From 55ca0f9df44240d0f7945477bbadabf80a72011a Mon Sep 17 00:00:00 2001 From: Alexey Samoylov Date: Fri, 10 Jul 2026 18:34:51 +0600 Subject: [PATCH 1/2] docs: generate site from canonical v1 docs Build flat public routes from a locked main-repository commit, remove duplicated Markdown, and require consent before loading analytics.\n\nRefs: dp-zsy.4 --- .github/workflows/ci.yml | 13 +- .github/workflows/pages.yml | 11 + .gitignore | 3 + .vitepress/config.mts | 26 +- .vitepress/theme/ConsentAnalytics.vue | 63 +++++ .vitepress/theme/Layout.vue | 12 + .vitepress/theme/custom.css | 51 ++++ .vitepress/theme/index.ts | 6 +- README.md | 19 +- artifacts.md | 69 ----- azure-pipelines.md | 148 ---------- cli.md | 242 ----------------- codex.md | 114 -------- comparison.md | 39 --- concepts.md | 17 -- configuration.md | 261 ------------------ copilot.md | 96 ------- custom-acp.md | 94 ------- custom-ci.md | 187 ------------- docs-source.json | 4 + docs.md | 76 ------ exit-behavior.md | 59 ---- faq.md | 81 ------ findings-feedback-and-gates.md | 55 ---- findings-schema.md | 132 --------- getting-started.md | 54 ---- github-actions.md | 156 ----------- github-quickstart.md | 107 -------- gitlab-ci.md | 148 ---------- glossary.md | 61 ----- guides.md | 11 - help.md | 12 - how-diffpal-works.md | 67 ----- index.md | 1 + integrations.md | 89 ------ next-steps.md | 45 ---- opencode.md | 92 ------- package-lock.json | 373 +++++++++++++++++--------- package.json | 10 +- privacy.md | 23 ++ providers-and-agents.md | 44 --- providers.md | 65 ----- public/llms.txt | 2 + reference.md | 17 -- review-lifecycle.md | 57 ---- scripts/check-privacy.mjs | 12 + scripts/sync-docs.mjs | 87 ++++++ secrets-and-fork-prs.md | 140 ---------- security.md | 58 ---- support-matrix.md | 50 ---- troubleshooting.md | 331 ----------------------- verify-first-review.md | 70 ----- versioning.md | 57 ---- 53 files changed, 564 insertions(+), 3553 deletions(-) create mode 100644 .vitepress/theme/ConsentAnalytics.vue create mode 100644 .vitepress/theme/Layout.vue delete mode 100644 artifacts.md delete mode 100644 azure-pipelines.md delete mode 100644 cli.md delete mode 100644 codex.md delete mode 100644 comparison.md delete mode 100644 concepts.md delete mode 100644 configuration.md delete mode 100644 copilot.md delete mode 100644 custom-acp.md delete mode 100644 custom-ci.md create mode 100644 docs-source.json delete mode 100644 docs.md delete mode 100644 exit-behavior.md delete mode 100644 faq.md delete mode 100644 findings-feedback-and-gates.md delete mode 100644 findings-schema.md delete mode 100644 getting-started.md delete mode 100644 github-actions.md delete mode 100644 github-quickstart.md delete mode 100644 gitlab-ci.md delete mode 100644 glossary.md delete mode 100644 guides.md delete mode 100644 help.md delete mode 100644 how-diffpal-works.md delete mode 100644 integrations.md delete mode 100644 next-steps.md delete mode 100644 opencode.md create mode 100644 privacy.md delete mode 100644 providers-and-agents.md delete mode 100644 providers.md delete mode 100644 reference.md delete mode 100644 review-lifecycle.md create mode 100644 scripts/check-privacy.mjs create mode 100644 scripts/sync-docs.mjs delete mode 100644 secrets-and-fork-prs.md delete mode 100644 security.md delete mode 100644 support-matrix.md delete mode 100644 troubleshooting.md delete mode 100644 verify-first-review.md delete mode 100644 versioning.md diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 772a199..aac7387 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,6 +16,17 @@ jobs: - name: Checkout uses: actions/checkout@v5 + - name: Resolve canonical docs source + id: docs-source + run: echo "ref=$(node -p \"require('./docs-source.json').ref\")" >> "$GITHUB_OUTPUT" + + - name: Checkout canonical DiffPal docs + uses: actions/checkout@v5 + with: + repository: diffpal/diffpal + ref: ${{ steps.docs-source.outputs.ref }} + path: .source/diffpal + - name: Setup Node uses: actions/setup-node@v6 with: @@ -26,4 +37,4 @@ jobs: run: npm ci - name: Build - run: npm run docs:build + run: npm run check diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index 0d949a0..cb5493d 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -22,6 +22,17 @@ jobs: - name: Checkout uses: actions/checkout@v5 + - name: Resolve canonical docs source + id: docs-source + run: echo "ref=$(node -p \"require('./docs-source.json').ref\")" >> "$GITHUB_OUTPUT" + + - name: Checkout canonical DiffPal docs + uses: actions/checkout@v5 + with: + repository: diffpal/diffpal + ref: ${{ steps.docs-source.outputs.ref }} + path: .source/diffpal + - name: Setup Node uses: actions/setup-node@v6 with: diff --git a/.gitignore b/.gitignore index c37add9..a9bdfbf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,7 @@ node_modules/ +.generated/ +.generated-rewrites.json +.source/ .vitepress/cache/ .vitepress/dist/ .DS_Store diff --git a/.vitepress/config.mts b/.vitepress/config.mts index 1d39913..c7514d0 100644 --- a/.vitepress/config.mts +++ b/.vitepress/config.mts @@ -1,40 +1,28 @@ import { defineConfig } from 'vitepress' +import fs from 'node:fs' const siteTitle = 'DiffPal' const siteDescription = 'Open-source AI PR review you control.' const mainRepo = 'https://github.com/diffpal/diffpal' const examplesBase = `${mainRepo}/tree/main/examples` const changelog = `${mainRepo}/blob/main/CHANGELOG.md` -const googleAnalyticsId = 'G-B8G6D7K9SQ' +const docsSource = JSON.parse(fs.readFileSync('docs-source.json', 'utf8')) +const rewrites = JSON.parse(fs.readFileSync('.generated-rewrites.json', 'utf8')) export default defineConfig({ lang: 'en-US', title: siteTitle, description: siteDescription, base: '/', + srcDir: '.generated', + rewrites, cleanUrls: true, lastUpdated: true, - srcExclude: ['README.md', 'AGENTS.md'], sitemap: { hostname: 'https://diffpal.github.io' }, head: [ ['link', { rel: 'icon', type: 'image/png', href: '/logo-mark.png' }], - [ - 'script', - { - async: '', - src: `https://www.googletagmanager.com/gtag/js?id=${googleAnalyticsId}` - } - ], - [ - 'script', - {}, - `window.dataLayer = window.dataLayer || []; -function gtag(){dataLayer.push(arguments);} -gtag('js', new Date()); -gtag('config', '${googleAnalyticsId}');` - ], ['meta', { name: 'theme-color', content: '#2563eb' }], ['meta', { property: 'og:type', content: 'website' }], ['meta', { property: 'og:title', content: siteTitle }], @@ -50,7 +38,7 @@ gtag('config', '${googleAnalyticsId}');` provider: 'local' }, editLink: { - pattern: 'https://github.com/diffpal/diffpal.github.io/edit/main/:path', + pattern: `${mainRepo}/edit/${docsSource.ref}/docs/:path`, text: 'Edit this page on GitHub' }, socialLinks: [ @@ -61,6 +49,7 @@ gtag('config', '${googleAnalyticsId}');` { text: 'Docs', link: '/docs' }, { text: 'Examples', link: examplesBase }, { text: 'Security', link: '/security' }, + { text: 'Privacy', link: '/privacy' }, { text: 'Changelog', link: changelog }, { text: 'GitHub', link: mainRepo } ], @@ -113,6 +102,7 @@ gtag('config', '${googleAnalyticsId}');` { text: 'Verify first review', link: '/verify-first-review' }, { text: 'Next steps', link: '/next-steps' }, { text: 'Secrets and fork PRs', link: '/secrets-and-fork-prs' }, + { text: 'Migrate to v1', link: '/migrate-to-v1' }, { text: 'Examples gallery', link: examplesBase } ] }, diff --git a/.vitepress/theme/ConsentAnalytics.vue b/.vitepress/theme/ConsentAnalytics.vue new file mode 100644 index 0000000..d6204a3 --- /dev/null +++ b/.vitepress/theme/ConsentAnalytics.vue @@ -0,0 +1,63 @@ + + + + + diff --git a/.vitepress/theme/Layout.vue b/.vitepress/theme/Layout.vue new file mode 100644 index 0000000..a515337 --- /dev/null +++ b/.vitepress/theme/Layout.vue @@ -0,0 +1,12 @@ + + + diff --git a/.vitepress/theme/custom.css b/.vitepress/theme/custom.css index 65b8448..8efbdb8 100644 --- a/.vitepress/theme/custom.css +++ b/.vitepress/theme/custom.css @@ -34,6 +34,57 @@ max-width: 680px; } +.privacy-consent { + position: fixed; + z-index: 100; + right: 1rem; + bottom: 1rem; + max-width: 34rem; + padding: 1rem; + border: 1px solid var(--vp-c-divider); + border-radius: 0.75rem; + background: var(--vp-c-bg-soft); + box-shadow: var(--vp-shadow-3); +} + +.privacy-consent p { + margin: 0 0 0.75rem; +} + +.privacy-consent div { + display: flex; + justify-content: flex-end; + gap: 0.5rem; +} + +.privacy-consent button, +.privacy-choice-button { + padding: 0.45rem 0.75rem; + border: 1px solid var(--vp-c-divider); + border-radius: 0.5rem; + cursor: pointer; +} + +.privacy-consent .accept { + color: white; + border-color: var(--vp-c-brand-1); + background: var(--vp-c-brand-1); +} + +.privacy-consent .decline, +.privacy-choice-button { + color: var(--vp-c-text-1); + background: var(--vp-c-bg); +} + +.privacy-choice-button { + position: fixed; + z-index: 90; + right: 1rem; + bottom: 1rem; + font-size: 0.8rem; +} + @media (max-width: 640px) { .vp-doc table { display: block; diff --git a/.vitepress/theme/index.ts b/.vitepress/theme/index.ts index 42fe9a9..094cbe0 100644 --- a/.vitepress/theme/index.ts +++ b/.vitepress/theme/index.ts @@ -1,4 +1,8 @@ import DefaultTheme from 'vitepress/theme' +import Layout from './Layout.vue' import './custom.css' -export default DefaultTheme +export default { + extends: DefaultTheme, + Layout +} diff --git a/README.md b/README.md index 0ec59a8..0c9fa51 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,11 @@ This repository contains the public documentation website for DiffPal. Production site: https://diffpal.github.io/ -Public documentation Markdown lives at the repository root so the organization-level GitHub Pages site publishes at `/`, not under a project path. +Canonical public documentation lives in the main +[`diffpal/diffpal`](https://github.com/diffpal/diffpal/tree/main/docs) +repository. This site records an immutable source commit in `docs-source.json` +and generates its documentation pages into `.generated/` before each build. +Only the homepage, theme, privacy policy, and site metadata are maintained here. ## Local Development @@ -14,6 +18,13 @@ Install dependencies: npm ci ``` +Check out the locked canonical documentation source: + +```bash +git clone https://github.com/diffpal/diffpal.git .source/diffpal +git -C .source/diffpal checkout "$(node -p "require('./docs-source.json').ref")" +``` + Start the local VitePress server: ```bash @@ -28,6 +39,12 @@ Build the static site: npm run docs:build ``` +Run the complete build, privacy, and synchronization checks with: + +```bash +npm run check +``` + Preview the generated site: ```bash diff --git a/artifacts.md b/artifacts.md deleted file mode 100644 index 2eda91a..0000000 --- a/artifacts.md +++ /dev/null @@ -1,69 +0,0 @@ -# Artifacts Reference - -DiffPal writes artifacts under `.artifacts/diffpal/` by default. - -## Artifact Table - -| Path | Created when | Format | Intended consumer | -| --- | --- | --- | --- | -| `.artifacts/diffpal/findings.json` | Every successful provider-backed review and `debug prompt` unless `--out` changes it. | DiffPal findings JSON | CI automation, audit logs, downstream converters. | -| `.artifacts/diffpal/summary.md` | Non-dry-run host review commands when the `summary` surface is enabled; custom CI examples may capture local stdout here. | Markdown | Humans, CI job summaries, retained review record. | -| `.artifacts/diffpal/diffpal.sarif` | Non-dry-run GitHub and GitLab host review commands; `diffpal sarif`; any file-publishing run that enables the SARIF surface. | SARIF 2.1.0 JSON | Code scanning or SARIF upload consumers. | -| `.artifacts/diffpal/codequality.json` | GitLab host review commands. | GitLab Code Quality JSON | GitLab Code Quality report ingestion. | -| `.artifacts/diffpal/github-comments.json` | GitHub file-output publishing plan when GitHub comment surface is emitted to files. | JSON | Debugging or API publishing handoff. | -| `.artifacts/diffpal/gitlab-discussions.json` | GitLab file-output publishing plan for discussions. | JSON | Debugging or API publishing handoff. | -| `.artifacts/diffpal/gitlab-status.json` | GitLab status file output. | JSON | Debugging or API publishing handoff. | -| `.artifacts/diffpal/azure-threads.json` | Azure file-output publishing plan for PR threads. | JSON | Debugging or API publishing handoff. | -| `.artifacts/diffpal/azure-status.json` | Azure status file output. | JSON | Debugging or API publishing handoff. | - -## Canonical Versus Host-Specific - -`findings.json` is the canonical DiffPal artifact. It contains validated -structured findings and metadata independent of a code host. - -Host-specific artifacts are derived from the canonical bundle: - -- SARIF is derived for SARIF consumers. -- GitLab Code Quality is derived for GitLab report ingestion. -- Comments, discussions, threads, and status JSON files are publishing plans or - status payloads for host integrations. - -## Creation Conditions - -`diffpal review local`: - -- writes `findings.json` or the `--out` path; -- prints Markdown to stdout; -- does not automatically create `summary.md`. - -Non-dry-run `diffpal review github`: - -- writes `findings.json`; -- creates `summary.md` and `diffpal.sarif`; -- creates GitHub comment artifacts when `feedback=review` file outputs are - generated. - -Non-dry-run `diffpal review gitlab`: - -- writes `findings.json`; -- creates `summary.md`, `diffpal.sarif`, `codequality.json`, - `gitlab-status.json`; -- creates `gitlab-discussions.json` when `feedback=review` file outputs are - generated. - -Non-dry-run `diffpal review ado`: - -- writes `findings.json`; -- creates `summary.md` and `azure-status.json`; -- creates `azure-threads.json` when `feedback=review` file outputs are - generated. - -`diffpal debug prompt` writes a mock findings bundle to `--out`. -`diffpal sarif` reads a findings bundle and writes SARIF to `--out`. - -## Retention Advice - -Upload `.artifacts/diffpal/` from CI when you need audit records, downstream -automation, or report ingestion after the job completes. Retain at least -`findings.json` for machine processing and `summary.md` for human review -history when host summaries are not enough. diff --git a/azure-pipelines.md b/azure-pipelines.md deleted file mode 100644 index 4253810..0000000 --- a/azure-pipelines.md +++ /dev/null @@ -1,148 +0,0 @@ -# Azure Pipelines - -Use this page to run DiffPal in Azure Pipelines pull request validation. - -## Supported Outputs - -- Azure PR summary thread. -- File-bound PR threads for actionable findings. -- Azure PR status named `DiffPal Review`. - -## Prerequisites - -- An Azure Repos project with PR validation. -- The DiffPal Review extension installed, or `diffpal` available in the job. -- A committed DiffPal config at `.config/diffpal/config.yaml`. -- A provider secret such as `OPENAI_API_KEY`. -- Pipeline access to `System.AccessToken`. - -See [Shared Setup](/integrations#shared-setup) and -[Providers](/providers). - -## Required Checkout Behavior - -Use full checkout history: - -```yaml -- checkout: self - fetchDepth: 0 -``` - -When `base` and `head` are omitted, `DiffPalReview@1` uses PR metadata and the -target branch to compute the merge base. - -## Required Token And Minimum Permissions - -Enable **Allow scripts to access the OAuth token** and pass -`SYSTEM_ACCESSTOKEN` to the review task: - -```yaml -env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) -``` - -Use `SYSTEM_ACCESSTOKEN` for pipeline-scoped access. Use -`AZURE_DEVOPS_EXT_PAT` only when your organization requires a dedicated PAT. -Keep host tokens separate from provider credentials such as `OPENAI_API_KEY`. - -## Provider Installation And Authentication - -Install and authenticate the selected provider before the DiffPal step. Use -[Providers](/providers) for Codex, Copilot, OpenCode, and custom -ACP-compatible CLI setup. - -Provider credentials allow the selected third-party provider to process the -review input. Store them as secret variables and keep credentialed review steps -behind trusted-source conditions. See -[Secrets and fork PRs](/secrets-and-fork-prs). - -## Minimal Pipeline - -```yaml -trigger: none -pr: - - main - -pool: - vmImage: ubuntu-latest - -steps: - - checkout: self - fetchDepth: 0 - - - task: UseNode@1 - inputs: - version: "22.x" - - - script: npm install --global @openai/codex@0.139.0 @normahq/codex-acp-bridge@1.6.3 - displayName: Install Codex provider - - - script: printf '%s' "$OPENAI_API_KEY" | codex login --with-api-key - displayName: Authenticate Codex - condition: and(succeeded(), ne(variables['System.PullRequest.IsFork'], 'True')) - env: - OPENAI_API_KEY: $(OPENAI_API_KEY) - - - task: DiffPalReview@1 - displayName: DiffPal review - condition: and(succeeded(), ne(variables['System.PullRequest.IsFork'], 'True')) - inputs: - diffpalVersion: latest - profile: ci - feedback: review - gate: true - env: - OPENAI_API_KEY: $(OPENAI_API_KEY) - SYSTEM_ACCESSTOKEN: $(System.AccessToken) -``` - -## Feedback Modes - -Use `feedback: review` for status, summary thread, and PR threads. Use -`feedback: summary` for status and summary thread without file-bound PR -threads. - -See [Feedback Modes](/integrations#feedback-modes). - -## Merge-Gate Setup - -Set `gate: true` on `DiffPalReview@1`. Blocking findings fail the task and set -the Azure PR status to failed. - -See [Merge Gates](/integrations#merge-gates). - -## Fork Or Untrusted-Contribution Behavior - -Keep credentialed review steps behind: - -```yaml -condition: and(succeeded(), ne(variables['System.PullRequest.IsFork'], 'True')) -``` - -Use stricter organization-specific trusted-source conditions when needed. See -[Secrets and fork PRs](/secrets-and-fork-prs). - -## Expected Results - -- Azure PR threads for actionable findings when feedback is `review`. -- A PR summary thread headed `DiffPal Review Summary`. -- An Azure PR status named `DiffPal Review`. -- Failed task only for blocking gated findings or incomplete review setup. - -## Common Failures - -- `fetchDepth: 0` is missing. -- **Allow scripts to access the OAuth token** is disabled. -- `SYSTEM_ACCESSTOKEN` is not passed to the review task. -- Provider variables are unavailable in fork PR validation. - -See [Common Failures](/integrations#common-failures). - -## Related Examples - -- [Codex API key](https://github.com/diffpal/diffpal/blob/main/examples/ci/azure-pipelines/codex-api-key.yml) -- [Codex subscription auth](https://github.com/diffpal/diffpal/blob/main/examples/ci/azure-pipelines/codex-subscription.yml) -- [Copilot token](https://github.com/diffpal/diffpal/blob/main/examples/ci/azure-pipelines/copilot-github-token.yml) - -Next step: use [Verify First Review](/verify-first-review) -after the first Azure Pipelines run completes. diff --git a/cli.md b/cli.md deleted file mode 100644 index 315c8e9..0000000 --- a/cli.md +++ /dev/null @@ -1,242 +0,0 @@ -# CLI Reference - -The public CLI entrypoint is `diffpal`. - -## Installation - -Verified distribution paths in this repository: - -| Method | Command or entrypoint | Notes | -| --- | --- | --- | -| npm one-shot | `npx -y @diffpal/diffpal@latest ` | Used by the quickstart. | -| npm global | `npm install --global @diffpal/diffpal@latest` | Provides the `diffpal` executable. | -| GitHub Action | `diffpal/action@v1` | Wraps DiffPal for GitHub Actions. See [GitHub Actions](/github-actions). | -| Azure extension | `DiffPalReview@1` | Wraps DiffPal for Azure Pipelines. See [Azure Pipelines](/azure-pipelines). | - -Release builds are produced by Omnidist for npm packages and platform binaries. -The npm meta-package is `@diffpal/diffpal`. - -## Global Flags - -| Flag | Default | Purpose | -| --- | --- | --- | -| `--config-dir` | empty | Extra config root directory searched before `.config/diffpal/config.yaml`. | -| `--debug` | `false` | Enable debug logging. | -| `--profile` | empty | Config profile name. | - -## Command Overview - -| Command | Purpose | -| --- | --- | -| `diffpal init` | Generate starter workspace configuration. | -| `diffpal review local` | Run provider-backed local review and print Markdown. | -| `diffpal review github` | Run review and publish/emit GitHub outputs. | -| `diffpal review gitlab` | Run review and publish/emit GitLab outputs. | -| `diffpal review ado` | Run review and publish/emit Azure DevOps outputs. Alias: `azure`. | -| `diffpal doctor` | Validate runtime, provider, workspace, and platform auth. | -| `diffpal debug prompt` | Render prompts and task snapshots without a provider call. | -| `diffpal sarif` | Convert a findings bundle to SARIF. | -| `diffpal version` | Print version metadata. | -| `diffpal completion` | Generate shell completion scripts. | - -All public commands take flags only; there are no positional arguments in the -commands documented below. - -## `diffpal init` - -Generates `.config/diffpal/config.yaml`, `.config/diffpal/.gitignore`, -`.config/diffpal/templates/*`, `.config/diffpal/state/`, and `.diffpalignore`. - -| Flag | Default | Allowed values | -| --- | --- | --- | -| `--wizard` | `false` | boolean | -| `--setup` | `codex-api-key` | `codex-api-key`, `codex-subscription`, `copilot-github-token`, `opencode-acp`, `generic-acp` | -| `--platform` | `auto` | `auto`, `github`, `gitlab`, `azure`, `none` | -| `--profile` | `ci` | letters, numbers, `.