reviewd 0.1.0__tar.gz

reviewd-0.1.0/.gitignore

@@ -0,0 +1,10 @@
+__pycache__/
+*.pyc
+*.egg-info/
+dist/
+build/
+.reviewd-worktrees/
+*.db
+.venv/
+.env
+.env.*

reviewd-0.1.0/.pre-commit-config.yaml

@@ -0,0 +1,25 @@
+repos:
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: ['--baseline', '.secrets.baseline']
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-ast
+      - id: check-yaml
+      - id: check-added-large-files
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.8.6
+    hooks:
+      - id: ruff
+        args: [--fix]
+      - id: ruff-format
+
+  - repo: https://github.com/psf/black
+    rev: 24.10.0
+    hooks:
+      - id: black

reviewd-0.1.0/.secrets.baseline

@@ -0,0 +1,127 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {},
+  "generated_at": "2026-03-04T08:49:36Z"
+}

reviewd-0.1.0/CLAUDE.md

@@ -0,0 +1,104 @@
+# CLAUDE.md — reviewd
+
+## What This Is
+
+Local CLI tool that polls GitHub/BitBucket for open PRs, reviews them using Claude/Gemini CLI, and posts structured comments back. Invokes `claude --print` or `gemini -p` as local subprocesses — no API keys, uses existing CLI subscriptions.
+
+## Architecture
+
+```
+Poller (GitHub/BB API) → State Check (SQLite) → Worktree (git) → AI Review (CLI) → Parse JSON → Post Comments
+```
+
+- **Polling**, not webhooks — runs locally, no tunnel needed
+- **Git worktrees** for isolation — no interference with working copy
+- **AI has full tool access** — reads files, explores code, runs commands in the worktree
+- **JSON output** — prompt requests structured JSON as last block, extracted via regex
+- **SQLite** for state — tracks `(repo, pr_id, source_commit)` to avoid duplicate reviews
+- **ID-based comment cleanup** — tracks posted comment IDs in SQLite, deletes by ID on re-review
+
+## Project Conventions
+
+- Python 3.12+, no backward compatibility
+- Dependencies managed with `uv`
+- Google style, single quotes for strings, double quotes for messages
+- No broad except clauses
+- No unnecessary docstrings or comments
+- Tests only when explicitly asked
+- Never add Co-Authored-By to commits
+
+## Key Files
+
+| File | Purpose |
+|------|---------|
+| `src/reviewd/cli.py` | Click CLI: `ls`, `watch`, `pr`, `status` commands |
+| `src/reviewd/daemon.py` | Poll loop, boot summary, status line, orchestration, signal handling |
+| `src/reviewd/reviewer.py` | Worktree lifecycle + AI CLI invocation (Popen) + JSON extraction |
+| `src/reviewd/prompt.py` | Built-in review prompt template + builder |
+| `src/reviewd/commenter.py` | Format findings as markdown, post via provider, delete old comments by ID |
+| `src/reviewd/config.py` | YAML + `${ENV_VAR}` loading, global + per-project merge, provider factory |
+| `src/reviewd/state.py` | SQLite: reviews + posted_comments (with get/delete by repo+PR) |
+| `src/reviewd/models.py` | Dataclasses: PRInfo, Finding, ReviewResult, configs, CLI enum |
+| `src/reviewd/providers/base.py` | Abstract GitProvider ABC |
+| `src/reviewd/providers/bitbucket.py` | BitBucket 2.0 API (httpx, pagination with ID dedup, inline comments) |
+| `src/reviewd/providers/github.py` | GitHub REST API v3 (httpx, Link header pagination, review comments) |
+
+## Config
+
+### Global: `~/.config/reviewd/config.yaml`
+
+Provider credentials, repos list, poll interval, AI CLI choice, model, cli_args, global `instructions`, `review_title`, `footer`.
+
+### Per-project: `{repo_root}/.reviewd.yaml`
+
+Project-specific `instructions`, `test_commands`, `inline_comments_for`, `approve_if_no_critical`, `critical_task`.
+
+Instructions merge: global + per-project concatenated (global first). Old `guidelines`/`explore` fields still supported.
+
+### Per-repo overrides in global config
+
+`cli`, `model`, `repo_slug` (decouples display name from API slug), per-repo provider credentials.
+
+## How the Review Works
+
+1. Fetch PR metadata from provider API
+2. Clean up stale worktrees from previous interrupted runs
+3. Create git worktree at `{repo}/.reviewd-worktrees/pr-{id}`
+4. Build prompt: PR metadata + merged instructions + validation commands + JSON schema
+5. Run `claude --print --model X -p "<prompt>"` or `gemini --approval-mode yolo -e none -p "<prompt>"` via Popen
+6. Stream stderr for progress, ticker thread logs elapsed time every 30s
+7. Extract last ```json``` block from stdout
+8. Delete old bot comments by tracked IDs from SQLite
+9. Post inline comments (single-line, with `suggestion` code fence) + summary comment
+10. Cleanup worktree
+
+## CLI
+
+```bash
+reviewd init                                  # create config file
+reviewd ls                                    # list repos + open PRs
+reviewd watch -v                              # daemon mode
+reviewd watch -v --review-existing            # review not-yet-reviewed open PRs
+reviewd watch -v --cli gemini                 # override AI CLI
+reviewd pr pydpf 42                           # one-shot review
+reviewd pr pydpf 42 --dry-run                 # preview without posting
+reviewd pr pydpf 42 --force                   # re-review even if already done
+reviewd pr pydpf 42 --cli gemini              # override AI CLI
+reviewd status pydpf                          # review history
+```
+
+## Prompt Injection Defenses
+
+- Prompt includes a security scope block (before any user-controlled content) that forbids file writes, network access, accessing secrets, and following instructions embedded in code
+- Gemini CLI: `-e none` disables all extensions
+- Project config (`.reviewd.yaml`) is read from the main repo, not the worktree — PR authors cannot inject instructions via config
+- `test_commands` come only from the repo owner's config, not from PR content
+
+## Known Limitations
+
+- BitBucket markdown doesn't support HTML comments — bot marker uses empty link `[](reviewd)`
+- Can't `git fetch` by commit hash from BB — if source branch is deleted, commit must exist locally
+- Claude CLI rejects nested sessions — must unset `CLAUDECODE` env var in subprocess
+- Gemini CLI loads global extensions by default — use `-e none` to disable
+- Inline suggestions are single-line only (TODO: multi-line support)
+- AI may hallucinate line numbers — prompt instructs to double-check but not guaranteed

