Commit graph

162 commits

Author SHA1 Message Date
kite
602e3bbe94 refactor(agent): split agent.go into util.go and compression.go, fix compression bugs
Extract utility functions (stripEmptyPlanBlock, stripMarkdownFences,
buildMessageXML, copyMessages, countMessagesTokens, reviewModeString,
detectGitBranch) into util.go and all compression logic into compression.go
to improve readability (agent.go: 1489 → 1114 lines).

Fix pre-existing compression bugs from commit 14adf6f:
- Return unmodified messages on compression failure instead of truncating
  to frozen zone (which discarded all conversation context)
- Check error in async compression goroutine to avoid applying failed results
- Track snapshot length to append post-snapshot messages when applying async
  compression, preventing silent message loss
- Strip old <previous_review_summary> before appending new one to prevent
  cumulative frozen zone bloat across multiple compressions
- Guard pendingJob cleanup to only clear when it matches the completed job,
  preventing accidental clearing of a newly scheduled job
- Add context.Context and 5s timeout to detectGitBranch
- Deep copy ToolCalls in copyMessages to match session/history.go
- Reuse finalCount in addNextMessage to avoid redundant token counting
2026-06-19 20:16:23 +08:00
kite
ad870f9549 refactor(template): extract prompt strings into standalone .md files
Move all LLM prompt content from inline JSON strings in task_template.json
to individual Markdown files under prompts/, following the same embed.FS
pattern used by internal/config/rules/. This improves maintainability by
enabling native syntax highlighting, cleaner diffs, and separation of
prompt content from runtime configuration.

Also removes two dead config fields (TOOL_REQUEST_WAIT_TIME_MS,
MAX_SUBTASK_EXECUTION_TIME_MINUTES) that had no runtime consumers.
2026-06-19 19:27:29 +08:00
kite
bde36272c5 docs(i18n): add benchmark section to all README translations
Some checks failed
Deploy Pages / build (push) Has been cancelled
Deploy Pages / deploy (push) Has been cancelled
Add benchmark comparison data (metrics table, key conclusion, and
screenshot) to EN, ZH-CN, JA-JP, KO-KR, and RU-RU READMEs.
Non-Chinese languages use the English screenshot.
2026-06-19 00:22:43 +08:00
kite
8059ac7d4b docs(imgs): update highlights screenshots with latest benchmark data
Regenerated highlights-en.png and highlights-zh.png to reflect current
stats: Token Cost 1/9 (was 1/5) and AACR-Bench 25.1% (was 26.1%).
2026-06-18 23:12:42 +08:00
kite
eda3ab5c51 fix(pages): add pointer-events: none to gradient-border pseudo-element
The ::after overlay on .gradient-border was intercepting click events,
preventing benchmark table sort buttons (Precision/Recall) from working.
2026-06-18 22:35:06 +08:00
kite
dfbbc5b3ff feat(pages): update benchmark data and add sortable columns
Update Claude Code benchmark results for Claude-4.8-Opus and GLM-5.1,
refresh token cost ratio (1/5 → 1/9) and F1 score (26.1% → 25.1%) to
reflect latest data. Add clickable sort headers for F1/Precision/Recall
columns with visual indicators. Centralize hardcoded stats into i18n
and use semantic i18n keys for benchmark subtitle.
2026-06-18 21:57:45 +08:00
kite
d5bd701b65 docs(i18n): expand multi-model feature description with preset providers
Some checks are pending
Deploy Pages / build (push) Waiting to run
Deploy Pages / deploy (push) Blocked by required conditions
Add preset provider list (Anthropic, OpenAI, DashScope, DeepSeek, Z.AI)
and custom endpoint support details to the multi-model protocol feature
description in both en.ts and zh.ts.
2026-06-17 21:13:41 +08:00
kite
79aa88dcee docs(i18n): add Rust to supported languages in built-in review rules 2026-06-17 20:59:02 +08:00
kite
76f5c5f957 refactor(pages): redesign benchmark section with new data model and code quality improvements
Extract SVG icons into standalone files under icons/, replace nested ternaries
with lookup maps, use version constants, and adopt stable React keys.
2026-06-17 20:56:22 +08:00
kite
b0e3c059fd fix: add files whitelist to exclude platform binaries from main package
The main npm package included all 6 platform binaries (~243MB) because
.npmignore did not exclude the opencodereview-* artifacts downloaded
during CI. Adding a files whitelist reduces the package from ~243MB
to ~1.4MB.
2026-06-17 17:42:48 +08:00
MuoDoo
75c612e973
Merge pull request #168 from PreethamNoelP/fix/session-file-permissions-cwe-732
fix(session): restrict session dir and file permissions to owner-only
2026-06-17 17:20:38 +08:00
PreethamNoelP
44c1abc8cd fix(session): restrict session dir and file permissions to owner-only
Session directories were created with 0755 (rwxr-xr-x) and session
files with 0644 (rw-r--r--), making them readable by any local user
on shared systems such as multi-user servers and CI runners.

