qodo-cli 0.4.0__tar.gz → 0.9.0__tar.gz

qodo_cli-0.9.0/.pr_agent.toml

@@ -0,0 +1,26 @@
+# Qodo Merge / PR-Agent configuration for qodo-cli.
+# Docs: https://docs.qodo.ai/qodo-documentation/qodo-merge/configuration/configuration-file
+#
+# Kept minimal on purpose (per Qodo's guidance: only override what you need).
+# The repo's coding conventions live in best_practices.md at the root, which the
+# reviewer auto-references; this file just reinforces a few intentional patterns
+# that an earlier review flagged as false positives.
+
+[pr_reviewer]
+extra_instructions = """
+qodo-cli is an unofficial, community CLI to manage Qodo, built as a
+zero-runtime-dependency, stdlib-only Python package. Intentional patterns (do
+not flag these as issues):
+- Command handlers return a bare 0/1/None for the exit code. The EXIT_* constants
+  in qodo/cli/_errors.py are for CliError codes (the failure path), not for
+  handler return values. `return 0` in a handler is intentional and consistent
+  across every command.
+- Nested argparse subparsers inherit the structured-error parser class via
+  `add_subparsers(parser_class=type(p))` (see qodo/cli/_commands/cli.py). Passing
+  `type(p)` is the established idiom and is equivalent to naming
+  `_CliArgumentParser` directly — it is not a missing parser_class.
+- `qodo review resolve --reply` drives the user's own `gh` with their own auth;
+  the reply text belongs to the caller, so the tool must not auto-append an agent
+  signature.
+See best_practices.md at the repo root for the full conventions.
+"""

