAuthToken,
+    delete_tokens,
+    load_tokens,
+    save_tokens,
+)
+from pythinker_code.utils.aiohttp import new_client_session
+from pythinker_code.utils.logging import logger
+
+GITHUB_FEEDBACK_OAUTH_KEY = "oauth/github-feedback"
+GITHUB_DEVICE_CODE_URL = "https://github.com/login/device/code"
+GITHUB_ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token"
+GITHUB_API_URL = "https://api.github.com"
+GITHUB_API_VERSION = "2022-11-28"
+
+
+class GitHubFeedbackError(RuntimeError):
+    """GitHub feedback submission failed."""
+
+
+@dataclass(slots=True, frozen=True)
+class GitHubIssue:
+    number: int | None
+    html_url: str | None
+
+
+@dataclass(slots=True, frozen=True)
+class _GitHubDeviceAuthorization:
+    device_code: str
+    user_code: str
+    verification_uri: str
+    expires_in: int
+    interval: int
+
+
+def _oauth_ref() -> OAuthRef:
+    return OAuthRef(storage="file", key=GITHUB_FEEDBACK_OAUTH_KEY)
+
+
+def load_github_feedback_token() -> str | None:
+    token = load_tokens(_oauth_ref())
+    if token is None or not token.access_token:
+        return None
+    return token.access_token
+
+
+def delete_github_feedback_token() -> None:
+    delete_tokens(_oauth_ref())
+
+
+async def _request_device_authorization(client_id: str) -> _GitHubDeviceAuthorization:
+    async with (
+        new_client_session() as session,
+        session.post(
+            GITHUB_DEVICE_CODE_URL,
+            data={"client_id": client_id, "scope": "public_repo"},
+            headers={"Accept": "application/json"},
+        ) as response,
+    ):
+        data_any: Any = await response.json(content_type=None)
+        status = response.status
+    if not isinstance(data_any, dict):
+        raise GitHubFeedbackError("Unexpected GitHub device authorization response.")
+    data = cast(dict[str, Any], data_any)
+    if status != 200:
+        message = str(data.get("error_description") or data.get("error") or status)
+        raise GitHubFeedbackError(f"GitHub device authorization failed: {message}")
+    return _GitHubDeviceAuthorization(
+        device_code=str(data["device_code"]),
+        user_code=str(data["user_code"]),
+        verification_uri=str(data["verification_uri"]),
+        expires_in=int(data.get("expires_in") or 900),
+        interval=max(int(data.get("interval") or 5), 1),
+    )
+
+
+async def _poll_access_token(
+    client_id: str,
+    auth: _GitHubDeviceAuthorization,
+) -> OAuthToken:
+    interval = auth.interval
+    expires_at = time.monotonic() + auth.expires_in
+    while time.monotonic() < expires_at:
+        await asyncio.sleep(interval)
+        async with (
+            new_client_session() as session,
+            session.post(
+                GITHUB_ACCESS_TOKEN_URL,
+                data={
+                    "client_id": client_id,
+                    "device_code": auth.device_code,
+                    "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
+                },
+                headers={"Accept": "application/json"},
+            ) as response,
+        ):
+            data_any: Any = await response.json(content_type=None)
+            status = response.status
+        if not isinstance(data_any, dict):
+            raise GitHubFeedbackError("Unexpected GitHub token response.")
+        data = cast(dict[str, Any], data_any)
+        if status != 200:
+            message = str(data.get("error_description") or data.get("error") or status)
+            raise GitHubFeedbackError(f"GitHub token request failed: {message}")
+        access_token = str(data.get("access_token") or "")
+        if access_token:
+            return OAuthToken(
+                access_token=access_token,
+                refresh_token=str(data.get("refresh_token") or ""),
+                expires_at=float(data.get("expires_at") or 0),
+                scope=str(data.get("scope") or ""),
+                token_type=str(data.get("token_type") or "bearer"),
+                expires_in=float(data.get("expires_in") or 0),
+            )
+        error_code = str(data.get("error") or "")
+        if error_code == "authorization_pending":
+            continue
+        if error_code == "slow_down":
+            interval += 5
+            continue
+        if error_code == "expired_token":
+            raise GitHubFeedbackError("GitHub device code expired.")
+        if error_code == "access_denied":
+            raise GitHubFeedbackError("GitHub authorization was denied.")
+        message = str(data.get("error_description") or error_code or "unknown error")
+        raise GitHubFeedbackError(f"GitHub authorization failed: {message}")
+    raise GitHubFeedbackError("GitHub device code expired.")
+
+
+async def login_github_feedback(
+    client_id: str,
+    *,
+    open_browser: bool = True,
+):
+    auth = await _request_device_authorization(client_id)
+    yield OAuthEvent(
+        "verification_url",
+        f"Open {auth.verification_uri} and enter code {auth.user_code}",
+        data={"verification_url": auth.verification_uri, "user_code": auth.user_code},
+    )
+    if open_browser:
+        try:
+            webbrowser.open(auth.verification_uri)
+        except Exception as exc:
+            logger.warning("Failed to open browser: {error}", error=exc)
+    yield OAuthEvent("waiting", "Waiting for GitHub authorization...")
+    token = await _poll_access_token(client_id, auth)
+    save_tokens(_oauth_ref(), token)
+    yield OAuthEvent("success", "GitHub authorization complete.")
+
+
+def _normalize_repo(repo: str) -> str:
+    repo = repo.strip().strip("/")
+    if repo.count("/") != 1:
+        raise GitHubFeedbackError("GitHub feedback repo must be in owner/name form.")
+    return repo
+
+
+async def create_github_issue(
+    repo: str,
+    token: str,
+    *,
+    title: str,
+    body: str,
+) -> GitHubIssue:
+    repo = _normalize_repo(repo)
+    async with (
+        new_client_session() as session,
+        session.post(
+            f"{GITHUB_API_URL}/repos/{repo}/issues",
+            json={"title": title, "body": body},
+            headers={
+                "Authorization": f"Bearer {token}",
+                "Accept": "application/vnd.github+json",
+                "X-GitHub-Api-Version": GITHUB_API_VERSION,
+                "User-Agent": "pythinker-feedback-cli",
+            },
+        ) as response,
+    ):
+        data_any: Any = await response.json(content_type=None)
+        status = response.status
+    if not isinstance(data_any, dict):
+        raise GitHubFeedbackError("Unexpected GitHub issue response.")
+    data = cast(dict[str, Any], data_any)
+    if status not in {200, 201}:
+        message = str(data.get("message") or status)
+        raise GitHubFeedbackError(f"GitHub issue creation failed: {message}")
+    number = data.get("number")
+    return GitHubIssue(
+        number=int(number) if isinstance(number, int) else None,
+        html_url=str(data.get("html_url") or "") or None,
+    )
+
+
+async def star_github_repo(repo: str, token: str) -> None:
+    repo = _normalize_repo(repo)
+    async with (
+        new_client_session() as session,
+        session.put(
+            f"{GITHUB_API_URL}/user/starred/{repo}",
+            headers={
+                "Authorization": f"Bearer {token}",
+                "Accept": "application/vnd.github+json",
+                "X-GitHub-Api-Version": GITHUB_API_VERSION,
+                "User-Agent": "pythinker-feedback-cli",
+            },
+        ) as response,
+    ):
+        status = response.status
+        if status == 204:
+            return
+        try:
+            data_any: Any = await response.json(content_type=None)
+        except Exception:
+            data_any = {}
+    message_payload = cast(dict[str, Any], data_any) if isinstance(data_any, dict) else {}
+    message = str(message_payload.get("message") or status)
+    raise GitHubFeedbackError(f"GitHub star failed: {message}")