Session JSONL files contain full LLM request and response data,
including the complete source code diff, file contents read by the
file_read tool, and the model's analysis — all sensitive material.

Change MkdirAll mode from 0755 to 0700 and OpenFile mode from 0644
to 0600, restricting access to the file owner only. This matches the
0600 permission already used for the config file (which holds the API
key) in cmd/opencodereview/provider_cmd.go.

Fixes #144
2026-06-17 12:45:31 +05:30
kite
810af47d4d fix(ci): prefix local path with ./ to prevent npm GitHub shorthand resolution
npm interprets "npm/darwin-arm64" as a GitHub user/repo shorthand
instead of a local directory, causing git ls-remote failures.
2026-06-17 15:00:08 +08:00
kite
b46f48e40d fix(ci): replace bash here-string with POSIX parameter expansion
The CI container uses sh (not bash), which doesn't support the <<<
here-string syntax, causing "Syntax error: redirection unexpected".
2026-06-17 14:43:06 +08:00
kite
11b42c3826 feat: platform-specific npm packages (esbuild-style binary distribution) 2026-06-17 14:28:04 +08:00
kite
62ec5e7d4f fix: support scope override for platform packages on internal registry
Internal npm registry (anpm) only allows specific scopes like @ali,
not @alibaba-group. Derive scope from OCR_PKG_NAME and apply it to
platform subpackage names during publish. Also make platform.js read
package names from optionalDependencies dynamically instead of relying
solely on the hardcoded scope.
2026-06-17 14:17:03 +08:00
kite
f76d4266ed feat: add platform-specific npm packages to eliminate postinstall download
Ship Go binaries inside per-platform npm packages (@alibaba-group/ocr-{os}-{arch})
so npm install resolves the correct binary via optionalDependencies + os/cpu fields.
This removes the need for a postinstall download from GitHub Releases, which is
extremely slow for users behind restricted networks (e.g. China mainland).

The postinstall download is retained as a fallback for --no-optional installs.
2026-06-17 14:17:03 +08:00
kite
a10a436552 fix: abort publish script on npm publish failure 2026-06-17 14:16:32 +08:00
Jiale Li
848f97b44e
fix: improve LLM test feedback for empty responses (#162)
* fix: show explicit success message and handle empty LLM response

* fix: enhance MaxTokens to accommodate reasoning model tests

* chore: optimize code conventions

* chore: delete \n
2026-06-17 12:56:39 +08:00
wxwxwxw_orange
257f9ac105
feat(llm): add glm-5.2 to z-ai provider models (#163) 2026-06-17 11:46:14 +08:00
kite
9f06912755 fix: apply language directive even when config file is missing
ApplyLanguage was only called when the config file existed, so without
~/.opencodereview/config.json no language instruction was injected and
the LLM picked its own language. Now ApplyLanguage is called
unconditionally, defaulting to English via resolveLang("").

Update all README translations to reflect the corrected default
(English) and clarify that any language name is accepted.
2026-06-17 10:56:35 +08:00
Jiale Li
c673c9475a
feat:add --model flag to override LLM model per review (#122) 2026-06-16 22:38:52 +08:00
MuoDoo
ded7c6a1e0
fix: sort provider picker by display name (#154) 2026-06-16 22:22:55 +08:00
zhuichen
e5f4f976e6
fix(cli): reject --to without --from in review flags (#151)
Co-authored-by: zhuichen <13943847+zhuichen@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-06-16 20:26:22 +08:00
wxwxwxw_orange
16c7734af8
feat(llm): add Tencent TokenHub and Hunyuan Token Plan providers (#142) 2026-06-16 19:54:22 +08:00
kite
e9bd334b7f fix: enforce mandatory checksum verification and HTTPS-only registry access
Previously, checksum failures in install.js were silently downgraded to
warnings, allowing unverified binaries to be installed. Similarly,
update.js accepted HTTP registries and skipped verification when no
matching platform entry was found.

