323 Commits

Author SHA1 Message Date
Colin McDonnell f87e0f878c action: minimize pullfrog.yml permissions and drop actions:read (#594)
* action: minimize pullfrog.yml permissions and drop actions:read

The recommended pullfrog.yml workflow asked for a permissions block that's
broader than what the action actually uses with the workflow GITHUB_TOKEN —
all real work (git push, PR comments, reviews) goes through installation
tokens that the action mints via OIDC. Customer security scanners flagged
the workflow-level block as too permissive.

- Move permissions to the job level and reduce to id-token: write,
  pull-requests: write, issues: write. contents:read is the implicit default
  and covers actions/checkout; contents:write, checks:read are unused by
  any GITHUB_TOKEN consumer; actions:read was only used by post-cleanup's
  listJobsForWorkflowRun call.
- Replace listJobsForWorkflowRun with a SIGTERM/SIGINT handler in main.ts
  that calls core.saveState("cancelled", "true"); post-cleanup reads it
  back via core.getState. Same cancel-vs-failure UX, no extra scope needed.
- Sync the docs (headless-action, getting-started, action/README) and the
  two dogfood pullfrog.yml workflows to the new minimal block. Update the
  post-cleanup wiki to describe the saveState approach.

* action: drop pull-requests/issues from required workflow scopes

Switch postCleanup.ts to mint its own short-lived installation token via OIDC
(acquireNewToken with issues:write + pull_requests:write) instead of using the
workflow GITHUB_TOKEN. Same comment-update behavior, but the workflow no longer
needs those scopes — the only permissions Pullfrog ever asks for are id-token:write
(OIDC exchange) and contents:read (actions/checkout).

Also fixes a bug from the previous commit: setting an explicit permissions block
drops every unlisted scope to none (with metadata as the only exception), so
omitting contents would have broken actions/checkout. Restored at both workflow
and job level.

* action: scope id-token:write to pullfrog job, not workflow level

id-token:write is the powerful one — it lets a job mint OIDC tokens that can
be exchanged for cloud credentials or our installation tokens. Keeping it at
workflow level means any future job added to this file silently inherits it.
Move it to the job level where it's actually used; leave only contents:read
at workflow level as a safe baseline for any future jobs.

* action: move stuck-comment cleanup server-side, drop write perms entirely

The action's post-cleanup step lived inside the runner and used the workflow
GITHUB_TOKEN to update the "Leaping into action…" progress comment when a run
failed/cancelled, requiring pull-requests:write + issues:write at the workflow
level. Move that responsibility to the workflow_run.completed webhook handler:
it already has installation-token access via the GitHub App, runs server-side
(no Pullfrog API dependency loop on failure), and lets us drop both write perms.

Recommended workflow permissions block is now truly minimal:

  permissions:
    contents: read
  jobs:
    pullfrog:
      permissions:
        id-token: write
        contents: read

Server side
- handleWorkflowRunCompleted: when conclusion != "success" and the WorkflowRun
  has progressCommentId, mint installation octokit and update the stuck comment
  in place. Try issues.getComment first, fall back to pulls.getReviewComment on
  404 (we don't store comment type — one wasted GET on the rarer review case).
- Reuses buildPullfrogFooter and updateProgressComment from pullfrog/internal,
  matching the wording the action used to write client-side.

Client side
- Delete action/utils/postCleanup.ts and action/post.ts.
- Remove post: + post-if: from action/action.yml.
- Drop runPostCleanup wiring from action/commands/gha.ts and action/play.ts.
- Remove the SIGTERM/saveState handler I added in main.ts in the previous commit
  (no longer needed; cancel/fail signal comes from the webhook hook payload).

Plumbing
- Extract isLeapingIntoActionCommentBody into action/utils/leapingComment.ts so
  the predicate can be re-exported via pullfrog/internal without dragging the
  MCP server's transitive type graph into the Next.js app's typecheck.
- mcp/comment.ts re-exports from the new location for backward compat.

Wiki
- Delete wiki/post-cleanup.md (obsolete; cleanup is now a one-liner branch in
  the workflow_run webhook handler).

* chore: ignore .worktrees in biome config

Recently-added pnpm worktree feature creates nested git worktrees under
.worktrees/, each with their own biome.jsonc declaring root. Biome's
recursive scan trips on the nested config and fails pnpm lint. Excluding
the directory matches the existing .gitignore entry.

* fix: address PR #594 review findings

Two real bugs caught by code review:

1. handleWorkflowRunWebhook.ts:323 — drop the /m flag on the stuck-comment
   detection regex. With /m, ^ matches any line start, so any finalized
   progress comment that embeds a task list (report_progress writes
   `- [x]`/`- [ ]` lines via todoTracking.ts) would be flagged as "stuck"
   and silently overwritten with the "This run croaked" boilerplate
   whenever the workflow concluded non-success after the agent's final
   summary already landed. Restores the body-start anchoring the original
   in-process postCleanup.ts:90 had.

2. action/scripts/check-entrypoint-imports.ts — drop ../post.ts from the
   esbuild entry-point list (the file was deleted in aa43b9af). The
   `pnpm check:entrypoints` step in test.yml would have failed on every
   run with an unresolvable-entry-point error.

Plus three small follow-ups:
- main.ts:580 — comment said "post-cleanup has its own verify-retry loop"
  but post-cleanup is gone. Updated to describe the new server-side path.
- mcp/comment.ts:443 — comment said "so post script doesn't think the run
  failed". Updated to describe the actual current consumers of wasUpdated.
- commands/gha.ts:84 — `--post` help text said "run post-cleanup flow" but
  with the post-cleanup path removed, --post is only valid alongside the
  `token` subcommand for installation-token revocation. Updated wording.

* fix(action): scope --post help text to gha token subcommand

Root gha help text was documenting --post, but --post only makes sense
paired with the token subcommand (it's how the post step revokes the
installation token previously acquired in the main step). Move it to a
dedicated gha token help section and add a parser layer that rejects
--post on the bare gha command.

  $ pullfrog gha --help
  usage: pullfrog gha [subcommand]
  ...
  options:
    -h, --help   show help

  $ pullfrog gha token --help
  usage: pullfrog gha token [--post]
  ...
  options:
    -h, --help   show help
    --post       revoke the previously-acquired token (post-step usage only)

* webhook: artifact-aware cleanup of stranded leaping comments on success

Previously the workflow_run.completed cleanup only handled non-success
conclusions. Extend it to also catch the rare case where a successful
run leaves a "Leaping into action…" comment stuck (in-process cleanup at
action/main.ts:723 normally handles this, but can be skipped on SIGKILL,
runner host crash, or any exit path that bypasses main()'s finally block).

New behavior in cleanupStuckProgressComment:

  - cancelled       → update with "cancelled 🛑" body  (unchanged)
  - failure (other) → update with "croaked 😵" body    (unchanged)
  - success + artifact recorded → delete the comment (the artifact is the
                                  user-facing surface; the leaping comment
                                  is just stale UI noise at this point)
  - success + no artifact recorded → delete the comment AND alert
                                     team@pullfrog.com via emailAlert

The "success + no artifact" path is "should never happen" territory: the
run claims success but produced no review, PR, issue, plan, or summary
comment. The team alert helps us catch in-process cleanup regressions or
artifact-tracking gaps. hasRecordedArtifact reads {review,pr,issue,
planComment,summaryComment}NodeId off the WorkflowRun row to make the call.

* webhook: narrow stuck-comment detection to leaping prefix only

Drop the stranded-todo-pattern branch from cleanupStuckProgressComment.
The leaping prefix is highly specific and impossible to confuse with a
legitimate summary; a leading todo line is not — the agent's
error-reporting paths can produce useful explanatory comments whose
body leads with a checklist (e.g. "here's what I was working on" + the
incomplete todo list), and we don't want to silently overwrite those
with the generic "croaked" boilerplate.

In-process cleanup at action/main.ts:723 still handles the stranded-todo
case in the common path (gated on !finalSummaryWritten with full access
to the in-memory tool state). Missing the rare runner-died-mid-todo case
server-side is a worthwhile trade vs. the false-positive risk on real
explanatory comments.
2026-05-07 18:59:52 +00:00
pullfrog[bot] 366af55f19 fix(action): sweep stale .git/*.lock and deepen-retry shallow git_fetch (#564) (#578)
- checkoutPrBranch now removes .git/shallow.lock, .git/index.lock, and
  .git/objects/maintenance.lock when older than 30s before the first fetch.
  prior runs that crashed mid-fetch left these behind on self-hosted runners,
  causing checkout_pr to abort with `Unable to create '.git/shallow.lock':
  File exists` until the agent shelled out to rm -f.

- GitFetchTool catches `Could not read <sha>` and `remote did not send all
  necessary objects` on shallow clones and retries once with --deepen=1000
  instead of bouncing the failure back to the agent. agents previously had
  to fall back to checking out FETCH_HEAD, losing branch context.

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
Co-authored-by: David Blass <david@arktype.io>
2026-05-06 22:38:41 +00:00
pullfrog[bot] 4c1413d925 fix(action): flip wasUpdated on substantive MCP write tools (#563) (#577)
* fix(action): flip wasUpdated on substantive MCP write tools (#563)

Review/Respond/etc. agents that submit a `create_pull_request_review`,
`create_issue_comment`, or `update_pull_request_body` and exit without
calling `report_progress` were being marked as workflow failures by the
strict completion check in handleAgentResult. Extend the set of tools
that flip toolState.wasUpdated so a substantive user-visible artifact
satisfies the check. The isReviewMode bypass is retained for
IncrementalReview's non-substantive path.

Flag is set BEFORE patchWorkflowRunFields / deleteProgressComment in
each tool so a best-effort cleanup failure does not undo the signal.

* fix(action): use finalSummaryWritten for stranded progress cleanup

The stranded-progress-comment cleanup at the end of main() previously
fired only when toolState.wasUpdated was false (or the tracker was the
last writer). With wasUpdated now set by additional MCP write tools
(create_issue_comment, update_pull_request_body), an agent that produced
a substantive artifact via one of those tools and skipped report_progress
would leave the placeholder "Leaping into action" comment intact — the
post-script then converted it into an error message on a successful run.

Key the cleanup off finalSummaryWritten instead. That flag is only set
when report_progress actually wrote the progress comment, so it cleanly
distinguishes "comment is finalized" from "agent did other work but
never touched the progress comment".

* refactor(mcp): extract markSubstantiveArtifact() helper

replaces 4 inline `ctx.toolState.wasUpdated = true` flips in CreateCommentTool, UpdatePullRequestBodyTool, and CreatePullRequestReviewTool with a single helper in mcp/server.ts. JSDoc on the helper documents the contract (call BEFORE downstream patch/cleanup; gates the strict completion check and stranded-comment cleanup) so future MCP write tool authors only need to grep for one symbol.

no behavioral change.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(mcp): only flip finalSummaryWritten after non-skipped write

Previously the flag was set unconditionally on any non-plan call,
including paths where reportProgress skipped (silent events, deleted
comment, no issue/PR target). The cleanup check in main.ts is
safeguarded by toolState.progressComment so the bug doesn't manifest
today, but aligning the flag with actual writes matches the wasUpdated
pattern and the design intent in the cleanup plan.

* refactor(mcp): inline markSubstantiveArtifact helper

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
Co-authored-by: David Blass <david@arktype.io>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-06 21:05:53 +00:00
pullfrog[bot] 6db4a6d02e fix(mcp): preserve coveragePreflightRan across checkout_pr refreshes (#576)
checkout_pr unconditionally rebuilds ctx.toolState.diffCoverage via
createDiffCoverageState, which initialised coveragePreflightRan to false.
a second checkout_pr therefore reset the "one-time nudge per review
session" guarantee in runDiffCoveragePreflight, and the next
create_pull_request_review threw the diff-coverage pre-flight error
again — even after the agent had already gone through the
read-and-resubmit dance once.

createDiffCoverageState now accepts an optional previous state and
carries forward coveragePreflightRan. coveredRanges are intentionally
not carried because their line numbers are tied to the previous diff's
content (especially under incremental diffs).

closes #566

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
Co-authored-by: David Blass <david@arktype.io>
2026-05-06 20:54:34 +00:00
Colin McDonnell 560e27bda5 refactor progress comments into a bundled type + helper module (#567)
* refactor progress comments into a single bundled type + helper module

introduce ProgressComment ({ id, type: "issue" | "review" }) as the canonical handle for
the GitHub comment a run uses to report progress, and route every read/update/delete/create
through a single helper module (action/utils/progressComment.ts). previously every site that
touched the progress comment hardcoded octokit.rest.issues.*Comment, which made adding a
second comment type (review-thread replies) require duplicating the same branch in 6+ places
— the same shape that bit pullfrog/app#445.

new capability: when the address-reviews trigger fires for a one-off review comment, the
"Leaping into action" comment is now posted as a reply in that review thread instead of as
a top-level PR timeline comment. the helper handles failure (e.g. parent comment deleted)
by silently falling back to a top-level issue comment, so the run never loses its progress
surface.

changes:

- action/utils/progressComment.ts (new) — ProgressComment type + getProgressComment,
  updateProgressComment, deleteProgressCommentApi, createLeapingProgressComment. uses a
  structural Octokit interface to bridge the @octokit/rest version mismatch between the
  action package (v22) and the root project (v21).
- action/internal/index.ts — re-export the new types and helpers for cross-boundary use.
- action/external.ts, action/utils/payload.ts — replace progressCommentId: string with
  progressComment: { id: string, type: "issue" | "review" } in WriteablePayload + JsonPayload.
  wire-format breaking, no legacy fallback (in-flight runs across the deploy lose their
  progress comment, fine).
- action/mcp/server.ts — ToolState.progressCommentId becomes
  progressComment: ProgressComment | null | undefined (same tristate semantics).
- action/main.ts, action/mcp/comment.ts, action/utils/errorReport.ts,
  action/utils/postCleanup.ts — every issues.*Comment call against the progress comment
  routes through the helper module. zero hardcoded API branching outside the helper.
- utils/github/triggerWorkflow.ts — drop createLeapingComment + updateCommentToLeaping;
  dispatchAndTrackWorkflow gains a resolution chain (existingComment → replyToReviewComment
  → triggeringIssue → none) and an existingComment: ProgressComment param plus
  replyToReviewComment: { pullNumber, commentId }.
- utils/webhooks/handleWebhook.ts — dispatch closure threads replyToReviewComment through;
  the one-off review comment branch passes it and skips the now-redundant eyes reaction
  on the comment we're about to reply to.
- app/trigger/[owner]/[repo]/[number]/page.tsx, utils/github/runActionLocal.ts,
  app/api/cli/dispatch/route.ts, app/api/dispatch-workflow/route.ts — call sites updated to
  new shape.

no schema or DB column changes. the existing WorkflowRun.progressCommentId column is still
written by id only; type lives only on the in-flight payload, which is sufficient for
runtime since it's the only thing that needs to know which API to call.