`, `_`, `-` | -| `--block-on` | `high` | `low`, `medium`, `high`, `critical` | -| `--config` | `.config/diffpal/config.yaml` | path | -| `--state` | `.config/diffpal/state` | path | -| `--force` | `false` | overwrite existing files | - -Example: - -```bash -npx -y @diffpal/diffpal@latest init --wizard --setup codex-api-key --platform github -``` - -## Review Commands - -Shared review flags: - -| Flag | Default | Purpose | -| --- | --- | --- | -| `--base` | empty | Base revision. Host commands can also resolve this from CI metadata. | -| `--head` | empty | Head revision. Host commands can also resolve this from CI metadata. | -| `--repo` | `local` | Repository ID used in deterministic fingerprints and links. | -| `--review-id` | command-specific | Review identifier used in deterministic output. | -| `--out` | `.artifacts/diffpal/findings.json` | Findings bundle output path. | -| `--language` | config value | Language for findings and summaries. | -| `--instructions` | config value | Replace config review instructions for this run. | -| `--instructions-file` | empty | Append instructions from a file. | -| `--block-on` | config value or `high` | Minimum blocking severity. | -| `--feedback` | `review` | `summary` or `review`. | -| `--gate` | `false` | Return non-zero when blocking findings exist. | - -### `diffpal review local` - -Outputs: - -- writes the findings bundle to `--out`; -- prints Markdown summary or review output to stdout. - -Example: - -```bash -diffpal --profile ci review local \ - --base origin/main \ - --head HEAD \ - --feedback summary \ - --out .artifacts/diffpal/findings.json -``` - -### `diffpal review github` - -Additional flags: - -| Flag | Default | Purpose | -| --- | --- | --- | -| `--review-channel` | `diffpal` | GitHub publishing channel for PR reviews. | -| `--summary-overview` | `true` | Include semantic change overview in summaries. | -| `--dry-run` | `false` | Print host review Markdown without publishing. Supported for GitHub only. | - -Environment inputs: - -- `GITHUB_TOKEN` for publishing unless config auth supplies a token; -- `GITHUB_REPOSITORY`, `GITHUB_EVENT_PATH`, `GITHUB_EVENT_NAME` from GitHub - Actions; -- `GITHUB_BASE_SHA` and `GITHUB_HEAD_SHA` as fallback base/head inputs; -- `DIFFPAL_GITHUB_API_URL` for tests or GitHub Enterprise API override. - -Default surfaces: - -- `summary`: SARIF and summary; -- `review`: PR review comments, SARIF, and summary. - -Example: - -```bash -diffpal --profile ci review github \ - --base "$BASE_SHA" \ - --head "$HEAD_SHA" \ - --repo "$GITHUB_REPOSITORY" \ - --review-id "github-pr-${PR_NUMBER}" \ - --feedback review \ - --gate -``` - -### `diffpal review gitlab` - -`--dry-run` appears in the shared host help, but GitLab review rejects it. - -Environment inputs: - -- `GITLAB_TOKEN` or `CI_JOB_TOKEN` for publishing unless config auth supplies a - token; -- `CI_PROJECT_PATH`, `CI_MERGE_REQUEST_IID`, - `CI_MERGE_REQUEST_DIFF_BASE_SHA`, `CI_MERGE_REQUEST_SOURCE_BRANCH_SHA`, - `CI_COMMIT_SHA`, `CI_COMMIT_SHORT_SHA`; -- `GITLAB_EVENT_PATH` or `CI_MERGE_REQUEST_EVENT_PATH` as payload fallback; -- `CI_JOB_URL` for status target URL; -- `DIFFPAL_GITLAB_API_URL` for tests or self-managed GitLab API override. - -Default surfaces: - -- `summary`: Code Quality, SARIF, status, and summary; -- `review`: Code Quality, discussions, status, SARIF, and summary. - -### `diffpal review ado` - -Alias: `diffpal review azure`. - -`--dry-run` appears in the shared host help, but Azure review rejects it. - -Environment inputs: - -- `SYSTEM_ACCESSTOKEN` or `AZURE_DEVOPS_EXT_PAT` for publishing unless config - auth supplies a token; -- `SYSTEM_COLLECTIONURI`, `SYSTEM_TEAMPROJECT`, `BUILD_REPOSITORY_NAME`, - `BUILD_REPOSITORY_ID`, `BUILD_REPOSITORY_URI`, `BUILD_BUILDID`; -- `SYSTEM_PULLREQUEST_PULLREQUESTID`, `SYSTEM_PULLREQUEST_SOURCEBRANCH`, - `SYSTEM_PULLREQUEST_TARGETBRANCH`, `SYSTEM_PULLREQUEST_SOURCECOMMITID`, - `SYSTEM_PULLREQUEST_TARGETCOMMITID`; -- `BUILD_SOURCEVERSION` as a head/base fallback; -- `SYSTEM_PULLREQUEST_EVENT_PAYLOAD` as payload fallback. - -Default surfaces: - -- `summary`: status and summary; -- `review`: PR threads, status, and summary. - -## `diffpal doctor` - -Validates local runtime and environment. - -| Flag | Default | Allowed values | -| --- | --- | --- | -| `--mode` | `local` | `local`, `github`, `gitlab`, `ado` | - -Outputs diagnostic lines to stdout. Missing selected-provider auth is a warning -in local mode and an error in host modes. Platform auth is checked for host -modes. - -```bash -diffpal --profile ci doctor --mode github -``` - -## `diffpal debug prompt` - -Renders the system prompt, task snapshot, and a mock findings bundle without a -provider call. It still loads config and resolves the review scope. - -Additional flags: - -| Flag | Default | Allowed values | -| --- | --- | --- | -| `--format` | `text` | `text`, `json` | -| `--dry-run` | `true` | suppress normal review summary output | - -It also accepts the shared review analysis and policy flags. - -```bash -diffpal --profile ci debug prompt --base origin/main --head HEAD --format text -``` - -## `diffpal sarif` - -Converts a findings bundle to SARIF. - -| Flag | Default | Purpose | -| --- | --- | --- | -| `--input` | `.artifacts/diffpal/findings.json` | Input findings bundle. | -| `--out` | `.artifacts/diffpal/diffpal.sarif` | Output SARIF report. | - -Output line: - -```text -sarif= findings= version= -``` - -## `diffpal version` - -Prints: - -```text -diffpal + () -``` - -Development builds use `0.0.0-dev+unknown (unknown)`. - -## `diffpal completion` - -Generates Cobra shell completion scripts. Use `diffpal completion --help` for -the shell-specific subcommands generated by the CLI framework. diff --git a/codex.md b/codex.md deleted file mode 100644 index fa54774..0000000 --- a/codex.md +++ /dev/null @@ -1,114 +0,0 @@ -# Codex Provider - -## When To Use This Provider - -Use Codex when you want the default DiffPal onboarding path, a copy-paste Codex -API-key setup, or trusted CI that restores an existing Codex auth file. - -## Prerequisites - -- A DiffPal config committed at `.config/diffpal/config.yaml`. -- Node.js available in the CI job. -- Either an `OPENAI_API_KEY` CI secret or a trusted `CODEX_AUTH_JSON_B64` CI - secret generated from your own Codex login. - -## Installation - -Install the Codex CLI and ACP bridge in CI: - -```bash -npm install --global @openai/codex@0.139.0 @normahq/codex-acp-bridge@1.6.3 -``` - -## Authentication In CI - -For API-key auth, store `OPENAI_API_KEY` as a protected CI secret and run: - -Do not expose `OPENAI_API_KEY` to untrusted fork jobs. Keep the credentialed -review job limited to trusted branches, same-repository pull requests, or -maintainer-approved jobs that do not execute fork-controlled code. - -```bash -printf '%s' "$OPENAI_API_KEY" | codex login --with-api-key -``` - -For subscription auth, generate `CODEX_AUTH_JSON_B64` with the recipe in -[`examples/README.md`](https://github.com/diffpal/diffpal/blob/main/examples/README.md#generate-codex_auth_json_b64), -then restore it only in trusted CI: - -Do not expose restored Codex auth files to untrusted fork jobs. - -```bash -mkdir -p "$HOME/.codex" -printf '%s' "$CODEX_AUTH_JSON_B64" | base64 --decode > "$HOME/.codex/auth.json" -chmod 600 "$HOME/.codex/auth.json" -``` - -## Minimal Verified Configuration - -Use [`examples/configs/codex-api-key/config.yaml`](https://github.com/diffpal/diffpal/blob/main/examples/configs/codex-api-key/config.yaml) -for API-key auth or -[`examples/configs/codex-subscription/config.yaml`](https://github.com/diffpal/diffpal/blob/main/examples/configs/codex-subscription/config.yaml) -for subscription auth. - -The provider selection is: - -```yaml -runtime: - providers: - codex-acp: - type: codex_acp - codex_acp: - reasoning_effort: low - -diffpal: - provider: codex-acp -``` - -## How To Test Provider Connectivity - -Validate the local runtime first: - -```bash -diffpal doctor --profile ci --mode local -``` - -Then run a provider-backed smoke review on a trusted branch: - -```bash -diffpal --profile ci review local \ - --base origin/main \ - --head HEAD \ - --feedback summary \ - --out .artifacts/diffpal/findings.json -``` - -## Expected Result - -The smoke review should complete, write -`.artifacts/diffpal/findings.json`, and print a Markdown summary to stdout. - -## Security Considerations - -Do not expose `OPENAI_API_KEY` or restored Codex auth files to untrusted fork -jobs. Keep Codex credentials in protected CI secrets and run secret-backed -review only in trusted branches, same-repository pull requests, or -maintainer-approved jobs that do not execute untrusted code with secrets. - -## Common Failures - -- The Codex CLI or ACP bridge is not installed before DiffPal runs. -- `OPENAI_API_KEY` or `CODEX_AUTH_JSON_B64` is missing from the trusted CI job. -- Subscription auth was generated from an expired or invalid local login. -- The selected `diffpal.provider` does not match the `codex-acp` provider entry. - -## Links To Complete CI Examples - -- [GitHub Actions with Codex API key](https://github.com/diffpal/diffpal/blob/main/examples/ci/github-actions/codex-api-key.yml) -- [GitHub Actions with Codex subscription auth](https://github.com/diffpal/diffpal/blob/main/examples/ci/github-actions/codex-subscription.yml) -- [GitLab CI with Codex API key](https://github.com/diffpal/diffpal/blob/main/examples/ci/gitlab/codex-api-key.yml) -- [GitLab CI with Codex subscription auth](https://github.com/diffpal/diffpal/blob/main/examples/ci/gitlab/codex-subscription.yml) -- [Azure Pipelines with Codex API key](https://github.com/diffpal/diffpal/blob/main/examples/ci/azure-pipelines/codex-api-key.yml) -- [Azure Pipelines with Codex subscription auth](https://github.com/diffpal/diffpal/blob/main/examples/ci/azure-pipelines/codex-subscription.yml) - -Next step: choose the host-specific CI example that matches your code host. diff --git a/comparison.md b/comparison.md deleted file mode 100644 index c3d0771..0000000 --- a/comparison.md +++ /dev/null @@ -1,39 +0,0 @@ -# Comparison Guide - -DiffPal is best understood as an open-source control plane for AI pull request -review. It does not try to be the model, the hosted review platform, or a -general lint result router. - -## DiffPal Vs Hosted AI Reviewers - -Use DiffPal when you want: - -- provider choice through `runtime.providers` -- review config, instructions, artifacts, and gate policy committed with the - repository -- CI-native execution without a mandatory hosted DiffPal review service -- consistent outputs across GitHub, GitLab, and Azure DevOps - -Hosted reviewers can be a better fit when your team wants a fully managed -product experience, centralized account management, or provider decisions made -for you. - -## DiffPal Vs Lint Publishers - -Lint publishers take existing tool output and annotate pull requests. DiffPal -resolves the review scope, asks a selected AI provider for review findings, -validates the structured output, and publishes both human feedback and -machine-readable artifacts. - -Use both together when you want deterministic linters plus policy-aware AI -review in the same CI workflow. - -## DiffPal Vs CI Convention Bots - -CI convention bots are good at enforcing explicit repository rules. DiffPal is -for review feedback that needs model reasoning over a pull request diff while -still producing auditable findings and merge gates. - -Use DiffPal when the important choice is not "which hosted reviewer do we buy?" -but "how do we standardize AI review while keeping control of provider, -workflow, and artifacts?" diff --git a/concepts.md b/concepts.md deleted file mode 100644 index 18025f0..0000000 --- a/concepts.md +++ /dev/null @@ -1,17 +0,0 @@ -# Concepts - -Use this section to understand DiffPal's product model before configuring CI. - -- [How DiffPal works](/how-diffpal-works) explains DiffPal's product, - provider, publisher, and configuration boundaries. -- [Review lifecycle](/review-lifecycle) explains the flow from review scope - resolution to provider review, validation, publishing, artifacts, and optional - gates. -- [Providers and agents](/providers-and-agents) explains the provider versus - agent distinction and who owns authentication. -- [Findings, feedback, and gates](/findings-feedback-and-gates) explains the - concepts behind summaries, inline feedback, artifacts, and merge blocking. -- [Glossary](/glossary) defines the short terms used across guides and - reference pages. -- [Comparison guide](/comparison) explains how DiffPal differs from hosted AI - reviewers, lint publishers, and CI convention bots. diff --git a/configuration.md b/configuration.md deleted file mode 100644 index 04aed78..0000000 --- a/configuration.md +++ /dev/null @@ -1,261 +0,0 @@ -# Configuration Reference - -DiffPal reads repository configuration from `.config/diffpal/config.yaml`. -The file is YAML, uses top-level `version: v1`, and keeps review policy with -the repository. - -Task-oriented setup lives in [Getting Started](/getting-started), -[Providers](/providers), and [Integrations](/integrations). - -## Loading And Overrides - -Default config root: - -- `.config/diffpal/config.yaml` - -When `--config-dir ` is set, DiffPal searches: - -1. `/diffpal/config.yaml` -2. `/config.yaml` -3. `.config/diffpal/config.yaml` - -Profiles are selected by `--profile` or `DIFFPAL_PROFILE`. Environment -overrides are applied after config loading and before validation. - -## Complete Hierarchy - -```yaml -version: v1 - -runtime: - providers: - : - type: - mcp_servers: [] - system_instructions: "" - : {} - mcp_servers: - : - type: stdio - -diffpal: - provider: - gate: - block_on: high - review: - language: en - instructions: "" - timeout: 5m - platforms: - github: - auth: - token: "" - gitlab: - auth: - job_token: "" - api_token: "" - azure: - auth: - system_access_token: "" - pat: "" - -profiles: - ci: - runtime: {} - diffpal: {} -``` - -## Required Fields - -| Field | Required | Default | Allowed values | -| --- | --- | --- | --- | -| `version` | Optional | `v1` from defaults | empty or `v1` | -| `runtime.providers` | Required for review | empty | map of provider IDs | -| `runtime.providers..type` | Required | none | `generic_acp`, `gemini_acp`, `codex_acp`, `opencode_acp`, `copilot_acp`, `claude_code_acp`, `openai`, `aistudio`, `pool` | -| `diffpal.provider` | Required | empty | provider ID present in `runtime.providers` | -| `diffpal.gate.block_on` | Optional | `high` | `low`, `medium`, `high`, `critical` | -| `diffpal.review.language` | Optional | `en` | any single-line language value | -| `diffpal.review.instructions` | Optional | empty | string | -| `diffpal.review.timeout` | Optional | `5m` | positive Go duration such as `180s`, `5m`, `10m` | - -`diffpal.provider` must match one key in `runtime.providers`. - -## Runtime Providers - -Each provider is discriminated by `type`; the matching block contains -type-specific settings. - -```yaml -runtime: - providers: - codex-acp: - type: codex_acp - codex_acp: - reasoning_effort: low - -diffpal: - provider: codex-acp -``` - -Common provider fields: - -| Field | Applies to | Purpose | -| --- | --- | --- | -| `mcp_servers` | all providers | IDs from `runtime.mcp_servers` attached to this provider. | -| `system_instructions` | all providers | Provider-level instructions applied by the runtime. | -| `generic_acp`, `gemini_acp`, `codex_acp`, `opencode_acp`, `copilot_acp`, `claude_code_acp` | ACP providers | ACP runtime block. | -| `openai`, `aistudio` | hosted API providers | Hosted API runtime block. | -| `pool` | pool provider | Ordered failover member list. | - -ACP runtime block fields: - -| Field | Required | Default | Allowed values | -| --- | --- | --- | --- | -| `cmd` | Optional | provider alias default, or required for custom `generic_acp` use | string list | -| `extra_args` | Optional | empty | string list | -| `model` | Optional | provider-specific | non-blank string | -| `reasoning_effort` | Optional | provider-specific | `minimal`, `low`, `medium`, `high`, `xhigh` | -| `mode` | Optional | provider-specific | non-blank string | - -Hosted API block fields: - -| Field | Required | Default | Notes | -| --- | --- | --- | --- | -| `api_key` | Required for hosted review unless supplied by env | empty | `OPENAI_API_KEY` for `openai`, `GEMINI_API_KEY` for `aistudio`. | -| `model` | Required for hosted review | empty | Can be overridden for `openai` by `DIFFPAL_OPENAI_MODEL`. | - -Pool block fields: - -| Field | Required | Default | Notes | -| --- | --- | --- | --- | -| `members` | Optional | empty | Provider IDs in ordered failover order. | - -Provider installation and authentication are documented in -[Providers](/providers). - -## MCP Servers - -MCP servers are declared once and referenced by provider ID: - -```yaml -runtime: - mcp_servers: - repo-docs: - type: stdio - cmd: ["your-docs-mcp-server"] - args: ["--root", "."] - env: - DOCS_TOKEN: "${DOCS_TOKEN}" - providers: - codex-acp: - type: codex_acp - mcp_servers: [repo-docs] - codex_acp: - reasoning_effort: low -``` - -MCP server fields: - -| Field | Required | Applies to | Purpose | -| --- | --- | --- | --- | -| `type` | Required | all | `stdio`, `http`, or `sse`. | -| `cmd` | Optional | `stdio` | Executable argv prefix. | -| `args` | Optional | `stdio` | Arguments appended after `cmd`. | -| `env` | Optional | `stdio` | Environment variables for the server process. | -| `working_dir` | Optional | `stdio` | Server working directory. | -| `url` | Optional | `http`, `sse` | Server endpoint. | -| `headers` | Optional | `http`, `sse` | Request headers. | - -Keep MCP credentials in CI secrets. - -## Review Settings - -| Field | Default | Notes | -| --- | --- | --- | -| `diffpal.review.language` | `en` | Used for finding text and summaries. Must be one line. | -| `diffpal.review.instructions` | empty | Appended to the review prompt as repository-owned tuning. | -| `diffpal.review.timeout` | `5m` | Per-attempt provider review timeout. | - -`--language`, `--instructions`, and `--instructions-file` can override or -append instructions for one CLI run. See [CLI](/cli). - -## Review Contract And Severity Matrix - -DiffPal asks providers to report only discrete issues the pull request author -would likely fix before merging, only when the issue is introduced or made -worse by the patch. Providers must use the DiffPal finding taxonomy, prefer -high signal over high recall, use the smallest useful changed-line range, and -may return `review_result` when they can summarize the outcome. - -Severity is based on concrete impact, not confidence or preference. - -- critical: changed code can directly cause severe compromise, destructive data loss, privilege bypass, total outage, or unrecoverable corruption. -- high: changed code can cause an exploitable security flaw, user-visible data corruption, frequent crash, major outage risk, or severe performance regression on a common path. -- medium: changed code can cause an edge-case correctness failure, intermittent reliability issue, meaningful performance cost, confusing maintainability risk, or missing coverage for important behavior. -- low: changed code has a localized maintainability, testing, or style issue with clear evidence and a concrete improvement, but no immediate user-visible failure. -- security: use critical for direct compromise, credential exposure, destructive access, or privilege bypass; high for exploitable vulnerabilities with meaningful impact; medium for plausible weaknesses requiring extra conditions; low for hardening gaps with limited direct exploitability. -- correctness: use critical for unrecoverable corruption or system-wide wrong behavior; high for common-path wrong results or data corruption; medium for plausible edge-case failures; low for small inconsistencies with bounded impact. -- reliability: use critical for total outage, deadlock, or unrecoverable resource exhaustion; high for frequent crashes, leaks, or retry storms; medium for intermittent failure modes; low for localized resilience or observability gaps. -- performance: use critical for regressions that can make the service unavailable or explode cost; high for severe common-path latency, memory, or query regressions; medium for measurable inefficient behavior; low for small avoidable inefficiencies with clear evidence. -- maintainability: use critical only when the change creates an immediate operational hazard; high when the change makes future safe modification very risky; medium for confusing structure likely to cause defects; low for localized clarity or consistency issues. -- testing: use critical only when missing validation can allow severe unsafe behavior to ship; high for untested high-risk behavior; medium for missing meaningful coverage of new behavior; low for small missing edge-case coverage. -- style: use critical, high, or medium only when the issue has a non-style impact and should usually be reclassified; use low for repo-enforced style/readability issues that are actionable. - -## Gate - -```yaml -diffpal: - gate: - block_on: high -``` - -`block_on` sets the minimum severity that counts as blocking. The allowed values -are `low`, `medium`, `high`, and `critical`. Use `--gate` in CI to make -blocking findings fail the process. See [Exit behavior](/exit-behavior). - -## Platform Auth - -Platform auth can live in config, but standard CI environment variables are -preferred. - -| Platform | Config field | Preferred env | -| --- | --- | --- | -| GitHub | `diffpal.platforms.github.auth.token` | `GITHUB_TOKEN` | -| GitLab | `diffpal.platforms.gitlab.auth.job_token` | `CI_JOB_TOKEN` | -| GitLab | `diffpal.platforms.gitlab.auth.api_token` | `GITLAB_TOKEN` | -| Azure DevOps | `diffpal.platforms.azure.auth.system_access_token` | `SYSTEM_ACCESSTOKEN` | -| Azure DevOps | `diffpal.platforms.azure.auth.pat` | `AZURE_DEVOPS_EXT_PAT` | - -Blank auth values fail validation. Missing optional config values are allowed -when the matching environment variable will be present in CI. - -## Profiles - -Profiles override the same root sections: - -```yaml -profiles: - ci: - diffpal: - gate: - block_on: high - review: - language: en -``` - -Select a profile with `--profile ci` or `DIFFPAL_PROFILE=ci`. - -## Environment Overrides - -| Variable | Overrides | -| --- | --- | -| `DIFFPAL_PROFILE` | selected profile when `--profile` is not set | -| `DIFFPAL_PROVIDER` | `diffpal.provider` | -| `DIFFPAL_BLOCK_ON` | `diffpal.gate.block_on` | -| `DIFFPAL_OPENAI_MODEL` | `runtime.providers.