{qodo_cli-0.4.0 → qodo_cli-0.9.0}/CHANGELOG.md

@@ -5,6 +5,202 @@ All notable changes to this project will be documented in this file.
 Format follows [Keep a Changelog](https://keepachangelog.com/). This project
 adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.0] - 2026-06-17
+
+### Added
+
+- **GitLab provider** for `qodo review` (via `glab`): find the open MR, list the
+  Qodo bot's notes across MR discussions (with the same parsed triage fields as
+  GitHub), reply, and resolve. GitLab's model is MR *discussions* (resolution is
+  at the discussion level — there is no `+1` marker, so resolving the discussion
+  *is* the acknowledgement). Implemented but **not live-tested** against a real
+  GitLab (we have none) — covered by mocked tests mirroring the GitHub ones, with
+  the `glab` REST shapes pinned in the citation ledger. (#10)
+
+### Changed
+
+- Generalized the provider gate: `require_provider` (supersedes the GitHub-only
+  `require_github` on the `review` surface) now allows **GitHub + GitLab**;
+  Azure/Bitbucket/Gerrit still error with a clear "not wired yet". `review`
+  dispatches find/fetch/resolve through a provider-aware seam
+  (`find_pr` / `fetch_comments` / `resolve` / `prefetch_threads`). (#10)
+- Internal refactor to clear SonarCloud maintainability findings on the stack —
+  no behavior change: split the `config` render/validate/init handlers and
+  `review._select_targets` into focused helpers (cognitive complexity ≤ 15),
+  de-nested the validate mark ternary, extracted `_parse_thread_node`, and named
+  the shared resolve-action labels (`_ACT_RESOLVE_THREAD` /
+  `_ACT_LOOKUP_DISCUSSION`) to drop duplicated literals. (PR #12 review)
+
+### Fixed
+
+- **Self-hosted GitLab on a custom domain is now detected.** `resolve_provider`
+  gained a `glab_knows_host()` upgrade path mirroring the GHE `gh_knows_host()`
+  one: an `origin` whose host isn't `github.com`/`gitlab.com` is no longer
+  hard-failed as `unknown` when `glab auth status --hostname <host>` recognises
+  it — it resolves to `gitlab`. `gh` is consulted first (a host both CLIs know
+  resolves to `github`). Mocked-only, like the GHE path. (#10, PR #16 review)
+- **Live smokes are now explicitly opt-in and skip (don't fail) when their
+  prerequisites are missing.** Both `test_contracts.py` smokes require a
+  deliberate `QODO_LIVE_SMOKE=1` switch, so a shell that merely exports
+  `QODO_API_KEY` for real `qodo rules` use no longer fires a network call during
+  a normal `pytest` run. The GHE smoke additionally gates on `gh` being present
+  and authenticated to the remote's host (`gh_knows_host`), so a `gh`-less or
+  unauthenticated box *skips* rather than failing on `resolve_provider → unknown`.
+  (#8, PR #15 review)
+- **`qodo config init` is now symlink-safe.** It treats any existing path
+  (regular file, directory, FIFO, or a possibly-broken symlink) as occupied, and
+  under `--force` it refuses — with a structured `CliError` — to write *through* a
+  symlink (which could escape the repo root) or over a non-regular path (which
+  would crash). Targets are pre-scanned so a refusal aborts before any write,
+  never leaving a half-scaffold. (#7, PR #14 review)
+- **`qodo config show`/`validate` degrade gracefully on an unreadable
+  `best_practices.md`.** `_inspect()` now guards the `best_practices.md` read
+  (`OSError`/`UnicodeDecodeError`) the same way the `.pr_agent.toml` read was
+  already guarded, so a permission/encoding problem reports a controlled
+  `readable: false` status instead of crashing the read-only verb with a generic
+  exit 1. (#7, PR #14 review)
+- **Scope auto-detection is now truly non-raising.** `_origin_url()` wraps its
+  `subprocess.run(git …)` in `try/except OSError`, and `detect_scopes()` guards
+  `Path.cwd()` — so a git that vanishes mid-run or a deleted working directory
+  yields *no scope* (per the documented contract) instead of turning an optional
+  enhancement into a `qodo rules get` failure. (#9, PR #13 review)
+- **`repo_slug()` no longer leaves `.git` in the slug for a trailing-slash
+  remote.** A URL like `https://host/org/repo.git/` now correctly yields
+  `org/repo` (the path is stripped of surrounding slashes *before* the `.git`
+  suffix), not `org/repo.git`. (#9, PR #13 review)
+- **`review resolve`'s reaction-only fallback no longer flips the exit code.**
+  When no GitHub review thread maps to a comment, the `+1` reaction stands as the
+  acknowledgement marker; that documented fallback is now reported `ok=True` with
+  `fallback: true` (instead of `ok=False`), so `review resolve --all` exits 0 when
+  every actionable step succeeded. A genuine thread-resolve error still reports
+  `ok=False`. (GitLab is unchanged — it has no `+1` marker, so a missing discussion
+  is a real failure there.) (#3–#6, PR #12 review)
+- **`review resolve --severity` rejects an invalid value instead of silently
+  resolving nothing.** A typo like `--severity HGIH` now fails at parse time with a
+  structured `error:`/`hint:` (exit 1) rather than matching no comments and exiting
+  0. Stays case-insensitive (`high` → `HIGH`). (#3–#6, PR #12 review)
+
+## [0.8.1] - 2026-06-17
+
+### Added
+
+- `tests/test_contracts.py` + `tests/fixtures/rules_search_response.json` — an
+  **offline contract test** that pins the Qodo `/rules/search` response shape
+  (relevance order, the `{id, name, content, severity}` fields, severities within
+  the known set, unknown extra fields passing through), so the parser is verified