* anneal pass 1: fallback visibility + stale doc/comment updates

- progressComment.ts: when reviewReply→issue fallback fires, prepend a [!NOTE] callout
  with a permalink back to the original review comment. without this, the parent comment
  showed no eyes reaction (deliberately skipped) and no reply, leaving the user with no
  signal that anything happened.
- wiki/post-cleanup.md: update progressCommentId references to progressComment, document
  the new helper-based dispatch by type.
- wiki/main.md: update initToolState({ progressCommentId }) → ({ progressComment })
  in the resolver-chain diagram.
- action/main.ts, action/mcp/review.ts: update two stale comments that referenced the
  old field name.

* anneal pass 2: post-cleanup detection through fallback notice + log cleanup

- isLeapingIntoActionCommentBody: strip a leading GFM blockquote/alert before
  testing the leaping prefix. without this, the [!NOTE] callout that the
  reviewReply→issue fallback prepends would prevent post-cleanup from
  recognizing the stuck "Leaping into action..." comment, leaving it permanently
  on the PR timeline if the workflow died before any progress update.
- progressComment helper: switch from log.warning (action-flavored, emits a
  ::warning:: GitHub Actions annotation) to console.warn so the helper doesn't
  pollute Vercel logs when invoked from the webhook context.
- triggerWorkflow.ts: drop the duplicate caller-side log on review-reply
  failure — the helper already speaks loudly. Reword the catch-branch log to
  reflect that it now only fires when both the reply AND the helper's internal
  fallback failed.
- progressComment.ts: document that the [!NOTE] fallback notice is overwritten
  on the first report_progress call, and explain the trade-off vs persisting
  it through the action payload + ToolState.

* debloat: drop the [!NOTE] fallback callout

Reverting two pieces from the prior anneal pass:

- progressComment.ts: drop the [!NOTE] callout that the reviewReply→issue fallback
  prepended to the leaping body. It disappeared on the agent's first report_progress
  call, which made it half-committed to visibility — worse than either properly
  persisting it (real engineering) or leaving the fallback silent (current choice).
  The console.warn diagnostic and the workflow-run footer link in the leaping
  comment itself give us enough signal for the rare case where both API endpoints
  fail at once.
- isLeapingIntoActionCommentBody: revert the leading-blockquote stripping; only
  needed to compensate for the [!NOTE] callout.

Keeping: the console.warn-vs-log.warning fix (real cross-runtime concern), the
duplicate-log drop in triggerWorkflow.ts, the wiki updates, and the two stale
source-comment fixes.

* fix: prevent stranded task list overwriting post-cleanup message

When a run is cancelled, the action's todoTracker may have an HTTP write in
flight to GitHub when SIGTERM lands. The action process dies, but the request
data has already left the socket — GitHub processes it and updates the comment
body to the (stale) task list. Meanwhile post-cleanup, running in a separate
process, writes the "This run was cancelled 🛑" message. If the tracker's
in-flight write happens to land *after* post-cleanup's write, the user never
sees the cancellation message.

Two-layer fix:
- Action side: cancel the tracker in the SIGTERM signal handler so no new
  debounced writes get scheduled. This shrinks the race window but can't
  un-send a request already on the wire.
- Post-cleanup side: after writing, verify the body landed and re-issue if
  another write clobbered ours. Loops up to 3× with a 3s settle delay so
  delayed in-flight writes from the dying action have time to arrive before
  our read-back check decides whether to retry.

* lint: import createLeapingProgressComment from pullfrog/internal in test script

* address bot review findings: reply-target root, version bump, GET error handling

Three real findings from the bot reviews on #567 plus a small DRY pass:

1. handleWebhook reply-target: `newComments[0]` may be a reply, not a
   top-level review comment. `getReviewCommentsWithReplies` returns root +
   replies for any thread the review touched, and `pull_request_review_id`
   filtering only narrows by *which review submitted*, not *root vs reply*.
   When a user submits a single reply as their entire review (e.g. replying
   to someone else's comment to ping @pullfrog), the reply ID flowed through
   to `createReplyForReviewComment`, which 422s on replies-to-replies and
   degraded to a top-level issue comment — exactly the polluted-PR-timeline
   behavior this PR was built to remove. Walk up `in_reply_to` from the
   already-fetched thread data to find the root and reply there instead.

2. action/package.json: bumped 0.0.202 → 0.0.204. main is at 0.0.203 and
   our wire format changed; without a bump validateCompatibility can't
   surface the mismatch on the deploy boundary, and the merge would have
   gone backwards.

3. postCleanup writeAndVerify: distinguish a thrown verify-GET from a
   "body got overwritten" mismatch. Treating a transient 5xx/rate-limit GET
   the same as a clobber wasted PUT attempts and printed a misleading
   "in-flight writes kept clobbering us" warning. We trust our PUT (which
   returned 200) and exit instead of amplifying writes against a flaky API.

4. Small DRY: extracted parseProgressComment for the
   `{ id: string; type } -> ProgressComment` parse that had drifted across
   server.ts and postCleanup.ts.
2026-05-06 01:50:58 +00:00
David Blass ada5584737 test(mcp): make checkout/reviewComments tests offline (fixture-driven) (#575)
`mcp/checkout.test.ts` and `mcp/reviewComments.test.ts` previously hit
live GitHub on every run via `acquireNewToken()`, requiring `GH_TOKEN`
or `GITHUB_APP_ID` + `GITHUB_PRIVATE_KEY` in the env. that made them:

- cred-gated — the action runtime filters `_KEY$` / `_TOKEN$` from
  subprocess env, so the husky pre-push hook (which runs
  `pnpm -r test`) blocked Pullfrog agents from pushing branches. issues
  #562, #563, #564, #566 all hit this exact blocker and never got their
  fixes pushed.
- non-deterministic and slow (network round-trips for a snapshot test).

both tests are really snapshot tests of pure formatters
(`formatFilesWithLineNumbers`, plus `parseFilePatches` /
`buildThreadBlocks` / `formatReviewThreads` for review data). the live
fetches were just an inefficient way to obtain fixtures.

changes:

1. extract a pure `formatReviewData({ review, threads, prFiles, ... })`
   from `getReviewData` in `mcp/reviewComments.ts`. `getReviewData`
   becomes thin orchestration: fetch + call formatter. preserves the
   "skip listFiles when no threads" perf optimization.

2. add `action/mcp/__fixtures__/` with checked-in JSON captures for the
   three fixture test cases (pullfrog/test-repo#1 listFiles,
   pullfrog/scratch#49 review 3485940013, pullfrog/scratch#64 review
   3531000326). ~14KB total. fixtures store only the fields the
   formatter reads — volatile fields (sha, blob_url, etc.) are dropped.

3. rewrite both test files to load the fixtures and call the pure
   formatters directly. snapshot keys updated; snapshot content
   unchanged (verified by running existing snapshots against the
   refactored tests).

4. add `action/scripts/refresh-test-fixtures.ts` to re-fetch the
   fixtures from live GitHub on demand:
   `node action/scripts/refresh-test-fixtures.ts` (with creds in
   `.env` or env). re-run when the GitHub API response shape changes
   and review the snapshot diff.

trade-off: a silent change to GitHub's `pulls.listFiles` /
`pulls.getReview` / GraphQL `reviewThreads` response shape would no
longer break this test on every push. that tradeoff is worth it: shape
drift on those endpoints is rare (years between changes), and a
dedicated cron that runs the refresh script and opens a PR on diff is
a far better signal than a flaky cred-gated pre-push hook.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-05 23:25:46 +00:00
David Blass b6e2c61d30 fix(push_branch): retry transient push errors and surface full stderr/stdout (#573)
* fix(push_branch): retry transient push errors and surface full stderr/stdout

issue #571 motivated three small improvements to `mcp__pullfrog__push_branch`:

1. classify push errors into `concurrent-push` / `transient` / `unknown`.
   - `concurrent-push` extends the existing `fetch first` / `non-fast-forward`
     matcher to also catch the server-side `cannot lock ref` form (the case
     #571 reports). all three route to the same fetch + integrate + retry
     recovery message; copy now mentions concurrent push as a likely cause.
   - `transient` covers RPC failed, early EOF, connection reset, dns flake,
     HTTP 5xx, HTTP/2 stream not closed, and unexpected sideband disconnect.
     these are retried in-tool with 2s + 5s backoff before surfacing the
     error. push is idempotent so verbatim retry is safe.
   - `unknown` (auth/permission/protected-branch/4xx) is rethrown unchanged —
     retrying these wastes time and noise.

2. surface stdout alongside stderr in `$git` failure messages and include the
   exit code. previously only `stderr.trim()` was forwarded, which could be
   empty in rare HTTPS failure modes (the agent on issue #571's run saw a
   one-line `failed to push some refs` and had nothing to diagnose with).

3. unit tests for the classifier covering all three branches plus the
   concurrent-push-wins-over-transient ordering.

does not introduce auto fetch+rebase+retry inside the tool — that path is
blocked under shell=disabled, can leave the working tree mid-conflict, and
would create unwanted merge commits. the recovery message keeps the agent
in the loop.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(push_branch): retry 429, jitter backoff, downgrade retry log to info

- treat HTTP 429 (rate-limit / abuse detection) as transient — GitHub
  occasionally surfaces it on git push, where it is retry-safe unlike
  401/403/404
- add ±25% jitter to backoff so concurrent agents hit by the same
  upstream blip don't retry in lockstep
- log retries with log.info instead of log.warning to match retry.ts
  convention; a successful retry shouldn't leave a yellow GHA annotation
  behind in the job summary

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
2026-05-05 21:59:40 +00:00
Colin McDonnell e58299740d Merge pull request #545 from pullfrog/billing
managed billing + stripe v1
2026-05-05 19:33:46 +00:00
Colin McDonnell 8c01ee3251 guard against duplicate create_pull_request_review calls in the same session (#553)
the agent occasionally submits twice in one Review-mode run — once with
substantive feedback, then again with the canonical "Reviewed — no issues
found." body when the prompt's branch logic re-classifies non-blocking
observations as "no actionable issues" (see colinhacks/zod#5897). the
second submission is always redundant noise on the PR.

duplicateReviewDecision short-circuits the second call when toolState.review
is already populated for the current checkout sha. legitimate follow-up
reviews after new commits still go through because the new-commits-mid-review
path advances toolState.checkoutSha past the prior reviewedSha before
returning, so the next call sees a different sha and is allowed.
2026-05-04 19:23:38 +00:00
Colin McDonnell 8cee07d388 move progress-comment cleanup into create_pull_request_review (#551)
* fix: snapshot review state so progress comment cleanup actually fires

postReviewCleanup deletes toolState.review as its second statement, so
the defense-in-depth `if (toolState.review && progressCommentId)` branch
right after never saw a truthy value. This left an orphaned progress
comment alongside the submitted review whenever the agent called
report_progress despite Review/IncrementalReview mode instructions
(seen in the wild on colinhacks/zod#5767).

Snapshot the boolean before postReviewCleanup runs.

* move progress-comment cleanup into create_pull_request_review

The previous commit snapshotted toolState.review to work around
postReviewCleanup deleting it before the cleanup branch could read it.
That fixed the symptom but kept a fragile design: the rule "review
submitted → progress comment is noise" was enforced from the bottom of
main.ts via a flag set in one place and consumed in another, with a
helper between them that mutated the same flag for unrelated reasons.

Move the rule to its natural owner. create_pull_request_review now
calls deleteProgressComment immediately after the review is persisted,
so the cleanup is atomic with submission. This:

- closes the catch-block hole — a review submitted right before a
  timeout/crash now still cleans up its progress comment.
- removes the dead "defense-in-depth" branch in main.ts that was the
  original bug surface.
- relies on the existing progressCommentId=null no-op path in
  reportProgress to make any later report_progress call a no-op (so
  the misbehavior path can't re-create the orphan).
- only fires for Review/IncrementalReview in practice — those are the
  only modes that call create_pull_request_review, and both are
  prompted not to call report_progress. Build/AddressReviews/Plan
  never reach this code path, so their progress comments remain
  untouched.

Stranded-comment cleanup in main.ts is unchanged and still handles
the truly orphaned case (no review, no report_progress).
2026-05-04 19:20:30 +00:00
Colin McDonnell 55c95e6f50 Fix Node 24 action bootstrap fallback (#556)
* Fix Node 24 action bootstrap fallback

Resolve the published CLI launcher through PATH so runners missing a sibling Node 24 npx can still start, and make post cleanup recognize prefixed leaping comments.

* Bump Pullfrog action package version

Ensure the Node 24 bootstrap and post-cleanup fixes publish to npm and move the v0 action tag.

* Walk PATH for corepack and npx in action bootstrap

ensureActionDependencies and runPackageCli now resolve corepack/npx through
PATH the same way as the npx-via-PATH fix, so Node 24 runner pools missing
either sibling can still bootstrap. Also adds a Zod-mirror settings helper
for the preview-556 repo and documents the per-PR settings workflow.

* log when corepack PATH fallback is used
2026-05-01 15:59:46 +00:00
David Blass 57bd10d6dd run-issues fixes: #5, #11, #12, #15, #16/#25, #20, #21, #22, #31 (#546)
* fix(#15): precompute diff anchors in checkout_pr TOC

* test(#15): update TOC snapshot for precomputed diff anchors

* chore(tests): skip codex-mini-latest models.dev check + refresh latest-by-provider snapshot

* fix(#22): add commitCount and commitLog to checkout_pr return

* fix(#21): include PR body in checkout_pr return

* fix(#5): force-fetch PR refspec to overwrite stale local branch

* fix(#31): rename git tool parameter from subcommand to command

* fix(#11): soft-fail post-checkout hook, bump timeout to 10min

* fix(#16): strengthen diff file usage guidance

Agent was bypassing diffPath and running `git diff` instead. Tighten
instructions in `checkout_pr` result and remove the mixed-signal
"log, diff" listing in the global Git guidance. `git log` and
`git diff --stat` remain allowed for commit-range overview.