*.openai.model` | -| `DIFFPAL_REVIEW_LANGUAGE` | `diffpal.review.language` | -| `DIFFPAL_REVIEW_INSTRUCTIONS` | `diffpal.review.instructions` | -| `DIFFPAL_REVIEW_TIMEOUT` | `diffpal.review.timeout` | - -Config loading also expands `$VAR` and `${VAR}` placeholders before YAML -parsing. Missing placeholder variables fail config loading. diff --git a/copilot.md b/copilot.md deleted file mode 100644 index 3657566..0000000 --- a/copilot.md +++ /dev/null @@ -1,96 +0,0 @@ -# Copilot Provider - -## When To Use This Provider - -Use Copilot when your organization already uses Copilot and can provide a -supported Copilot token to the CI job that runs DiffPal. - -## Prerequisites - -- A DiffPal config committed at `.config/diffpal/config.yaml`. -- Node.js available in the CI job. -- A `COPILOT_GITHUB_TOKEN` CI secret for the Copilot CLI. - -## Installation - -Install the Copilot CLI in CI: - -```bash -npm install --global @github/copilot@1.0.61 -``` - -## Authentication In CI - -Store `COPILOT_GITHUB_TOKEN` as a protected CI secret. The Copilot CLI reads -`COPILOT_GITHUB_TOKEN`, `GH_TOKEN`, then `GITHUB_TOKEN`; use -`COPILOT_GITHUB_TOKEN` for DiffPal so the provider token stays separate from -the platform publishing token. - -Do not expose `COPILOT_GITHUB_TOKEN` to untrusted fork jobs. Keep the -credentialed review job limited to trusted branches, same-repository pull -requests, or maintainer-approved jobs that do not execute fork-controlled code. - -## Minimal Verified Configuration - -Use [`examples/configs/copilot-github-token/config.yaml`](https://github.com/diffpal/diffpal/blob/main/examples/configs/copilot-github-token/config.yaml). - -The provider selection is: - -```yaml -runtime: - providers: - copilot-acp: - type: copilot_acp - copilot_acp: - model: auto - -diffpal: - provider: copilot-acp -``` - -## How To Test Provider Connectivity - -Validate the local runtime first: - -```bash -diffpal doctor --profile ci --mode local -``` - -Then run a provider-backed smoke review on a trusted branch: - -```bash -diffpal --profile ci review local \ - --base origin/main \ - --head HEAD \ - --feedback summary \ - --out .artifacts/diffpal/findings.json -``` - -## Expected Result - -The smoke review should complete, write -`.artifacts/diffpal/findings.json`, and print a Markdown summary to stdout. - -## Security Considerations - -Do not reuse the platform publishing token as the Copilot provider token. Keep -`COPILOT_GITHUB_TOKEN` in protected CI secrets and run secret-backed review only -in trusted branches, same-repository pull requests, or maintainer-approved jobs -that do not execute untrusted code with secrets. - -## Common Failures - -- The Copilot CLI is not installed before DiffPal runs. -- `COPILOT_GITHUB_TOKEN` is missing from the trusted CI job. -- The token lacks the Copilot Requests permission required by the Copilot CLI. -- A classic PAT is used where the Copilot CLI requires a fine-grained token. -- The selected `diffpal.provider` does not match the `copilot-acp` provider - entry. - -## Links To Complete CI Examples - -- [GitHub Actions with Copilot token](https://github.com/diffpal/diffpal/blob/main/examples/ci/github-actions/copilot-github-token.yml) -- [GitLab CI with Copilot token](https://github.com/diffpal/diffpal/blob/main/examples/ci/gitlab/copilot-github-token.yml) -- [Azure Pipelines with Copilot token](https://github.com/diffpal/diffpal/blob/main/examples/ci/azure-pipelines/copilot-github-token.yml) - -Next step: choose the host-specific CI example that matches your code host. diff --git a/custom-acp.md b/custom-acp.md deleted file mode 100644 index 76a146b..0000000 --- a/custom-acp.md +++ /dev/null @@ -1,94 +0,0 @@ -# Custom ACP-Compatible CLI - -## When To Use This Provider - -Use a custom ACP-compatible CLI when you have another agent process that can -start an ACP stdio server and you want DiffPal to keep the same review, -artifact, publishing, and gate workflow. - -## Prerequisites - -- A DiffPal config committed at `.config/diffpal/config.yaml`. -- A CLI that can start an ACP stdio server. -- Provider-specific credentials configured in trusted CI. - -## Installation - -Install your ACP-compatible CLI before running DiffPal. Pin the package, -container image, or source revision in CI so review behavior is repeatable. - -## Authentication In CI - -Authenticate the CLI with its own supported mechanism before running DiffPal. -Store provider credentials in protected CI secrets and do not commit them to the -DiffPal config. - -Do not expose provider credentials to untrusted fork jobs. Keep the -credentialed review job limited to trusted branches, same-repository pull -requests, or maintainer-approved jobs that do not execute fork-controlled code. - -## Minimal Verified Configuration - -Use [`examples/configs/generic-acp/config.yaml`](https://github.com/diffpal/diffpal/blob/main/examples/configs/generic-acp/config.yaml) -as the starting point and replace `generic_acp.cmd` with the command that -starts your provider's ACP stdio server: - -```yaml -runtime: - providers: - my-review-agent: - type: generic_acp - generic_acp: - cmd: ["your-acp-cli", "acp", "--stdio"] - -diffpal: - provider: my-review-agent -``` - -## How To Test Provider Connectivity - -Validate the local runtime first: - -```bash -diffpal doctor --profile ci --mode local -``` - -Then run a provider-backed smoke review on a trusted branch: - -```bash -diffpal --profile ci review local \ - --base origin/main \ - --head HEAD \ - --feedback summary \ - --out .artifacts/diffpal/findings.json -``` - -## Expected Result - -The smoke review should complete, write -`.artifacts/diffpal/findings.json`, and print a Markdown summary to stdout. - -## Security Considerations - -DiffPal delegates provider-specific model, account, tool, sandbox, and approval -policy to the ACP CLI you configure. Keep credentials in protected CI secrets -and run secret-backed review only in trusted branches, same-repository pull -requests, or maintainer-approved jobs that do not execute untrusted code with -secrets. - -## Common Failures - -- `generic_acp.cmd` does not start an ACP stdio server. -- The CLI is not installed in the CI job. -- Required provider-specific credentials are missing. -- The configured command requires interactive input in CI. -- The selected `diffpal.provider` does not match the provider ID under - `runtime.providers`. - -## Links To Complete CI Examples - -- [Generic ACP config](https://github.com/diffpal/diffpal/blob/main/examples/configs/generic-acp/config.yaml) -- [Custom CI/CD guide](/custom-ci) - -Next step: replace `generic_acp.cmd` with your ACP command, then run the -portable [Custom CI/CD](/custom-ci) flow. diff --git a/custom-ci.md b/custom-ci.md deleted file mode 100644 index eb853bc..0000000 --- a/custom-ci.md +++ /dev/null @@ -1,187 +0,0 @@ -# Custom CI/CD - -Use this page to run DiffPal from Jenkins, Buildkite, CircleCI, Bitbucket -Pipelines, an internal runner, or any other CI system. This is a portable -integration contract, not native product support for those CI systems. - -## Integration Modes - -| Mode | What DiffPal does | -| --- | --- | -| Artifact-only review | Runs review, writes artifacts, and prints Markdown output without publishing to a code host. | -| Review plus publishing | Runs review and publishes feedback to GitHub, GitLab, or Azure DevOps when the job has host credentials. | -| Review with a blocking gate | Runs review and returns a non-zero result when blocking findings meet the configured threshold. | - -Native publishers exist for GitHub, GitLab, and Azure DevOps. Other code hosts -can still receive artifact-only output from `diffpal review local`, but DiffPal -does not publish native comments or statuses to unsupported hosts. - -## Required Inputs - -Your CI job must provide: - -- repository working tree; -- full git history for the reviewed range; -- base and head revisions; -- DiffPal configuration at `.config/diffpal/config.yaml`; -- provider executable and credentials; -- host credentials when publishing to GitHub, GitLab, or Azure DevOps. - -## Generic Execution Lifecycle - -1. Checkout the repository. -2. Fetch enough git history to resolve base and head. -3. Install the provider executable. -4. Authenticate the provider. -5. Install DiffPal. -6. Validate required environment variables and revisions. -7. Execute review. -8. Publish output when using a native host publisher. -9. Upload `.artifacts/diffpal/`. -10. Enforce the process exit result. - -## Base And Head Resolution - -DiffPal needs two revisions: - -| Value | Meaning | -| --- | --- | -| `base` | The target branch revision or merge-base used as the comparison start. | -| `head` | The pull request, merge request, or candidate commit being reviewed. | - -Your CI system must supply these values from pull-request metadata or from its -own build variables. Shallow clones, missing target branches, and deleted base -refs break review scope resolution because DiffPal cannot compute the reviewed -change range. Fetch full history or explicitly fetch the target branch before -running DiffPal. - -## Portable Example - -This vendor-neutral shell example performs an artifact-only review. It uses the -current CLI command and flags for `diffpal review local`. The provider setup -shown is the Codex API-key path; use [Providers](/providers) to -replace those install and authentication commands for another provider. - -```bash -set -eu - -: "${DIFFPAL_BASE_REV:?set DIFFPAL_BASE_REV to the target/base revision}" -: "${DIFFPAL_HEAD_REV:?set DIFFPAL_HEAD_REV to the reviewed/head revision}" -: "${DIFFPAL_REPO_ID:?set DIFFPAL_REPO_ID to a stable repository id}" -: "${OPENAI_API_KEY:?set OPENAI_API_KEY for the Codex provider}" -``` - -`OPENAI_API_KEY` is a provider credential. Do not expose it to untrusted fork -builds or jobs that execute fork-controlled code. - -```bash -git fetch --tags --prune -git rev-parse --verify "$DIFFPAL_BASE_REV^{commit}" -git rev-parse --verify "$DIFFPAL_HEAD_REV^{commit}" - -npm install --global @openai/codex@0.139.0 @normahq/codex-acp-bridge@1.6.3 -printf '%s' "$OPENAI_API_KEY" | codex login --with-api-key -npm install --global @diffpal/diffpal@latest -mkdir -p .artifacts/diffpal - -diffpal --profile ci review local \ - --base "$DIFFPAL_BASE_REV" \ - --head "$DIFFPAL_HEAD_REV" \ - --repo "$DIFFPAL_REPO_ID" \ - --review-id "custom-ci-${DIFFPAL_HEAD_REV}" \ - --feedback review \ - --out .artifacts/diffpal/findings.json \ - > .artifacts/diffpal/summary.md -``` - -To publish to a native host, use the matching command and host credentials: - -- `diffpal review github` -- `diffpal review gitlab` -- `diffpal review ado` - -Pass `--gate` when blocking findings should fail the CI job. - -## CI Concept Mapping - -| CI concept | Capability to configure | -| --- | --- | -| Checkout | Clone the repository and fetch the target/base revision plus the reviewed/head revision. | -| Protected secrets | Expose provider credentials, and host credentials when publishing, only to trusted jobs. | -| Pull-request metadata | Provide stable base revision, head revision, repository id, and review id. | -| Artifact upload | Persist the files created by the selected review command. | -| Required check/gate | Use the DiffPal process exit result as the CI job result when `--gate` is enabled. | - -## Outputs - -Verified local artifact paths for the portable `review local` example: - -| Path | Purpose | -| --- | --- | -| `.artifacts/diffpal/findings.json` | Canonical structured findings bundle. | -| `.artifacts/diffpal/summary.md` | Human-readable review summary captured from stdout. | - -Native host publishers can create additional platform artifacts: - -| Path | Purpose | -| --- | --- | -| `.artifacts/diffpal/diffpal.sarif` | SARIF report when enabled by the platform output. | -| `.artifacts/diffpal/codequality.json` | GitLab Code Quality report. | - -Publishing is available only through the native GitHub, GitLab, and Azure -commands. `feedback` controls what DiffPal tries to publish or print: -`summary` omits file-level findings, while `review` includes file-level -feedback where the selected mode supports it. - -Gating is separate from feedback. `--gate` controls whether blocking findings -make the process return non-zero. Feedback can still show blocking findings -when the gate is disabled. - -## Expected Results - -The portable artifact-only example should create -`.artifacts/diffpal/findings.json` and a captured -`.artifacts/diffpal/summary.md`. Native host commands should additionally -publish the feedback surfaces listed in the -[support matrix](/support-matrix). - -## Security - -Do not expose provider or host secrets to untrusted fork builds. Run -secret-backed review only for trusted branches, same-repository pull requests, -or maintainer-approved jobs that do not execute untrusted code with secrets. - -For untrusted contributions, run no-secret CI checks only, or require a -maintainer-controlled rerun after reviewing the submitted workflow changes. -Artifact-only review still runs a provider-backed review, so it must not receive -provider credentials in a job that executes untrusted fork code. - -Use [Secrets and fork PRs](/secrets-and-fork-prs) for the full -credential and fork PR guide. - -## Failure Handling - -DiffPal returns success when the review completes and no enabled gate blocks the -job. With `--gate`, blocking findings return a non-zero process result. -Configuration, provider authentication, review scope resolution, and publishing -failures also return non-zero because the review result is incomplete. - -Treat the process exit result as the stable public contract. Do not depend on -specific numeric exit codes unless they are documented as stable for the -command you are using. - -## Boundaries - -DiffPal has native publishers for: - -- GitHub; -- GitLab; -- Azure DevOps. - -When running against another code host, DiffPal can still produce local -Markdown and artifacts, including `findings.json`, but it does not create -native comments, discussions, threads, checks, statuses, or branch-policy -signals for that host. - -Next step: upload `.artifacts/diffpal/` from your CI job and verify the first -run with [Verify First Review](/verify-first-review). diff --git a/docs-source.json b/docs-source.json new file mode 100644 index 0000000..1ffb718 --- /dev/null +++ b/docs-source.json @@ -0,0 +1,4 @@ +{ + "repository": "diffpal/diffpal", + "ref": "78c6b3e9fdc60366e60c3d7b02574364c9c5bfd5" +} diff --git a/docs.md b/docs.md deleted file mode 100644 index 2aeef6c..0000000 --- a/docs.md +++ /dev/null @@ -1,76 +0,0 @@ -# DiffPal Docs - -Choose the section that matches what you want to do. - -## Getting Started - -Use [Getting Started](/getting-started) for the first successful -review path. Start with the -[GitHub quickstart](/github-quickstart), then verify the -expected summary, comments, artifacts, and gate behavior with -[Verify First Review](/verify-first-review). Continue with -[Next Steps](/next-steps) after the first run works. - -## Concepts - -Use [Concepts](/concepts) to understand how DiffPal turns pull request -diffs into structured findings and host-native feedback. The section also -includes the [comparison guide](/comparison). - -- [How DiffPal works](/how-diffpal-works) -- [Review lifecycle](/review-lifecycle) -- [Providers and agents](/providers-and-agents) -- [Findings, feedback, and gates](/findings-feedback-and-gates) -- [Glossary](/glossary) - -## Integrations - -Use [Integrations](/integrations) for CI setup and host-specific -requirements: - -- [GitHub Actions](/github-actions) -- [GitLab CI](/gitlab-ci) -- [Azure Pipelines](/azure-pipelines) -- [Custom CI/CD](/custom-ci) - -## Providers - -Use [Providers](/providers) to choose Codex, Copilot, OpenCode, or a -custom ACP-compatible CLI: - -- [Codex](/codex) -- [Copilot](/copilot) -- [OpenCode](/opencode) -- [Custom ACP-compatible CLI](/custom-acp) - -## Guides - -Use [Guides](/guides) for operational guidance that spans setup and -reference material: - -- [Secrets and fork PRs](/secrets-and-fork-prs) -- [Security controls](/security) - -## Reference - -Use [Reference](/reference) for stable contracts: - -- [Configuration](/configuration) -- [CLI](/cli) -- [Findings schema](/findings-schema) -- [Artifacts](/artifacts) -- [Exit behavior](/exit-behavior) -- [Versioning](/versioning) -- [Support matrix](/support-matrix) - -## Help - -Use [Help](/help) for operational fixes, including -[troubleshooting](/troubleshooting) for missing comments, token failures, -fork PRs, and incomplete diffs. Use the [FAQ](/faq) for short answers -to common product, provider, CI, and artifact questions. - -## Examples - -Use the [examples gallery](https://github.com/diffpal/diffpal/blob/main/examples/README.md) for copy-paste configs and CI -files. diff --git a/exit-behavior.md b/exit-behavior.md deleted file mode 100644 index 34e9965..0000000 --- a/exit-behavior.md +++ /dev/null @@ -1,59 +0,0 @@ -# Exit Behavior - -DiffPal uses process exit status to distinguish completed review, blocked -review, setup problems, provider problems, publishing problems, and internal -tooling failures. - -| Code | Meaning | -| --- | --- | -| `0` | Command completed successfully. Review may still contain findings when gate is disabled. | -| `2` | Configuration, profile, provider validation, CLI flag, platform auth, or diff context/setup failure. | -| `3` | Transient provider failure such as provider timeout or retryable provider error. | -| `4` | Publishing or conversion failure, including platform API publishing and SARIF conversion. | -| `5` | Internal tooling or local file/output failure. | -| `10` | Blocking findings detected and `--gate` was enabled. | -| `130` | Interrupted or cancelled by the process environment. | - -## Success - -Without `--gate`, a review command returns `0` when review, artifact writing, -and any requested publishing complete. Findings can still be present and can -still be marked `blocking` in artifacts and summaries. - -## Blocking Findings - -With `--gate`, DiffPal counts findings whose severity meets -`diffpal.gate.block_on` or `--block-on`. If any are blocking, the command -returns exit code `10` after review output is written and publishing has been -attempted. - -## Setup Failure - -Exit code `2` covers invalid config, missing config, invalid feedback mode, -invalid review channel, invalid instructions file, missing platform token, and -missing host context such as base/head/repository metadata. - -Review scope resolution failures are setup/context failures and also return `2`. - -## Provider Failure - -Provider validation failures return `2`. Transient provider