+  without a Qodo subscription in CI. (#8)
+- **Opt-in live smokes** (skipped by default): `test_live_rules_search_smoke`
+  (runs when `QODO_API_KEY` is set) and `test_live_ghe_resolves_to_github` (runs
+  when `QODO_CLI_GHE_REMOTE` points at a real GitHub Enterprise origin). (#8)
+- `docs/manual-verification.md` — a manual checklist for the paths that need a
+  real system to exercise (live `qodo rules`, GitHub Enterprise resolution, the
+  non-GitHub provider gate), cross-referenced from the citation ledger. (#8)
+
+### Changed
+
+### Fixed
+
+## [0.8.0] - 2026-06-17
+
+### Added
+
+- `qodo config` — a new noun group to manage the **repo-level** Qodo reviewer
+  config (`.pr_agent.toml` + `best_practices.md`), distinct from the *client*
+  `~/.qodo/config.json` that `qodo rules` reads: (#7)
+  - `config show` — report presence, the parsed `.pr_agent.toml` sections, and
+    `best_practices.md` status (read-only).
+  - `config validate` — validate the config (valid TOML, a config present) and
+    exit 1 when invalid; warns (without failing) on a missing `[pr_reviewer]`
+    section or an empty `best_practices.md`. Emits the rubric-shaped
+    `{valid, checks: [...]}` in `--json`.
+  - `config init [--force]` — scaffold a minimal `.pr_agent.toml` +
+    `best_practices.md` when absent; never overwrites without `--force`.
+  - `config overview` — describe the noun (rubric-required).
+
+### Changed
+
+### Fixed
+
+## [0.7.0] - 2026-06-17
+
+### Added
+
+- `qodo rules get` now **auto-detects the rules scope** when `--scope` is
+  omitted, mirroring `qodo-get-rules`: the `org/repo` slug from the git `origin`
+  (SSH `git@host:org/repo(.git)`, HTTPS, and `ssh://` forms; multi-level
+  namespaces such as GitLab subgroups preserved) plus the module name from a
+  `modules/<name>/` path. Detection is non-raising — no git / no origin yields no
+  scope, and `scopes` is omitted entirely (never sent empty). The detected scope
+  is surfaced in `--json` (`scopes`) and the text header. (#9)
+- `qodo rules get --no-scope` forces scope omission (skips auto-detection);
+  `--scope` continues to override detection. `--scope` and `--no-scope` are
+  mutually exclusive. (#9)
+
+### Changed
+
+### Fixed
+
+## [0.6.0] - 2026-06-17
+
+### Added
+
+- `qodo review list` now parses each Qodo comment body into structured triage
+  fields surfaced in `--json` and the text table: `severity` (from the badge —
+  `Action required → HIGH`, `Review recommended → MEDIUM`, other → `LOW`, none →
+  `null`), `type` and `categories` (the `<code>` chips), `description` (the
+  `<pre>` block, HTML-entity-decoded), and `agent_prompt` (the remediation
+  block). Parsing is best-effort — an unrecognised body degrades to title-only.
+  (#3)
+- `qodo review list --kind {inline,summary,all}` filters by comment kind so the
+  non-actionable summary rollups can be excluded. (#3)
+- `qodo review resolve` now resolves the GitHub review **thread** via the GraphQL
+  `resolveReviewThread` mutation by default (mapping the REST comment id to its
+  thread node id), with `--no-resolve-thread` to skip and a graceful fallback to
+  the `+1` reaction when no thread maps to the comment. (#4)
+- `qodo review resolve --all` / `--severity <S>` and multiple positional ids
+  resolve several inline comments in one call. (#5)
+- `qodo review resolve --reply "..." --sign` appends the `culture.yaml` nick
+  signature (`- <nick> (Claude)`) to the reply, at most once (duplicate-guarded);
+  default stays unsigned. (#6)
+
+### Changed
+
+- `qodo review resolve` is now **best-effort and per-action**: it reports each of
+  reply / acknowledge / resolve-thread per comment, so a posted reply whose
+  acknowledgement failed reads as partial success (exit 1) rather than a blanket
+  failure. The `resolve_comment()` return type changed from `list[str]` to
+  `list[{action, ok, detail}]`, and the `resolve --json` payload now carries a
+  `resolved` list with per-action results. (#5)
+
+### Fixed
+
+## [0.5.0] - 2026-06-17
+
+### Added
+
+- `.pr_agent.toml` + `best_practices.md` at the repo root — the Qodo Merge
+  reviewer config (cite, don't fork). They codify this repo's intentional
+  patterns (bare `return 0` handlers, `parser_class=type(p)` subparser nesting,
+  the mechanics-only `review resolve --reply`) so Qodo reviews accurately and
+  stops raising them as violations.
+- `qodo doctor` now also checks **Qodo setup**, against the current git repo:
+  `.pr_agent.toml` present, `best_practices.md` present, and whether a usable
+  Qodo API key is resolvable for `qodo rules` — `QODO_API_KEY`, else a non-empty
+  `API_KEY` in `~/.qodo/config.json` (a present-but-keyless or malformed file
+  fails the check with guidance, and never throws). These are advisory and each
+  carries a `remediation` that guides an agent through setup. Runs in any repo
+  (not just a source checkout). (Addresses #7.)
+
+### Changed
+
+- `qodo doctor` `healthy` now depends on **error**-severity checks only;
+  `warning`/`info` checks surface guidance without flipping `healthy` or the
+  exit code. Fixes the `claude → CLAUDE.md` drift in the `doctor` explain entry
+  (this repo's backend is `colleague` → `AGENTS.colleague.md`).
+- `learn` now describes `doctor` as "agent-identity invariants + Qodo setup" in
+  both its text and JSON payload, matching `overview` and the explain catalog
+  (self-description stays consistent across the introspection surfaces).
+
 ## [0.4.0] - 2026-06-17
 