* fix(#20): drop invalid inline review comments instead of failing review

Previously, a single inline comment anchored outside a diff hunk would
422 the entire review submission. Pre-validate comments against the
PR file patches via listFiles, drop the invalid ones, and append a
note to the review body listing what was skipped. Include the dropped
list in the tool response so the agent can retry targeted fixes.

* fix(#12): stop MCP server on inner activity kill + filter reconnect noise

Inner-activity-kill zombies were burning multi-hour runner time because
mcp-proxy's SSE reconnect and provider-error retry lines kept the outer
activity timer alive long after the agent subprocess was killed.

- Filter [mcp-proxy] / "provider error detected" chunks so they don't
  count as outer-timer activity.
- Add onActivityTimeout callback to spawn + thread through agent runs.
- main.ts wires that callback to stop the MCP HTTP server (so reconnects
  finally fail instead of looping) and arms a 5min safety-net timer that
  force-rejects the outer timer if the agent promise is still pending.

* audit: harden #12 lifecycle + cover #20/#12 with unit tests

Bugs found during Ralph audit of the prior run-issues fixes:

- main.ts's 5min safety-net setTimeout was never cleared on the happy
  path; also activityTimeout.stop() didn't null the internal rejectFn,
  so a late forceReject from the safety-net could still reject a
  long-resolved promise. Timer now cleared in finally; stop() now
  disarms forceReject.
- mcp server disposal was non-idempotent, so the inner-kill path ran
  server.stop() twice once the outer `await using` block exited. Made
  the returned disposer idempotent.

Tests:

- action/mcp/review.test.ts: 14 tests for commentableLinesForFile
  (multi-hunk, no-count hunks, no-newline marker, empty) and
  validateInlineComments (file not in diff, wrong side, out-of-range
  line and start_line, partitioning batches, default side).
- action/utils/activity.test.ts: 6 tests for isActivityNoise covering
  mcp-proxy lines, provider-error lines, mixed chunks, Buffer input.

* audit(#22): cap commitLog at 200 + scope git-diff restriction to PR review

- cap git log --oneline at 200 entries so a PR with thousands of commits
  cannot blow up the MCP tool response; expose commitLogTruncated so
  callers can warn the agent when the log was clipped
- tighten instruction wording so `git diff` / `git diff --cached` remain
  available for inspecting an agent's own uncommitted changes, while
  PR review content must still come from diffPath

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#11,#22,#31): surface hook/commit warnings in instructions + polish git tool

- append hookWarning + commitLogTruncated advisories to checkout_pr
  instructions so the agent actually sees the warning inline, not just
  as a field it may skip
- fix stale 'subcommand' wording in git tool redirect for `pull` and
  in the `command` parameter description; the MCP parameter is named
  `command` now, and that's what the agent binds to

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(#20): reassign params.comments even when all inline comments dropped

if every inline comment fails pre-validation, the earlier guard skipped
reassigning params.comments, so the submission still carried the bad
comments and GitHub 422'd on the whole review. always reassign to
validation.valid so the downstream 'nothing left to post' skip fires
and an otherwise-empty review is no-oped cleanly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#22): degrade gracefully when base ref isn't resolvable

checkout_pr used to assume \`origin/<base>\` is always reachable, but
it isn't guaranteed after a shallow fetch that only pulled down the PR
head. Failing the whole checkout over metadata we added for ergonomics
would be a regression, so wrap the rev-list / log in a try/catch and
return empty commit metadata instead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#12): anchor noise patterns to line start to avoid false positives

before this, a line like "agent said: [mcp-proxy] was there" or
"context: provider error detected in log" in real agent output would
have been treated as noise and failed to reset the outer activity
timer. both patterns now anchor at the start of the (optionally
debug-timestamped) line, matching only lines mcp-proxy or our own
log.info actually emit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#20): export and unit-test formatDroppedCommentsNote

covers single-line `path:N`, multi-line `path:start-end`, and
startLine==line fallback so changes to the dropped-comments note
format surface in test diffs instead of only in GitHub UI.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#20): cap dropped-comment note to stay under GitHub body limit

a pathological run (agent emits hundreds of invalid inline comments
on a huge PR and they all get dropped) would push the review body
past GitHub's ~65KB limit and fail the whole submission with a
body-too-long 422 — the exact all-or-nothing failure #20 was meant
to prevent. cap the detail list at 50 entries with a "…and N more"
line so the note stays bounded.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#20): distinguish binary/no-patch files in dropped-comment reason

previously a comment on a binary file (or pure rename / mode-only
change) was dropped with "line X is not inside a diff hunk", which
misleads the agent into retrying with different line numbers. call
out the no-textual-diff case explicitly so the agent knows to move
that feedback to the review body instead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#11): replace lifecycle timeout string-match with typed sentinel

spawn() now rejects with SpawnTimeoutError (code === SPAWN_TIMEOUT_CODE or
SPAWN_ACTIVITY_TIMEOUT_CODE) instead of a plain Error. executeLifecycleHook
now branches on that code so rewording the error message in subprocess.ts
can no longer silently misroute timeouts into the "transient — retry"
warning.

* audit(#12): route agent hung-vs-failed via typed SpawnTimeoutError

claude.ts and opentoad.ts decide between "hung" and "failed" log wording
based on the subprocess error. move them off the literal "activity
timeout" substring match onto the same SPAWN_ACTIVITY_TIMEOUT_CODE
sentinel used by lifecycle.ts so all three call sites agree on the
source of truth.

* audit(#20): delete leftover pending review when submit fails

Why: `createAndSubmitWithFooter` creates a PENDING review first so we can
mint Fix-links with the review ID, then submits. If submitReview fails
(e.g. 422 from a race where the diff moved between pre-validation and
submission), the draft was left on the PR. GitHub only allows one
pending review per user, so the agent's retry would then fail with
"already has a pending review" — an error the agent has no tools to
clean up from.

Best-effort cleanup: delete the pending draft on submit failure before
re-throwing the original error, so retries start from a clean slate.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#31): point agent to concrete alternative when rebase/bisect blocked

Why: in disabled-shell mode, `git rebase` and `git bisect` are blocked as
arbitrary-code-execution escape hatches. Previous error messages
explained *why* but left the agent without a next step — especially
painful right after the `pull` redirect, which suggested "merge or
rebase locally." The agent would follow that advice, hit the rebase
block, and loop without knowing what to try next.

Now: rebase block explicitly says "use 'merge' instead"; bisect block
notes that manual bisect is also unavailable through this tool; pull
redirect no longer recommends rebase in shell-disabled contexts.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: import security tables into security.test to prevent drift

Why: the security tests re-declared AUTH_REQUIRED_REDIRECT,
NOSHELL_BLOCKED_SUBCOMMANDS, and NOSHELL_BLOCKED_ARGS inline with
hand-copied message strings. When the runtime messages in git.ts were
tightened (recent rebase/bisect guidance updates), the test copies
drifted and tests validated a stale version of the logic while passing
clean. A missing or mistyped entry in git.ts could therefore slip
through.

Now: export the tables from git.ts and import them into the test file.
If a runtime message changes, the tests exercise the new string
automatically; if an entry is added or removed, tests covering that
command see the change without manual sync.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: widen pending-review cleanup to cover pre-submit throws

getApiUrl() (invoked in footer build) can throw if API_URL is
misconfigured, which would leak a pending draft between createReview
and the previous submitReview try/catch. Move the try/catch to wrap
the entire post-create body so any throw routes through
deletePendingReview cleanup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: reject leading-dash refs/branch names to block flag injection

git's parseopt accepts options intermixed with positional args, so a ref
like "--upload-pack=evil" passed to git_fetch could be parsed as a flag
rather than a refspec. Add a narrow rejectIfLeadingDash helper to
git_fetch (ref), delete_branch (branchName), and push_branch
(branchName). HTTPS remotes ignore --upload-pack server-side, but the
hygiene matters for defense in depth (ssh remotes, future code paths).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: validate the resolved branch in push_branch too

When branchName is omitted, rev-parse surfaces the current branch name,
which could start with '-' if git state was tampered with. Move the
leading-dash check to after the branch is resolved so both the explicit
and derived paths go through validation.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: cache commentable-lines snapshot at checkout to match review anchor

Review comments are anchored to checkoutSha (commit_id), but validation
was hitting pulls.listFiles at review time — latest HEAD, not the SHA the
agent actually reviewed. If the PR was updated mid-run, valid comments
could be silently dropped (or invalid ones admitted). Snapshot the
commentable lines during checkout_pr so review-time validation matches
the anchor exactly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#12): route activity monitor's own debug output around the write wrap

startProcessOutputMonitor monkey-patches process.stdout.write to mark
activity, then called log.debug(...) every 5s to report idle time — which
landed right back in its own wrapper, failed isActivityNoise, and called
markActivity. with ACTIONS_STEP_DEBUG=true (common on reruns) the idle
counter reset every interval and the timeout could never fire,
re-creating the #12 zombie-run bug for any debug-enabled run.

Fix: capture the original stdout.write and use it directly for the
monitor's own diagnostics so they bypass the feedback loop. Added a
tight-timeout regression test that asserts the timeout still rejects in
debug mode.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#12): noise-filter subprocess.ts monitor logs so outer timer survives debug

activity.ts's own monitor output already bypasses the wrap (c35cd3fb),
but subprocess.ts's spawn activity timer uses log.debug — which goes
straight through process.stdout.write and would still mark activity on
every interval when debug logging is enabled. Pattern-filter those
'(spawn|process) activity (check|timer|monitor)' lines in both local
([DEBUG] ...) and GH-runner (::debug::...) formats so they don't reset
the outer agent-hang timer.

Kept scoped to those specific monitor messages — a blanket [DEBUG]
filter would silently classify any coincidentally-debug-prefixed agent
output as idle, which is a worse failure mode than the one we're
fixing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#11): surface spawn ENOENT-style errors in stderr buffer

spawn() resolved with exitCode=1 and an empty stderr when the command
itself couldn't start (missing binary, bad permissions). lifecycle.ts
then reported 'output: (empty)' to the user, who was explicitly told
'retry if the failure looks flaky' — so every run hit the same wall with
no diagnostic trail.

Append the '[spawn] <cmd>: <node error>' line to stderrBuffer before
resolving so the real cause (ENOENT, EACCES, …) flows through to the
hook-warning message.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit(#11,#12): cover executeLifecycleHook typed-timeout routing

the typed SpawnTimeoutError + sentinel-code branching introduced in
d7ee7fd2 / ea8dd2c4 classifies hung vs failed lifecycle hooks — critical
for whether agents retry — but had no unit coverage. add tests for all
four branches (no script, exit 0, non-zero exit with retry-if-flaky
guidance, timeout with do-NOT-retry guidance, transient spawn failure).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: re-verify clean tree after prepush hook

the pre-prepush check guarantees we enter the hook with a clean tree, but
if the hook writes tracked files (formatter, type generator, build
artifacts), the push still only sends the pre-hook commit — the hook's
edits silently disappear from the upstream branch while the tool reports
"successfully pushed". add a post-hook status check so the agent sees the
dropped mutations and can commit or discard them before retrying.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: reject push_tags refspec injection via ':' in tag name

without tag validation, a tag like "foo:refs/heads/main" concatenated into
"refs/tags/${tag}" becomes a valid <src>:<dst> refspec — git pushes the
local refs/tags/foo's commit to remote main, bypassing push_branch's
default-branch guard. same shape blocks leading '-' (flag injection) and
other refspec metacharacters (~ ^ ? * [ \) via an allow-list regex.
only reachable in push=enabled today, so this is defense-in-depth, but
hardens the tool in case push_tags is ever exposed in restricted mode.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: stop pointing agents at an internal constant they can't change

the lifecycle-hook timeout warning told agents to "bump
LIFECYCLE_HOOK_TIMEOUT_MS" — but that's a hard-coded constant in the
action, not something the agent or repo owner can tune. the agent would
plausibly loop hunting for where to change it. redirect to the actual
lever they control: ask the repo owner to simplify the hook.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: drop inverted inline-comment ranges locally with precise reason

validateInlineComments only checked that both line and start_line anchor
inside a hunk, not that start_line <= line. an inverted range (e.g.
start=44, line=42) would pass local validation and GitHub would 422 with
"invalid line numbers" — opaque to the agent and unfixable without
reading docs. reject locally with a reason that names the constraint.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: don't let usage-summary write error mask main's outcome

writeGitHubUsageSummaryToFile is called in main's finally block. it can
throw on ENOSPC / EACCES / missing parent dir. a throw here propagates
past the try's successful return or the catch's error return, hiding the
actual run outcome behind an I/O failure on a purely informational file.
swallow the write error (debug-logged) — the summary is nice-to-have, not
load-bearing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: don't mislabel agent handler errors as JSON parse failures

the onStdout event loop wrapped both JSON.parse and the handler call in
one try/catch that logged every caught error as 'non-JSON stdout line'.
if a handler threw (e.g. todowrite state shape drift), the error was
silently classified as a parse error, making diagnosis impossible. split
the try blocks so JSON errors and handler errors get distinct,
identifying log lines.

* audit: reject leading-dash PR refs before they reach git commands

PR head/base refs come from GitHub and are attacker-controlled on fork
PRs (the PR author picks headRef freely). they flow straight into
`git fetch origin <ref>`, `git checkout -B <ref>`, and config writes.
without a leading-dash check, a ref named like '-upload-pack=evil'
could be parsed as a flag instead of a refspec.

validate both refs at the top of checkoutPrBranch (before any async
work) and cover the two attack shapes with unit tests.

* audit: cover ActivityTimeout.stop()'s forceReject disarming

main.ts's safety-net-timer path depends on ActivityTimeout.stop()
nulling out rejectFn so a late safety-net fire after a successful
agent run is a no-op. that behavior had no direct coverage — removing
the \`rejectFn = null\` in stop() would silently break the happy path
(unhandled rejection / spurious failure) without failing any test.

add three tests covering: forceReject rejects with the reason,
stop() disarms forceReject, and forceReject after timer rejection
is an idempotent no-op.

* audit: stabilize activity-timeout idleSec against late stdout race

* audit: reject 0ms timeout parses to avoid insta-fail from '0m'

* audit: surface raw GitHub error on review 422 instead of assuming anchor cause

* audit: key commentable-lines cache by PR number to prevent cross-PR drift

* audit: enumerate concrete 422 causes and name checkout_pr in review error

* audit: stop shipping ralph-loop runtime state in PR history

.claude/ralph-loop.local.md and .claude/ralph-loop-prompt.md were
accidentally staged in an earlier audit commit. the .local.md suffix is
conventional for gitignored runtime state, and the prompt file is
per-run harness config — neither should merge to main. ignore the
pattern and untrack the existing entries (files remain on disk so the
active loop keeps working).