runtime failures -return `3`. Other provider/runtime failures return `5`. - -## Publishing Failure - -Host publishing failures return `4`. This includes platform API failures and -publishing file conversion errors. The `diffpal sarif` command also returns `4` -for failed input reading, SARIF conversion, or SARIF output writing. - -## Behavior With And Without Gating - -| Gate enabled | Blocking findings exist | Exit code | Feedback/artifacts | -| --- | --- | --- | --- | -| no | no | `0` | written/published | -| no | yes | `0` | written/published, may report blocking status in output | -| yes | no | `0` | written/published | -| yes | yes | `10` | written/published before the gate error | - -Tooling failures return their failure code regardless of gate setting because -the review result is incomplete. diff --git a/faq.md b/faq.md deleted file mode 100644 index 73b6efb..0000000 --- a/faq.md +++ /dev/null @@ -1,81 +0,0 @@ -# FAQ - -## Is A Hosted DiffPal Service Required? - -No. DiffPal runs in your CI. It can publish to supported code hosts from that -CI job when you provide host credentials. - -See [How DiffPal works](/how-diffpal-works). - -## Can Existing Agents Be Used? - -Yes, when they are exposed through a supported provider type or an -ACP-compatible CLI. DiffPal selects the provider from `diffpal.provider` and -`runtime.providers`. - -See [Providers](/providers) and -[Providers and agents](/providers-and-agents). - -## Which Hosts Are Supported? - -DiffPal has native publishers for GitHub pull requests, GitLab merge requests, -and Azure DevOps pull requests. Unsupported code hosts can still use local -Markdown and artifacts through custom CI. - -See the [support matrix](/support-matrix). - -## Is Custom CI Supported? - -Yes. Jenkins, Buildkite, CircleCI, Bitbucket Pipelines, internal runners, and -other CI systems can run DiffPal through the stable custom CI contract. That -does not imply native support for those CI products. - -See [Custom CI/CD](/custom-ci). - -## How Are Provider Costs And Accounts Handled? - -DiffPal does not own, create, bill, or manage third-party provider accounts. -Provider credentials, quotas, billing, and model access belong to the provider -account you configure in CI. - -See [Providers](/providers) and -[Secrets and fork PRs](/secrets-and-fork-prs). - -## What Happens When No Findings Exist? - -A completed review can legitimately produce no findings. The summary and -artifacts should still show that the review ran. With no blocking findings, an -enabled gate passes. - -See [Verify First Review](/verify-first-review) and -[Exit behavior](/exit-behavior). - -## Can Comments And Gates Be Configured Independently? - -Yes. `feedback` controls summary versus inline feedback. `--gate` or -`gate: true` controls whether blocking findings fail the job. A run can publish -feedback without blocking merges, or block based on findings after output is -written. - -See [Findings, feedback, and gates](/findings-feedback-and-gates) -and [Merge gates](/integrations#merge-gates). - -## How Are Fork PRs Handled? - -Secret-backed DiffPal review should run only for trusted branches, -same-repository pull requests, or maintainer-approved jobs that do not execute -fork-controlled code with secrets. Fork PRs should run no-secret CI unless a -maintainer uses a safe trusted workflow. - -See [Secrets and fork PRs](/secrets-and-fork-prs). - -## Where Are Artifacts Written? - -DiffPal writes artifacts under `.artifacts/diffpal/` by default. The canonical -findings bundle is `.artifacts/diffpal/findings.json`. Host commands can also -write `summary.md`, SARIF, Code Quality, and host-specific publishing payloads. - -See [Artifacts](/artifacts). - -Next step: use [Getting Started](/getting-started) when you are -ready to configure the first review. diff --git a/findings-feedback-and-gates.md b/findings-feedback-and-gates.md deleted file mode 100644 index 0f45b5a..0000000 --- a/findings-feedback-and-gates.md +++ /dev/null @@ -1,55 +0,0 @@ -# Findings, Feedback, And Gates - -DiffPal separates the review result from where it is shown and whether it -blocks a merge. - -## Finding - -A finding is one concrete issue returned by the provider and validated by -DiffPal. It includes a category, severity, message, impact, and changed-file -location when the issue can be anchored inline. - -## Severity - -Severity describes concrete impact, not confidence or preference. DiffPal uses -severity to decide which findings are advisory and which meet the configured -blocking threshold. - -## Summary - -The summary is the top-level human-readable review output. It explains the -reviewed change and the review result even when there are no actionable -findings. - -## Inline Feedback - -Inline feedback is file-level feedback on changed lines, such as GitHub review -comments, GitLab discussions, or Azure PR threads. Inline feedback depends on -the selected host publisher and feedback mode. - -## Output Artifact - -An output artifact is a file written by DiffPal, such as -`.artifacts/diffpal/findings.json`, `summary.md`, SARIF, or GitLab Code Quality -JSON. Artifacts let CI retain the review result even when no inline comments -are published. - -## Blocking Threshold - -The blocking threshold is the minimum severity that counts as blocking. A -repository might start with `high` so only high and critical findings block the -gate. - -## Feedback And Merge Blocking Are Separate - -Feedback visibility answers "what should users see?" Merge blocking answers -"should this CI job fail?" Keeping them separate lets teams roll out DiffPal -safely: - -- publish summaries and artifacts without inline comments; -- show inline feedback without failing merges; -- enable a gate only after the team agrees on the blocking threshold; -- lower the threshold later without changing provider setup. - -Use [Integrations](/integrations) for host feedback modes and -[Configuration](/configuration#gate) for the gate field. diff --git a/findings-schema.md b/findings-schema.md deleted file mode 100644 index 1896095..0000000 --- a/findings-schema.md +++ /dev/null @@ -1,132 +0,0 @@ -# Findings Schema - -The canonical review artifact is -`.artifacts/diffpal/findings.json`, a JSON serialization of DiffPal's findings -bundle. New review writes use `version: "v3"` unless a bundle version is -already set by the caller. - -## Canonical Bundle - -| Field | Required | Meaning | -| --- | --- | --- | -| `version` | yes | Bundle version. New writes use `v3`; readers accept `v1`, `v2`, and `v3`. | -| `review_id` | yes | Stable review identifier. | -| `base_sha` | yes | Base revision used for the review. | -| `head_sha` | yes | Head revision used for the review. | -| `language` | no | Language requested for generated text. | -| `prompt` | no | Prompt metadata. | -| `inspection` | no | Provider inspection metadata. | -| `change_summary` | no | Human-readable summary bullets. | -| `review_result` | no | Human-readable review outcome sentence. | -| `files` | no | Reviewed files. | -| `findings` | yes | Finding array. May be empty. | - -Prompt metadata fields: - -| Field | Meaning | -| --- | --- | -| `prompt_id` | Prompt identifier, currently `diffpal.review` for review output. | -| `prompt_version` | Prompt version used for the review. | -| `purpose` | Prompt purpose. | -| `schema_version` | Prompt output schema version, currently `findings.v3`. | - -Inspection metadata fields: - -| Field | Meaning | -| --- | --- | -| `provider_type` | Runtime provider type when available. | -| `required` | Whether inspection metadata was required by the runtime. | -| `tool_calls` | Tool call names when available. | -| `diff_inspected` | Whether the provider reported diff inspection. | -| `context_inspected` | Whether the provider reported context inspection. | - -## Finding Fields - -| Field | Required | Meaning | -| --- | --- | --- | -| `id` | written by DiffPal | Deterministic fingerprint. | -| `review_id` | written by DiffPal when missing | Review identifier copied from the bundle. | -| `category` | yes | Finding category. | -| `severity` | yes | `low`, `medium`, `high`, or `critical`. | -| `confidence` | yes | Number from `0` to `1`. | -| `path` | yes | File path for the finding. | -| `start_line` | yes | Positive start line. | -| `end_line` | yes | Positive end line, greater than or equal to `start_line`. | -| `changed_span` | yes for v2/v3 | Changed-line span that anchors the finding. | -| `supporting_span` | no | Additional context span. | -| `title` | yes | Short finding title. | -| `message` | yes | Finding explanation. | -| `evidence` | yes | Structured evidence for v2/v3. | -| `impact` | yes | Structured impact for v2/v3. | -| `suggestion` | no | Suggested fix. | -| `blocking` | written by DiffPal | Whether the finding meets the active threshold. | -| `provider` | no | Provider ID that produced the finding. | - -Line span representation: - -```json -{ - "path": "internal/session.go", - "start_line": 12, - "end_line": 14 -} -``` - -Evidence representation: - -```json -{ - "anchor": "changed lines call exec with request input", - "reasoning_basis": "the command arguments now include unsanitized user data", - "source": "changed_line" -} -``` - -Impact representation: - -```json -{ - "summary": "users can execute unintended shell commands", - "scope": "request handling path" -} -``` - -## Severity And Location - -Allowed severities are `low`, `medium`, `high`, and `critical`. -DiffPal normalizes severity to lowercase. - -Location is represented twice for compatibility: - -- `path`, `start_line`, and `end_line` are the primary line fields; -- `changed_span` carries the same changed-line anchor in structured form. - -For v2/v3, `changed_span.path`, `changed_span.start_line`, and -`changed_span.end_line` are required and must be positive. - -## Compatibility - -DiffPal readers accept: - -- `v1` bundles where `evidence` and `impact` may be legacy strings; -- `v2` bundles with structured evidence and impact; -- `v3` bundles with optional `review_result`. - -New writes use `v3`. Consumers should ignore unknown fields and treat -`findings[]` as the canonical machine-readable issue list. - -## Consumer Example - -Fail a CI step when the canonical bundle contains blocking findings: - -```bash -jq -e '[.findings[] | select(.blocking == true)] | length == 0' \ - .artifacts/diffpal/findings.json -``` - -Count high and critical findings regardless of whether the gate was enabled: - -```bash -jq '[.findings[] | select(.severity == "high" or .severity == "critical")] | length' \ - .artifacts/diffpal/findings.json -``` diff --git a/getting-started.md b/getting-started.md deleted file mode 100644 index 5af2f94..0000000 --- a/getting-started.md +++ /dev/null @@ -1,54 +0,0 @@ -# Getting Started - -Use this section to choose the shortest path to your first useful DiffPal -review. - -## Prerequisites - -Before you start, have: - -- a repository on GitHub, GitLab, or Azure DevOps; -- permission to add CI configuration and repository secrets; -- one supported review provider or ACP-compatible agent; -- a pull request or merge request you can use for a trusted first test. - -If the terms are new, read [How DiffPal works](/how-diffpal-works) -and the [Glossary](/glossary) first. -Before adding provider secrets, read -[Secrets and fork PRs](/secrets-and-fork-prs). - -## Choose Code Host - -| Host | Start here | -| --- | --- | -| GitHub Actions | [GitHub quickstart](/github-quickstart) | -| GitLab CI | [GitLab CI guide](/gitlab-ci) | -| Azure Pipelines | [Azure Pipelines guide](/azure-pipelines) | -| Custom CI/CD | [Custom CI/CD guide](/custom-ci) | - -## Choose Provider - -The fastest GitHub path uses the Codex API-key recipe because it is ready to -copy. Codex is not the product boundary: the same DiffPal workflow works with -other supported providers and ACP-compatible agents. - -| Provider path | Start here | -| --- | --- | -| Codex API key | [GitHub quickstart](/github-quickstart) | -| Codex subscription auth, Copilot, OpenCode, or generic ACP | [Providers](/providers) | - -## Choose Feedback Mode - -| Mode | Use when | -| --- | --- | -| `summary` | You want a PR/MR summary and non-file artifacts without inline review comments. | -| `review` | You want the summary plus file-level comments, discussions, or PR threads. | - -The GitHub quickstart uses `review` so the first run shows the full review -surface. - -## Start - -Use [GitHub quickstart](/github-quickstart) to install DiffPal in a new GitHub -repository, then use [Verify First Review](/verify-first-review) to confirm -the first run worked. After that, continue with [Next Steps](/next-steps). diff --git a/github-actions.md b/github-actions.md deleted file mode 100644 index c89190d..0000000 --- a/github-actions.md +++ /dev/null @@ -1,156 +0,0 @@ -# GitHub Actions - -Use this page to run DiffPal in GitHub Actions. For the shortest first setup, -start with the [GitHub quickstart](/github-quickstart). - -## Supported Outputs - -- Pull request review summary. -- File-level review comments on changed lines. -- SARIF upload output when enabled by the workflow. -- CI check result from the `diffpal` workflow. - -## Prerequisites - -- A GitHub repository with Actions enabled. -- Permission to add repository secrets and workflows. -- A committed DiffPal config at `.config/diffpal/config.yaml`. -- A provider secret such as `OPENAI_API_KEY`. - -See [Shared Setup](/integrations#shared-setup) and -[Providers](/providers). - -## Required Checkout Behavior - -Use a full checkout so DiffPal can compare the pull request base and head: - -```yaml -- uses: actions/checkout@v4 - with: - fetch-depth: 0 -``` - -## Required Token And Minimum Permissions - -GitHub provides `GITHUB_TOKEN`. Grant the workflow only the permissions DiffPal -needs to read code and publish PR feedback: - -```yaml -permissions: - contents: read - pull-requests: write -``` - -`GITHUB_TOKEN` is the host publishing credential. Keep it separate from provider -credentials such as `OPENAI_API_KEY`. - -## Provider Installation And Authentication - -Install and authenticate the selected provider before the DiffPal step. Use -[Providers](/providers) for Codex, Copilot, OpenCode, and custom -ACP-compatible CLI setup. - -Provider credentials allow the selected third-party provider to process the -review input. Store them as GitHub secrets and keep the credentialed review job -restricted to trusted pull requests. See -[Secrets and fork PRs](/secrets-and-fork-prs). - -## Minimal Pipeline - -```yaml -name: diffpal - -on: - pull_request: - types: [opened, synchronize, reopened, ready_for_review] - -jobs: - review: - if: ${{ !github.event.pull_request.draft && github.event.pull_request.head.repo.full_name == github.repository }} - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - uses: actions/setup-node@v4 - with: - node-version: 22 - - - name: Install Codex provider - run: npm install --global @openai/codex@0.139.0 @normahq/codex-acp-bridge@1.6.3 - - - name: Authenticate Codex - run: printf '%s' "$OPENAI_API_KEY" | codex login --with-api-key - env: - OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - - name: Review pull request - uses: diffpal/action@v1 - with: - profile: ci - base: ${{ github.event.pull_request.base.sha }} - head: ${{ github.event.pull_request.head.sha }} - repo: ${{ github.repository }} - review-id: github-pr-${{ github.event.pull_request.number }} - feedback: review - gate: true - env: - OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -``` - -## Feedback Modes - -Use `feedback: review` for a PR summary plus file-level comments. Use -`feedback: summary` for the summary and non-file artifacts only. - -See [Feedback Modes](/integrations#feedback-modes). - -## Merge-Gate Setup - -Set `gate: true` on `diffpal/action@v1`. Blocking findings fail the workflow -when they meet `diffpal.gate.block_on`. - -See [Merge Gates](/integrations#merge-gates). - -## Fork Or Untrusted-Contribution Behavior - -Keep provider credentials out of fork PR code. The minimal pipeline restricts -secret-backed review to same-repository PRs with: - -```yaml -if: ${{ !github.event.pull_request.draft && github.event.pull_request.head.repo.full_name == github.repository }} -``` - -See [Secrets and fork PRs](/secrets-and-fork-prs). - -## Expected Results - -- A PR review headed `DiffPal Review Summary`. -- Inline review comments when actionable findings exist and feedback is - `review`. -- `.artifacts/diffpal/findings.json` in the workflow workspace. -- A failed workflow only for blocking gated findings or incomplete review setup. - -## Common Failures - -- `pull-requests: write` is missing. -- `fetch-depth: 0` is missing. -- `OPENAI_API_KEY` is missing or invalid. -- The PR is from a fork, so the same-repository guard skipped secret-backed - review. - -See [Common Failures](/integrations#common-failures). - -## Related Examples - -- [Codex API key](https://github.com/diffpal/diffpal/blob/main/examples/ci/github-actions/codex-api-key.yml) -- [Codex subscription auth](https://github.com/diffpal/diffpal/blob/main/examples/ci/github-actions/codex-subscription.yml) -- [Copilot token](https://github.com/diffpal/diffpal/blob/main/examples/ci/github-actions/copilot-github-token.yml) - -Next step: use [Verify First Review](/verify-first-review) -after the first GitHub Actions run completes. diff --git a/github-quickstart.md b/github-quickstart.md deleted file mode 100644 index 84f4534..0000000 --- a/github-quickstart.md +++ /dev/null @@ -1,107 +0,0 @@ -# GitHub Quickstart - -Use this page to add DiffPal to a new GitHub repository and see the first PR -review. - -This path uses the Codex API-key recipe because it is a complete copy-paste -GitHub Actions setup. Codex is not the product boundary; other supported -providers and ACP agents can use the same DiffPal workflow. -See [Codex Provider](/codex) for provider-specific setup -details. - -## 1. Create A Setup Branch - -Run this from the repository root: - -```bash -git switch -c diffpal-onboarding -``` - -## 2. Add The Provider Secret - -Add this repository secret in GitHub: - -| Secret | Purpose | -| --- | --- | -| `OPENAI_API_KEY` | Lets the Codex CLI act as the review provider. | - -DiffPal runs in your CI and sends review input to the provider you configure. -For this setup, `OPENAI_API_KEY` belongs to the Codex provider, not to GitHub. -Store it as a repository secret and do not expose it to untrusted fork PR code. - -With GitHub CLI: - -```bash -gh secret set OPENAI_API_KEY -``` - -Keep secret-backed DiffPal review limited to same-repository pull requests and -let forks run no-secret CI only. See -[Secrets and fork PRs](/secrets-and-fork-prs) for the security -rationale. - -## 3. Initialize Config - -Run this from the repository root: - -```bash -npx -y @diffpal/diffpal@latest init --wizard --setup codex-api-key --platform github -``` - -This creates `.config/diffpal/config.yaml` with Codex ACP as the provider, -`block_on: high`, a `ci` profile, and a GitHub platform block. Existing files -are preserved unless you pass `--force`. - -Commit the generated config: - -```bash -git add .config/diffpal/config.yaml .config/diffpal/.gitignore -git commit -m "chore: add diffpal config" -``` - -## 4. Install Workflow - -Copy the GitHub Actions example: - -```bash -mkdir -p .github/workflows -cp examples/ci/github-actions/codex-api-key.yml .github/workflows/diffpal.yml -``` - -Commit the workflow: - -```bash -git add .github/workflows/diffpal.yml -git commit -m "ci: add diffpal review" -``` - -The workflow performs a full checkout, installs the Codex provider command, -authenticates with `OPENAI_API_KEY`, runs `diffpal/action@v1`, publishes review -feedback, and enables the gate. - -## 5. Test A Trusted Pull Request - -Push the branch and open a pull request from a branch in the same repository: - -```bash -git push -u origin HEAD -``` - -Use a same-repository pull request for the first test so the provider secret is -available to the workflow. - -## Expected Result - -After the workflow completes, the pull request should show: - -- a `DiffPal Review Summary` review; -- inline review comments when actionable findings exist; -- a `diffpal` workflow check; -- `.artifacts/diffpal/findings.json` in the workflow workspace. - -If the run has no actionable findings, the review summary and artifacts should -still appear. If setup, authentication, review scope resolution, or publishing -fails, the workflow should fail because the review is incomplete. - -Use [Verify First Review](/verify-first-review) to check the first run, then -continue with [Next Steps](/next-steps). diff --git a/gitlab-ci.md b/gitlab-ci.md deleted file mode 100644 index 2a7c55e..0000000 --- a/gitlab-ci.md +++ /dev/null @@ -1,148 +0,0 @@ -# GitLab CI - -Use this page to run DiffPal