Now both scripts treat checksum verification as mandatory when configured:
all failure paths (download error, compute error, mismatch, missing
platform entry) abort the operation and clean up downloaded files.
update.js also drops the http module and silently skips version checks
for non-HTTPS registries.
2026-06-16 16:15:14 +08:00
kite
14d82ff0f0 docs: sync Russian README with interactive provider setup changes
Align README.ru-RU.md with the English README updates from 72aad2c:
add interactive provider/model setup (Option A), restructure config
options into A/B/C, and add new commands to the reference table.
2026-06-16 15:04:40 +08:00
kite
a37bee50fb fix: sanitize terminal control characters in text output to prevent escape-sequence injection (#143)
Strip C0/C1 control characters and DEL from model/diff-derived strings
before printing to the terminal, preventing OSC 52 clipboard hijack,
screen erasure spoofing, and other ANSI injection attacks (CWE-150).
JSON output is unaffected as encoding/json already escapes control chars.
2026-06-16 14:48:56 +08:00
Lei Zhang
813205552d
fix: use text/tabwriter for dynamic column alignment in ocr llm providers (#146)
- Replace hardcoded fmt.Printf width specifiers with text/tabwriter
- Column widths now adapt to actual content, preventing overflow
- Eliminates risk of misaligned columns when provider names exceed preset width
2026-06-16 10:54:15 +08:00
kite
15b8817c39 docs: update providers screenshot with newly added providers 2026-06-15 15:41:38 +08:00
kite
0a7d14e453 fix: remove duplicate kimi provider and fix test locale
Remove the duplicate kimi provider entry introduced by overlapping PRs
(#130 and #134). Keep the Kimi Moonshot API entry with MOONSHOT_API_KEY.

Set LC_ALL=C in Makefile test target to ensure git outputs English
messages regardless of system locale.
2026-06-15 15:32:53 +08:00
wxwxwxw_orange
2bde478993
feat(llm): add volcengine and kimi providers (#134)
* feat(llm): add volcengine and kimi providers
Add pay-as-you-go OpenAI-compatible presets for Volcano Engine Ark
and Kimi Moonshot API.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Apply suggestions from code review

Co-authored-by: lizhengfeng <lizhengfeng.lzf@alibaba-inc.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: lizhengfeng <lizhengfeng.lzf@alibaba-inc.com>
2026-06-15 15:23:19 +08:00
MuoDoo
86380286be
fix: sort provider selection list (#135) 2026-06-15 14:55:41 +08:00
DanielWalnut
3236a610ec
fix: remove sonnet 4.7&4.8 (#133) 2026-06-15 12:53:48 +08:00
kite
7c0b70b02b test(diff): add unit tests for readWorkspaceFileForDiff
Cover all key branches: regular file read, path traversal rejection,
directory rejection, parent symlink escape, external/internal symlink
target handling, and nonexistent file error.
2026-06-15 11:51:51 +08:00
不许对我狗叫丶
3b68c93013
feat: add Kimi provider (#130)
* feat: add build-in kimi provider

Co-authored-by: lizhengfeng <lizhengfeng.lzf@alibaba-inc.com>
2026-06-15 11:50:25 +08:00
不许对我狗叫丶
17c5edca8a
feat: add minimax provider (#131)
* feat: add build-in minimax provider


Co-authored-by: lizhengfeng <lizhengfeng.lzf@alibaba-inc.com>
2026-06-15 11:49:14 +08:00
不许对我狗叫丶
957132e3b6
fix: change mimo token plan url to api url and add mimo flash model (#132) 2026-06-15 09:57:04 +08:00
MuoDoo
4b3f41df10
Fix workspace symlink diff containment (#125)
* Fix workspace symlink diff containment

* Share repository path containment helpers
2026-06-15 00:03:36 +08:00
不许对我狗叫丶
6b8d269c0b
feat: add mimo provider (#124)
Some checks failed
Deploy Pages / build (push) Has been cancelled
Deploy Pages / deploy (push) Has been cancelled
2026-06-14 22:31:30 +08:00
ZheNing Hu
283ec8558c
fix(diff): detect renamed and deleted files correctly in diff parsing (#105)
When a file was renamed on the target branch, ocr review emitted
'[ocr] WARNING: cannot read file <old path> at ref <to>: exit status 128'.