* audit: pin commentable-lines cache to checkoutSha, not just PR number

a second checkout_pr(N) call advances toolState.checkoutSha at line 305
or 334, then runs fetchAndFormatPrDiff + cache population at line 549.
any throw between those two points (rate limit, 5xx, network blip) left
the old snapshot keyed to (pullNumber=N) while checkoutSha now points at
a different sha. review_pr(N) would reuse the stale snapshot, silently
validating comments against the wrong anchor — the original failure this
cache was meant to prevent.

track commentableLinesCheckoutSha alongside the pull number and require
both to match before returning the cache. if either has moved, fall
back to listFiles like any other miss.

* audit: auto-clear leftover pending review from killed prior runs

a workflow timeout or OOM between createReview PENDING and submitReview
leaves GitHub holding a pending draft. the next run hits GitHub's
one-pending-per-user-per-PR limit and 422s at pending-create, with no
way to recover short of a human cleaning up manually.

catch 422 at pending-create, list the PR's reviews (GitHub only exposes
our own pending to us, so the filter is safe), delete the leftover, and
retry once. 404/422 on the cleanup are treated as no-ops (race with
another concurrent cleanup or the draft was submitted); any other
cleanup error rethrows so the real cause reaches the caller.

* audit: extract + unit-test stranded-pending-review cleanup

the recovery branch inside createAndSubmitWithFooter had no direct test
coverage. a regression in any of its guards (status check, message
match, listReviews filter, 404/422 tolerance, non-retryable rethrow)
would silently cause either destructive deletes of unrelated reviews or
the old failure mode where a stranded pending draft blocks every retry.

extract to clearStrandedPendingReview so the cases can be exercised with
a mocked octokit, and add tests for each branch — including the
load-bearing negative cases (non-422 passthrough, non-pending-review 422
passthrough, no-leftover-found passthrough, non-retryable cleanup error
passthrough). no behavior change at the call site.

* audit: document concurrent-run race in clearStrandedPendingReview

two runs on the same PR using the same GitHub App installation token would
both see each other's PENDING draft via listReviews (GitHub exposes PENDING
only to the author, and both runs share authorship). the loser's recovery
path would delete the winner's active draft, causing the winner's
submitReview to 404.

no reliable in-request signal distinguishes a genuinely-stranded prior-run
draft from an active peer's draft — PENDING reviews have no created_at,
and the user field is the same bot in both cases. the correct fix is
workflow-level concurrency (a per-PR concurrency key), not a heuristic
here. document the limitation so future readers don't try to bolt on a
broken heuristic.

* audit: report signal-killed subprocesses as failures, not exit code 0

node's close event delivers (code=null, signal=<name>) when a child is
killed by signal (OOM killer, segfault, external SIGTERM). the close
handler captured only exitCode and coerced null to 0 via `exitCode || 0`,
so lifecycle hooks killed by signal were silently reported as successful —
lifecycle.ts's `if (result.exitCode !== 0)` check skipped the warning and
callers proceeded as if setup/post-checkout/prepush had completed.

now capture signal, append "killed by signal <name>" to stderr, and
resolve with exitCode=1 when code is null but signal is set. adds a
regression test that spawns `kill -KILL \$\$` and asserts a non-zero
exit plus the signal-kill marker in stderr.

* audit: untrack RUN_ISSUES*.md ralph-loop working docs

same pattern called out in 4f14dbf1: these files are per-run harness
state and analysis scratch, not merge-to-main deliverables. the TODO
literally opens with "Ralph loop instructions:", so it's unambiguously
in the same category as .claude/ralph-loop-prompt.md was. files stay on
disk so the active loop keeps working.

* audit: block refs/... + symbolic-ref bypass of default-branch guard

push_branch's restricted-mode guard compared the resolved remoteBranch
against defaultBranch with exact-string equality. an agent passing
branchName "refs/heads/main" flowed through: rejectIfLeadingDash passed,
getPushDestination's fallback preserved the refs/heads/main string as
remoteBranch, so "refs/heads/main" !== "main" and the block was skipped,
yet git push happily resolved refs/heads/main to the local main commit
and pushed to the remote main branch. symbolic refs (HEAD / FETCH_HEAD /
ORIG_HEAD / MERGE_HEAD) are the same class of bypass — they resolve to
whatever commit they point at, unconstrained by the name-based guard.

add rejectSpecialRef to enforce bare branch names at the tool entry, use
it in push_branch and delete_branch. checkout_pr only ever assigns
pr-<number> as the local branch, so nothing legitimate relied on the
refs/... form here.

* audit: keep original 422 visible when listReviews fails during pending-review cleanup

if listReviews threw (e.g. transient 502, rate limit) during the stranded
pending-review recovery path, the listing failure replaced the original
422 "pending review" error when it propagated up through the tool's outer
catch. agents then saw a generic server error with no mention of the real
blocker and stopped retrying the cleanup.

now the listing failure is logged at debug but does not mask the original
422. the caller's retry re-attempts cleanup, which succeeds if the listing
failure was transient.

* audit: block default-branch deletion even under push: enabled

delete_branch required push: enabled, but within that mode the agent
could delete the default branch with no local guard. GitHub branch
protection usually catches this at the remote, but not every repo
has protection configured — and even when it does, relying on remote
config for local safety is wrong. pushing to main is reversible
(revert, force-push old HEAD); deleting main is not (reflog recovery
only, 30-day window).

block deletion of the resolved default_branch in DeleteBranchTool
regardless of push permission. push: enabled authorizes pushes, not
wholesale removal of the repository's primary branch.

* audit: attach no-op catch to agentPromise so a late rejection can't crash cleanup

agentPromise raced against activityTimeout.promise (and the --timeout
timeoutPromise), both of which had .catch(() => {}) handlers. agentPromise
did not. if a timeout won the race, agentPromise became stranded and its
subsequent rejection was an unhandled rejection — under node 15+'s default
unhandled-rejection policy that terminates the process, which would kill
main() mid-cleanup and lose the error-reporting and usage-summary work
queued in the catch/finally blocks.

the race still sees the rejection (the original promise is shared); this
catch only prevents node from treating a post-race rejection as unobserved.

* audit: close push_branch refspec-injection via ':' / '+' in branchName

rejectSpecialRef only forbade leading-dash, `refs/` prefix, and symbolic
refs. git push accepts `[+]src[:dst]` refspec syntax, so an agent under
push:restricted could smuggle a full refspec through branchName and bypass
the downstream exact-string default-branch guard:

  "evil:refs/heads/main"  → push local 'evil' to remote main
  ":refs/heads/main"      → delete remote main
  ":other"                → delete arbitrary branches (outside grant)
  "+main"                 → force-push refspec prefix

reject ':', '+', '^', '~', '?', '*', '[', '\\', and whitespace — git's own
check-ref-format forbids all of them in branch names, so the allow-list
cannot false-positive against a legitimate branch. add regression tests.

* audit: stop suggesting blocked 'rebase' in push_rejected advice under shell=disabled

Why: when push fails with non-fast-forward, the advice told the agent to run 'git rebase origin/...'. In shell=disabled mode the git MCP tool blocks rebase (as an arbitrary-code-execution escape hatch), so the agent's only path forward was to hit the block, read the fallback message, and try merge — one wasted round trip.

Now: under shell=disabled we directly suggest 'git merge origin/...', which always works. Under other modes the advice keeps the rebase/merge choice but leads with merge so the example is copy-pastable either way.

* audit: harden includeIf cleanup against shell-injection via subsection names

setupGit read `includeif.*` keys via `git config --get-regexp`, split on the
first space, and fed the result into `execSync(\`git config --unset
"${key}"\`)`. git config subsection values preserve arbitrary characters,
so a crafted `[includeIf "gitdir:$(touch${IFS}/tmp/pwn)safe"]` entry
round-trips through `--get-regexp` with its `$(...)` command substitution
intact, survives the split-on-space filter (IFS-bypass leaves the payload
space-free), and gets evaluated when interpolated into the shell command.

Confirmed reachable as an RCE sink in local repro.

Switch to `--get-regexp -z` (null-terminated, no ambiguity on whitespace)
and call `$("git", ["config", "--unset-all", key])` which uses spawn-array
and never hands the key to a shell. Extract the logic into
`removeIncludeIfEntries` and add regression tests covering the injection
payload, whitespace-in-subsection keys, benign entries, and the no-op case.

* audit: clear SIGKILL escalator on clean SIGTERM exit

the overall-timeout path scheduled a 5s SIGKILL follow-up without
capturing the timer id. if the child cooperated with SIGTERM and
`close` fired promptly, the escalator stayed pending in the event
loop for up to 5s — delaying any subsequent clean shutdown (e.g.
the main action exiting after an agent timeout) by that long.

capture sigkillEscalatorId alongside timeoutId and clear it in both
close and error handlers. regression test asserts the active-timer
count does not grow past the pre-spawn baseline after a timed-out
child exits on SIGTERM.

* audit: correct rebase-availability hints to reflect shell=restricted

the MCP git tool only blocks rebase when shell=disabled
(NOSHELL_BLOCKED_SUBCOMMANDS check in GitTool). under
shell=restricted, git({command: "rebase"}) works fine through the
tool — NOSHELL_BLOCKED_SUBCOMMANDS doesn't apply. but two
agent-facing messages implied rebase is only available with
shell=enabled:

- AUTH_REQUIRED_REDIRECT["pull"] said "rebase is only available
  when shell is enabled"
- push-rejected integrateStep (non-disabled branch) said
  "(or 'rebase' if shell is enabled)"

under shell=restricted, agents reading these would wrongly think
they had to pick merge — pushing them toward merge commits when
rebase would have been cleaner. the push-rejected branch is
already ternary-gated on shell !== "disabled", so the qualifier
there was just redundant noise.

* audit: block difftool/mergetool under shell=disabled

git difftool -x <cmd> is the short form of --extcmd. the args
blocklist only matches --extcmd / --extcmd=*, so -x slipped
through and let an agent run arbitrary commands even when
shell=disabled. globally blocking -x would false-positive on
git cherry-pick -x, which only appends metadata, so block
difftool (and mergetool, same shape via mergetool.<name>.cmd)
at the subcommand level instead. agents have no legitimate need
for either — diffs go through diff/show and merges are resolved
by file edits.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* audit: recover stranded PENDING drafts on no-body createReview too

The body path already clears a stranded PENDING draft from a prior
crashed run via createAndSubmitWithFooter's own try/catch. The no-body
path (approve-with-no-feedback or comments-only) called createReview
directly — so a PR whose previous body-path run crashed between
createReview(PENDING) and submitReview would permanently 422 any
subsequent no-body review with "already has a pending review" until a
body-path run happened to clear it.

Factored out createReviewWithStrandedRecovery so both paths get the
same recovery treatment, and added regression tests covering the
no-stranded / stranded-and-retry / non-stranded-422-no-retry cases.

* audit: reject timeouts past node's setTimeout ceiling

a user-supplied timeout like "999h" parses fine (parseTimeString has no
upper cap) but falls off the 2^31-1 ms limit setTimeout clamps to 1ms.
the agent run would reject with "timed out after 999h" in a single tick.

extract a resolveTimeoutMs helper that centralizes the zero/overflow/
unparseable checks (previously scattered behind inline boolean logic in
main.ts) and cover the behavior with unit tests including the boundary
value.

* fix(#22): replace parameter property in SpawnTimeoutError

node --experimental-strip-types rejects readonly/public/private param
properties in constructors. tests run via node directly (no tsc), so CI
was hitting ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX on every action-agents /
action-agnostic job before any test code ran.

declare the field and assign in the body instead.

* audit: tighten git tool description and delete_branch refspec

- `git` tool description previously implied `pull` had a dedicated MCP tool
  alongside `push_branch`/`git_fetch`. it doesn't — the redirect sends the
  agent back to the same git tool with `command: "merge"` (or `rebase`).
  update the description to teach this directly instead of letting agents
  discover it through the redirect error.
- `delete_branch` now passes `refs/heads/${branchName}` to `git push --delete`
  so a same-named tag can't be silently deleted when both exist on the
  remote. `rejectSpecialRef` already guarantees the bare-name invariant, so
  the template construction stays injection-safe.

Made-with: Cursor

* audit: polish review.ts per anneal findings

- drop `as "LEFT" | "RIGHT"` cast in `validateInlineComments` — octokit
  types `side?: string` at the createReview endpoint, so narrow via
  `c.side === "LEFT" ? "LEFT" : "RIGHT"`. no cast, no redundant
  annotation — TS infers the literal union from the ternary.
- consolidate `clearStrandedPendingReview` from 3 params to 2 by folding
  `originalErr` into `params`, per AGENTS.md "max 2 parameters" rule.
  updates both call sites (`createReviewWithStrandedRecovery`,
  `createAndSubmitWithFooter`) and all 7 test paths.
- upgrade `listReviews`-during-cleanup failure log from `log.debug` to
  `log.info` so operators not running at debug still see that recovery
  was attempted before the original 422 bubbles up. message now reads
  "surfacing original 422" to make the intent unambiguous.

Made-with: Cursor

* audit: signal partial commit metadata in checkout_pr

previously a rev-list/log failure (e.g. shallow fetch where
`origin/<base>` isn't reachable) silently returned `commitCount: 0,
commitLog: ""` — indistinguishable from "this PR has no commits past
base", which could mislead review reasoning about scope.

add a `commitLogUnavailable: boolean` field to `CheckoutPrResult`, set
when the rev-list/log calls throw. instructions footer now tells the
agent to treat the values as "unknown" rather than "no commits" in that
case. message phrased to cover the rare case where rev-list succeeds
but git log throws (partial, not strictly zero) metadata.

Made-with: Cursor

* audit: fix parseDiffTocEntries to match production ' · diff-<sha>' TOC suffix

the regex required $ right after the line range, but formatFilesWithLineNumbers
in checkout.ts appends ` · diff-<sha256>` so agents have the GitHub "Files Changed"
anchor precomputed. result: tocEntries was always empty on real PR reviews,
breakdown.files was empty, and runDiffCoveragePreflight never fired its
one-time "read the diff" nudge. add an optional suffix to the regex and a
regression test that uses the exact production TOC shape.