in GitLab merge request pipelines. - -## Supported Outputs - -- Merge request summary discussion. -- File-level discussions for actionable findings. -- Code Quality report. -- SARIF report. -- Commit status named `DiffPal Review`. - -## Prerequisites - -- A GitLab project with merge request pipelines. -- A committed DiffPal config at `.config/diffpal/config.yaml`. -- A provider secret such as `OPENAI_API_KEY`. -- A platform token path that can publish MR feedback. - -See [Shared Setup](/integrations#shared-setup) and -[Providers](/providers). - -## Required Checkout Behavior - -Set full git depth so DiffPal can compare base and head: - -```yaml -variables: - GIT_DEPTH: "0" -``` - -Pass `--base "$CI_MERGE_REQUEST_DIFF_BASE_SHA"` and -`--head "$CI_COMMIT_SHA"` when running `diffpal review gitlab`. - -## Required Token And Minimum Permissions - -DiffPal can publish with: - -| Token | Use when | -| --- | --- | -| `CI_JOB_TOKEN` | Your instance allows MR API publishing with the built-in job token. | -| `GITLAB_TOKEN` | You need a dedicated API token for MR discussions/status publishing. | - -Use protected/masked variables for provider tokens. Prefer the least-privilege -token that can create MR discussions, publish commit status, and upload reports. -Keep host tokens separate from provider credentials such as `OPENAI_API_KEY`. - -## Provider Installation And Authentication - -Install and authenticate the selected provider before the DiffPal step. Use -[Providers](/providers) for Codex, Copilot, OpenCode, and custom -ACP-compatible CLI setup. - -Provider credentials allow the selected third-party provider to process the -review input. Store them as protected and masked variables, and expose them only -to trusted pipelines. See -[Secrets and fork PRs](/secrets-and-fork-prs). - -## Minimal Pipeline - -```yaml -stages: - - review - -diffpal-review: - stage: review - image: node:22 - rules: - - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_SOURCE_PROJECT_PATH == $CI_PROJECT_PATH && $DIFFPAL_TRUSTED_REVIEW == "true"' - when: manual - allow_failure: false - - when: never - resource_group: "diffpal:$CI_MERGE_REQUEST_IID" - before_script: - - npm install --global @diffpal/diffpal@latest @openai/codex@0.139.0 @normahq/codex-acp-bridge@1.6.3 - - printf '%s' "$OPENAI_API_KEY" | codex login --with-api-key - script: - - >- - diffpal --profile ci review gitlab - --base "$CI_MERGE_REQUEST_DIFF_BASE_SHA" - --head "$CI_COMMIT_SHA" - --repo "$CI_PROJECT_PATH" - --review-id "gitlab-mr-$CI_MERGE_REQUEST_IID" - --feedback review - --gate - variables: - GIT_DEPTH: "0" - artifacts: - when: always - paths: - - .artifacts/diffpal/ - reports: - codequality: .artifacts/diffpal/codequality.json - sarif: .artifacts/diffpal/diffpal.sarif -``` - -## Feedback Modes - -Use `--feedback review` for a summary discussion plus file-level discussions. -Use `--feedback summary` for summary, status, Code Quality, and SARIF without -file-level discussions. - -See [Feedback Modes](/integrations#feedback-modes). - -## Merge-Gate Setup - -Pass `--gate`. Blocking findings return exit code `10` after publishing -succeeds and are represented by unresolved blocker discussions plus the -`DiffPal Review` status. - -See [Merge Gates](/integrations#merge-gates) and -[Exit behavior](/exit-behavior). - -## Fork Or Untrusted-Contribution Behavior - -Keep provider credentials available only to trusted pipelines. For fork merge -requests, use no-secret CI or a maintainer-approved manual job. The minimal -pipeline and examples use same-project conditions, a manual -`DIFFPAL_TRUSTED_REVIEW` guard, and protected variables for secret-backed -review. - -See [Secrets and fork PRs](/secrets-and-fork-prs). - -## Expected Results - -- GitLab discussions for actionable findings when feedback is `review`. -- A merge request summary discussion. -- Code Quality and SARIF artifacts. -- A commit status named `DiffPal Review`. -- `.artifacts/diffpal/summary.md` in job artifacts. - -## Common Failures - -- `GIT_DEPTH: "0"` is missing. -- `CI_JOB_TOKEN` lacks MR API permissions; use `GITLAB_TOKEN`. -- Provider variables are not protected/masked or are unavailable to the job. -- The pipeline is not a merge request pipeline, so MR context is missing. - -See [Common Failures](/integrations#common-failures). - -## Related Examples - -- [Codex API key](https://github.com/diffpal/diffpal/blob/main/examples/ci/gitlab/codex-api-key.yml) -- [Codex subscription auth](https://github.com/diffpal/diffpal/blob/main/examples/ci/gitlab/codex-subscription.yml) -- [Copilot token](https://github.com/diffpal/diffpal/blob/main/examples/ci/gitlab/copilot-github-token.yml) - -Next step: use [Verify First Review](/verify-first-review) -after the first GitLab pipeline completes. diff --git a/glossary.md b/glossary.md deleted file mode 100644 index 38ebde6..0000000 --- a/glossary.md +++ /dev/null @@ -1,61 +0,0 @@ -# Glossary - -## PR/MR - -Pull request or merge request. DiffPal uses the term for a proposed code change -that can be reviewed before merge. - -## Provider - -The configured runtime entry selected by `diffpal.provider` from -`runtime.providers`. - -## ACP - -Agent Client Protocol. DiffPal can run ACP-compatible CLIs as review agents. - -## Finding - -A structured review issue with severity, category, impact, message, and -location metadata. - -## Publisher - -The DiffPal component that turns validated review output into host-native -feedback such as comments, discussions, statuses, SARIF, or Code Quality -reports. - -## Feedback - -The visible review output users see in a host or local report, such as a -summary, inline comment, discussion, or thread. - -## Gate - -The optional CI behavior that returns a failing result when findings meet or -exceed the configured blocking threshold. - -## Profile - -A named config override selected for a run, commonly `ci`, that adjusts the -base repository config without changing the whole file. - -## Artifact - -A file written by DiffPal, usually under `.artifacts/diffpal/`, that records -the review result for CI uploads, auditing, or downstream processing. - -## Base - -The revision used as the comparison start. In PR/MR review, it is usually the -target branch revision or a merge base. - -## Head - -The revision being reviewed. In PR/MR review, it is usually the source branch -commit. - -## Merge Base - -The common ancestor used to compare a source branch against a target branch -when the host or CI system does not provide an exact base commit. diff --git a/guides.md b/guides.md deleted file mode 100644 index 4da1b31..0000000 --- a/guides.md +++ /dev/null @@ -1,11 +0,0 @@ -# Guides - -Use this section for operational guidance that spans getting started, -integrations, providers, and reference pages. - -- [Secrets and fork PRs](/secrets-and-fork-prs): credentials, trusted - pipelines, fork pull request safety, artifact retention, and security - reporting. - -Next step: read [Secrets and fork PRs](/secrets-and-fork-prs) before adding -or changing provider credentials. diff --git a/help.md b/help.md deleted file mode 100644 index 19ecaa3..0000000 --- a/help.md +++ /dev/null @@ -1,12 +0,0 @@ -# Help - -Use this section when a DiffPal run does not produce the expected host feedback -or artifacts, or when you need a short factual answer before choosing a guide. - -- [Troubleshooting](/troubleshooting) starts from observable symptoms such as - missing jobs, auth failures, missing summaries, artifact gaps, and gate - surprises. -- [FAQ](/faq) answers common product, provider, host, CI, fork PR, gate, and - artifact questions. -- [Secrets and fork PRs](/secrets-and-fork-prs) covers credential - handling and untrusted contribution safety. diff --git a/how-diffpal-works.md b/how-diffpal-works.md deleted file mode 100644 index 543d276..0000000 --- a/how-diffpal-works.md +++ /dev/null @@ -1,67 +0,0 @@ -# How DiffPal Works - -DiffPal is an open-source pull request and merge request review engine that -runs in your CI workflow. It standardizes how a repository asks an AI provider -for review, validates the response, publishes feedback, writes artifacts, and -optionally blocks a merge. - -## Product Boundary - -DiffPal owns the review workflow around the provider: - -- resolving the requested base/head range and review scope; -- building the review request; -- validating provider output against changed files and lines; -- rendering summaries, findings, and artifacts; -- publishing to supported code hosts; -- applying the configured gate. - -DiffPal is not the model, the provider account, or a mandatory hosted review -service. - -When a remote provider is configured, DiffPal sends review input to that -provider from the CI job. Use -[Security controls](/security) before enabling secret-backed review. - -## Provider Boundary - -The selected provider or ACP-compatible CLI owns model reasoning, model access, -provider-specific tools, credentials, sandboxing, and account management. -DiffPal chooses a provider through `diffpal.provider`, sends the review task, -and expects structured review output back. - -Use [Providers and agents](/providers-and-agents) for the provider model and -[Providers](/providers) for setup pages. - -## Publisher Boundary - -DiffPal publishers turn validated findings into host-native feedback. GitHub, -GitLab, and Azure DevOps have native publishers. Custom CI can still produce -local artifacts, and can publish through a supported code host when the job has -the required host metadata and credentials. - -Use the [support matrix](/support-matrix) for supported host -outputs. - -## Repository-Owned Configuration - -DiffPal reads `.config/diffpal/config.yaml` from the repository. That file owns -the selected provider, review settings, platform publishing settings, profiles, -and gate threshold. CI files install/authenticate the provider and pass host -context, but the review policy stays with the repository. - -```mermaid -flowchart LR - A[PR or MR event] --> B[CI job] - B --> C[Repository DiffPal config] - C --> D[DiffPal review engine] - D --> E[Selected provider or ACP agent] - E --> F[Structured findings] - F --> G[Publisher] - F --> H[Artifacts] - F --> I[Optional gate] -``` - -For the first setup path, start with the -[GitHub quickstart](/github-quickstart). For supported -hosts and outputs, see the [support matrix](/support-matrix). diff --git a/index.md b/index.md index bf97596..7bfec64 100644 --- a/index.md +++ b/index.md @@ -1,5 +1,6 @@ --- layout: home +editLink: false hero: name: DiffPal diff --git a/integrations.md b/integrations.md deleted file mode 100644 index 7a8436e..0000000 --- a/integrations.md +++ /dev/null @@ -1,89 +0,0 @@ -# Integrations - -Use this section to run DiffPal in CI and publish review feedback to your code -host. Host-specific pages all follow the same shape: - -For the review flow behind these CI steps, see -[Review lifecycle](/review-lifecycle). - -- [GitHub Actions](/github-actions) -- [GitLab CI](/gitlab-ci) -- [Azure Pipelines](/azure-pipelines) -- [Custom CI/CD](/custom-ci) - -Copy-paste configs and pipelines live in [`examples/`](https://github.com/diffpal/diffpal/blob/main/examples/README.md). -Use the [GitHub quickstart](/github-quickstart) when you -want the shortest first setup path. -Use [Providers](/providers) to choose Codex, Copilot, OpenCode, or -a custom ACP-compatible CLI. - -## Shared Setup - -Every host needs: - -1. Full git history for the reviewed pull request or merge request. -2. A DiffPal config committed at `.config/diffpal/config.yaml`. -3. The provider CLI runtime required by the selected - [provider](/providers). -4. A provider auth secret. -5. A platform token with permission to publish review feedback. - -DiffPal runs in your CI and sends review input to the provider you configure. -Protect provider credentials before enabling secret-backed review. See -[Secrets and fork PRs](/secrets-and-fork-prs). - -For Jenkins, Buildkite, CircleCI, Bitbucket Pipelines, internal runners, or any -other CI system, use the [Custom CI/CD guide](/custom-ci). - -## Feedback Modes - -Use `feedback` for normal setup: - -| Feedback | Behavior | -| --- | --- | -| `summary` | PR/MR summary plus non-file artifacts such as status, SARIF, or Code Quality. No file-level findings are published. | -| `review` | Summary plus file-level comments, threads, or discussions for the platform. Non-blocking findings remain visible without becoming merge blockers. | - -Default review publish surfaces: - -| Platform | Default surfaces | -| --- | --- | -| GitHub | `comments,sarif,summary` | -| GitLab | `code-quality,discussions,status,sarif,summary` | -| Azure | `threads,status,summary` | - -Common artifacts are listed in the [artifacts reference](/artifacts). - -## Merge Gates - -Enable `gate` when blocking findings should fail the CI job. Start with -`block_on: high`; lower the threshold only after tuning review policy. See the -[configuration gate reference](/configuration#gate) and -[exit behavior](/exit-behavior). - -Tooling failures such as setup, provider auth, review scope resolution, or -publishing fail the job because the review result is incomplete, even when the -merge gate is disabled. - -## Untrusted Contributions - -Keep provider credentials out of untrusted fork pipelines. Run secret-backed -DiffPal review only for trusted branches, same-repository pull requests, or -maintainer-approved workflows that do not execute untrusted code with secrets. - -See [Secrets and fork PRs](/secrets-and-fork-prs). - -## Common Failures - -Most integration failures come from: - -- shallow checkout; -- missing provider secret; -- provider CLI not installed or authenticated; -- platform token missing write permission; -- running secret-backed review on an untrusted fork PR. - -Use the [troubleshooting guide](/troubleshooting) for fixes. - -Next step: open the host-specific integration page for the CI system that will -run DiffPal. diff --git a/next-steps.md b/next-steps.md deleted file mode 100644 index 3af9bbd..0000000 --- a/next-steps.md +++ /dev/null @@ -1,45 +0,0 @@ -# Next Steps - -Use this page after your first DiffPal review is working. - -## Change Provider - -Switch providers by changing the selected `runtime.providers` entry and the -matching CI install/authentication step. Start with the -[Providers](/providers) section or use -[Custom ACP-Compatible CLI](/custom-acp) for a custom agent. - -## Enable Review Comments - -Set feedback mode to `review` when you want file-level comments, discussions, or -PR threads. Use `summary` when you only want the summary and non-file artifacts. -See [Feedback Modes](/integrations#feedback-modes). - -## Configure Policy - -Tune review language, repository instructions, profiles, MCP servers, and -severity policy in `.config/diffpal/config.yaml`. See the -[configuration reference](/configuration). - -## Enable A Merge Gate - -Enable the gate in CI when blocking findings should fail the job. Start with -`block_on: high`; lower the threshold only after your team has tuned the review -policy. See [Gate](/configuration#gate). - -## Retain Artifacts - -Upload `.artifacts/diffpal/` from CI when you need audit records, SARIF, Code -Quality reports, or the canonical findings bundle after the job completes. See -the [artifacts reference](/artifacts). - -## Move To Another Host Or CI - -Use the same DiffPal config shape and change the CI host setup: - -- [GitLab CI](/gitlab-ci) -- [Azure Pipelines](/azure-pipelines) -- [Custom CI/CD](/custom-ci) - -Next step: choose the integration page for the CI system that will run the next -DiffPal review. diff --git a/opencode.md b/opencode.md deleted file mode 100644 index 0a8248b..0000000 --- a/opencode.md +++ /dev/null @@ -1,92 +0,0 @@ -# OpenCode Provider - -## When To Use This Provider - -Use OpenCode when your CI environment already installs and authenticates an -OpenCode CLI that can run as the selected DiffPal provider. - -## Prerequisites - -- A DiffPal config committed at `.config/diffpal/config.yaml`. -- An OpenCode CLI available in the CI job. -- Provider credentials configured with OpenCode's own authentication flow. - -## Installation - -Install OpenCode in CI using the installation method you use for OpenCode in -that environment. Pin the OpenCode package or source revision in your CI setup -the same way you pin other provider CLIs. - -## Authentication In CI - -Authenticate OpenCode before running DiffPal. Store any OpenCode credentials in -protected CI secrets and pass them to the OpenCode CLI using its supported -authentication mechanism. - -Do not expose OpenCode credentials to untrusted fork jobs. Keep the -credentialed review job limited to trusted branches, same-repository pull -requests, or maintainer-approved jobs that do not execute fork-controlled code. - -## Minimal Verified Configuration - -Use [`examples/configs/opencode-acp/config.yaml`](https://github.com/diffpal/diffpal/blob/main/examples/configs/opencode-acp/config.yaml). - -The provider selection is: - -```yaml -runtime: - providers: - opencode-acp: - type: opencode_acp - opencode_acp: - model: opencode/big-pickle - -diffpal: - provider: opencode-acp -``` - -## How To Test Provider Connectivity - -Validate the local runtime first: - -```bash -diffpal doctor --profile ci --mode local -``` - -Then run a provider-backed smoke review on a trusted branch: - -```bash -diffpal --profile ci review local \ - --base origin/main \ - --head HEAD \ - --feedback summary \ - --out .artifacts/diffpal/findings.json -``` - -## Expected Result - -The smoke review should complete, write -`.artifacts/diffpal/findings.json`, and print a Markdown summary to stdout. - -## Security Considerations - -DiffPal does not manage OpenCode accounts, credentials, models, or sandbox -settings. Keep OpenCode credentials in protected CI secrets and run -secret-backed review only in trusted branches, same-repository pull requests, or -maintainer-approved jobs that do not execute untrusted code with secrets. - -## Common Failures - -- The OpenCode CLI is not installed before DiffPal runs. -- OpenCode authentication is missing from the trusted CI job. -- The configured model is not available to the authenticated OpenCode account. -- The selected `diffpal.provider` does not match the `opencode-acp` provider - entry. - -## Links To Complete CI Examples - -- [OpenCode ACP config](https://github.com/diffpal/diffpal/blob/main/examples/configs/opencode-acp/config.yaml) -- [Integration guides](/integrations) - -Next step: adapt the OpenCode config, then choose the integration page for your -CI host. diff --git a/package-lock.json b/package-lock.json index 040cac4..55bec97 100644 --- a/package-lock.json +++ b/package-lock.json @@ -369,9 +369,9 @@ } }, "node_modules/@esbuild/aix-ppc64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.21.5.tgz", - "integrity": "sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.12.tgz", + "integrity": "sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==", "cpu": [ "ppc64" ], @@ -382,13 +382,13 @@ "aix" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/android-arm": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.21.5.tgz", - "integrity": "sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.12.tgz", + "integrity": "sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg==", "cpu": [ "arm" ], @@ -399,13 +399,13 @@ "android" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/android-arm64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.21.5.tgz", - "integrity": "sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.12.tgz", + "integrity": "sha512-6AAmLG7zwD1Z159jCKPvAxZd4y/VTO0VkprYy+3N2FtJ8+BQWFXU+OxARIwA46c5tdD9SsKGZ/1ocqBS/gAKHg==", "cpu": [ "arm64" ], @@ -416,13 +416,13 @@ "android" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/android-x64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.21.5.tgz", - "integrity": "sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.12.tgz", + "integrity": "sha512-5jbb+2hhDHx5phYR2By8GTWEzn6I9UqR11Kwf22iKbNpYrsmRB18aX/9ivc5cabcUiAT/wM+YIZ6SG9QO6a8kg==", "cpu": [ "x64" ], @@ -433,13 +433,13 @@ "android" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/darwin-arm64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.21.5.tgz", - "integrity": "sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.12.tgz", + "integrity": "sha512-N3zl+lxHCifgIlcMUP5016ESkeQjLj/959RxxNYIthIg+CQHInujFuXeWbWMgnTo4cp5XVHqFPmpyu9J65C1Yg==", "cpu": [ "arm64" ], @@ -450,13 +450,13 @@ "darwin" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/darwin-x64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.21.5.tgz", - "integrity": "sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.12.tgz", + "integrity": "sha512-HQ9ka4Kx21qHXwtlTUVbKJOAnmG1ipXhdWTmNXiPzPfWKpXqASVcWdnf2bnL73wgjNrFXAa3yYvBSd9pzfEIpA==", "cpu": [ "x64" ], @@ -467,13 +467,13 @@ "darwin" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/freebsd-arm64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.21.5.tgz", - "integrity": "sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.12.tgz", + "integrity": "sha512-gA0Bx759+7Jve03K1S0vkOu5Lg/85dou3EseOGUes8flVOGxbhDDh/iZaoek11Y8mtyKPGF3vP8XhnkDEAmzeg==", "cpu": [ "arm64" ], @@ -484,13 +484,13 @@ "freebsd" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/freebsd-x64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.21.5.tgz", - "integrity": "sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.12.tgz", + "integrity": "sha512-TGbO26Yw2xsHzxtbVFGEXBFH0FRAP7gtcPE7P5yP7wGy7cXK2oO7RyOhL5NLiqTlBh47XhmIUXuGciXEqYFfBQ==", "cpu": [ "x64" ], @@ -501,13 +501,13 @@ "freebsd" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-arm": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.21.5.tgz", - "integrity": "sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.12.tgz", + "integrity": "sha512-lPDGyC1JPDou8kGcywY0YILzWlhhnRjdof3UlcoqYmS9El818LLfJJc3PXXgZHrHCAKs/Z2SeZtDJr5MrkxtOw==", "cpu": [ "arm" ], @@ -518,13 +518,13 @@ "linux" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-arm64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.21.5.tgz", - "integrity": "sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.12.tgz", + "integrity": "sha512-8bwX7a8FghIgrupcxb4aUmYDLp8pX06rGh5HqDT7bB+8Rdells6mHvrFHHW2JAOPZUbnjUpKTLg6ECyzvas2AQ==", "cpu": [ "arm64" ], @@ -535,13 +535,13 @@ "linux" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-ia32": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.21.5.tgz", - "integrity": "sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.12.tgz", + "integrity": "sha512-0y9KrdVnbMM2/vG8KfU0byhUN+EFCny9+8g202gYqSSVMonbsCfLjUO+rCci7pM0WBEtz+oK/PIwHkzxkyharA==", "cpu": [ "ia32" ], @@ -552,13 +552,13 @@ "linux" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-loong64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.21.5.tgz", - "integrity": "sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.12.tgz", + "integrity": "sha512-h///Lr5a9rib/v1GGqXVGzjL4TMvVTv+s1DPoxQdz7l/AYv6LDSxdIwzxkrPW438oUXiDtwM10o9PmwS/6Z0Ng==", "cpu": [ "loong64" ], @@ -569,13 +569,13 @@ "linux" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-mips64el": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.21.5.tgz", - "integrity": "sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.12.tgz", + "integrity": "sha512-iyRrM1Pzy9GFMDLsXn1iHUm18nhKnNMWscjmp4+hpafcZjrr2WbT//d20xaGljXDBYHqRcl8HnxbX6uaA/eGVw==", "cpu": [ "mips64el" ], @@ -586,13 +586,13 @@ "linux" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-ppc64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.21.5.tgz", - "integrity": "sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.12.tgz", + "integrity": "sha512-9meM/lRXxMi5PSUqEXRCtVjEZBGwB7P/D4yT8UG/mwIdze2aV4Vo6U5gD3+RsoHXKkHCfSxZKzmDssVlRj1QQA==", "cpu": [ "ppc64" ], @@ -603,13 +603,13 @@ "linux" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-riscv64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.21.5.tgz", - "integrity": "sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.12.tgz", + "integrity": "sha512-Zr7KR4hgKUpWAwb1f3o5ygT04MzqVrGEGXGLnj15YQDJErYu/BGg+wmFlIDOdJp0PmB0lLvxFIOXZgFRrdjR0w==", "cpu": [ "riscv64" ], @@ -620,13 +620,13 @@ "linux" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-s390x": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.21.5.tgz", - "integrity": "sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.12.tgz", + "integrity": "sha512-MsKncOcgTNvdtiISc/jZs/Zf8d0cl/t3gYWX8J9ubBnVOwlk65UIEEvgBORTiljloIWnBzLs4qhzPkJcitIzIg==", "cpu": [ "s390x" ], @@ -637,13 +637,13 @@ "linux" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-x64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.21.5.tgz", - "integrity": "sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.12.tgz", + "integrity": "sha512-uqZMTLr/zR/ed4jIGnwSLkaHmPjOjJvnm6TVVitAa08SLS9Z0VM8wIRx7gWbJB5/J54YuIMInDquWyYvQLZkgw==", "cpu": [ "x64" ], @@ -654,13 +654,30 @@ "linux" ], "engines": { - "node": ">=12" + "node": ">=18" + } + }, + "node_modules/@esbuild/netbsd-arm64": { + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.12.tgz", + "integrity": "sha512-xXwcTq4GhRM7J9A8Gv5boanHhRa/Q9KLVmcyXHCTaM4wKfIpWkdXiMog/KsnxzJ0A1+nD+zoecuzqPmCRyBGjg==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "netbsd" + ], + "engines": { + "node": ">=18" } }, "node_modules/@esbuild/netbsd-x64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.21.5.tgz", - "integrity": "sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.12.tgz", + "integrity": "sha512-Ld5pTlzPy3YwGec4OuHh1aCVCRvOXdH8DgRjfDy/oumVovmuSzWfnSJg+VtakB9Cm0gxNO9BzWkj6mtO1FMXkQ==", "cpu": [ "x64" ], @@ -671,13 +688,30 @@ "netbsd" ], "engines": { - "node": ">=12" + "node": ">=18" + } + }, + "node_modules/@esbuild/openbsd-arm64": { + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.12.tgz", + "integrity": "sha512-fF96T6KsBo/pkQI950FARU9apGNTSlZGsv1jZBAlcLL1MLjLNIWPBkj5NlSz8aAzYKg+eNqknrUJ24QBybeR5A==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openbsd" + ], + "engines": { + "node": ">=18" } }, "node_modules/@esbuild/openbsd-x64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.21.5.tgz", - "integrity": "sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.12.tgz", + "integrity": "sha512-MZyXUkZHjQxUvzK7rN8DJ3SRmrVrke8ZyRusHlP+kuwqTcfWLyqMOE3sScPPyeIXN/mDJIfGXvcMqCgYKekoQw==", "cpu": [ "x64" ], @@ -688,13 +722,30 @@ "openbsd" ], "engines": { - "node": ">=12" + "node": ">=18" + } + }, + "node_modules/@esbuild/openharmony-arm64": { + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.25.12.tgz", + "integrity": "sha512-rm0YWsqUSRrjncSXGA7Zv78Nbnw4XL6/dzr20cyrQf7ZmRcsovpcRBdhD43Nuk3y7XIoW2OxMVvwuRvk9XdASg==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openharmony" + ], + "engines": { + "node": ">=18" } }, "node_modules/@esbuild/sunos-x64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.21.5.tgz", - "integrity": "sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.12.tgz", + "integrity": "sha512-3wGSCDyuTHQUzt0nV7bocDy72r2lI33QL3gkDNGkod22EsYl04sMf0qLb8luNKTOmgF/eDEDP5BFNwoBKH441w==", "cpu": [ "x64" ], @@ -705,13 +756,13 @@ "sunos" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/win32-arm64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.21.5.tgz", - "integrity": "sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.12.tgz", + "integrity": "sha512-rMmLrur64A7+DKlnSuwqUdRKyd3UE7oPJZmnljqEptesKM8wx9J8gx5u0+9Pq0fQQW8vqeKebwNXdfOyP+8Bsg==", "cpu": [ "arm64" ], @@ -722,13 +773,13 @@ "win32" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/win32-ia32": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.21.5.tgz", - "integrity": "sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.12.tgz", + "integrity": "sha512-HkqnmmBoCbCwxUKKNPBixiWDGCpQGVsrQfJoVGYLPT41XWF8lHuE5N6WhVia2n4o5QK5M4tYr21827fNhi4byQ==", "cpu": [ "ia32" ], @@ -739,13 +790,13 @@ "win32" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/win32-x64": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.21.5.tgz", - "integrity": "sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.12.tgz", + "integrity": "sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA==", "cpu": [ "x64" ], @@ -756,7 +807,7 @@ "win32" ], "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@iconify-json/simple-icons": { @@ -1706,9 +1757,9 @@ } }, "node_modules/esbuild": { - "version": "0.21.5", - "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz", - "integrity": "sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==", + "version": "0.25.12", + "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.12.tgz", + "integrity": "sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg==", "dev": true, "hasInstallScript": true, "license": "MIT", @@ -1716,32 +1767,35 @@ "esbuild": "bin/esbuild" }, "engines": { - "node": ">=12" + "node": ">=18" }, "optionalDependencies": { - "@esbuild/aix-ppc64": "0.21.5", - "@esbuild/android-arm": "0.21.5", - "@esbuild/android-arm64": "0.21.5", - "@esbuild/android-x64": "0.21.5", - "@esbuild/darwin-arm64": "0.21.5", - "@esbuild/darwin-x64": "0.21.5", - "@esbuild/freebsd-arm64": "0.21.5", - "@esbuild/freebsd-x64": "0.21.5", - "@esbuild/linux-arm": "0.21.5", - "@esbuild/linux-arm64": "0.21.5", - "@esbuild/linux-ia32": "0.21.5", - "@esbuild/linux-loong64": "0.21.5", - "@esbuild/linux-mips64el": "0.21.5", - "@esbuild/linux-ppc64": "0.21.5", - "@esbuild/linux-riscv64": "0.21.5", - "@esbuild/linux-s390x": "0.21.5", - "@esbuild/linux-x64": "0.21.5", - "@esbuild/netbsd-x64": "0.21.5", - "@esbuild/openbsd-x64": "0.21.5", - "@esbuild/sunos-x64": "0.21.5", - "@esbuild/win32-arm64": "0.21.5", - "@esbuild/win32-ia32": "0.21.5", - "@esbuild/win32-x64": "0.21.5" + "@esbuild/aix-ppc64": "0.25.12", + "@esbuild/android-arm": "0.25.12", + "@esbuild/android-arm64": "0.25.12", + "@esbuild/android-x64": "0.25.12", + "@esbuild/darwin-arm64": "0.25.12", + "@esbuild/darwin-x64": "0.25.12", + "@esbuild/freebsd-arm64": "0.25.12", + "@esbuild/freebsd-x64": "0.25.12", + "@esbuild/linux-arm": "0.25.12", + "@esbuild/linux-arm64": "0.25.12", + "@esbuild/linux-ia32": "0.25.12", + "@esbuild/linux-loong64": "0.25.12", + "@esbuild/linux-mips64el": "0.25.12", + "@esbuild/linux-ppc64": "0.25.12", + "@esbuild/linux-riscv64": "0.25.12", + "@esbuild/linux-s390x": "0.25.12", + "@esbuild/linux-x64": "0.25.12", + "@esbuild/netbsd-arm64": "0.25.12", + "@esbuild/netbsd-x64": "0.25.12", + "@esbuild/openbsd-arm64": "0.25.12", + "@esbuild/openbsd-x64": "0.25.12", + "@esbuild/openharmony-arm64": "0.25.12", + "@esbuild/sunos-x64": "0.25.12", + "@esbuild/win32-arm64": "0.25.12", + "@esbuild/win32-ia32": "0.25.12", + "@esbuild/win32-x64": "0.25.12" } }, "node_modules/estree-walker": { @@ -1751,6 +1805,24 @@ "dev": true, "license": "MIT" }, + "node_modules/fdir": { + "version": "6.5.0", + "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz", + "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=12.0.0" + }, + "peerDependencies": { + "picomatch": "^3 || ^4" + }, + "peerDependenciesMeta": { + "picomatch": { + "optional": true + } + } + }, "node_modules/focus-trap": { "version": "7.8.0", "resolved": "https://registry.npmjs.org/focus-trap/-/focus-trap-7.8.0.tgz", @@ -2037,6 +2109,19 @@ "dev": true, "license": "ISC" }, + "node_modules/picomatch": { + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.5.tgz", + "integrity": "sha512-RvwwcruNjI1ncT5xRakeyS9Lf8lcItv34KD+aif+VH9kduAyfYBipGh12274xtenIPZ119/R9BdTBa8gAwSh0A==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/jonschlinkert" + } + }, "node_modules/postcss": { "version": "8.5.15", "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.15.tgz", @@ -2258,6 +2343,23 @@ "dev": true, "license": "MIT" }, + "node_modules/tinyglobby": { + "version": "0.2.17", + "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.17.tgz", + "integrity": "sha512-wXR/dYpcqKmfWpEdZjiKJOwCNFndD0DMnrW/cYjVGttEkBfVgcLFHoNrlj47mjOVic9yyNu65alsgF4NQyTa2g==", + "dev": true, + "license": "MIT", + "dependencies": { + "fdir": "^6.5.0", + "picomatch": "^4.0.4" + }, + "engines": { + "node": ">=12.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/SuperchupuDev" + } + }, "node_modules/trim-lines": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/trim-lines/-/trim-lines-3.0.1.tgz", @@ -2373,21 +2475,24 @@ } }, "node_modules/vite": { - "version": "5.4.21", - "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.21.tgz", - "integrity": "sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==", + "version": "6.4.3", + "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.3.tgz", + "integrity": "sha512-NTKlcQjlAK7MlQoyb6LgaqHc8sso/pVyUJYWMws3jg21uTJw/LddqIFPcPqP6PzpgbIcZyKI85sFE4HBrQDA8A==", "dev": true, "license": "MIT", "dependencies": { - "esbuild": "^0.21.3", - "postcss": "^8.4.43", - "rollup": "^4.20.0" + "esbuild": "^0.25.0", + "fdir": "^6.4.4", + "picomatch": "^4.0.2", + "postcss": "^8.5.3", + "rollup": "^4.34.9", + "tinyglobby": "^0.2.13" }, "bin": { "vite": "bin/vite.js" }, "engines": { - "node": "^18.0.0 || >=20.0.0" + "node": "^18.0.0 || ^20.0.0 || >=22.0.0" }, "funding": { "url": "https://github.com/vitejs/vite?sponsor=1" @@ -2396,19 +2501,25 @@ "fsevents": "~2.3.3" }, "peerDependencies": { - "@types/node": "^18.0.0 || >=20.0.0", + "@types/node": "^18.0.0 || ^20.0.0 || >=22.0.0", + "jiti": ">=1.21.0", "less": "*", "lightningcss": "^1.21.0", "sass": "*", "sass-embedded": "*", "stylus": "*", "sugarss": "*", - "terser": "^5.4.0" + "terser": "^5.16.0", + "tsx": "^4.8.1", + "yaml": "^2.4.2" }, "peerDependenciesMeta": { "@types/node": { "optional": true }, + "jiti": { + "optional": true + }, "less": { "optional": true }, @@ -2429,6 +2540,12 @@ }, "terser": { "optional": true + }, + "tsx": { + "optional": true + }, + "yaml": { + "optional": true } } }, diff --git a/package.json b/package.json index 5393595..879c8b7 100644 --- a/package.json +++ b/package.json @@ -3,10 +3,14 @@ "private": true, "type": "module", "scripts": { - "docs:dev": "vitepress .", - "docs:build": "vitepress build .", + "docs:sync": "node scripts/sync-docs.mjs", + "docs:dev": "npm run docs:sync && vitepress .", + "docs:build": "npm run docs:sync && vitepress build .", "docs:preview": "vitepress preview .", - "check": "npm run docs:build" + "check": "npm run docs:build && node scripts/check-privacy.mjs" + }, + "overrides": { + "vite": "6.4.3" }, "devDependencies": { "vitepress": "1.6.4" diff --git a/privacy.md b/privacy.md new file mode 100644 index 0000000..12f7549 --- /dev/null +++ b/privacy.md @@ -0,0 +1,23 @@ +--- +editLink: false +--- + +# Privacy + +DiffPal's documentation site uses Google Analytics only after you choose +**Accept analytics**. No analytics script or request is loaded before consent. + +When enabled, analytics helps the DiffPal maintainers understand aggregate page +usage, navigation, device category, and approximate region. DiffPal does not use +the site analytics integration for advertising or sell analytics data. Google +processes analytics data under its own terms and privacy controls. + +Your choice is stored in your browser's local storage. Use the **Privacy +choices** control at the bottom of any page to change or withdraw that choice. +Withdrawing consent prevents future analytics collection from this browser; it +does not retroactively delete aggregate data already processed. + +For questions about this site or its privacy practices, contact the DiffPal +maintainers through the [DiffPal GitHub organization](https://github.com/diffpal). + +Last updated: July 10, 2026. diff --git a/providers-and-agents.md b/providers-and-agents.md deleted file mode 100644 index c7e0042..0000000 --- a/providers-and-agents.md +++ /dev/null @@ -1,44 +0,0 @@ -# Providers And Agents - -DiffPal separates provider selection from CI and code host setup. - -## Provider Versus Agent - -A provider is the configured runtime entry under `runtime.providers`. It tells -DiffPal which review runtime to use and which provider-specific settings belong -to that runtime. - -An agent is the actual process that performs model-backed review work. For -ACP-based providers, the agent is a CLI process that starts an ACP stdio server. -For hosted provider types, the runtime talks to the hosted API described by the -provider config. - -DiffPal sends the review task and validates the response. The provider or agent -owns model behavior, account access, provider tools, sandbox behavior, and -credentials. - -## Built-In Provider Type Versus Generic ACP - -Built-in provider types encode the known config shape for supported runtimes, -such as Codex ACP, Copilot ACP, and OpenCode ACP. They keep common setup -predictable and let generated configs use stable provider IDs. - -`generic_acp` is the escape hatch for any CLI that can start an ACP stdio -server. DiffPal does not need provider-specific behavior for that path; it only -needs the command that starts the ACP-compatible agent. - -Use [Providers](/providers) for setup pages and -[Configuration](/configuration) for the exhaustive config -contract. - -## Authentication Ownership - -DiffPal does not create, license, or manage third-party provider accounts. -Provider authentication belongs to the provider and to your CI secret -management. Install and authenticate the selected provider before the DiffPal -review step, keep provider credentials out of untrusted fork jobs, and avoid -committing secrets to `.config/diffpal/config.yaml`. - -Platform publishing credentials are separate from provider credentials. A CI -job may need both: one credential lets the provider perform review reasoning, -and another lets DiffPal publish feedback to GitHub, GitLab, or Azure DevOps. diff --git a/providers.md b/providers.md deleted file mode 100644 index 30f0bfa..0000000 --- a/providers.md +++ /dev/null @@ -1,65 +0,0 @@ -# Providers - -Use this section to choose and configure the review provider that DiffPal runs -inside your CI job. - -DiffPal does not own or manage third-party provider accounts. Create, license, -authenticate, and secure the provider account or CLI with that provider's own -tools. - -For the conceptual difference between providers and agents, see -[Providers and agents](/providers-and-agents). - -## Concepts - -| Term | Meaning | -| --- | --- | -| Code host | The system that owns pull requests or merge requests, such as GitHub, GitLab, or Azure DevOps. | -| CI system | The runner that checks out the repository and executes DiffPal, such as GitHub Actions, GitLab CI, Azure Pipelines, or a custom runner. | -| Provider | The configured runtime entry that DiffPal asks to perform review reasoning. | -| Agent | The provider-backed CLI or ACP-compatible process that inspects the requested change or repository context and returns structured review output. | - -The code host decides where feedback is published. The CI system decides how -commands and secrets run. The provider or agent decides which model, account, -tools, sandbox, and credentials are used for review. - -## Provider Selection - -DiffPal selects one provider by matching `diffpal.provider` to an entry under -`runtime.providers`: - -```yaml -runtime: - providers: - codex-acp: - type: codex_acp - codex_acp: - reasoning_effort: low - -diffpal: - provider: codex-acp -``` - -The selected provider ID must exist in `runtime.providers`. Profiles and the -`DIFFPAL_PROVIDER` environment variable can override the selected provider for a -specific CI job. - -## Choose A Provider - -| Provider path | Use when | Setup name | Config example | -| --- | --- | --- | --- | -| [Codex](/codex) | You want the default copy-paste onboarding path or an existing Codex auth file in trusted CI. | `codex-api-key` or `codex-subscription` | [`examples/configs/codex-api-key/config.yaml`](https://github.com/diffpal/diffpal/blob/main/examples/configs/codex-api-key/config.yaml) | -| [Copilot](/copilot) | Your organization already uses Copilot and can provide a supported Copilot token to CI. | `copilot-github-token` | [`examples/configs/copilot-github-token/config.yaml`](https://github.com/diffpal/diffpal/blob/main/examples/configs/copilot-github-token/config.yaml) | -| [OpenCode](/opencode) | You want DiffPal to run through an OpenCode ACP provider already installed and authenticated in CI. | `opencode-acp` | [`examples/configs/opencode-acp/config.yaml`](https://github.com/diffpal/diffpal/blob/main/examples/configs/opencode-acp/config.yaml) | -| [Custom ACP CLI](/custom-acp) | You have another CLI that can start an ACP stdio server. | `generic-acp` | [`examples/configs/generic-acp/config.yaml`](https://github.com/diffpal/diffpal/blob/main/examples/configs/generic-acp/config.yaml) | - -These setup names are accepted by: - -```bash -diffpal init --wizard --setup --platform github -``` - -Use the provider page for install and authentication, then use the -[Integrations](/integrations) section for host-specific CI syntax. - -Next step: open the setup page for the provider you plan to authenticate in CI. diff --git a/public/llms.txt b/public/llms.txt index d255209..3a67bdc 100644 --- a/public/llms.txt +++ b/public/llms.txt @@ -50,6 +50,8 @@ - [FAQ](/faq): Short answers for product, provider, CI, and artifact questions. - [Security Controls](/security): Trust boundaries, credentials, and artifact handling. - [Secrets And Fork Pull Requests](/secrets-and-fork-prs): Safe patterns for secret-backed review. +- [Migrate To v1](/migrate-to-v1): Remove obsolete local state and verify host reconciliation. +- [Privacy](/privacy): Consent-first analytics and privacy choices. ## Optional diff --git a/reference.md b/reference.md deleted file mode 100644 index 275551c..0000000 --- a/reference.md +++ /dev/null @@ -1,17 +0,0 @@ -# Reference - -Use this section for stable