pythinker_code/cli/_lazy_group.py

@@ -18,6 +18,26 @@ class LazySubcommandGroup(typer.core.TyperGroup):
         "export": ("pythinker_code.cli.export", "cli", "Export session data."),
         "mcp": ("pythinker_code.cli.mcp", "cli", "Manage MCP server configurations."),
         "plugin": ("pythinker_code.cli.plugin", "cli", "Manage plugins."),
+        "review": (
+            "pythinker_code.cli.review",
+            "cli",
+            "Diff-focused code review (delegates to pythinker-review).",
+        ),
+        "secscan": (
+            "pythinker_code.cli.secscan",
+            "cli",
+            "Diff-focused security review (delegates to pythinker-review).",
+        ),
+        "security-scan": (
+            "pythinker_code.cli.security_scan",
+            "cli",
+            "Repo-wide Pythinker Security Scan pipeline (Python-native).",
+        ),
+        "debug": (
+            "pythinker_code.cli.debug",
+            "cli",
+            "Failure/log root-cause analysis (delegates to pythinker-review).",
+        ),
         "update": (
             "pythinker_code.cli.update",
             "cli",
@@ -31,6 +51,10 @@ class LazySubcommandGroup(typer.core.TyperGroup):
         "export",
         "mcp",
         "plugin",
+        "review",
+        "secscan",
+        "security-scan",
+        "debug",
         "update",
         "vis",
         "web",

pythinker_code/cli/debug.py

@@ -0,0 +1,11 @@
+"""`pythinker debug` — active-model wrapper for pythinker-debug."""
+
+from __future__ import annotations
+
+from pythinker_review.cli import debug as upstream_debug
+
+# Importing review installs the active-model resolver used by debug.
+from pythinker_code.cli import review as review_wrapper
+
+_REVIEW_CLI = review_wrapper.cli
+cli = upstream_debug.app