Made-with: Cursor

* audit(#20): skip empty downgraded-APPROVE reviews before they 422

GitHub rejects `event: "COMMENT"` reviews with no body and no inline
comments (HTTP 422 "Unprocessable Entity", verified empirically on
repos/pullfrog/preview-546-run-issues-fixes/pulls/1). the runtime
`prApproveEnabled` downgrade folds approved=true into event=COMMENT
when the repo flag is off, so an agent asking to APPROVE a PR with no
other feedback produces exactly that rejected shape — but the existing
empty-review skip only fired for !approved cases, so the tool POSTed
the doomed COMMENT, octokit returned what looked like a success-with-
no-persisted-review shape, and agents reported a phantom reviewId that
404s on any subsequent GET.

extract the skip decision into `reviewSkipDecision` and add a second
branch for approved + !prApproveEnabled + empty. the function returns
null when the review should be submitted, so a real bare APPROVE
(approved + prApproveEnabled + empty) still goes through unchanged —
GitHub accepts empty APPROVE reviews because the stamp itself is the
content.

surfaced in the PR #546 preview e2e run 24678139563 (reviewId
4141786854 reported by the agent but absent from every reviews
listing). TC13 run 24680349445 re-ran the same scenario with
prApproveEnabled=enabled and the review persisted correctly, isolating
the cause to the downgrade + empty interaction.

* audit(#31): drop misleading rebase mention from pull redirect

AUTH_REQUIRED_REDIRECT["pull"] and the git tool's top-level description
both said "use git_fetch then this tool with command 'merge' (or
'rebase' unless shell is disabled)". the "(or 'rebase' unless shell is
disabled)" qualifier is active misinformation when the agent is
already running under shell=disabled: rebase is blocked there by
NOSHELL_BLOCKED_SUBCOMMANDS, so the suggestion sends the agent into a
second block on the next tool call.

3b83ee97 already fixed this pattern for the push-rejected advice at
line 248, but the pull redirect at line 280 and the tool description
at line 351 were missed. the right copy isn't a conditional qualifier
that agents have to parse against their own shell mode — it's just
naming the one alternative that works everywhere (merge). agents under
shell=restricted/enabled who want rebase can invoke it directly; the
redirect doesn't need to advertise it.

verified in preview e2e run 24679728733 (TC8 probe 6) where the agent
correctly captured the verbatim redirect message under shell=disabled
and explicitly flagged the "(or 'rebase' unless shell is disabled)"
clause as confusing — the new test in security.test.ts asserts the
message names merge and never rebase in every shell mode.

* audit: drop vestigial entry/post references + add preview-546 settings util

followup to d79860c6 "refactor: flatten action entrypoints" (Apr 10),
which moved action.yml from built `entry`/`post` files to source
`entry.ts`/`post.ts` but left three stale references lying around:

- .gitignore: `action/run/entry` / `action/dispatch/entry` paths no
  longer exist anywhere in the build.
- .github/workflows/pull-from-action.yml: agent instruction told the
  upstream sync agent to "Ignore `entry` files (they are built artifacts
  and .gitignored in this repo)". there are no built entry artifacts
  anymore — entry.ts is source.
- .cursor/settings.json: search.exclude pattern "**/entry" excluded the
  old built files that no longer exist.

none of these were load-bearing on their own, but the same drift had
already broken preview e2e end-to-end: the pullfrog/template workflow's
three-file copy step (cp .../entry, cp .../post) silently failed with
cp: no such file on every preview PR since Apr 10. that template fix
went to pullfrog/template@7ec7c8d and the preview-546 mirror at
@17ab585, which is what unblocked this PR's full e2e validation.

also adds scripts/preview-546-settings.ts, the helper used during the
e2e validation to show/set/reset DB-level repo settings on the Neon
preview branch (push, shell, prApproveEnabled, hook scripts). scoped
to this preview repo ID so it can't accidentally mutate prod.

* audit(#11): scope removeIncludeIfEntries to repoDir under inherited GIT_*

the function takes `repoDir` as the target, but plain execSync / $(...)
inherit GIT_DIR, GIT_WORK_TREE, and GIT_INDEX_FILE from the parent
process — and `git config --local` honors GIT_DIR over cwd. when this
runs as a child of another git invocation (notably the pre-push hook,
but also any future caller embedded inside a git subcommand), the
cleanup silently targets the outer repo instead of repoDir. latent
today because the real caller is ASKPASS setup, which runs before any
git-subcommand ancestor exists, but the function's contract still
promised the wrong thing — and the test suite hit exactly this bug
when invoked through `git push`.

- envScopedToRepo() strips GIT_* before both the get-regexp and unset
  calls, so cwd wins.
- swap the $(...) shell helper for execFileSync on the unset call. $()
  would merge our scoped env with a "restricted" base that's tuned for
  hook execution (no tokens) — overkill here and it re-introduces the
  shell-vs-argv distinction this function was explicitly hardened
  against in a9aa3b2b. execFileSync with argv is the right tool for a
  call where the key can contain arbitrary characters.
- setup.test.ts also strips GIT_* in its own execSync harness so the
  suite passes identically under `pnpm vitest run`, `pnpm -r test`,
  and `git push`'s pre-push hook.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Colin McDonnell <colinmcd94@gmail.com>
2026-04-20 21:12:17 +00:00
Colin McDonnell 6533ffddae intercept arktype's standard-schema jsonSchema.input for Gemini sanitizer
The previous sanitizer proxied `schema.toJsonSchema()`, but fastmcp 3.x uses
`xsschema.toJsonSchema()` which reads `schema["~standard"].jsonSchema.input(...)`
directly when the StandardJSONSchemaV1 extension is present (arktype 2.x).
Our proxy was never invoked, so the sanitizer was a silent no-op.

Proxy the entire `~standard` → `jsonSchema` → `input` chain so the transform
runs regardless of which path xsschema picks. Also add case 1 (add `type:"string"`
to enum-only schemas) — arktype 2.x emits `{enum:["A","B"]}` without a type
field, which is the exact form Gemini rejects with
"only allowed for STRING type".

Verified locally: wrapped schema now emits `{type:"string", enum:[...]}` and
drops `$schema`; validation still works.
2026-04-16 23:18:05 +00:00
Colin McDonnell c608051b79 sanitize mcp schemas for Gemini; fix gpt-codex-mini alias; add matrix filter
Gemini's generateContent API rejects arktype's `{anyOf:[{enum:[...]}]}` string-enum
encoding, `$schema` metadata, and `anyOf` with sibling fields. Port the old
sanitizer back as an isolated module (action/mcp/geminiSanitizer.ts) and gate it
on `isGeminiRouted(ctx)` so non-gemini routes see the original schema. Wires
`resolvedModel` onto ToolContext so the sanitizer can see the upstream specifier.

Also bumps `openai/gpt-codex-mini` alias from the deprecated `codex-mini-latest`
to `gpt-5.1-codex-mini`, matching the openrouter resolve.

Adds a `filter` workflow_dispatch input + MATRIX_FILTER env that restricts the
models-live matrix to aliases matching a substring, so we can iterate on a
single provider (e.g. `filter=gemini`) without paying to run every model.
2026-04-16 23:09:32 +00:00
Colin McDonnell 56a5d29598 add diff coverage preflight for PR review submissions (#544)
* add one-time diff coverage preflight for PR reviews

track diff read coverage from agent tool-use events and run a one-time pre-flight before review submission, with explicit coverage skip reasons for low-value files like lockfiles.

Made-with: Cursor

* add manual dispatch fallback for preview deploy workflow

allow preview repo and preview sync jobs to be run via workflow_dispatch with explicit PR number and branch inputs, so preview provisioning can be retriggered when pull_request events fail to fire.

Made-with: Cursor

* fix manual preview dispatch PR input wiring

use normalized PR number and branch env values for comment creation and script env wiring so workflow_dispatch preview runs can create and update PR-specific preview resources.

Made-with: Cursor

* remove obsolete snapshots invalidated by checkout instructions change

* fix diff coverage read offset handling and add local sanity-check guidance

normalize read offset semantics for diff coverage tracking, reuse shared range counting in review preflight, add focused diff coverage unit tests, and document the local play.ts testing workflow in AGENTS.md.

Made-with: Cursor

* add regenerated mcp test snapshots

capture snapshot files generated by the review comment and checkout formatting tests during pre-push validation so the branch remains clean and reproducible.

Made-with: Cursor

* add diff coverage preflight instrumentation logs

log diff coverage initialization in checkout_pr and emit preflight state/breakdown diagnostics in create_pull_request_review to debug missing coverage enforcement in preview e2e runs.

Made-with: Cursor

* add env override to force local cli execution in action runtime

support explicit local-cli execution via PULLFROG_FORCE_LOCAL_CLI so preview workflows can run branch action code instead of the npm fallback package during e2e debugging.

Made-with: Cursor

* add preview e2e debugging learnings for action runtime validation

capture the preview execution-path gotchas and one-time preflight verification pattern in AGENTS.md so future investigations validate the real runtime and avoid npm fallback confusion.

Made-with: Cursor

* reduce diff coverage log noise while preserving failure visibility

downgrade verbose diff coverage lifecycle diagnostics to debug, keep a concise info-level pre-flight failure signal, and document preview runtime debugging learnings in AGENTS.md.

Made-with: Cursor

* WIP

* tune sync.md: ff override + softer overlap verification

Made-with: Cursor

* chore: bump models snapshot for claude-opus-4-7

Made-with: Cursor

* rip out coverage_skips waiver from diff coverage pre-flight

Made-with: Cursor

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
2026-04-16 21:51:44 +00:00
Colin McDonnell 18c8d34da6 remove task list from review bodies; keep in progress comments only (#542)
review bodies were embedding a task-list snapshot that could capture
stale in-progress state due to timing between the agent's final
TodoWrite and the review submission API call. progress comments
are the authoritative checklist surface — remove the review-body
embedding entirely so there is a single source of truth.

also adds a `completeInProgress` option to `renderCollapsible` so
the progress-comment path can finalize any in-progress items at
render time without mutating tracker state.

Made-with: Cursor
2026-04-15 20:31:15 +00:00
Colin McDonnell 2799cce4bf homepage redesign + docs cleanup + agent prompting (#540)
* homepage redesign + docs cleanup + agent prompting improvements

- rewrote hero section: new tagline, responsive font sizing with clamp(),
  extracted shared constants for copy management
- added feature screenshots (shell isolation, github permissions, mcp tools,
  agent browser) and ensured consistent image sizing
- reworked feature section mobile layout: caption-style descriptions, bigger
  h3s, image padding
- made CTA buttons visible on all breakpoints (stacked on mobile, row on md+)
- reorganized docs/tools.mdx into single table with category dividers,
  simplified tool descriptions
- added markdown image syntax instruction to agent system prompt
- fixed InfoPopover overflow on small screens
- misc: InlineCode proportional sizing, OnboardingCard updates, shell/security
  doc improvements

Made-with: Cursor

* update pnpm-lock.yaml for agent-browser 0.25.4

Made-with: Cursor
2026-04-15 00:29:32 +00:00
Colin McDonnell b748355cbe homepage copy refresh + fix skills CLI installation (#539)
* add wiki/betterstack.md documenting log querying, request-ID grouping, and MCP usage

Made-with: Cursor

* fix webhook race conditions: separate runId assignment from data updates

the workflow_run webhook handler had a race where concurrent handlers assigned
the same runId to different pending records. the loser's P2002 silently dropped
data updates (jobId, status, completedAt). fix by splitting into two steps:
assignRunId() handles the race-safe unique assignment, then data updates always
target where: { runId } so they hit the correct record regardless of who won.

also downgrade R2 ObjectLockedByBucketPolicy errors from error to warn level
since duplicate webhook deliveries writing the same key is expected under load.

Made-with: Cursor

* homepage copy refresh + fix skills CLI installation

- update hero to "Agent x GitHub" with new subtagline
- rewrite intro paragraphs: workflow, harness capabilities, billing
- add feature sections: bash isolation, headless browser, MCP tools
- update FAQ answers, footer attribution, free-for-oss copy
- update APP_DESCRIPTION for SEO
- fix skills install: use npx from tmpdir instead of local binary
  (the bundled action has no node_modules; running npx from tmpdir
  avoids project .npmrc with pnpm settings breaking binary resolution)
- instruct agents to use markdown image syntax in upload_file tool
- start dependency installation eagerly from main.ts
- include event title in task instructions

Made-with: Cursor
2026-04-14 20:37:20 +00:00
David Blass a4c7c0fc15 feat: workflow run artifact chips + GraphQL url resolution (#447) (#527)
* plan: issue 447 run artifact tracking and UI (supersedes stale pill notes)

Made-with: Cursor

* feat: workflow run artifact urls, chips, and safe PATCH validation

Made-with: Cursor

* chore(action): refresh latest-by-provider model snapshot

Made-with: Cursor

* refactor: resolve artifact urls via GraphQL nodes(ids), drop stored url columns

Made-with: Cursor

* docs: finalize issue 447 run-artifacts plan; remove demo backfill script

Made-with: Cursor

* refactor: DRY node-id constraint, replace margin with padding wrapper

Made-with: Cursor

* refactor: DRY audit — shared row info, derived types, unified Prisma select

- extract WorkflowRunRowInfo component (description + issue link + time + pills)
  shared by ActiveWorkflowRunsSection and WorkflowRunHistory
- derive API payload types via Omit + & instead of manual field lists;
  serialize with spread + override for bigint/date fields
- extract workflowRunListSelect shared Prisma select base; history extends
  with completedAt
- inline updateCommentNodeId → direct patchWorkflowRunFields calls
- derive WorkflowRunArtifactSlice from canonical exported types
- delete cancelling-out URL column migrations (no schema change vs main)

Made-with: Cursor

* refactor: artifact chips as inline CTAs with proper vertical alignment

- chips now render as action links: "Open PR #N", "View summary", etc.
- only render chips with resolved URLs; remove inert span fallback
- inline chips in the row (right-justified) instead of a separate line
- fix vertical alignment: remove ul/li wrappers that caused line-height
  mismatch, render chips as direct row siblings via flat flex layout
- change row to items-center, remove compensating self-start/pt nudges
- cancelled run X icon uses red-600

Made-with: Cursor

* chore(action): refresh latest-by-provider model snapshot

Made-with: Cursor

---------

Co-authored-by: Colin McDonnell <colinmcd94@gmail.com>
2026-04-14 04:42:40 +00:00
Colin McDonnell 8a6696dd1d fix lint errors, consolidate husky hooks into root .husky
action/.husky prepare script was overriding root husky config, so the
pre-push hook (lint + typecheck + test) never ran. merged the lockfile
sync pre-commit into root .husky/pre-commit and removed action/.husky.
also auto-fixed biome format/import-sort errors from last commit.

