Introduce gitcmd.Runner with channel-based semaphore to cap concurrent
git subprocesses (default 16, configurable via --max-git-procs). Route
all tool-layer and diff-layer git calls through the shared runner.
Also fix diff.Provider.runGit lacking context.Context — now the full
chain (GetDiff → MergeBase → ParseDiffText → finalizeDiff) propagates
the caller's context for proper cancellation and timeout support.
Registry was a plain map alias and DiffMap a shared map[string]string,
both relying on implicit write-before-read ordering with no compile-time
safety. Refactor Registry into an encapsulated struct with Freeze() that
panics on post-freeze writes, and wrap DiffMap as an immutable value type
with defensive copy on construction. Move DiffMap injection to before
filterDiffs to preserve the original behavior of exposing all file diffs.
Add cache_control ephemeral breakpoints on system prompt and tool
definitions to activate Anthropic prompt caching for multi-turn
agent loops. Fix token double-counting by removing the redundant
totalTokensUsed accumulator and computing it from sub-items. Surface
cache read/write statistics in both text and JSON summary output.
Add ctx parameter to Provider.Execute interface and propagate it through
FileReader.Read, code_search.gitGrep/runGitGrep, and file_find.listGitFiles.
This ensures parent task cancellation/timeout properly terminates running
git subprocesses (grep, show, ls-files, ls-tree). Also adds 10s timeout
to file_find and fixes context.Canceled handling in code_search.
Rule doc files were translated from Chinese to English but tests still
expected Chinese substrings. Also added HOME isolation to prevent the
user's ~/.opencodereview/rule.json from interfering with system-default
rule assertions.
Migrated internal/llm from manual net/http implementation to anthropic-sdk-go v1.47.0
and openai-go/v3 v3.39.0, reducing ~400 lines of retry, request-building, and streaming
code. Simplified LLMClient interface to single CompletionsWithCtx method. Fixed Anthropic
auth to use WithAuthToken (Bearer) instead of WithAPIKey (X-Api-Key) for proxy compatibility.
Fixed OpenAI message builder to use ExtractText() for proper []ContentBlock handling.
* ci: add GitHub Actions workflow for automated PR review
- Trigger on PR opened and issue_comment (/open-code-review)
- Install OCR via npm, configure LLM secrets, run review
- Post inline review comments via GitHub PR review API
- Fallback to individual comments if batch posting fails
- Use commit SHA instead of branch ref to support fork PRs
* ci: use pull_request_target to support fork PR secret access
- Switch from pull_request to pull_request_target trigger
- Add synchronize and reopened event types
- Explicitly checkout PR head SHA (pull_request_target defaults to base)
- This ensures secrets are available for PRs from forked repos
* ci: fix pull_request_target handling for fork PRs
- Narrow trigger types to 'opened' only to reduce redundant runs
- Add explicit fetch of PR head ref to ensure fork commits are available
- Fix event name check from 'pull_request' to 'pull_request_target'
StreamCompletion used http.NewRequest without context and retry with
context.Background(), making streaming calls uncancellable. Memory
compression called Completions() without context, leaving async
goroutines unable to be cancelled or timed out.
- Add StreamCompletionWithCtx to LLMClient interface and both
OpenAI/Anthropic implementations
- Propagate context through runCompression, addNextMessage, and
triggerAsyncCompression call chain
- Add 5-minute timeout cap on async compression goroutines
- Cancel in-flight compression HTTP requests when job is superseded
The code_search tool used -E (extended regex) by default, causing
unmatched parentheses in search patterns (e.g. "func Hello()") to
trigger "Unmatched ( or \(" fatal errors on Linux (GNU regex is strict),
while macOS (BSD regex) silently tolerated them. Since the tool
definition states the default mode is "literal text", switch to -F
(fixed string). Also capture stderr separately so real errors are
surfaced instead of being silently reported as "No matches found".
The searchText was placed after '--', causing git to interpret it as a
pathspec instead of a pattern. Use '-e' to explicitly mark the search
pattern and place the ref after it. Also replace CombinedOutput with
Output to prevent stderr from polluting result parsing.