reviewd-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Simion Agavriloaei
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

reviewd-0.1.0/PKG-INFO

@@ -0,0 +1,221 @@
+Metadata-Version: 2.4
+Name: reviewd
+Version: 0.1.0
+Summary: Local AI code reviewer for GitHub and BitBucket PRs — uses Claude or Gemini CLI to review pull requests and post structured comments
+Project-URL: Homepage, https://github.com/simion/reviewd
+Project-URL: Repository, https://github.com/simion/reviewd
+Project-URL: Issues, https://github.com/simion/reviewd/issues
+Author-email: Simion Agavriloaei <hi@simion.cv>
+License-Expression: MIT
+License-File: LICENSE
+Keywords: ai,automation,bitbucket,claude,code-review,gemini,github,pull-request
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.12
+Requires-Dist: click<9,>=8.1
+Requires-Dist: httpx<1,>=0.27
+Requires-Dist: pyyaml<7,>=6.0
+Description-Content-Type: text/markdown
+
+# reviewd
+
+**The review daemon** — local AI code reviewer for GitHub and BitBucket pull requests, powered by Claude Code / Gemini CLI subscriptions.
+
+- Watches your repos for new PRs, reviews them using Claude or Gemini CLI, and posts structured comments
+- All from your machine — no CI pipeline, no cloud service, no new accounts
+- Secure by default — can only access repos you already have locally, as secure as your machine
+
+> If you already have `claude` or `gemini` CLI and local git clones, you're 5 minutes away from automated code reviews.
+
+## Features
+
+- **Reuses what you already have** — your local git repos, your Claude/Gemini CLI subscription, your existing credentials. Nothing new to install or pay for.
+- **Full codebase context** — reviews run on your actual local repos, not shallow CI clones. The AI can read any file, follow imports, and understand the full picture.
+- **Fast via git worktrees** — isolated checkouts that share `.git`. No re-cloning. Reviews start in milliseconds.
+- **Runs real commands** — configure linters, type checkers, and test suites to run during review. Failures are included in the AI's analysis.
+- **Structured output** — severity-tagged findings with inline comments on specific lines and a summary comment.
+- **Daemon or one-shot** — background polling across all repos, or single PR reviews on demand. Dry-run mode to preview.
+- **Multi-repo, multi-AI** — different repos can use different AI backends, models, and review instructions.
+- **Smart re-reviews** — new commits on a PR trigger a fresh review; old comments are deleted automatically.
+- **Draft-aware** — skips draft PRs by default. Add `[review]`, `[claudiu]`, `[ask]`, or `[bot review]` to the title to request a review anyway.
+- **Critical tasks** — optionally creates a BitBucket PR task on critical findings to block merge.
+- **Spam protection** — configurable diff size thresholds, cooldowns, and title/author skip patterns.
+
+## Quick Start
+
+### 1. Install
+
+```bash
+git clone https://github.com/simion/reviewd.git
+cd reviewd
+uv tool install -e .
+```
+
+Requires Python 3.12+ and [`uv`](https://docs.astral.sh/uv/). You also need `claude` or `gemini` CLI installed and authenticated.
+
+### 2. Configure
+
+```bash
+reviewd init   # creates ~/.config/reviewd/config.yaml
+```
+
+<details>
+<summary><b>GitHub setup</b></summary>
+
+1. Create a [Personal Access Token](https://github.com/settings/tokens) with the **`repo`** scope.
+2. Export it: `export GITHUB_TOKEN=ghp_...`
+3. Config:
+
+```yaml
+github:
+  token: ${GITHUB_TOKEN}
+
+repos:
+  - name: my-repo
+    repo_slug: owner/my-repo
+    path: ~/repos/my-repo
+    provider: github
+```
+
+</details>
+
+<details>
+<summary><b>BitBucket setup</b></summary>
+
+1. Create an [App Password](https://bitbucket.org/account/settings/app-passwords/) with **Pull requests: Read** and **Write**.
+2. Export it: `export BB_AUTH_TOKEN=ATCTT3x...`
+3. Config:
+
+```yaml
+bitbucket:
+  your-workspace: ${BB_AUTH_TOKEN}
+
+repos:
+  - name: my-project
+    path: ~/repos/my-project
+    provider: bitbucket
+    workspace: your-workspace
+```
+
+</details>
+
+Both providers can be used in the same config.
+
+### 3. Review
+
+```bash
+reviewd pr my-project 42           # one-shot
+reviewd pr my-project 42 --dry-run # preview
+reviewd watch -v                   # daemon mode
+```
+
+## How It Works
+
+```
+Poll API → Check State (SQLite) → Fetch & Worktree → AI Review (Claude/Gemini) → Parse JSON → Post Comments → Cleanup
+```
+
+1. Fetches open PRs from GitHub/BitBucket
+2. Skips already-reviewed commits, drafts, cooldowns, and small diffs
+3. Creates a git worktree, runs configured test commands
+4. Invokes the AI CLI with a structured prompt and JSON output schema
+5. Posts inline comments + summary comment, tracks state in SQLite
+
+## Configuration
+
+### Global (`~/.config/reviewd/config.yaml`)
+
+```yaml
+poll_interval_seconds: 60
+
+github:
+  token: ${GITHUB_TOKEN}
+
+bitbucket:
+  your-workspace: ${BB_AUTH_TOKEN}
+  other-workspace: ${OTHER_BB_TOKEN}
+
+cli: claude                    # or "gemini"
+# model: claude-sonnet-4-5-20250514
+
+# review_title: "Code Review by Nea' ~~Caisă~~ Claudiu"
+# footer: "Automated review by ..."
+# skip_title_patterns: ['[no-review]', '[wip]', '[no-claudiu]']
+# skip_authors: []
+
+instructions: |
+  Be concise and constructive.
+  Every issue must include a concrete suggested fix.
+
+repos:
+  - name: gh-backend
+    repo_slug: owner/gh-backend
+    path: ~/repos/gh-backend
+    provider: github
+
+  - name: bb-frontend
+    path: ~/repos/bb-frontend
+    provider: bitbucket
+    workspace: your-workspace
+    cli: gemini
+    model: gemini-2.5-pro
+```
+
+### Per-project (`.reviewd.yaml` in repo root)
+
+```yaml
+instructions: |
+  Python 3.12+, Django 5.x.
+  Check for missing select_related/prefetch_related.
+
+test_commands:
+  - uv run ruff check .
+  - uv run pytest tests/ -x -q
+
+skip_severities: [nitpick]       # options: critical, suggestion, nitpick, good
+inline_comments_for: [critical]  # rest goes in summary
+# max_inline_comments: 5         # skip all inline if exceeded
+# min_diff_lines: 0              # initial review threshold (0 = disabled)
+# min_diff_lines_update: 5       # re-review threshold for pushed commits
+# review_cooldown_minutes: 30
+# approve_if_no_critical: false
+# critical_task: true            # create PR task on critical findings (BitBucket)
+```
+
+## CLI Reference
+
+```bash
+reviewd init                                  # create config file
+reviewd ls                                    # list repos and open PRs
+reviewd watch -v                              # daemon mode
+reviewd watch -v --dry-run                    # preview, no posting
+reviewd watch -v --review-existing            # review not-yet-reviewed open PRs
+reviewd pr <repo> <id>                        # one-shot review
+reviewd pr <repo> <id> --force                # re-review (bypasses draft/skip)
+reviewd status <repo>                         # review history
+```
+
+## Architecture
+
+- **Polling, not webhooks** — no tunnel or public endpoint needed
+- **Git worktrees** — near-instant isolated checkouts
+- **Full AI tool access** — the AI reads files, runs commands, explores code
+- **JSON schema** — structured findings, the tool just parses and posts
+- **SQLite state** — tracks `(repo, pr_id, commit)` to avoid duplicates
+- **Provider abstraction** — GitHub and BitBucket, extensible
+
+## Security
+
+> reviewd gives the AI CLI full tool access in git worktrees on your machine. Only watch repos where you trust the contributors.
+
+## Disclaimer
+
+> This project is **100% vibe-coded** — written entirely through AI-assisted development with Claude Code. Why is that fine? It's a read-only tool that posts PR comments. The worst it can do is post a bad review.
+
+## License
+
+MIT