 ### Added

{qodo_cli-0.4.0 → qodo_cli-0.9.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qodo-cli
-Version: 0.4.0
+Version: 0.9.0
 Summary: Community CLI and agent to manage Qodo — the AI code reviewer and Qodo's other agents (requires a Qodo subscription). Unofficial: not affiliated with, authorized, or endorsed by Qodo; the Qodo name and trademark belong to Qodo Ltd.
 Project-URL: Homepage, https://github.com/agentculture/qodo-cli
 Project-URL: Issues, https://github.com/agentculture/qodo-cli/issues

qodo_cli-0.9.0/best_practices.md

@@ -0,0 +1,59 @@
+# Best practices for qodo-cli
+
+Repository-specific coding standards for the Qodo reviewer — and for any agent
+working in this repo. `qodo-cli` is an unofficial, community CLI to manage Qodo,
+built as a **zero-runtime-dependency, stdlib-only** Python package.
+
+These conventions are pinned by the test suite and the agent-first rubric
+(`teken cli doctor . --strict`); please review against them rather than against
+generic defaults.
+
+## Dependencies
+
+- Runtime dependencies must stay empty (`dependencies = []` in `pyproject.toml`).
+  Use only the Python standard library at runtime, and flag any new third-party
+  runtime import. `teken` and the lint/test tools are dev-only.
+
+## Exit codes
+
+- Command handlers return a bare `0` / `1` / `None` for their exit code (`0` is
+  success). The `EXIT_*` constants in `qodo/cli/_errors.py` are for `CliError`
+  codes on the failure path, **not** for handler return values. A bare
+  `return 0` in a handler is intentional and consistent across every command —
+  do not flag it as a magic number.
+
+## Errors and output
+
+- Every failure raises `CliError(code, message, remediation)`; no Python
+  traceback may leak to stderr. Text-mode errors render `error: <msg>` then
+  `hint: <remediation>` (the `hint:` prefix is required).
+- Results go to stdout; errors and diagnostics go to stderr. Never mix the two,
+  in text or `--json` mode. Every command supports `--json`.
+
+## argparse
+
+- Build subparsers with the structured-error parser class. Nested subparsers
+  inherit it via `add_subparsers(parser_class=type(p))` (see
+  `qodo/cli/_commands/cli.py`); passing `type(p)` is the established idiom and is
+  equivalent to naming `_CliArgumentParser` directly — it is not a missing
+  `parser_class`.
+- Add the standard `--json` flag with `add_json_flag()` from `qodo.cli._output`
+  rather than re-declaring the literal.
+
+## The CLI is mechanics-only
+
+- `qodo review resolve --reply` drives the user's own `gh` with their own auth;
+  the reply text belongs to the caller. The tool must not auto-append an agent
+  signature — that would mis-attribute human-authored replies. Signing is the
+  caller's responsibility (an opt-in flag may be added later).
+
+## Cite, don't import
+
+- Behavior derived from `qodo-ai/qodo-skills` and the vendored `.claude/skills/`
+  kit is cited as the source of truth, not forked or vendored into runtime code.
+  Keep `docs/qodo-skills-sources.md` in sync when the upstream contract changes.
+
+## Keep the self-description in sync
+
+- When adding a command, update `learn`, `overview`, and the explain catalog so
+  the rubric and the self-describing text stay consistent.