Made-with: Cursor
2026-04-12 18:57:48 +00:00
Colin McDonnell 8ee9e3176a remove generate-proxies postinstall hack, resolve pullfrog source via bundler config
the postinstall script referenced scripts/generate-proxies.ts which isn't
included in the published npm package, silently breaking every npx install.
replaced the proxy stub approach with turbopack resolveAlias and webpack
conditionNames so both bundlers resolve pullfrog imports to TypeScript
source directly — matching what tsc already does via customConditions.

also moves PR summary format from handleWebhook into modes.ts so the
summarize mode prompt includes it directly.

Made-with: Cursor
2026-04-12 17:31:46 +00:00
Colin McDonnell b282e8b599 Improve incremental review output and fix todo tracker race (#529)
* improve incremental review output and fix todo tracker race

- reviewed changes section: summarize at logical-change level with
  past-tense verbs, not per-file enumerations
- add TodoTracker.completeAll() to mark all non-cancelled items as
  completed before snapshotting the collapsible in review/progress posts

Made-with: Cursor

* completeAll -> completeInProgress: only mark in-progress items as completed

Pending items that were genuinely skipped stay as-is in the collapsible,
so the task list honestly reflects what the agent actually did.

Made-with: Cursor
2026-04-10 20:15:34 +00:00
Colin McDonnell 08101a0e67 summarize mode: drop subagent delegation and dead effort hint
the "delegate a subagent" instruction doubled LLM sessions for
every summary run, and "use mini or auto effort" was a no-op
since the agent always runs at high/max effort.

Made-with: Cursor
2026-04-08 18:31:46 +00:00
Colin McDonnell b3112e4a15 Fix typos in AGENTS.md (#525)
* fix WorkflowRun mis-assignment when multiple dispatches are in flight

workflow_run_requested fires before GitHub applies the custom run-name,
so display_title has no [suffix]. the old desc ordering picked the newest
pending record, cross-linking enrichment ↔ auto-label records.

switch to FIFO (asc) ordering so records are claimed in dispatch order,
and add a 15s createdAt window to avoid claiming stale records.

fixes #523

Made-with: Cursor

* WIP

* plan: update issue indexing resolution to R2-backed lazy filesystem

replace the direct GitHub tarball + in-memory extraction approach with a
two-phase architecture: streaming tarball sync to R2 (per-file, via
tar-stream) and on-demand lazy loading via just-bash InMemoryFs backed
by R2 GETs. scales to 200K+ file monorepos at <50MB memory overhead.

Made-with: Cursor

* plan: switch to tarball + R2 range requests, add design alternatives rule

update issue indexing plan to use a single uncompressed tar in R2 with
byte-offset index instead of per-file uploads. 2 PUTs per sync vs 10K,
5000x cheaper, trivial lifecycle.

add AGENTS.md rule: generate 3 alternatives before committing to a design.

Made-with: Cursor

* fix typos in AGENTS.md

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
2026-04-08 16:15:59 +00:00
David Blass 1c730300b6 Clarify push, prepush, and progress errors in agent prompts (#521) 2026-04-06 20:47:43 +00:00
Colin McDonnell 426ef8c0d8 review: append todo list to review body, always delete progress comment
- in Review mode, stop the todo tracker and append the completed task
  list as a collapsible section to the review body before submitting
- always delete the progress comment after a review is submitted,
  regardless of whether the agent called report_progress

Made-with: Cursor
2026-04-04 21:59:29 +00:00
Colin McDonnell 2ea447a780 refactor: replace narrow parameter types with context objects (#519)
* refactor: replace narrow parameter types with context objects across action/

pass broader context objects (ToolContext, PromptContext, PostCleanupContext) to
utility functions instead of cherry-picking fields into single-use interfaces.
deletes 8 narrow types, simplifies call sites, and makes buildCommentFooter
synchronous by reading ctx.runId/ctx.jobId directly instead of re-deriving
from env vars and making an extra API call.

Made-with: Cursor

* fix: replace non-null assertion with local guard in validatePushDestination

addresses review feedback — the function now validates pushUrl itself instead
of relying on the caller's check, eliminating the ! assertion.

Made-with: Cursor

* revert: remove GH_TOKEN injection from restricted shell

the original change exposed the git token in restricted-mode shell so
`gh` CLI would work. this is a security regression for public repos: MCP
tools are deliberately constrained (no merge, no release, no arbitrary
API calls), but `gh api` with the token gives full GitHub API access to
any prompt-injected agent.

Made-with: Cursor
2026-04-04 20:51:49 +00:00
Colin McDonnell b9b6503315 reorder prompt sections: task-first with dynamic TOC (#513)
* reorder prompt sections: task-first with dynamic TOC

put the actual task at the top of the prompt for primacy, add a
dynamic table of contents, and push system/runtime metadata to the end.

new section order: TOC → YOUR TASK → PROCEDURE → EVENT CONTEXT →
SYSTEM → LEARNINGS → RUNTIME

Made-with: Cursor

* enforce clean working tree: continue session if agent leaves uncommitted changes

after each agent run, check `git status --porcelain`. if dirty, resume
the same session with instructions to commit on a new branch, push, and
open a PR. retries up to 3 times before giving up.

- claude code: capture session_id from result event, use --resume <id>
- opencode: use --continue to resume the last session
- remove --no-session-persistence from claude (needed for --resume)
- update Task mode to clarify branch/push/PR is the default finalize step

Made-with: Cursor

* log full prompt in collapsible group for debugging

Made-with: Cursor

* fix: format tool refs in buildCommitPrompt via formatMcpToolRef

* enforce clean git status: general instructions, stop hook, and Task mode

Made-with: Cursor

* fix: rename stale titleBody references after body leak fix

Made-with: Cursor

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
2026-04-04 19:37:44 +00:00
Colin McDonnell 6b93e6b368 review/incremental-review: always submit review, never call report_progress (#516)
* WIP

* WIP

* review/incremental-review: always submit review, never call report_progress

The progress comment is auto-deleted by the stranded-comment cleanup in
main.ts when the agent skips report_progress. This makes reviews the
sole PR artifact for both modes, reducing noise.

- soften report_progress tool description to allow mode opt-out
- Review mode: always submit exactly one review (approve or request changes)
- IncrementalReview mode: submit review for substantive outcomes, silently
  exit for non-substantive changes (formatting-only pushes produce zero artifacts)

Made-with: Cursor

* incremental-review: clarify approval condition for substantive no-issues case

Made-with: Cursor

* report_progress: s/completed/current task list

Made-with: Cursor

* system instructions: align report_progress guidance with mode opt-out

Made-with: Cursor
2026-04-04 18:34:10 +00:00
Colin McDonnell 36cc5cde14 Code quality sweep: 30+ bug fixes, security hardening, and UX improvements (#507)
* Update waitlist, run ralph experiments

* fix PR files pagination: use octokit.paginate() for >100 files

* fix garbled FAQ answer on landing page

* track cache read/write tokens in OpenCode agent usage

* wrap dispatch() calls in try/catch to prevent webhook retries on transient failures

* replace raw error messages with generic responses in API routes

* guard request.json() calls with try-catch returning 400 on malformed bodies

* log warning when GraphQL review thread/comment counts hit pagination limits

* reduce review comment cache TTL from 24 hours to 10 minutes

* use select instead of include for proxyKey in workflow run queries

* align Claude agent activity timeout to 5 minutes to match OpenCode agent

* add in-memory dedup for PR close webhooks to prevent duplicate indexing

* extract isPullfrogLogin() helper for shared Pullfrog detection logic

* check response.ok on log fetch in checkSuite.ts

* add 10s timeouts to checkSuite API calls and log fetch

* parallelize proxy key usage API calls with Promise.allSettled

* fix three typos on landing page: colleage, dectects, reponse

* move MAX_STDERR_LINES constant to shared.ts

* add indexes on Repo.accountId and PFUser.accountId FK columns

* remove unused Permission enum from Prisma schema

* populate author and keywords in action/package.json

* use crypto.timingSafeEqual for all secret comparisons

* add missing env vars to globals.ts: R2, webhook, and API secrets

* remove commented-out UserRepo model from Prisma schema

* replace console.log/error with log utility in production API routes

* replace catch(error: any) with proper type guards in getUserRole

* remove stale TODO comment on console page

* handle repository_transferred webhook to update owner

* show toast.error instead of console.error on mode/workflow mutation failures

* add Space key handler for keyboard navigation on workflow run links

* replace role=link spans with button elements for proper accessibility

* add root 404 page with Pullfrog branding

* update ISSUES.md: mark completed items

* mark remaining low-priority UX items as addressed

* add error logging alongside toasts, add check script, update ralph commands

* address review feedback: squash migrations, fix try/catch scope, wire up globals consumers

- squash drop_permission_enum migration into add_indexes migration (one migration per PR)
- move getPullRequest() outside try/catch in mention handler so errors aren't mislogged as "dispatch failed"
- restore key ID in proxyKeys.ts Promise.allSettled error log
- remove accidental asdf.txt and ralph.md files
- wire up globals.ts exports to consumers (r2-uploads, r2-private, verifyHookdeckSignature, sync-usage, forwardPreviewWebhook, dispatch-workflow)

Made-with: Cursor

* update model snapshot (qwen3.6-plus-preview renamed to qwen3.6-plus)

Made-with: Cursor
2026-04-02 21:02:38 +00:00
Colin McDonnell 70d56ebc89 improve review quality: add --effort flag, subagent guidance, remove dead prompts (#508)
* Update waitlist, run ralph experiments

* improve review quality: add --effort flag, subagent guidance, remove dead prompts

- add --effort high/max to Claude Code CLI (max for Opus, high for Sonnet/Haiku).
  default was silently dropped from high to medium in March 2026.
- add subagent guidance to Review/IncrementalReview modeGuidance for parallel
  investigation of large cross-cutting PRs (read-only, no side effects).
- remove "THINK HARDER" from mode prompts (vestigial, no longer controls thinking).
- remove redundant mode.prompt bodies from modes.ts — the actual guidance lives in
  modeGuidance (selectMode.ts) and mode.prompt was dead code for all built-in modes
  since the delegation system was removed in March.

Made-with: Cursor

* make Mode.prompt optional, remove ModeSchema dead code

prompt is only needed by custom user-defined modes (validated by Zod
modeSchema in utils/schemas/modes.ts). built-in modes get their guidance
from modeGuidance in selectMode.ts. the arktype ModeSchema was never
imported anywhere.

Made-with: Cursor

* make modes.ts the single source of truth for mode guidance

move all mode guidance from modeGuidance in selectMode.ts into
mode.prompt in modes.ts. selectMode.ts now only contains the runtime
tool logic (resolving modes, merging user instructions, handling
PlanEdit/SummaryUpdate overrides). this eliminates the confusing
fallback chain where someone editing mode instructions had to know
to look in selectMode.ts rather than modes.ts.

Made-with: Cursor

* add self-review subagent step to Build mode, update wiki

Build mode now delegates a read-only subagent to review the diff
before committing, catching bugs/logic errors/edge cases that the
builder might miss. Also updates wiki/modes.md to reflect the
single-source-of-truth architecture (modes.ts owns all guidance,
selectMode.ts is pure runtime logic).

Made-with: Cursor

* update model snapshot (openrouter qwen3.6-plus rename)

Made-with: Cursor
2026-04-02 20:04:09 +00:00
Colin McDonnell 6c5d228c04 allow external_directory reads — not a security boundary
Made-with: Cursor
2026-03-30 21:37:36 +00:00
Mateusz Burzyński a7b8dcbced Rework incremental diffing (#499)
* Improve our deepening logic

* Use consistent SHA for PR-related operations in CheckoutPrTool

* compute `deepenDepth` at more appropriate time

* fix stale comment

* add comments for `alreadyOnBranch`

* ensure before sha is available

* small cleanup

* computeIncrementalDiff

* move the util

* improve algorithm

* improve algorithm further

* get rid of temp result array

* add comment

* compute incremental diff and updte instructions

* add comment

* update stale comment

* get rid of redundant rev-parse call

* improve comment

* strenghten the instructions

* make diff paths unique
2026-03-27 16:09:13 +00:00
Colin McDonnell cb8e33360c feat: add prepush lifecycle hook (#498)
* feat: add prepush lifecycle hook

Add `prepushScript` configuration — an optional shell script that runs
automatically before pushing code to the remote repository. Reuses the
existing `executeLifecycleHook` infrastructure (bash execution, 2-min
timeout, error propagation on non-zero exit). When unconfigured the
hook is a no-op.

Made-with: Cursor

* fix: add prepushScript to run-context API response, fix UI separator

Include prepushScript in the settings returned by the run-context
endpoint so the hook actually fires in production. Also fix the
separator pattern in AgentSettings to match the existing convention
(spacer + hr + spacer instead of margin).

Made-with: Cursor
2026-03-26 04:28:24 +00:00
Mateusz Burzyński c0f6f9ef2a Browser skill (#485)
* Add `BrowserTool`

* add some logging

* go with npm install -g

* remove dep changes since the switch to npm install -g

* tweak

* tweak

* tweak

* tweak

* tweak timeout

* tweak

* remove logs

* skill investigation doc

* wip

* wip

* tweak

* lock agent-browser version

* tweak

* logs

* logs

* more logs

* more debug stuff

* try this

* try this

* try this

* fix PATH

* try this

* tweak

* tweak

* tweak

* update wiki entries

* update wiki once again

* lint fix

---------

Co-authored-by: Colin McDonnell <colinmcd94@gmail.com>
2026-03-25 19:36:13 +00:00
David Blass 6b18b6730b live todo tracking, collapsible task list in final progress, hide set_output outside standalone (#492)
* fix false "without reporting progress" error + live todo tracking

clean up orphaned progress comments when review is skipped or only
set_output is used, preventing the false positive in handleAgentResult.

parse todowrite events from OpenCode's NDJSON stream and render a
live markdown checklist in the PR progress comment (2s debounce).
agent's explicit report_progress always takes priority.

Made-with: Cursor

* fix contradictory review/progress prompting

align Review and IncrementalReview mode prompts with their guidance —
mode prompts said "always submit" while guidance said "skip if clean."
remove the empty-approval submission that was silently dropped by the
tool. make progress comment lifecycle explicit: created on first call,
updated in place, removed after review submission.