user-facing contracts. - -- [Configuration](/configuration): config hierarchy, defaults, required - fields, allowed values, profiles, platform auth, and environment overrides. -- [CLI](/cli): installation, commands, flags, environment inputs, outputs, and - examples. -- [Findings schema](/findings-schema): canonical findings bundle and - compatibility expectations. -- [Artifacts](/artifacts): public output paths, formats, creation conditions, - consumers, and retention advice. -- [Exit behavior](/exit-behavior): success, blocking, setup, provider, diff, - publishing, and gate behavior. -- [Versioning](/versioning): CLI/package, config, and artifact compatibility. -- [Support matrix](/support-matrix): supported hosts, publishers, feedback - surfaces, provider types, and stability. diff --git a/review-lifecycle.md b/review-lifecycle.md deleted file mode 100644 index 8c5fce6..0000000 --- a/review-lifecycle.md +++ /dev/null @@ -1,57 +0,0 @@ -# Review Lifecycle - -DiffPal review is a CI job lifecycle. Each stage has a distinct role so -failures are clear and artifacts are consistent. - -## Review Scope Resolution - -DiffPal resolves the base and head revisions for the pull request, merge -request, or candidate commit. It records changed files, changed line ranges, -and related metadata that define the review scope. - -Shallow clones, missing target branches, or incorrect base/head values usually -break this stage. Host-specific setup pages describe the required checkout -behavior. - -## Review Request - -DiffPal combines the review scope metadata, repository configuration, review -instructions, language, and gate threshold into a provider request. The selected -provider or ACP-compatible agent inspects the requested `base..head` change with -its available tools. - -## Structured Findings - -The provider returns structured review output: a change summary and zero or -more findings. A finding describes a concrete issue, its severity, category, -impact, and the changed lines it applies to. - -## Validation - -DiffPal validates and normalizes provider output before publishing it. Findings -must map back to the reviewed change and the configured schema. Invalid or -unanchored output is not treated as publishable inline feedback. - -## Publishing - -When a native publisher is selected, DiffPal turns validated output into host -feedback such as a pull request summary, merge request discussion, file-level -comment, status, SARIF, or Code Quality report. The exact surfaces depend on -the code host and feedback mode. - -## Artifact Generation - -DiffPal writes machine-readable and human-readable artifacts under -`.artifacts/diffpal/`. These artifacts are useful for audit trails, downstream -CI steps, and supported report surfaces. - -## Optional Gate - -The gate is separate from feedback. When enabled, DiffPal compares findings to -the configured blocking threshold and returns a failing CI result if blocking -findings exist. When disabled, feedback and artifacts can still show blocking -findings without failing the merge check. - -For exact config fields and exit behavior, use -[Configuration](/configuration) and -[Exit behavior](/exit-behavior). diff --git a/scripts/check-privacy.mjs b/scripts/check-privacy.mjs new file mode 100644 index 0000000..f87ff02 --- /dev/null +++ b/scripts/check-privacy.mjs @@ -0,0 +1,12 @@ +import fs from 'node:fs' +import path from 'node:path' + +const dist = path.resolve('.vitepress/dist') +const index = fs.readFileSync(path.join(dist, 'index.html'), 'utf8') +if (index.includes('googletagmanager.com') || index.includes('G-B8G6D7K9SQ')) { + throw new Error('analytics must not be embedded in the initial HTML response') +} +if (!fs.existsSync(path.join(dist, 'privacy.html'))) { + throw new Error('privacy page was not generated') +} +console.log('consent-first analytics checks passed') diff --git a/scripts/sync-docs.mjs b/scripts/sync-docs.mjs new file mode 100644 index 0000000..22fb8e1 --- /dev/null +++ b/scripts/sync-docs.mjs @@ -0,0 +1,87 @@ +import fs from 'node:fs' +import path from 'node:path' + +const root = process.cwd() +const lock = JSON.parse(fs.readFileSync(path.join(root, 'docs-source.json'), 'utf8')) +const sourceDir = path.resolve(root, process.env.DIFFPAL_DOCS_DIR || '.source/diffpal/docs') +const repositoryRoot = path.dirname(sourceDir) +const generatedDir = path.join(root, '.generated') + +if (!fs.existsSync(sourceDir)) { + throw new Error(`canonical docs directory not found: ${sourceDir}`) +} + +function markdownFiles(dir) { + return fs.readdirSync(dir, { withFileTypes: true }).flatMap((entry) => { + const fullPath = path.join(dir, entry.name) + if (entry.isDirectory()) return markdownFiles(fullPath) + return entry.isFile() && entry.name.endsWith('.md') ? [fullPath] : [] + }) +} + +function destinationFor(relativePath) { + const normalized = relativePath.split(path.sep).join('/') + if (normalized === 'README.md') return 'docs.md' + if (path.posix.basename(normalized) === 'README.md') { + return `${path.posix.basename(path.posix.dirname(normalized))}.md` + } + return path.posix.basename(normalized) +} + +const sources = markdownFiles(sourceDir) +const destinations = new Map() +const sourceByAbsolutePath = new Map() +for (const source of sources) { + const relative = path.relative(sourceDir, source).split(path.sep).join('/') + const destination = destinationFor(relative) + if (destinations.has(destination)) { + throw new Error(`duplicate flattened docs destination ${destination}`) + } + destinations.set(destination, relative) + sourceByAbsolutePath.set(path.resolve(source), destination) +} + +function rewriteTarget(target, source) { + if (/^(?:[a-z]+:|#|\/)/i.test(target)) return target + const match = target.match(/^([^#?]+)([?#].*)?$/) + if (!match) return target + const resolved = path.resolve(path.dirname(source), match[1]) + const suffix = match[2] || '' + const destination = sourceByAbsolutePath.get(resolved) + if (destination) return `/${destination.replace(/\.md$/, '')}${suffix}` + if (!resolved.startsWith(repositoryRoot + path.sep)) return target + + const relative = path.relative(repositoryRoot, resolved).split(path.sep).join('/') + const kind = fs.existsSync(resolved) && fs.statSync(resolved).isDirectory() ? 'tree' : 'blob' + return `https://github.com/${lock.repository}/${kind}/${lock.ref}/${relative}${suffix}` +} + +function rewriteMarkdown(content, source) { + return content.replace(/(!?\[[^\]]*\]\()([^\s)]+)([^)]*\))/g, (_match, prefix, target, suffix) => { + return `${prefix}${rewriteTarget(target, source)}${suffix}` + }) +} + +fs.rmSync(generatedDir, { recursive: true, force: true }) +fs.mkdirSync(generatedDir, { recursive: true }) + +const rewrites = {} +for (const [destination, relative] of destinations) { + const source = path.join(sourceDir, relative) + const output = path.join(generatedDir, relative) + fs.mkdirSync(path.dirname(output), { recursive: true }) + fs.writeFileSync(output, rewriteMarkdown(fs.readFileSync(source, 'utf8'), source)) + const stat = fs.statSync(source) + fs.utimesSync(output, stat.atime, stat.mtime) + rewrites[relative] = destination +} + +for (const sitePage of ['index.md', 'privacy.md']) { + const output = path.join(generatedDir, 'site', sitePage) + fs.mkdirSync(path.dirname(output), { recursive: true }) + fs.copyFileSync(path.join(root, sitePage), output) + rewrites[`site/${sitePage}`] = sitePage +} + +fs.writeFileSync(path.join(root, '.generated-rewrites.json'), `${JSON.stringify(rewrites, null, 2)}\n`) +console.log(`generated ${destinations.size} canonical docs pages from ${lock.repository}@${lock.ref}`) diff --git a/secrets-and-fork-prs.md b/secrets-and-fork-prs.md deleted file mode 100644 index 86ee0ea..0000000 --- a/secrets-and-fork-prs.md +++ /dev/null @@ -1,140 +0,0 @@ -# Secrets And Fork Pull Requests - -Use this guide when you add provider credentials, host publishing tokens, or -fork pull request handling to a DiffPal workflow. - -DiffPal runs in your CI and sends review input to the provider you configure. -When you use a remote provider, the reviewed diff and review instructions can -leave the CI job and be processed by that third-party provider. - -## What Receives Repository Content - -The CI job checks out the repository working tree and runs DiffPal in that -workspace. DiffPal resolves the configured base/head review scope, reads -repository-owned configuration, and applies review instructions. - -The selected provider or ACP-compatible agent receives the review request that -DiffPal builds for that scope. For remote providers, that request is sent outside -the CI runner according to the provider's own service terms and account settings, -and the provider or agent may inspect source context according to its -configuration. - -Host publishers receive validated review output. GitHub, GitLab, and Azure -DevOps receive summaries, comments, discussions, threads, statuses, or reports -only when you run a publishing command or action with host credentials. - -## Credential Types - -Provider credentials authenticate the AI provider or agent. Examples include: - -| Credential | Belongs to | -| --- | --- | -| `OPENAI_API_KEY` | Codex API-key provider authentication | -| `CODEX_AUTH_JSON_B64` | Codex subscription auth restored inside CI | -| `COPILOT_GITHUB_TOKEN` | Copilot CLI provider authentication | -| Custom provider secrets | The ACP-compatible CLI or provider you configure | - -Host credentials authenticate the code host publisher. Examples include: - -| Credential | Belongs to | -| --- | --- | -| `GITHUB_TOKEN` | GitHub pull request review and comments | -| `CI_JOB_TOKEN` or `GITLAB_TOKEN` | GitLab merge request discussions, status, and reports | -| `SYSTEM_ACCESSTOKEN` or `AZURE_DEVOPS_EXT_PAT` | Azure DevOps PR threads and status | - -Keep provider credentials separate from host credentials so each secret can use -the least privilege needed for its own system. - -## Minimum Host Permissions - -Use the smallest host permission set that supports the configured feedback -mode. - -| Host | Minimum verified permissions | -| --- | --- | -| GitHub | `contents: read` and `pull-requests: write` for PR summaries and review comments. | -| GitLab | A job token or API token that can read the project, create merge request discussions, and publish commit status. Code Quality and SARIF reports are uploaded by the CI artifacts mechanism. | -| Azure DevOps | Pipeline OAuth access through `System.AccessToken` for PR threads and status, or a dedicated PAT with equivalent PR thread/status permission when required by the organization. | - -Artifact-only `diffpal review local` does not need a host publishing token, but -it still needs provider credentials when the configured provider is remote. - -## Protected And Masked Secrets - -Store provider and host credentials as CI secrets or protected variables. Mark -them masked when the CI system supports masking, and restrict them to trusted -branches, protected environments, same-repository pull requests, or -maintainer-approved jobs. - -Do not commit provider credentials to `.config/diffpal/config.yaml`, workflow -files, examples, artifacts, or issue comments. - -## Fork Pull Request Safety - -Untrusted fork pipelines must not receive provider credentials. A fork author -can change workflow files, package scripts, build hooks, provider commands, or -test code in ways that run before or during the review job. - -Safe patterns for external contributions: - -- Run normal no-secret CI on fork pull requests. -- Run DiffPal with provider credentials only on same-repository pull requests. -- Use a maintainer-approved job that does not execute fork-controlled code with - secrets. -- Review workflow changes before manually re-running any credentialed job. -- Keep `pull_request_target` jobs away from PR-head checkout, package installs, - build scripts, hooks, provider CLIs, and other fork-controlled execution. - -GitHub Actions workflows should keep a same-repository guard next to the -credentialed review job: - -```yaml -if: ${{ !github.event.pull_request.draft && github.event.pull_request.head.repo.full_name == github.repository }} -``` - -GitLab CI can combine same-project merge request conditions, protected -variables, and a manual maintainer gate such as `DIFFPAL_TRUSTED_REVIEW`. - -Azure Pipelines can skip credentialed review for fork validation with: - -```yaml -condition: and(succeeded(), ne(variables['System.PullRequest.IsFork'], 'True')) -``` - -## Artifact Retention - -DiffPal artifacts can contain file paths, line numbers, findings, summaries, -and snippets or descriptions derived from reviewed code. Treat -`.artifacts/diffpal/` as repository-sensitive output. - -Retain artifacts long enough for audit, debugging, SARIF ingestion, or Code -Quality ingestion. Avoid uploading them to public storage from private -repositories, and apply the same retention rules you use for CI logs and test -reports. - -## Log Redaction - -CI systems usually mask exact secret values, but masking is not a complete -redaction boundary. Avoid `set -x`, do not echo tokens, and do not print -restored provider auth files. Be careful with derived values, encoded secrets, -provider debug logs, and command-line arguments because they may not match the -secret value the CI system knows how to mask. - -If you need provider debugging, use the provider's own safe logging controls -and remove sensitive logs from retained artifacts. - -## Report A Security Issue - -This repository does not currently include a `SECURITY.md` policy file. If the -GitHub repository exposes **Report a vulnerability** on the Security tab, use -that private channel. Otherwise, open a GitHub issue with only a minimal, -non-sensitive description and ask maintainers for a private reporting channel. - -Do not paste secrets, exploit details, private code, provider responses, or -private artifacts into a public issue. - -See the public [Security controls](/security) page for the shorter control -summary. - -Next step: apply the trusted-source guard from your host integration page before -enabling provider credentials in CI. diff --git a/security.md b/security.md deleted file mode 100644 index 160c778..0000000 --- a/security.md +++ /dev/null @@ -1,58 +0,0 @@ -# Security Controls - -DiffPal runs in your CI and sends review input to the provider you configure. -This page summarizes the public security controls users should understand -before enabling provider-backed review. - -## Boundaries - -- The CI runner receives the repository checkout, DiffPal configuration, and - provider credentials made available to the job. -- DiffPal resolves the configured base/head review scope and sends review input - to the selected provider or ACP-compatible agent. -- The provider owns model execution, provider account security, and provider - credentials. -- GitHub, GitLab, and Azure DevOps publishers receive review output only when a - publishing command or action runs with host credentials. - -## Credential Controls - -Keep provider credentials and host credentials separate. - -Provider credentials include values such as `OPENAI_API_KEY`, -`CODEX_AUTH_JSON_B64`, `COPILOT_GITHUB_TOKEN`, and custom ACP provider tokens. -Host credentials include `GITHUB_TOKEN`, `CI_JOB_TOKEN`, `GITLAB_TOKEN`, -`SYSTEM_ACCESSTOKEN`, and `AZURE_DEVOPS_EXT_PAT`. - -Store credentials as protected and masked CI secrets. Give host tokens only the -minimum permission needed to publish the selected feedback mode. - -## Fork Pull Requests - -Do not expose provider or host credentials to untrusted fork code. Run -secret-backed DiffPal review only for same-repository pull requests, trusted -branches, or maintainer-approved jobs that do not execute fork-controlled code -with secrets. - -Use [Secrets and fork PRs](/secrets-and-fork-prs) for host-specific -guards and safe external contribution patterns. - -## Artifacts And Logs - -DiffPal artifacts and logs can contain repository-sensitive review output. -Retain `.artifacts/diffpal/` only where you need audit records, SARIF or Code -Quality ingestion, or troubleshooting. Do not rely on CI masking as the only -protection for debug logs or restored provider auth files. - -## Reporting Security Issues - -This repository does not currently include a `SECURITY.md` policy file. If the -GitHub repository exposes **Report a vulnerability** on the Security tab, use -that private channel. Otherwise, open a GitHub issue with a minimal, -non-sensitive description and ask maintainers for a private reporting channel. - -Do not include secrets, exploit details, private code, provider responses, or -private artifacts in a public issue. - -Next step: read [Secrets and fork PRs](/secrets-and-fork-prs) before -enabling provider credentials in CI. diff --git a/support-matrix.md b/support-matrix.md deleted file mode 100644 index 0ac0e7c..0000000 --- a/support-matrix.md +++ /dev/null @@ -1,50 +0,0 @@ -# Support Matrix - -This page lists the supported public surface confirmed by the repository. - -## Code Hosts And Publishers - -| Host / mode | Native publisher | Stable status | Guide | -| --- | --- | --- | --- | -| GitHub pull requests | GitHub publisher | Stable public surface | [GitHub Actions](/github-actions) | -| GitLab merge requests | GitLab publisher | Stable public surface | [GitLab CI](/gitlab-ci) | -| Azure DevOps pull requests | Azure DevOps publisher | Stable public surface | [Azure Pipelines](/azure-pipelines) | -| Custom CI/CD with unsupported code host | No native publisher | Artifact-only support | [Custom CI/CD](/custom-ci) | - -## Feedback Surfaces - -| Host | `summary` feedback | `review` feedback | -| --- | --- | --- | -| GitHub | Summary and SARIF | Summary, file-level PR review comments, SARIF | -| GitLab | Summary, status, SARIF, Code Quality | Summary, discussions, status, SARIF, Code Quality | -| Azure DevOps | Summary and status | Summary, PR threads, status | -| Custom CI/CD unsupported host | Local Markdown and artifacts | Local Markdown and artifacts | - -## Artifact Surfaces - -| Surface | GitHub | GitLab | Azure | Local/custom | -| --- | --- | --- | --- | --- | -| Findings bundle | yes | yes | yes | yes | -| Summary Markdown | yes | yes | yes | stdout unless captured | -| SARIF | yes | yes | no native surface | via `diffpal sarif` | -| GitLab Code Quality | no | yes | no | no | -| Host status | GitHub check/workflow status | GitLab commit status | Azure PR status | CI job status | - -## Provider Types - -Supported runtime provider types: - -| Type | Status | Notes | -| --- | --- | --- | -| `codex_acp` | Stable public setup | Default onboarding provider type. | -| `copilot_acp` | Stable public setup | Documented provider page and examples. | -| `opencode_acp` | Stable public setup | Documented provider page and config example. | -| `generic_acp` | Stable public setup | Bring your own ACP-compatible CLI. | -| `openai` | Supported config type | Hosted API config type; use when explicitly configured. | -| `aistudio` | Supported config type | Hosted API config type; use when explicitly configured. | -| `gemini_acp` | Supported runtime type | No dedicated public setup page in this docs set. | -| `claude_code_acp` | Supported runtime type | No dedicated public setup page in this docs set. | -| `pool` | Supported runtime type | Ordered provider failover config. | - -No provider account is managed by DiffPal. Provider authentication belongs to -the selected provider and CI secret management. diff --git a/troubleshooting.md b/troubleshooting.md deleted file mode 100644 index f52242e..0000000 --- a/troubleshooting.md +++ /dev/null @@ -1,331 +0,0 @@ -# Troubleshooting - -Use this page when a DiffPal run does not produce the expected host feedback, -artifacts, or gate result. Each entry starts from what you can observe in CI or -on the pull request. - -## Job Does Not Start - -**Symptom:** The DiffPal workflow, job, or task is not created for the pull -request or merge request. - -**Likely causes:** The CI trigger does not include PR/MR events, the PR is a -draft, a same-repository or trusted-review guard skipped the job, the workflow -file is not on the default branch, or the CI system is disabled for the -repository. - -**Diagnostic:** Check the CI event and guard expression first. For GitHub -Actions, confirm the workflow has a `pull_request` trigger and inspect whether -the job condition matches the PR: - -```yaml -if: ${{ !github.event.pull_request.draft && github.event.pull_request.head.repo.full_name == github.repository }} -``` - -**Fix:** Enable the PR/MR trigger for the selected CI system. Keep fork-safety -guards in place, but test the first run with a same-repository, non-draft pull -request. - -**Related:** [GitHub quickstart](/github-quickstart), -[GitHub Actions](/github-actions), and -[Secrets and fork