* feat: add .ets file extension support for HarmonyOS development
* feat: add complete HarmonyOS review support with ArkTS rules, .json5 config, and oh_modules exclusion
- Add arkts.md rule doc with ArkTS-specific and TypeScript general checks
- Add .json5 to supported file types for HarmonyOS config files
- Map .json5 to json.md rules in system_rules.json
- Exclude oh_modules/** (HarmonyOS dependency dir) from review
- Exclude *.test.ets (HarmonyOS test files) from review
- Add unit tests for all new extensions and patterns
* refactor: merge json and json5 glob patterns into single brace expansion
Store ReviewMode, DiffFrom, DiffTo, and DiffCommit in SessionHistory
and persist them to JSONL (conditionally, only when non-empty). Display
mode in viewer list page and show version details (from/to or commit)
on the session detail page based on review mode.
* chore: remove --audience agent flag and simplify JSON parsing in CI examples
- Remove --audience agent flag from ocr review commands in CI examples
- Simplify JSON output parsing by reading directly without skipping first line
- Update README docs to reflect the simplified CLI usage
* fix: correct typo in .gitlab-ci.yml comment
Change 'confuring' to 'setting' in CI variable configuration comment.
code_search used SplitN(":", 3) to parse git grep output, but in
range/commit mode git grep prefixes each line with the ref
(ref:file:line:content). All matches silently failed Atoi on the
filepath field, returning an empty string that caused the review
session to terminate immediately.
Fix code_search to detect the ref prefix and adjust split/index
accordingly. Also replace the hard stop on empty tool results with
a retry loop (up to 3 consecutive empty rounds) so the LLM can
recover or call task_done gracefully.
file_find and finalizeDiff always read from the working tree, even in
range/commit mode where the review targets a specific git ref. This
caused inconsistent file versions compared to file_read and code_search
which correctly used git show. Fix file_find to use git ls-tree and
finalizeDiff to use git show when a ref is specified.
Replace the hard-coded Chinese-only empty-plan branch with a compiled
regex + helper that strips the "### Review Plan …" wrapper (any language
variant) when the plan phase produces no output.
TWO BUGS fixed:
- The wrapper was only stripped for the Chinese literal `### 审查计划`,
not the actual English `### Review Plan (Optional)` shipped in the
template, so `{{plan_guidance}}` leaked into the rendered prompt on
every review where the plan phase was skipped or failed.
- The strip ran AFTER `ReplaceAll("{{plan_guidance}}", "")`, so the
token was already gone and the regex couldn't match the wrapper.
Fixed ordering: strip BEFORE replace.
Also simplifies the regex alternation per Copilot review feedback:
`Review Plan` and `审查计划` already subsume the `(Optional)`/`(可选)`
suffixes because the trailing `[^\n]*` consumes them.
Adds unit tests for English, Chinese, and integration (production flow).
Co-authored-by: Copilot <copilot-pull-request-reviewer@github.com>
Make encodeRepoPath cross-platform by properly handling volume names, backslash separators, and drive letter colons. Add unit tests covering Unix, Windows, and edge-case inputs.
* fix(agent): skip binary files during code review
Previously, binary files were passed through the review pipeline because
shouldReview only checked path/extension rules. This caused the agent to
incorrectly attempt reviewing binary content.
- Add ExcludeBinary reason to the exclusion filter
- Change shouldReview/whyExcluded to accept model.Diff instead of path
string, enabling access to the IsBinary flag
- Check IsBinary as the first gate in whyExcluded
- Differentiate skip log messages for binary vs path-filtered files
* test: add unit tests for preview.go
* fix: normalize dash to em-dash in binary file skip log message
* test(agent): strengthen UserIncludePattern tests to cover additive semantics
- Document that include patterns are additive, not exclusive
- Add cases verifying include bypasses default-path exclusion
- Add cases for extension filter precedence over include logic
- Add TestWhyExcluded_IncludeBypassesDefaultPath for rescue semantics
- Add TestWhyExcluded_IncludeAndExcludeInteraction for priority order
The viewer's HTTP server (StartServer in internal/viewer/server.go) had no
Host-header validation, so a web page the user visits could DNS-rebind its
own origin to 127.0.0.1:5483 and read every session JSONL — which contains
LLM request messages (= source code being reviewed) and the LLM's analysis.