qodo_cli-0.9.0/docs/manual-verification.md

@@ -0,0 +1,115 @@
+# Manual verification checklist
+
+Two `qodo-cli` paths are implemented and unit-tested with mocks, but cannot be
+exercised against the real systems in CI (we have no GitHub Enterprise instance
+and no Qodo subscription in the CI environment). This checklist is how to verify
+them by hand when a real system *is* available, plus the offline contract test
+that pins the response shape in the meantime.
+
+See `docs/qodo-skills-sources.md` for the resolved contracts these verify.
+
+## 1. Offline contract test (always runs)
+
+`tests/test_contracts.py::test_rules_search_parses_recorded_response` asserts the
+`/rules/search` parser against a recorded response fixture
+(`tests/fixtures/rules_search_response.json`) — relevance order preserved, the
+documented `{id, name, content, severity}` fields present, severities within the
+known set, and unknown extra fields (e.g. `score`) passing through untouched.
+
+If the Qodo API response shape ever changes, refresh the fixture from a real
+response and update the contract test alongside the parser:
+
+```bash
+# with a real key, capture a response shape (redact ids/content as needed):
+QODO_API_KEY=… qodo rules get "validate input" --json
+# then update tests/fixtures/rules_search_response.json + the contract test.
+```
+
+## 2. `qodo rules` against the real Qodo API
+
+Prerequisite: a Qodo subscription and an API key, either in
+`~/.qodo/config.json` (`"API_KEY"`) or exported as `QODO_API_KEY`.
+
+```bash
+qodo doctor                      # qodo_client_config_present should pass
+qodo rules get "validate all user input at trust boundaries"
+qodo rules get "sql safety" --json | jq '.rules[].severity'
+qodo rules get "anything" --no-scope --json | jq '.scopes'   # -> null
+```
+
+Expected: relevance-ranked rules with `ERROR` / `WARNING` / `RECOMMENDATION`
+severities; `--json` carries `scopes` (the auto-detected `org/repo`, or `null`
+under `--no-scope`); a missing key exits `2` with a `hint:` and never prompts.
+
+Opt-in smoke (runs only when explicitly enabled — `QODO_LIVE_SMOKE` gates it so a
+shell that merely exports `QODO_API_KEY` for real `qodo rules` use never fires a
+network call during a normal `pytest` run):
+
+```bash
+QODO_LIVE_SMOKE=1 QODO_API_KEY=… \
+  uv run pytest tests/test_contracts.py::test_live_rules_search_smoke -v
+```
+
+## 3. `qodo review` against a real GitHub Enterprise host
+
+`resolve_provider()` upgrades an unknown host to `github` when `gh` is
+authenticated to it (`gh auth status --hostname <host>`). This is covered by
+mocked tests only — verify it against a real GHE instance like so:
+
+```bash
+gh auth login --hostname ghe.your-company.com     # one-time
+cd /path/to/a/repo/whose/origin/is/that/GHE/host
+qodo review list                                   # should detect + list, not error
+```
+
+Expected: the GHE remote resolves to `github` (no "not wired yet" / "could not
+identify the git provider" error), and the Qodo bot's comments list as on
+github.com. Then exercise resolution on a real PR:
+
+```bash
+qodo review list --json | jq '.comments[] | {id, severity, type}'
+qodo review resolve <comment-id> --reply "Verified." --sign
+qodo review resolve --all --severity HIGH          # batch
+```
+
+Expected: the reply posts, the `+1` reaction lands, and the GitHub review thread
+is marked resolved (via the GraphQL `resolveReviewThread` mutation); a comment
+with no mappable thread falls back to reaction-only and is reported, not failed.
+
+Opt-in smoke (runs only when opted in *and* `gh` is authenticated to the host —
+otherwise it skips cleanly rather than failing on a `gh`-less / unauthenticated
+box):
+
+```bash
+QODO_LIVE_SMOKE=1 QODO_CLI_GHE_REMOTE=git@ghe.your-company.com:org/repo.git \
+  uv run pytest tests/test_contracts.py::test_live_ghe_resolves_to_github -v
+```
+
+## 4. `qodo review` against a self-hosted GitLab on a custom domain
+
+`resolve_provider()` upgrades an unknown host to `gitlab` when `glab` is
+authenticated to it (`glab auth status --hostname <host>`), mirroring the GHE
+path above. `gitlab.com` is detected by hostname directly (no `glab` call);
+`gh` is consulted before `glab`, so a host both CLIs know resolves to `github`.
+Covered by mocked tests only — verify it against a real self-hosted instance:
+
+```bash
+glab auth login --hostname gitlab.your-company.com   # one-time
+cd /path/to/a/repo/whose/origin/is/that/GitLab/host
+qodo review list                                      # should detect + list, not error
+```
+
+Expected: the custom-domain remote resolves to `gitlab` (no "not wired yet" /
+"could not identify the git provider" error), and the Qodo bot's notes list as
+on gitlab.com. Resolution marks the note's MR *discussion* resolved (GitLab has
+no `+1` marker).
+
+## 5. Provider gate (still-unwired providers)
+
+An Azure/Bitbucket/Gerrit remote should fail with a clear, actionable message
+rather than misbehaving:
+
+```bash
+cd /path/to/an/azure/devops/repo
+qodo review list        # exit 2, "provider 'azure' is not wired yet" + hint
+```