PRs](/secrets-and-fork-prs). - -## Provider Authentication Fails - -**Symptom:** The job starts, but provider login or provider validation fails -before review output is produced. - -**Likely causes:** The provider CLI is not installed, the selected -`diffpal.provider` entry does not match an installed/authenticated provider, -the provider secret is missing in the trusted job, or the secret belongs to a -different provider account. - -**Diagnostic:** Run the host-specific doctor after provider installation and -authentication: - -```bash -diffpal --profile ci doctor --mode github -``` - -Use `--mode gitlab`, `--mode ado`, or `--mode local` for other runs. - -**Fix:** Install the provider command before DiffPal runs, expose the provider -secret only to trusted jobs, and follow the selected provider page for the -exact authentication command. - -**Related:** [Providers](/providers), -[CLI doctor](/cli#diffpal-doctor), and -[Secrets and fork PRs](/secrets-and-fork-prs). - -## DiffPal Cannot Find The Base Or Head Revision - -**Symptom:** The review fails during review scope resolution with missing, -ambiguous, or invalid base/head revisions. - -**Likely causes:** The checkout is shallow, the target branch was not fetched, -CI metadata is unavailable, `--base` or `--head` is empty, or the job is not -running in a PR/MR context. - -**Diagnostic:** Verify the revisions in the CI workspace: - -```bash -git rev-parse --verify "$BASE_SHA^{commit}" -git rev-parse --verify "$HEAD_SHA^{commit}" -git merge-base "$BASE_SHA" "$HEAD_SHA" -``` - -**Fix:** Use full checkout history. In GitHub Actions set `fetch-depth: 0`; in -GitLab CI set `GIT_DEPTH: "0"`; in Azure Pipelines set `fetchDepth: 0`. For -custom CI, explicitly fetch the target branch and pass stable `--base` and -`--head` values. - -**Related:** [GitHub Actions checkout](/github-actions#required-checkout-behavior), -[GitLab checkout](/gitlab-ci#required-checkout-behavior), -[Azure checkout](/azure-pipelines#required-checkout-behavior), -and [Custom CI base/head resolution](/custom-ci#base-and-head-resolution). - -## Review Completes But No Summary Appears - -**Symptom:** The provider-backed review finishes, but the PR/MR does not show a -DiffPal summary. - -**Likely causes:** Host publishing was denied, the wrong host command was used, -`diffpal review local` printed Markdown to stdout without publishing, GitHub -`--dry-run` was used, or `summary.md` was not retained from artifacts. - -**Diagnostic:** Check whether the command wrote a summary artifact: - -```bash -test -s .artifacts/diffpal/summary.md -``` - -For local review, check the redirected stdout file if your CI captures one. - -**Fix:** Use the matching host command or action for GitHub, GitLab, or Azure -DevOps. Ensure the host token is present with write permission and upload -`.artifacts/diffpal/` for retained summaries. - -**Related:** [Artifacts reference](/artifacts), -[Support matrix](/support-matrix), and -[Integrations](/integrations). - -## Summary Appears But Inline Findings Do Not - -**Symptom:** The PR/MR has a DiffPal summary, but no file-level comments, -discussions, or threads appear. - -**Likely causes:** `feedback` is set to `summary`, the host does not support -inline feedback for the selected mode, findings could not be anchored to -changed lines, or the provider returned no actionable file-level findings. - -**Diagnostic:** Confirm the run used review feedback: - -```bash -diffpal --profile ci review local --base origin/main --head HEAD --feedback review -``` - -Inspect `.artifacts/diffpal/findings.json` to see whether findings have changed -file locations. - -**Fix:** Set `feedback: review` or pass `--feedback review`. If findings exist -without changed-line locations, review the provider output and diff range; only -changed-file locations can become inline host feedback. - -**Related:** [Feedback modes](/integrations#feedback-modes), -[Findings, feedback, and gates](/findings-feedback-and-gates), -and [Findings schema](/findings-schema). - -## No Findings Were Produced - -**Symptom:** The review summary says no actionable findings were found, or the -findings bundle contains an empty findings list. - -**Likely causes:** The change has no issues that meet the review contract, the -diff range is too small or wrong, provider instructions are too narrow, or the -provider returned a valid no-findings result. - -**Diagnostic:** Confirm that the reviewed diff is the expected range: - -```bash -git diff --stat "$BASE_SHA" "$HEAD_SHA" -``` - -Then inspect `.artifacts/diffpal/findings.json`. - -**Fix:** If the diff range is wrong, fix base/head resolution. If the diff is -right, treat no findings as a completed review and tune repository instructions -only when the provider is consistently missing issues your team expects. - -**Related:** [Verify First Review](/verify-first-review), -[Review lifecycle](/review-lifecycle), and -[Configuration review settings](/configuration#review-settings). - -## Publishing Is Denied - -**Symptom:** Review generation succeeds, but publishing comments, discussions, -threads, statuses, SARIF, or reports fails. - -**Likely causes:** The host token is missing, read-only, scoped to the wrong -repository/project, unavailable to the job, or the host API URL is wrong for an -enterprise/self-managed instance. - -**Diagnostic:** Run doctor in the host mode: - -```bash -diffpal --profile ci doctor --mode gitlab -``` - -Use `github` or `ado` for the other native publishers. - -**Fix:** Provide the host credential documented for the selected platform and -grant the minimum write permission needed for the selected feedback surface. -Keep host credentials separate from provider credentials. - -**Related:** [Secrets and fork PRs](/secrets-and-fork-prs), -[GitHub token permissions](/github-actions#required-token-and-minimum-permissions), -[GitLab tokens](/gitlab-ci#required-token-and-minimum-permissions), -and [Azure token setup](/azure-pipelines#required-token-and-minimum-permissions). - -## Fork PRs Are Skipped - -**Symptom:** DiffPal does not run, or only no-secret CI runs, for a fork pull -request. - -**Likely causes:** The workflow intentionally protects provider and host -credentials from untrusted fork code. GitHub, GitLab, or Azure guards can skip -credentialed review for fork contributions. - -**Diagnostic:** Inspect the CI condition or rules. GitHub examples use: - -```yaml -if: ${{ !github.event.pull_request.draft && github.event.pull_request.head.repo.full_name == github.repository }} -``` - -Azure examples use `System.PullRequest.IsFork`; GitLab examples use -same-project MR conditions and a maintainer-controlled trusted-review guard. - -**Fix:** Keep the skip for untrusted fork code. For external contributions, run -no-secret CI or use a maintainer-approved workflow that does not execute -fork-controlled code with secrets. - -**Related:** [Secrets and fork PRs](/secrets-and-fork-prs), -[GitHub Actions fork behavior](/github-actions#fork-or-untrusted-contribution-behavior), -[GitLab fork behavior](/gitlab-ci#fork-or-untrusted-contribution-behavior), -and [Azure fork behavior](/azure-pipelines#fork-or-untrusted-contribution-behavior). - -## Expected Artifacts Are Missing - -**Symptom:** The CI job finishes, but `.artifacts/diffpal/findings.json`, -`summary.md`, or host-specific artifacts are not available after the job. - -**Likely causes:** The command failed before writing artifacts, `--out` changed -the findings path, `diffpal review local` printed Markdown to stdout instead -of creating `summary.md`, CI did not upload `.artifacts/diffpal/`, or a dry-run -did not create host artifacts. - -**Diagnostic:** List the artifact directory inside the job: - -```bash -find .artifacts/diffpal -maxdepth 1 -type f -print -``` - -**Fix:** Upload `.artifacts/diffpal/` from CI. For local review, redirect -stdout to `.artifacts/diffpal/summary.md` when you want a retained summary. -Check `--out` if `findings.json` was intentionally moved. - -**Related:** [Artifacts reference](/artifacts) and -[Custom CI outputs](/custom-ci#outputs). - -## SARIF Or Code Quality Output Is Missing - -**Symptom:** The review completes, but `.artifacts/diffpal/diffpal.sarif` or -`.artifacts/diffpal/codequality.json` is absent. - -**Likely causes:** SARIF is not a native Azure surface, Code Quality is a -GitLab-specific output, the run used `review local`, GitHub dry-run was used, -or the file was not uploaded as a CI artifact/report. - -**Diagnostic:** Check the selected host and command against the artifact table. -To create SARIF from a findings bundle manually, run: - -```bash -diffpal sarif --input .artifacts/diffpal/findings.json --out .artifacts/diffpal/diffpal.sarif -``` - -**Fix:** Use GitHub or GitLab host review when you expect SARIF from a native -run. Use GitLab CI report configuration for Code Quality. For custom CI or -Azure, convert findings to SARIF explicitly when needed. - -**Related:** [Artifacts reference](/artifacts), -[Support matrix](/support-matrix), and -[CLI SARIF command](/cli#diffpal-sarif). - -## Gate Blocks Unexpectedly - -**Symptom:** The job fails with blocking findings even though publishing and -artifacts completed. - -**Likely causes:** `--gate` or `gate: true` is enabled, and at least one -finding severity meets `diffpal.gate.block_on` or `--block-on`. - -**Diagnostic:** Check the process exit code and configured threshold. Blocking -findings with an enabled gate return exit code `10`. - -**Fix:** Inspect `findings.json` and the review summary. If the finding should -not block, raise `diffpal.gate.block_on` to a higher severity or improve review -instructions. If it should block, fix the code. - -**Related:** [Exit behavior](/exit-behavior), -[Configuration gate](/configuration#gate), and -[Findings, feedback, and gates](/findings-feedback-and-gates). - -## Gate Does Not Block - -**Symptom:** Findings appear in the summary or comments, but the CI job still -passes. - -**Likely causes:** The gate is disabled, findings are below the blocking -threshold, the command did not pass `--gate`, or the CI wrapper is not using the -DiffPal process result as the job result. - -**Diagnostic:** Confirm the run enables the gate and check the threshold: - -```bash -diffpal --profile ci review local --base origin/main --head HEAD --gate -``` - -**Fix:** Enable `gate: true` in the action/task or pass `--gate` to the CLI. -Set `diffpal.gate.block_on` to the minimum severity that should fail the job. - -**Related:** [Merge gates](/integrations#merge-gates), -[Exit behavior](/exit-behavior), and -[Configuration gate](/configuration#gate). - -## Local Execution Works But CI Execution Fails - -**Symptom:** `diffpal review local` works on a developer machine, but the same -repository fails in CI. - -**Likely causes:** CI has a shallow checkout, missing provider installation, -missing or protected secrets, different profile selection, missing host -metadata, a different working directory, or no artifact upload step. - -**Diagnostic:** Compare local and CI environments with doctor and version: - -```bash -diffpal version -diffpal --profile ci doctor --mode local -``` - -In host CI, use the matching host mode. - -**Fix:** Pin the same provider install path in CI, use full checkout history, -make the intended profile explicit, expose secrets only to trusted jobs, and -pass host metadata or base/head values from CI variables. - -**Related:** [CLI reference](/cli), -[Custom CI lifecycle](/custom-ci#generic-execution-lifecycle), -and [Providers](/providers). - -Next step: after applying the fix, rerun `diffpal doctor` in the same CI mode -that failed. diff --git a/verify-first-review.md b/verify-first-review.md deleted file mode 100644 index f982824..0000000 --- a/verify-first-review.md +++ /dev/null @@ -1,70 +0,0 @@ -# Verify First Review - -Use this page to confirm that the first DiffPal run produced a complete review, -even when it found no issues. - -## Pull Request Signals - -The PR or MR must show: - -- a `DiffPal Review Summary` review, discussion, or thread; -- inline comments, discussions, or PR threads when actionable findings exist; -- a check, commit status, or PR status for the DiffPal review job. - -## Required Artifacts - -The CI workspace must contain: - -| Path | Purpose | -| --- | --- | -| `.artifacts/diffpal/findings.json` | Canonical structured findings bundle. | -| `.artifacts/diffpal/summary.md` | Human-readable review summary. | - -Depending on the host and feedback mode, the run may also write: - -| Path | Purpose | -| --- | --- | -| `.artifacts/diffpal/diffpal.sarif` | SARIF report when enabled by the platform output. | -| `.artifacts/diffpal/codequality.json` | GitLab Code Quality report. | - -## No Findings Vs Broken Review - -`No findings` is healthy when: - -- the review summary appears; -- `findings.json` exists and is valid JSON; -- the CI job succeeds unless a configured gate blocks it; -- logs show DiffPal resolved the review scope and completed publishing. - -A broken review usually has one of these symptoms: - -- no summary appears in the PR/MR; -- `findings.json` is missing; -- provider authentication failed; -- the workflow used a shallow checkout and could not compare base and head; -- the platform token could not publish feedback. - -## Gate Behavior - -When gating is enabled, DiffPal fails the CI job if at least one finding meets -`diffpal.gate.block_on`. Setup, authentication, review scope resolution, and -publishing failures also fail the job because the review result is incomplete. - -When gating is disabled, blocking findings can still be published as review -feedback, but they do not fail the CI job. Tooling failures still fail because -DiffPal did not produce a complete review. - -## Troubleshooting - -- Missing summary or inline comments: - [Review Completes But No Summary Appears](/troubleshooting#review-completes-but-no-summary-appears) -- Missing or incomplete diff: - [DiffPal Cannot Find The Base Or Head Revision](/troubleshooting#diffpal-cannot-find-the-base-or-head-revision) -- Provider auth failures: - [Provider Authentication Fails](/troubleshooting#provider-authentication-fails) -- Gate failures: - [Gate Blocks Unexpectedly](/troubleshooting#gate-blocks-unexpectedly) -- Fork PR secrets: - [Secrets and fork PRs](/secrets-and-fork-prs) - -After the first run is healthy, continue with [Next Steps](/next-steps). diff --git a/versioning.md b/versioning.md deleted file mode 100644 index 0f7ee06..0000000 --- a/versioning.md +++ /dev/null @@ -1,57 +0,0 @@ -# Versioning - -DiffPal uses SemVer for user-facing releases. - -## CLI And Package Versions - -The CLI version is built into release binaries with Omnidist ldflags: - -- `Version` -- `GitCommit` -- `BuildDate` - -`diffpal version` prints: - -```text -diffpal + () -``` - -The npm package `@diffpal/diffpal` is the public CLI package. Omnidist also -builds platform-specific packages and release binaries from the same version. -Consumers should pin exact versions in credentialed CI jobs when repeatability -matters. - -GitHub Action users can use the stable major tag, for example -`diffpal/action@v1`, or pin a more specific release. Azure users can use the -published DiffPal extension task version. - -## Configuration Schema Compatibility - -Configuration files use `version: v1`. DiffPal accepts an empty version or -`v1`; any other config version is rejected. - -Minor releases should preserve `v1` compatibility. New optional fields may be -added without requiring existing configs to change. - -## Artifact And Schema Compatibility - -New findings writes use bundle `version: v3`. DiffPal readers accept `v1`, -`v2`, and `v3` findings bundles. - -Consumers should: - -- treat `findings.json` as the canonical artifact; -- ignore unknown fields; -- use `version` and `prompt.schema_version` when they need compatibility - branching; -- avoid depending on host-specific publishing plan files unless they are part of - the selected integration. - -## Upgrade Guidance - -1. Pin the DiffPal CLI, provider CLI, and CI wrapper versions in credentialed - jobs. -2. Upgrade in a branch and run `diffpal doctor --mode `. -3. Run a same-repository PR/MR review before enabling gates on the new version. -4. Keep uploaded artifacts for the first upgraded runs so schema or publisher - differences are easy to inspect. From 1d8d9c17f45364143e5554df8a75b106a658153c Mon Sep 17 00:00:00 2001 From: Alexey Samoylov Date: Fri, 10 Jul 2026 18:47:04 +0600 Subject: [PATCH 2/2] chore(security): harden documentation delivery Refs: dp-zsy.2 --- .github/CODEOWNERS | 5 +++++ .github/ISSUE_TEMPLATE/bug.yml | 23 +++++++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 5 +++++ .github/PULL_REQUEST_TEMPLATE.md | 9 +++++++++ .github/workflows/ci.yml | 10 ++++++---- .github/workflows/pages.yml | 16 +++++++++------- SECURITY.md | 10 ++++++++++ 7 files changed, 67 insertions(+), 11 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/ISSUE_TEMPLATE/bug.yml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..a4e0491 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,5 @@ +* @metalagman + +/.github/ @metalagman +/docs/.vitepress/ @metalagman +/scripts/ @metalagman diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml new file mode 100644 index 0000000..3d1959d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug.yml @@ -0,0 +1,23 @@ +name: Documentation or site bug +description: Report incorrect documentation, broken links, or site behavior +title: "docs: " +labels: [bug] +body: + - type: input + id: page + attributes: + label: Page URL + validations: + required: true + - type: textarea + id: problem + attributes: + label: Problem + validations: + required: true + - type: textarea + id: expected + attributes: + label: Expected content or behavior + validations: + required: true diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..5bfc33f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: true +contact_links: + - name: Security or privacy report + url: https://github.com/diffpal/diffpal.github.io/security/advisories/new + about: Report sensitive issues privately. diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..12dbeed --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,9 @@ +## Summary + + + +## Validation + +- [ ] Documentation synchronization and production build pass. +- [ ] Privacy checks pass and analytics consent behavior is unchanged or documented. +- [ ] Links and user-facing version references are current. diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aac7387..61e95b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,21 +14,23 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Resolve canonical docs source id: docs-source - run: echo "ref=$(node -p \"require('./docs-source.json').ref\")" >> "$GITHUB_OUTPUT" + run: | + ref=$(node -p "require('./docs-source.json').ref") + echo "ref=$ref" >> "$GITHUB_OUTPUT" - name: Checkout canonical DiffPal docs - uses: actions/checkout@v5 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: repository: diffpal/diffpal ref: ${{ steps.docs-source.outputs.ref }} path: .source/diffpal - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 22 cache: npm diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index cb5493d..ebe4379 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -20,27 +20,29 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Resolve canonical docs source id: docs-source - run: echo "ref=$(node -p \"require('./docs-source.json').ref\")" >> "$GITHUB_OUTPUT" + run: | + ref=$(node -p "require('./docs-source.json').ref") + echo "ref=$ref" >> "$GITHUB_OUTPUT" - name: Checkout canonical DiffPal docs - uses: actions/checkout@v5 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: repository: diffpal/diffpal ref: ${{ steps.docs-source.outputs.ref }} path: .source/diffpal - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 22 cache: npm - name: Configure Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4 - name: Install dependencies run: npm ci @@ -49,7 +51,7 @@ jobs: run: npm run docs:build - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 with: path: .vitepress/dist @@ -62,4 +64,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..c226038 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,10 @@ +# Security Policy + +Do not open a public issue for a suspected vulnerability or privacy flaw. +Report it through +[GitHub private vulnerability reporting](https://github.com/diffpal/diffpal.github.io/security/advisories/new) +with reproduction steps and impact. We aim to acknowledge reports within three +business days and coordinate remediation and disclosure with the reporter. + +Issues in the DiffPal product should be reported to the +[core repository](https://github.com/diffpal/diffpal/security/advisories/new).