Made-with: Cursor

* centralize todo tracking into shared TodoTracker module

extract inline todo tracking logic (~95 lines) from opentoad.ts into
action/utils/todoTracking.ts. the tracker is created once in main.ts
and passed to agents via AgentRunContext.todoTracker, making it
agent-agnostic and reusable for future agent implementations.

Made-with: Cursor

* fix todoTracker optional type to match file convention

add | undefined to todoTracker in AgentRunContext, matching every
other optional property in the same interface.

Made-with: Cursor

* instruct agents to always maintain a task list for live progress

system prompt now tells agents to create an internal task list at
the start of every run. the tracker renders it to the progress
comment automatically. report_progress is reserved for final
results only — no more intermediate "Checking..." messages that
cancel the tracker and leave stale text on the comment.

Made-with: Cursor

* require report_progress summary at end of every run

agents must always call report_progress with a final summary —
the completed task list should never be the end state of the
progress comment. updated all review mode prompts to call
report_progress after submitting (or not submitting) a review.

Made-with: Cursor

* keep progress comment after review with final summary

stop deleting the progress comment after review submission —
the agent now always calls report_progress with a summary at
the end, and that summary should persist as a record of what
was done.

Made-with: Cursor

* harden stranded progress comment cleanup

- main.ts: detect when tracker was last writer (agent never called
  report_progress) and delete the stranded checklist instead of
  leaving it as the final comment state
- postCleanup.ts: expand stuck-comment detection to also catch
  stranded todo checklists (regex match for checklist patterns)
  when the process is killed before normal cleanup runs
- modes.ts + selectMode.ts: add report_progress step to Summarize
  and SummaryUpdate modes (only modes that were missing it)

Made-with: Cursor

* fix stale comments, typo, and build mode redundancy

- comment.ts: update deleteProgressComment docstring and inline comment
  to reflect current usage (stranded-comment cleanup, not post-review)
- modes.ts: merge duplicate report_progress steps (8 + 10) into single
  step 9, fix "optimizatfixons" typo
- wiki/post-cleanup.md: document checklist detection regex

Made-with: Cursor

* collapsible completed todos in final progress, hide set_output outside standalone mode

- add renderCollapsible() to TodoTracker, append completed task list as
  <details> section when agent calls report_progress
- cancel tracker after agent's final report_progress so it doesn't
  overwrite with raw checklist
- conditionally register SetOutputTool only in standalone mode or when
  output_schema is provided
- remove unconditional set_output instruction from orchestrator task section
- update Summarize/SummaryUpdate mode guidance to not reference set_output

Made-with: Cursor

* show completion count in collapsible task list summary

Made-with: Cursor

* only count completed (not cancelled) in collapsible task list summary

Made-with: Cursor

* reinforce concise summary prompting across system prompt, modes, and tool description

Made-with: Cursor

* address review feedback: wasUpdated bypass, tracker false-positive, race condition

- remove wasUpdated=true from cleanup paths so handleAgentResult correctly
  detects genuinely silent runs
- add hadProgressComment to ToolState as immutable snapshot for the safety check
- use todoTracker.hasPublished instead of enabled for stranded-comment cleanup
- serialize onUpdate calls via inflightPromise chain with post-cancel guard
- add settled() to wait for in-flight updates before writing final summary

Made-with: Cursor

* address round-2 review: hasPublished after success, finalSummaryWritten flag

- set hasPublished only after onUpdate resolves (not before) so failed
  writes are not counted as published
- add finalSummaryWritten flag to ToolState, set after successful
  non-plan reportProgress; decouple cleanup detection from
  todoTracker.enabled so it survives API failures where cancel() ran
  but the write didn't succeed

Made-with: Cursor
2026-03-25 19:35:31 +00:00
David Blass 64f2238316 Repo Intelligence: agent-managed per-repo learnings with revision history (#487)
* add repo learnings feature with edit history

introduces a new "Learnings" section in the repo console where agents can
persist operational knowledge (setup steps, test commands, conventions) at
the end of runs via an MCP tool. users can also edit learnings manually.

- add `learnings` field to Repo model and `LearningsRevision` audit table
- add `update_learnings` MCP tool for agents to persist repo knowledge
- integrate learnings into prompt assembly as REPO LEARNINGS section
- add learnings step to mode guidance (Build, AddressReviews, Plan, Fix, Task)
- add PATCH /api/repo/[owner]/[repo]/learnings endpoint (JWT auth)
- add GET /api/repo/[owner]/[repo]/learnings/history endpoint (Clerk auth)
- add LearningsSection component with textarea, save-on-blur, and history modal
- record revision history with actor tracking (agent vs user) and pruning (50 max)
- gate UI behind owner === "pullfrog" for internal dogfooding

Made-with: Cursor

* fix prisma enum import path for LearningsActor

Made-with: Cursor

* simplify learnings schema: remove LearningsActor enum, store model name directly

the actor/actorName split was unnecessary — learnings are only written by
agents so the revision table just needs a model column. removes all user
editing concepts from schema, API, and frontend.

Made-with: Cursor

* fix migration: add separate migration instead of rewriting existing one

restores original learnings_revisions migration and adds a new migration
that drops actor/actorName columns, backfills model from actorName, and
drops the LearningsActor enum.

Made-with: Cursor

* polish learnings feature: rename to Repo Intelligence, fix atomicity, fix review skip

- rename user-facing "learnings" to "Repo Intelligence" (UI, prompt section, wiki, sidebar)
- simplify description to "Automatically discovered by the agent across runs."
- wrap repo.update + revision create in $transaction for atomicity
- refactor recordLearningsRevision to pruneLearningsRevisions (prune-only)
- fix empty review skip: don't block APPROVE reviews with no body
- fix broken docs anchor: #free-options → #free-models
- update agent guidance to require flat bullet list format with pruning
- add accessibility: aria-expanded, sr-only loading, output element
- add chevron rotation, stale data clear on modal close, max-h scroll
- trim + length-limit model field, remove type cast, restore pre-existing comment
- update wiki prompt examples with actual bullet-formatted content
- update model test snapshot

Made-with: Cursor

* fix stale free model name in docs, rename utility file to match export

- docs/keys.mdx: MiMo V2 Flash → MiMo V2 Pro (matches model code change)
- rename recordLearningsRevision.ts → pruneLearningsRevisions.ts

Made-with: Cursor

* Add skill, .neon

* polish learnings UI and remove verbose log

- learnings code block: read-only appearance with muted text, copy button, rounded corners
- history modal: full-width rows with cursor-pointer, chevron moved to right, no preview text
- drop noisy update_learnings log line

Made-with: Cursor

* inject learningsStep into all modes, drop seed script, soften revision styling

Made-with: Cursor

* Drop seed

---------

Co-authored-by: Colin McDonnell <colinmcd94@gmail.com>
2026-03-25 19:15:43 +00:00
Colin McDonnell b31800c213 clarify PR summary instructions for readable section titles
Made-with: Cursor
2026-03-20 16:17:59 +00:00
Colin McDonnell 026cc7a276 skip empty review submissions instead of posting noise
when create_pull_request_review is called with no body and no inline
comments, return early with a clear log message instead of hitting
GitHub's 422 or posting a useless "approved" comment.

Made-with: Cursor
2026-03-17 20:09:33 +00:00
Colin McDonnell c6a3ee0e9a show model name in footer, drop pullfrog.com link (#484)
* show model name in footer, drop pullfrog.com link

add model slug to buildPullfrogFooter so every Pullfrog comment
displays the active model (e.g. "Using `Big Pickle` (free)" or
"Using `Claude Opus`"). remove the pullfrog.com link from all footers.

Made-with: Cursor

* reject <br/> tags in comment bodies, add prompt guidance

add runtime validation in addFooter that throws if <br/> is followed
by a non-blank line (breaks GitHub heading rendering). the agent sees
the error and retries with clean markdown. also update Summarize mode
prompt to explicitly forbid <br/> tags.

Made-with: Cursor

* fix <br/> guidance: move to event instructions, clarify blank line rule

the formatting rule belongs in DEFAULT_PR_SUMMARY_INSTRUCTIONS (event
instructions), not the Summarize mode prompt. clarify that <br/> must
always be followed by a blank line before headings.

Made-with: Cursor

* generalize block-level HTML rule in summary instructions

add a prominent top-level rule about requiring blank lines between ALL
block-level HTML elements and markdown syntax, not just <br/>.

Made-with: Cursor

* move model to toolState instead of threading through params

model is set once at startup and read everywhere — it belongs on
toolState, not threaded as a separate param through 8 call sites.
postCleanup runs without toolState so it just omits the model label.

Made-with: Cursor

* update models.dev snapshot (openai latest changed)

Made-with: Cursor

* add comment to models snapshot test explaining its purpose

Made-with: Cursor
2026-03-17 19:59:11 +00:00
Colin McDonnell 8a734c32f4 fix workflow detection, duplicate summaries, review resilience (#482)
* fix workflow detection when repos have many workflows

Switch workflow lookup to GitHub's direct workflow-by-filename API so pullfrog.yml is found even when list endpoints paginate, and paginate installation scans in maintenance scripts to avoid partial coverage.

Made-with: Cursor

* fix review comment line resolution: pre-validate against diff hunks + auto-bisect fallback

when submitting a review with inline comments, the tool now:
1. fetches the PR diff and validates each comment's line range against the actual hunk boundaries
2. moves invalid comments to the review body with a clear explanation
3. on 422 from GitHub (rare API quirks where valid-looking lines are rejected), bisects
   comments using disposable pending reviews to isolate failures
4. retries with only the comments GitHub accepts

also fixes getHttpStatus (previously isStatusError) which wasn't recognizing Octokit errors,
and warns in the tool description that each call creates a permanent visible review.

Made-with: Cursor

* remove bisect fallback, anchor review to checkout sha, make start_line optional

- drop the auto-bisect-on-422 logic entirely; pre-validation catches the
  real issues and the 422 catch now just throws a clear actionable error
- anchor review submission to checkoutSha so line numbers match the diff
  the agent actually analyzed (avoids stale-line 422s from new pushes)
- make start_line optional and only set start_line/start_side when it
  differs from line (single-line comments don't need the range fields)
- improve headMovedDuringReview detection to use latestHeadSha directly

Made-with: Cursor

* drop review comment pre-validation in favor of pinned commit_id

The pre-validation (listFiles + hunk parsing) was checking comments
against the current PR diff, but the review is now anchored to
checkoutSha. When HEAD moves, pre-validation checks the wrong diff
and can false-reject valid comments. GitHub's own commit_id-anchored
validation is the correct source of truth.

Made-with: Cursor

* add logging to fetchExistingSummaryComment for duplicate summary debug

Made-with: Cursor

* fix duplicate summary comments: guard create_issue_comment for existing summaries

When select_mode finds an existing summary comment (existingSummaryCommentId),
create_issue_comment with type: "Summary" now auto-redirects to update instead
of creating a new comment. Belt-and-suspenders for the token fix in selectMode.ts.

Made-with: Cursor

* document api auth patterns to prevent token misuse

add wiki/api-auth.md explaining the two auth patterns (GitHub token vs
Pullfrog JWT) and when to use each. add auth comments to all action-facing
routes and their callers so the correct token is obvious.

Made-with: Cursor

* fix models.dev snapshot: filter beta models, add tiebreaker

Skip models with any status (beta, deprecated) so nightly/experimental
releases don't cause snapshot churn. Add lexicographic tiebreaker for
stable ordering when release dates match.

Made-with: Cursor

* add tests to pre-push hook

Made-with: Cursor

* fix: decouple summary dispatch from re-review gate on pull_request_synchronize

The summary workflow was never dispatched on new commits because the
pull_request_synchronize handler broke early when prReReview was disabled,
before reaching the prSummaryComment check. Now re-review and summary
are dispatched independently.

Made-with: Cursor

* resolve merge conflicts in rebase.md and checkout.ts

Made-with: Cursor

* fix: restore checkout.ts and rebase.md from remote

Made-with: Cursor
2026-03-16 18:12:11 +00:00
Colin McDonnell 4a8c432a48 add Summarize mode for updatable PR summary comments (#470)
* add Summarize mode for updatable PR summary comments

Introduces a Summarize mode that manages a single summary comment per PR,
updated in place on subsequent pushes. Mirrors the Plan/PlanEdit pattern:
API endpoint for existing-comment lookup at select_mode time, node ID
tracking on WorkflowRun, and SummaryUpdate guidance for edits.

Also fixes summary format instructions: Before/After uses inline <br/>
to avoid double line breaks, metadata line placed after key changes,
SHA-256 anchor instructions strengthened against fabrication.

Made-with: Cursor

* fix pre-existing lint error in checkout.ts

Made-with: Cursor

* fix dead restricted param in deepenForBeforeSha

GitAuthOptions dropped the restricted field in the ASKPASS refactor (#478)
but deepenForBeforeSha (#471) still passed it. Remove the field and the
now-unused shell param from DeepenForBeforeShaParams.

Made-with: Cursor
2026-03-12 05:32:17 +00:00
Colin McDonnell 6d25adfd1a Agent & model refactor (#478)
* agent & model refactor with ASKPASS git auth, UI restructure, clerk v7

Made-with: Cursor

* fix stale agent/effort refs, add tests for askpass + model resolution

- reviewCleanup.ts: payload.agent -> payload.model, remove effort
- selectMode.ts PlanEdit: remove delegation/subagent/effort references
- pullfrog.yml.ts: update env vars (drop GOOGLE_API_KEY/CURSOR_API_KEY,
  add GOOGLE_GENERATIVE_AI_API_KEY/XAI_API_KEY/MOONSHOT_API_KEY/OPENCODE_API_KEY)
- FlagsSettings/RepoInstructionsSection: remove stale effort/timeout copy
- new: gitAuthServer.test.ts (10 tests — lifecycle, token delivery, tamper detection, script gen)
- new: agent.test.ts (4 tests — default opentoad, AGENT_OVERRIDE, invalid override)
- new: models.test.ts (19 tests — parseModel, resolution, registry invariants)
- update models.dev snapshot

Made-with: Cursor

* fix changed-agents.sh to filter legacy agent files from CI matrix

legacy agent files (claude.ts, codex.ts, etc.) are @ts-nocheck and not
exported from index.ts. changed-agents.sh now reads index.ts imports to
build the active agent set and treats changes to inactive files as
non-agent changes (opentoad canary only).