{qodo_cli-0.4.0 → qodo_cli-0.9.0}/docs/qodo-skills-sources.md

@@ -30,8 +30,9 @@ calling agent — which keeps the CLI zero-dependency and model-agnostic.
   generates (call `rules get` once per query and merge).
 - **`qodo review`** — we own: detect the provider, find the open PR, fetch and
   filter the Qodo bot's comments, dedup by stable comment identity (id/url),
-  reply, acknowledge. The agent owns: reading the flagged files, generating a
-  fix, editing, and committing.
+  parse each body into structured triage fields, reply, acknowledge, and resolve
+  the review thread. The agent owns: reading the flagged files, generating a fix,
+  editing, and committing.
 
 ## Resolved contract — `qodo-get-rules`
 
@@ -49,6 +50,14 @@ calling agent — which keeps the CLI zero-dependency and model-agnostic.
 - **Request body:** `{"query": <str>, "top_k": <int>, "scopes": [<str>]}`.
   `scopes` is omitted entirely when empty (never `null` / `[]`). `top_k`
   defaults to `20`.
+- **Scope auto-detection:** when `--scope` is omitted, the CLI mirrors the
+  skill — it derives the repository scope as the `org/repo` slug from
+  `git remote get-url origin` (SSH `git@host:org/repo(.git)`, HTTPS
+  `https://host/org/repo(.git)`, `ssh://…` forms; multi-level namespaces such as
+  GitLab subgroups are preserved) and a module scope `<name>` when the working
+  path contains `modules/<name>/`. Detection is non-raising: no git / no origin
+  yields no scope (omitted, not empty). `--scope` overrides detection;
+  `--no-scope` forces omission.
 - **Response:** `{"rules": [{"id", "name", "content", "severity"}]}`, ranked by
   relevance (most relevant first). Severity is one of `ERROR`, `WARNING`,
   `RECOMMENDATION`.
@@ -79,15 +88,39 @@ calling agent — which keeps the CLI zero-dependency and model-agnostic.
   - inline comments: `gh api repos/{owner}/{repo}/pulls/<pr>/comments --paginate`
   - reply: `gh api repos/{owner}/{repo}/pulls/<pr>/comments/<id>/replies -X POST -f body=<text>`
   - acknowledge: `gh api repos/{owner}/{repo}/pulls/comments/<id>/reactions -X POST -f content='+1'`
+  - resolve thread: map the comment's REST id to its review-thread node id via
+    `gh api graphql` (`repository.pullRequest.reviewThreads` → match
+    `comments.nodes.databaseId`), then `resolveReviewThread(input:{threadId})`.
+
+- **Comment body structure (parsed by `qodo review list`):** a Qodo inline body
+  opens with a severity badge `<img ... alt="Action required">` (or
+  `"Review recommended"`); the title line carries `<code>` category chips
+  (e.g. `📘 Rule violation`, `≡ Correctness`); the `<pre>` block is the issue
+  description (HTML-entity-encoded); and a `<details><summary>Agent Prompt</summary>`
+  fenced block holds the remediation prompt. Severity map (the lever — extend as
+  Qodo adds badges): `Action required → HIGH`, `Review recommended → MEDIUM`,
+  any other badge → `LOW`, no badge → `null`. Parsing is best-effort; an
+  unrecognised body degrades to title-only with `null` fields.
+
+- **GitLab (wired now), via `glab`:** GitLab's model is MR **discussions** (each
+  holds one or more **notes**); resolution is at the discussion level (no `+1`
+  marker — resolving the discussion *is* the acknowledgement). The project path
+  is the `namespace/repo` slug from `origin`, URL-encoded for the API.
+  - find MR: `glab api "projects/<proj>/merge_requests?source_branch=<branch>&state=opened"`
+  - notes: `glab api "projects/<proj>/merge_requests/<iid>/discussions?per_page=100" --paginate`
+    (keep notes whose `author.username` is a Qodo bot; skip `system` notes)
+  - reply: `glab api projects/<proj>/merge_requests/<iid>/discussions/<disc>/notes -X POST -f body=<text>`
+  - resolve: `glab api projects/<proj>/merge_requests/<iid>/discussions/<disc> -X PUT -f resolved=true`
+  - **Implemented but NOT live-tested** against a real GitLab (we have none);
+    covered by mocked tests mirroring the GitHub ones (the `glab` REST shapes
+    above are the contract). The provider gate (`require_provider`) now allows
+    `github` + `gitlab`.
 