Two compounding bugs:

1. The parser required 'a/'/'b/' prefixes when matching '--- /dev/null' /
   '+++ /dev/null', but git emits these lines without prefixes, so
   IsNew/IsDeleted were never set and deleted files fell through to a
   doomed 'git show ref:<old path>'.

2. 'rename from' / 'rename to' extended headers were never parsed, and
   git diff/show call sites did not force rename detection, so renames
   degraded to delete+add whenever the user had diff.renames=false.

Fixes:
- Parse 'rename from'/'rename to', 'new file mode', 'deleted file mode'
  and unprefixed /dev/null markers in ParseDiffText.
- Pass --find-renames to all git diff/show invocations so rename
  detection no longer depends on user config.
- Add IsRenamed to model.Diff (json: is_renamed) and prefer it in
  diffStatus.
- Add parser unit tests and a range-mode rename regression test.

Fixes #99
2026-06-14 22:29:02 +08:00
kite
689b5f185e fix(tui): widen cpAuth input to prevent placeholder truncation
The cpAuth text input width was 40, which truncated the 51-character
placeholder "optional, leave empty for default (Authorization)".
Increased to 55 so the full text is visible.
2026-06-14 21:59:21 +08:00
kite
72aad2c77c feat: add interactive provider setup with TUI and documentation 2026-06-14 10:49:33 +08:00
kite
f577742c04 ci: drop npm provenance flag incompatible with self-hosted runners
Sigstore provenance verification only supports GitHub-hosted runners,
causing E422 on publish. Remove --provenance and the unused id-token
permission.
2026-06-13 11:08:45 +08:00
kite
372802d294 ci: fix npm publish auth failure on self-hosted runners
The node:20 container lacks automatic NODE_AUTH_TOKEN mapping to npm
registry credentials. Add explicit .npmrc configuration step before
npm publish.
2026-06-13 11:08:45 +08:00
MuoDoo
64552aee9b
fix(security): block git ref option injection (#112) 2026-06-13 11:07:59 +08:00
MuoDoo
9f81cbe486
fix(tool): constrain workspace file reads to repo (#109) 2026-06-12 17:57:28 +08:00
Lei Zhang
76b4d5a3b5
ci: use self-hosted runners with container images for build and deplo… (#107)
* ci: use self-hosted runners with container images for build and deploy workflows

- deploy-pages: switch to self-hosted runner with node:20 container, remove redundant setup-node

- release: use self-hosted runner with golang:1.26.4 container for build job, remove redundant setup-go

- release: use self-hosted runner with ubuntu:24.04 container for release job

- release: use self-hosted runner with node:20 container for npm-publish job, remove redundant setup-node

- release: add jq installation step for version injection in npm-publish

* ci: fix dubious ownership in self-hosted container jobs

- Add git safe.directory trust step after checkout in release.yml build and npm-publish jobs
- Add git safe.directory trust step after checkout in deploy-pages.yml build job
- Switch deploy-pages deploy job from ubuntu-latest to self-hosted with node:20 container
2026-06-12 14:30:51 +08:00
Daniel Grießhaber
c2c7c37e0f
fix(agent): user includes should have higher priority than system supported extensions (#51) 2026-06-12 14:29:47 +08:00
Fedor
9c0c6f2393
docs: add Russian translations for README and CONTRIBUTING (#101)
Add README.ru-RU.md and CONTRIBUTING.ru-RU.md following the existing
localization pattern (zh-CN, ja-JP, ko-KR), and add the Русский link to
the language switcher line in all README and CONTRIBUTING variants.
Also add the previously missing 한국어 link to the CONTRIBUTING.zh-CN.md
and CONTRIBUTING.ja-JP.md switchers.

Closes #100
2026-06-12 11:49:04 +08:00