Adds a default-deny host guard that always allows loopback names plus the
concrete bind host. Wildcard binds and extra hostnames go through the new
OCR_VIEWER_ALLOWED_HOSTS env var, so an operator who binds the viewer on a
LAN interface has to acknowledge the exposure explicitly.
Detected by Aeon + manual review.
Severity: high
CWE-346 (Origin Validation Error), CWE-200 (Exposure of Sensitive Info)
Co-authored-by: aeonframework <aeonframework@users.noreply.github.com>
When using --audience agent --format json, the text summary line was
printed before the JSON body, causing parse failures for integrations.
Move summary data into the JSON "summary" field and skip PrintTraceSummary
in JSON mode.
Unify BUILD_PLATFORM macro with optional suffix parameter to eliminate
duplication, centralize IS_WINDOWS/BINARY_NAME exports in install.js,
add Windows-safe rename-then-replace strategy in update.js, and add
PATH guidance in README for Windows users.
* feat(build): add Windows platform support
Add windows/amd64 and windows/arm64 to CI build matrix, Makefile
cross-platform targets, and handle .exe suffix in install/update
scripts and binary wrapper. Skip chmod on Windows where unsupported.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* docs(README): add Windows download instructions
Add Windows x86_64 and ARM64 binary download commands to both
English and Chinese README install sections.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* docs: add CI/CD integration section and examples
- Add CI/CD Integration section to README.md and README.zh-CN.md
- Add GitHub Actions workflow example (examples/github_actions/)
- Add GitLab CI pipeline example (examples/gitlab_ci/)
- Add examples README with overview of integration options
* feat(examples): enhance GitHub Actions demo with comment trigger and improved error handling
- Add issue_comment event trigger with /open-code-review and @open-code-review keywords
- Add PR context resolution for comment-triggered events via GitHub API
- Improve ref handling to support both PR events and comment events
- Add individual comment fallback with retry when batch review fails
- Add posting statistics (success/failed counts) to summary comment
- Update README with comment trigger flow and customization guide
* docs(examples): add --background flag usage guide for GitHub Actions and GitLab CI
Explain how to pass PR/MR title as background context to help OCR
provide more relevant and context-aware review comments.
* feat(examples): simplify PR trigger and add skip-existing-review guide for GitLab CI
- Reduce GitHub Actions PR trigger to 'opened' only (avoid redundant
reviews on synchronize/reopened events)
- Add GitLab CI documentation for checking existing OCR comments before
running review to save LLM tokens
Re-location LLM calls were invisible in session history and their token
consumption was unaccounted for. Refactor the code_comment handling path
to record re-location requests/responses into session JSONL, accumulate
token usage into global counters, and display them in the viewer.
Also fixes: async context cancellation risk (WithoutCancel), duplicate
telemetry recording, missing timeout enforcement, missing {existing_code}
placeholder in the re-location prompt, and renames Parse to ParseComments
for clarity.
* docs: add GitHub issue and PR templates
Add structured issue templates for bug reports, feature requests, and docs reports with YAML forms. Include a pull request template with checklist for contribution quality.
* docs: add bilingual contributing guide (EN & zh-CN)
Provide detailed contribution guidelines covering development setup, coding standards, commit conventions, PR workflow, and community conduct in both English and Chinese.
* feat: add open-code-review skill for agent integration
Add skills/open-code-review/SKILL.md that teaches coding agents
how to invoke ocr for code review, classify issues by priority,
and optionally apply fixes.
* feat: add Claude Code plugin for open-code-review
Add .claude-plugin/marketplace.json and plugins/open-code-review/
with plugin configuration and review command, enabling installation
as a Claude Code slash command plugin.
* docs: add agent integration section to README (EN/ZH)
Add 'Integration into Coding Agents' section covering three methods:
skill installation, Claude Code plugin, and direct command file copy.
Bilingual update for both README.md and README.zh-CN.md.
* docs: update manual setup curl URLs to new plugin path
Allow users to configure either a base URL (e.g. https://api.example.com/v1)
or a full endpoint URL for OpenAI-compatible services. The client now
normalizes the URL on initialization, matching the existing behavior of
the Anthropic client.