 ### Follow-up providers (recognised, not yet wired)
 
 These are captured from `resources/providers.md` so wiring them is a lookup, not
 a re-investigation. Today the CLI raises a clear "not wired yet" error for them.
 
-- **GitLab (`glab`):** find `glab mr list --source-branch <branch>`; fetch
-  `glab mr view <iid> --comments`; reply / resolve via
-  `glab api /projects/:id/merge_requests/<iid>/discussions/...`.
 - **Azure DevOps (`az`):** find `az repos pr list --source-branch <branch> --status active`;
   fetch / reply / resolve via `az devops invoke --resource pullRequestThreads`.
 - **Bitbucket (`curl`):** REST under
@@ -96,8 +129,9 @@ a re-investigation. Today the CLI raises a clear "not wired yet" error for them.
   `git push origin HEAD:refs/for/<branch>`.
 
 True GitHub review-thread resolution (the GraphQL `resolveReviewThread`
-mutation) is also a follow-up; today `resolve` posts the `+1` reaction the
-upstream skill uses as a lightweight acknowledgement.
+mutation) is **now wired**: `resolve` posts the `+1` reaction the upstream skill
+uses *and* resolves the GitHub review thread by default (`--no-resolve-thread`
+to skip), falling back to reaction-only when no thread maps to the comment.
 
 ## Non-goals (enforced)
 
@@ -107,11 +141,22 @@ upstream skill uses as a lightweight acknowledgement.
 - `qodo rules` does not implement an interactive login — it reuses existing
   credentials and errors when they are absent.
 
+## Verifying the contracts
+
+The `/rules/search` response shape is pinned by an **offline contract test**
+(`tests/test_contracts.py`) against a recorded fixture
+(`tests/fixtures/rules_search_response.json`). Paths that need a real system to
+exercise — `qodo rules` against the live API, and GitHub Enterprise provider
+resolution — have **opt-in live smokes** (gated on `QODO_API_KEY` /
+`QODO_CLI_GHE_REMOTE`, skipped by default) plus a manual checklist in
+`docs/manual-verification.md`.
+
 ## Re-sync procedure
 
 1. Re-fetch the upstream `SKILL.md` and the `references/` / `resources/` files
    listed in the verb↔skill map above.
 2. Diff the resolved contract in this file against them (endpoint, headers,
    request/response schema, bot logins, provider commands).
-3. Update `qodo/cli/_qodo_api.py` / `qodo/cli/_providers.py` and this ledger
+3. Update `qodo/cli/_qodo_api.py` / `qodo/cli/_providers.py`, the contract
+   fixture (`tests/fixtures/rules_search_response.json`), and this ledger
    together, then bump the version.

{qodo_cli-0.4.0 → qodo_cli-0.9.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "qodo-cli"
-version = "0.4.0"
+version = "0.9.0"
 description = "Community CLI and agent to manage Qodo — the AI code reviewer and Qodo's other agents (requires a Qodo subscription). Unofficial: not affiliated with, authorized, or endorsed by Qodo; the Qodo name and trademark belong to Qodo Ltd."
 readme = "README.md"
 license = "MIT"

{qodo_cli-0.4.0 → qodo_cli-0.9.0}/qodo/cli/__init__.py

@@ -63,6 +63,7 @@ def _argv_has_json(argv: list[str] | None) -> bool:
 
 def _build_parser() -> argparse.ArgumentParser:
     from qodo.cli._commands import cli as _cli_group
+    from qodo.cli._commands import config as _config_group
     from qodo.cli._commands import doctor as _doctor_cmd
     from qodo.cli._commands import explain as _explain_cmd
     from qodo.cli._commands import learn as _learn_cmd
@@ -87,6 +88,7 @@ def _build_parser() -> argparse.ArgumentParser:
     # Qodo domain noun groups (the real surface):
     _rules_group.register(sub)
     _review_group.register(sub)
+    _config_group.register(sub)
     # Agent-first introspection verbs:
     _whoami_cmd.register(sub)
     _learn_cmd.register(sub)