pythinker_code/cli/review.py

@@ -0,0 +1,74 @@
+"""`pythinker review` — delegates to pythinker-review with active-model wiring."""
+
+from __future__ import annotations
+
+import asyncio
+from dataclasses import dataclass
+from typing import Any, cast
+
+from pydantic import SecretStr
+from pythinker_review.cli import review as upstream_review
+from pythinker_review.llm.protocol import ReviewLLM
+
+cli = upstream_review.app
+
+
+@dataclass(slots=True)
+class PythinkerActiveLLM:
+    """Bridge pythinker-core's configured provider to the ReviewLLM protocol."""
+
+    chat_provider: Any
+    model_display_name: str
+
+    async def complete_json(self, *, system: str, user: str, timeout_s: float) -> str:
+        from pythinker_core import generate
+        from pythinker_core.message import Message
+        from pythinker_core.tooling.empty import EmptyToolset
+
+        result = await asyncio.wait_for(
+            generate(
+                self.chat_provider,
+                system,
+                EmptyToolset().tools,
+                [Message(role="user", content=user)],
+            ),
+            timeout=timeout_s,
+        )
+        return result.message.extract_text()
+
+
+def build_active_llm(*, model_name: str | None = None) -> ReviewLLM | None:
+    """Build a ReviewLLM from the current Pythinker config, returning None when unset."""
+    from pythinker_code.auth.oauth import OAuthManager
+    from pythinker_code.config import LLMModel, LLMProvider, load_config
+    from pythinker_code.llm import augment_provider_with_env_vars, create_llm, model_display_name
+
+    config = load_config()
+    selected = model_name or config.default_model
+    if selected and selected in config.models:
+        model = config.models[selected].model_copy(deep=True)
+        provider = config.providers[model.provider].model_copy(deep=True)
+    else:
+        model = LLMModel(provider="", model="", max_context_size=100_000)
+        provider = LLMProvider(type="pythinker", base_url="", api_key=SecretStr(""))
+    augment_provider_with_env_vars(provider, model, provider_key=model.provider)
+    llm = create_llm(
+        provider,
+        model,
+        thinking=config.default_thinking,
+        session_id=None,
+        oauth=OAuthManager(config),
+    )
+    if llm is None:
+        return None
+    display = model_display_name(model.model, model)
+    return PythinkerActiveLLM(
+        chat_provider=cast(Any, llm.chat_provider), model_display_name=display
+    )
+
+
+def _resolve_llm_with_active_model() -> ReviewLLM | None:
+    return build_active_llm()
+
+
+upstream_review.set_llm_resolver(_resolve_llm_with_active_model)

pythinker_code/cli/secscan.py

@@ -0,0 +1,11 @@
+"""`pythinker secscan` — active-model wrapper for pythinker-secscan."""
+
+from __future__ import annotations
+
+from pythinker_review.cli import secscan as upstream_secscan
+
+# Importing review installs the active-model resolver used by secscan.
+from pythinker_code.cli import review as review_wrapper
+
+_REVIEW_CLI = review_wrapper.cli
+cli = upstream_secscan.app

pythinker_code/cli/security_scan.py

@@ -0,0 +1,35 @@
+"""`pythinker security-scan` — active-model wrapper for Python-native Pythinker Security Scan."""
+
+from __future__ import annotations
+
+import os
+
+import typer
+from pythinker_review.cli import security_scan as upstream_security_scan
+from pythinker_review.llm.fake import FakeReviewLLM
+from pythinker_review.llm.protocol import ReviewLLM
+
+# Importing review installs the active-model resolver shared by review/secscan.
+from pythinker_code.cli import review as review_wrapper
+
+_REVIEW_CLI = review_wrapper.cli
+cli = upstream_security_scan.app
+
+
+def _resolve_security_scan_llm() -> ReviewLLM:
+    adapter = review_wrapper.build_active_llm()
+    if adapter is not None:
+        return adapter
+    fake = os.environ.get("PYTHINKER_REVIEW_FAKE_LLM_RESPONSES")
+    if fake is not None:
+        return FakeReviewLLM(scripted=fake.split("\0") if fake else ["[]"])
+    typer.secho(
+        "No active model configured. Set PYTHINKER_REVIEW_FAKE_LLM_RESPONSES for tests, "
+        "or configure a Pythinker model before running `pythinker security-scan`.",
+        fg=typer.colors.RED,
+        err=True,
+    )
+    raise typer.Exit(code=3)
+
+
+upstream_security_scan.__dict__["_resolve_llm"] = _resolve_security_scan_llm