Made-with: Cursor

* remove MCP file tools, old agent harnesses, and obsolete security tests

ASKPASS-based git auth makes the old MCP file tool security layer unnecessary:
- token never in subprocess env, so symlink/gitattributes/hook attacks can't exfiltrate it
- agents now use native file tools (OpenCode builtin read/edit)

deleted:
- action/mcp/file.ts (file_read, file_write, file_edit, file_delete, list_directory)
- action/mcp/index.ts (dead re-export)
- agent harnesses: claude.ts, codex.ts, cursor.ts, gemini.ts, opencode.ts
- opencode-runner.ts (inlined into opentoad.ts)
- security tests that validated MCP file tool restrictions
- commented-out three-step review flow (~300 lines)
- sanitizeSchema/wrapSchema dead code from mcp/shared.ts
- OPENCODE_MODEL_MINI/MAX env vars (effort-level model overrides removed)

updated test prompts to use generic file ops instead of MCP tool names.
restored pkg-json-scripts + requirements-txt-attack (test --ignore-scripts defense).

Made-with: Cursor

* bump actions/checkout v4 → v6 (node 24)

node 20 actions deprecated june 2, 2026.

Made-with: Cursor

* temporarily disable fail-fast on agnostic tests to debug checkout@v6

Made-with: Cursor

* re-enable fail-fast on agnostic tests

Made-with: Cursor

* fix test token mismatch: mint OIDC tokens scoped to target repo

CI tests override GITHUB_REPOSITORY to pullfrog/test-repo but inherit
the runner's GITHUB_TOKEN (scoped to pullfrog/app), causing 401s on
every run-context fetch. Clear GITHUB_TOKEN in the test subprocess so
ensureGitHubToken() mints a properly scoped token via OIDC.

Also centralizes the default GITHUB_REPOSITORY in runAgentStreaming
instead of repeating it in every test file, and fixes preview-cleanup
to remove workers from all queues (not just name-matching ones).

Made-with: Cursor

* fix ensureGitHubToken to try OIDC when app credentials are absent

ensureGitHubToken only attempted token minting when GITHUB_APP_ID and
GITHUB_PRIVATE_KEY were set. In CI, OIDC is available but app creds
aren't exposed — so the guard prevented minting entirely.

Made-with: Cursor

* dead code cleanup: remove remnants of deleted agents, file tools, effort system

remove unused @anthropic-ai/claude-agent-sdk and @openai/codex-sdk deps,
orphaned file-tool security tests, dead GEMINI_MODEL passthrough, stale
opencode-runner wiki refs, deleted test file references, and MCP file tool
docs. rename docs/effort → docs/models. fix vitest setup: move dotenv to
globalSetup (runs once before forks instead of per-file, 19s → 200ms).

Made-with: Cursor

* address review feedback: remove dead code, update stale references

- remove AGENT_OVERRIDE (only opentoad exists)
- remove shellToolName plumbing (always restricted shell)
- bump action version to 0.0.179
- remove CURSOR_API_KEY from all workflows/configs
- remove OPENCODE_MODEL_MINI/MAX from workflows/docs
- delete wiki/effort.md, rewrite docs/effort.mdx as "Models"
- rewrite wiki/modes.md: orchestrator/subagent → single agent
- simplify flag system: drop builtin flag extraction (debug, effort,
  timeout, agent), keep custom flag replacement only
- reserve all legacy flag names to prevent custom flag conflicts

Made-with: Cursor

* regenerate lockfile after removing claude-agent-sdk and codex-sdk

Made-with: Cursor

* fix import ordering, add lockfile check to pre-push hook

Made-with: Cursor

* remove dead debug payload field, stale packageExtensions

Made-with: Cursor

* merge proc-sandbox and token-exfil into a single test

proc-sandbox and token-exfil were duplicative — both tested that
SANDBOX_TEST_TOKEN couldn't be exfiltrated. consolidated into
token-exfil with shell:restricted (which actually exercises filterEnv)
and the /proc attack vector hints from proc-sandbox.

Made-with: Cursor

* fix wiki adversarial.md to match actual tokenExfil validator

Made-with: Cursor
2026-03-12 05:22:51 +00:00
David Blass 5bcfae990a restructure dashboard UI, add mode instructions, post-review follow-up dispatch (#453)
* add mode instructions and restructure dashboard sidebar

- add modeInstructions JSONB field to Repo model for per-mode user instructions
- thread modeInstructions through settings API, run-context API, RepoSettings, ToolContext, and selectMode runtime
- merge user-defined mode instructions with hardcoded orchestrator guidance, with IncrementalReview inheriting from Review
- reduce visible built-in modes from 7 to 4 (Build, Review, Plan, Fix) with editable Instructions textareas
- add TRIGGERS group header to sidebar above Mentions, Pull requests, Issues
- add wiki/modes.md documenting triggers and modes conceptual model

Made-with: Cursor

* fix leaping comment deletion and address review feedback

- wrap post-createReview operations in try/finally so deleteProgressComment
  runs even when updateReview or reportReviewNodeId throws
- add parseModeInstructions runtime guard to filter non-string values
  from the JSONB field before passing to buildOrchestratorGuidance
- add useEffect sync for localInstructions when props change
- guard onBlur to skip save when instructions haven't changed
- update wiki/modes.md to reflect V2 is implemented (no longer "proposed")

Made-with: Cursor

* harden review cleanup, fix type cast, stabilize mode instructions state

- wrap deleteProgressComment in try/catch inside finally to prevent masking original errors
- replace `as Record<string,string>` cast with runtime parseModeInstructions + useMemo
- fix wiki dual-prompt table to reflect mode.prompt fallback status

Made-with: Cursor

* fix wiki tense and heading ambiguity from PR review

Made-with: Cursor

* fix review "edited" badge by using pending review + submit flow

create review as PENDING first (no event/body), build the footer with
the now-known review ID, then submitReview with the full body. single
atomic publish — no updateReview edit needed.

Made-with: Cursor

* add post-agent follow-up re-review dispatch

After the agent exits, check if PR HEAD moved past the reviewed commit
and dispatch a follow-up re-review. This closes the gap where push
webhooks are suppressed during in-flight reviews.

Made-with: Cursor

* add silent flag to follow-up re-review dispatch

Made-with: Cursor

* restructure dashboard for consistency and clarity

- consolidate tools into single grouped card (was 4 separate cards)
- merge coding + autofix CI into one section
- remove redundant trigger section descriptions
- add bidirectional crosslinks between modes and triggers
- inline instruction links (review/plan/build) into descriptions
- add save status indicators to all sections
- restructure flags with grouped built-in/custom cards
- flatten sidebar (remove dividers and group headers)
- tighten all descriptions

Made-with: Cursor

* update PR screenshots for new dashboard layout

Made-with: Cursor

* extend review context inline instead of dispatching new workflow

when commits are pushed during a review, the agent now handles them
inline: create_pull_request_review detects HEAD movement, returns
instructions to pull and review the incremental diff, and the agent
submits a second review covering only the new changes. this avoids
the cost of spinning up a full new workflow run.

also fixes a bug where reviewedSha was set to the submission HEAD
(current) rather than the checkout HEAD (what was actually reviewed),
which caused commits pushed between checkout and submission to be
silently missed by postReviewCleanup.

the workflow dispatch is kept as a safety net for agent timeout/error.

Made-with: Cursor

* polish dashboard UI: fix debug markers, crosslinks, title consistency, descriptions

- remove all red debug borders/labels and CM component
- remove all inline style={{}} debug outlines from crosslinks
- fix ambiguous crosslinks: Build→"Coding ↓", Plan→"Enrich issues ↓"
- add missing "Edit build instructions ↑" backlink on Auto-address reviews
- normalize card title weight to text-sm font-semibold across all cards
- rename "Default" subcard to "Setup" with broader description
- fix Mentions description to imperative tone
- broaden Flags section description to cover built-in and custom
- remove useless fragments in ModesSection and ToolsSettings
- restructure Agent section: remove ConsoleSection wrappers, add sidebar indent support

Made-with: Cursor

* extract PR quick links as standalone card, consistent with issues

- PR quick links is now its own card under Reviews (was a sub-toggle inside Review PRs disabled state)
- Review PRs OFF sets prCreated="none" instead of auto-falling back to "links"
- Review PRs card hides sub-toggles when disabled (re-review/approve don't apply)
- Both PRs and Issues now have identical Quick links card structure

Made-with: Cursor

* update reviews screenshot with standalone quick links card

Made-with: Cursor

* polish dashboard UI: revert quick links to inline toggles, fix fonts and spacing

- revert standalone PR/issue Quick Links cards back to inline toggles inside
  Review PRs and Enrich Issues cards (fixes prCreated state coupling bug)
- restore original font-medium card titles across all trigger/settings cards
- fix sidebar: add CONSOLE heading, remove nested indentation, remove truncation
- right-justify Enrich Issues mode dropdown, group description with label
- move instructions links inline with behavior descriptions
- replace text save indicators with icon spinner/checkmark
- standardize section title spacing, move footer below danger zone

Made-with: Cursor

* fix formatting for biome lint

Made-with: Cursor

* address PR review feedback: cleanup guard, shared util, wiki update

- clear ctx.toolState.review after read to prevent double-execution of postReviewCleanup
- forward authorPermission in safety-net re-review dispatch
- extract parseModeInstructions to utils/schemas/modeInstructions.ts
- update wiki/modes.md: remove stale v1/v2 language, fix dashboard layout
- add typecheck to pre-push hook

Made-with: Cursor

* add action typecheck to pre-push, fix exactOptionalPropertyTypes errors

Made-with: Cursor

* fix duplicate actuallyReviewedSha from rebase

Made-with: Cursor

* remove PR screenshots

Made-with: Cursor

* add label/textarea association for mode instruction accessibility

Made-with: Cursor

---------

Co-authored-by: Colin McDonnell <colinmcd94@gmail.com>
2026-03-11 04:24:09 +00:00
Colin McDonnell 089a05b13e fix bodyless review bug by using pending + submit flow (#469)
* fix bodyless review bug by using pending + submit flow

createReview with event:"COMMENT" publishes immediately, so the
subsequent updateReview (to add footer with Fix links) fails when
the agent omits the review-level body — GitHub rejects editing a
bodyless review. this left ghost reviews and caused retries with
a garbage body like `" "`.

switch to a two-phase flow: createReview without event (PENDING),
then submitReview with the full body + footer. single atomic
publish, no updateReview needed.

Made-with: Cursor

* support bodyless reviews — skip footer when no body provided

Made-with: Cursor

* early return for bodyless reviews

Made-with: Cursor

* extract submitAndCleanup and buildReviewFooter helpers

Made-with: Cursor

* fix: default approved to false for buildReviewFooter

Made-with: Cursor

* run action typecheck alongside root tsc

Made-with: Cursor

* refactor: extract submitReview helper, keep cleanup inline

Made-with: Cursor

* skip pending+submit for bodyless reviews — single createReview instead

Made-with: Cursor

* restore pre-existing comments

Made-with: Cursor
2026-03-11 01:56:57 +00:00
Anna Bocharova 9c99bcbbac feat: Improving the plan revisions (#465)
* feat(plans): Suggested plan for plan revisions.

* fix: add planCommentId to reduce GitHub API calls.

* Revert "fix: add planCommentId to reduce GitHub API calls."

This reverts commit ef9c24811fa291b12ac3601cc4cd3edb7c9a0fca.

* Improving plan revision: the implementation draft.

* fix schema composition order.

* fix: reusing existing retry helper (action) for reportPlanCommentToRun.

* mv: updatePlanCommentId.

* fix: higher severity for logging error.

* fix: add error handling when calling findExistingPlanCommentIdForIssue.

* feat: improving the revisit plan request detection by adding PLAN_REVISION_VERBS.

* Updating the plan with alternative non-determenistic solution.

* add more verbs to PLAN_REVISION_VERBS.

* fix: supply the previous plan in the event context as previousPlanBody, updating Plan mode instructions.

* fix: adjusting the way PLAN_REVISION_VERBS are used in sentences.

* fix: using GraphQL approach with NodeId to find commentId in findExistingPlanCommentIdForIssue.

* fix: use double word boundaries (both sides).

* fix condition in findExistingPlanCommentIdForIssue.

* fix: rm unused args from findExistingPlanCommentIdForIssue.

* bump the action version.

* fix(plan): rm everything related to approach A.

* fix(plan): No limit for progress comments.

* feat(plan): the new plan.

* Revert: changed to webhook (no longer involved).

* feat: mv plan comment lookup into a new API endpoint.

* Revert: changes to select_mode tool.

* FEAT: The new implementation.

* fix arktype issues.

* fix plan diagram.

* fix(selectMode): e2e type constraints for fetchExistingPlanComment.

* Revert "fix(selectMode): e2e type constraints for fetchExistingPlanComment."

This reverts commit 53f3b6650a9928e3080700faa9eead0052e94333.

* fix(selectMode): type constraints (copy) for fetchExistingPlanComment.

* feat: improving isHttpError helper and reusing it consistently instead of casting.

* address review: remove unconditional retry, add plan comment warning, dedupe type, remove dead guard, fix GraphQL types

* Fix: tightening the PlanEdit guidance.

* fix(select_mode): Providing the agent with existingPlanCommentId as well.

* fix(instructions): Adjusting the primary guidance to prefer Plan mode for issue-related ambiguous requests.

* fix(wiki): updating the delegation docs according to the current instructions.

* fix(instructions): rm implication to call for issue details.

* fix(select_mode): tweak for PlanEdit.

* fix(select_mode): more tweaks to PlanEdit.

* fix(select_mode): tweaks for the order of instructions and context.

* revert: to the state of 5c400efce1f1fec0a0855eeacad2bc3b721fd1bf.

* fix(select_mode): Correcting the guideline.

* rm the plan from the branch (impletemented).

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
2026-03-10 20:34:54 +00:00
Mateusz Burzyński 6c9747585f Reject push_branch when working tree has uncommitted changes (#468) 2026-03-10 20:16:42 +00:00
Mateusz Burzyński f87073fcef Get rid of the fastmcp schema workarounds (#457)
* Get rid of the fastmcp schema workarounds

* tweak

* update lock
2026-03-06 18:12:44 +00:00
Colin McDonnell ed91fbb18d use compare API to deepen by exact divergence instead of fixed 1000 2026-03-05 23:50:22 +00:00
pullfrog[bot] 8bac460177 fix: add concurrency protection to action sync workflows (#451)
* fix: add concurrency protection to action sync workflows

* style: fix formatting in action/modes.ts

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
2026-03-05 23:44:55 +00:00