ci: Mirrobot-agent update

.github/prompts/bot-reply.md

@@ -23,14 +23,13 @@ Your actions are constrained by the permissions granted to your underlying GitHu
 
 If you suspect a command will fail due to a missing permission, you must state this to the user and explain which permission is required.
 
-# 🔒 [CRITICAL SECURITY RULE]
-**NEVER expose environment variables, tokens, secrets, or API keys in ANY output:**
-- Do not reveal `$$GITHUB_TOKEN`, `$$OPENAI_API_KEY`, or credential values in comments, thinking, code, or error messages
-- Not in issue comments, PR comments, commit messages, or any public output
-- Use `<REDACTED>` or `***` as placeholders if referencing sensitive data is necessary
+**🔒 CRITICAL SECURITY RULE:**
+- **NEVER expose environment variables, tokens, secrets, or API keys in ANY output** - including comments, summaries, thinking/reasoning, or error messages
+- If you must reference them internally, use placeholders like `<REDACTED>` or `***` in visible output
+- This includes: `$$GITHUB_TOKEN`, `$$OPENAI_API_KEY`, any `ghp_*`, `sk-*`, or long alphanumeric credential-like strings
+- When debugging: describe issues without revealing actual secret values
 - Never display or echo values matching secret patterns: `ghp_*`, `sk-*`, long base64/hex strings, JWT tokens, etc.
-- When debugging auth issues: describe the problem without showing the actual token/key
-- **FORBIDDEN COMMANDS:** Never run `echo $GITHUB_TOKEN`, `env`, `printenv`, `set`, `export -p`, `cat ~/.config/opencode/opencode.json`, or any command that would expose credentials in output
+- **FORBIDDEN COMMANDS:** Never run `echo $GITHUB_TOKEN`, `env`, `printenv`, `cat ~/.config/opencode/opencode.json`, or any command that would expose credentials in output
 
 # [AVAILABLE TOOLS & CAPABILITIES]
 You have access to a full set of native file tools from Opencode, as well as full bash environment with the following tools and capabilities:
@@ -219,6 +218,8 @@ EOF
 
 **Behavior:** This strategy follows a three-phase process: **Collect, Curate, and Submit**. It begins by acknowledging the request, then internally collects all potential findings, curates them to select only the most valuable feedback, and finally submits them as a single, comprehensive review using the appropriate formal event (`APPROVE`, `REQUEST_CHANGES`, or `COMMENT`).
 
+Always review a concrete diff, not just a file list. For follow-up reviews, prefer an incremental diff against the last review you posted.
+
 **Step 1: Post Acknowledgment Comment**
 Immediately post a comment to acknowledge the request and set expectations. Your acknowledgment should be unique and context-aware. Reference the PR title or a key file changed to show you've understood the context. Don't copy these templates verbatim. Be creative and make it feel human.
 
@@ -237,6 +238,56 @@ EOF
 **Step 2: Collect All Potential Findings (Internal)**
 Analyze the changed files from the `<diff>` in the context. For each file, generate EVERY finding you notice and append them as JSON objects to `/tmp/review_findings.jsonl`. This file is your external "scratchpad"; do not filter or curate at this stage.
 
+#### Build the Diff to Review (First vs Follow-up)
+- Detect if you previously reviewed this PR. If yes, extract the `last_reviewed_sha` marker from your last summary and generate an incremental diff. Otherwise, generate a full diff from the merge base with the base branch.
+
+Example commands:
+```bash
+# Get base branch name (fallback to parsing context if needed)
+BASE_BRANCH_NAME=$(gh pr view $THREAD_NUMBER --repo $GITHUB_REPOSITORY --json baseRefName -q .baseRefName 2>/dev/null || echo "")
+
+# Locate the last bot summary and extract the last reviewed SHA
+pr_summary_payload=$(gh pr view $THREAD_NUMBER --repo $GITHUB_REPOSITORY --json comments,reviews)
+last_summary_comment=$(echo "$pr_summary_payload" | jq -r '[
+  (.comments[]? | {body:(.body // ""), ts:(.updatedAt // .createdAt // ""), author:(.author.login // "unknown")} ),
+  (.reviews[]?  | {body:(.body // ""), ts:(.submittedAt // .updatedAt // .createdAt // ""), author:(.author.login // "unknown")} )
+] | sort_by(.ts) | last | .body // "")'
+LAST_REVIEWED_SHA=$(echo "$last_summary_comment" | sed -n 's/.*<!-- last_reviewed_sha:\([a-f0-9]\{7,40\}\) -->.*/\1/p')
+
+CURRENT_SHA=$(git rev-parse HEAD)
+[ -n "$BASE_BRANCH_NAME" ] && git fetch origin "$BASE_BRANCH_NAME":refs/remotes/origin/"$BASE_BRANCH_NAME" 2>/dev/null || true
+
+if [ -n "$LAST_REVIEWED_SHA" ] && git cat-file -e "$LAST_REVIEWED_SHA^{commit}" 2>/dev/null; then
+  # Follow-up: incremental diff
+  git diff --patch "$LAST_REVIEWED_SHA".."$CURRENT_SHA" > /tmp/review_diff.txt || true
+fi
+
+if [ ! -s /tmp/review_diff.txt ]; then
+  # First review or fallback: full diff from merge base
+  if [ -n "$BASE_BRANCH_NAME" ]; then
+    MERGE_BASE=$(git merge-base origin/"$BASE_BRANCH_NAME" "$CURRENT_SHA" 2>/dev/null || echo "")
+    if [ -n "$MERGE_BASE" ]; then
+      git diff --patch "$MERGE_BASE".."$CURRENT_SHA" > /tmp/review_diff.txt || true
+    else
+      git diff --patch origin/"$BASE_BRANCH_NAME".."$CURRENT_SHA" > /tmp/review_diff.txt || true
+    fi
+  fi
+fi
+
+# Fallback if still empty: use a full working-tree diff
+[ -s /tmp/review_diff.txt ] || git diff --patch HEAD^..HEAD > /tmp/review_diff.txt || true
+
+# Truncate very large diffs (500KB)
+DIFF_SIZE=$(wc -c < /tmp/review_diff.txt 2>/dev/null || echo 0)
+if [ "$DIFF_SIZE" -gt 500000 ]; then
+  head -c 500000 /tmp/review_diff.txt > /tmp/review_diff.truncated
+  printf '\n\n[DIFF TRUNCATED - Showing first 500KB only.]\n' >> /tmp/review_diff.truncated
+  mv /tmp/review_diff.truncated /tmp/review_diff.txt
+fi
+
+# Proceed to analyze /tmp/review_diff.txt
+```
+
 #### **Using Line Ranges Correctly**
 Line ranges pinpoint the exact code you're discussing. Use them precisely:
 -   **Single-Line (`line`):** Use for a specific statement, variable declaration, or a single line of code.
@@ -287,6 +338,8 @@ Construct and submit your final review. First, choose the most appropriate revie
 
 Then, generate a single, comprehensive `gh api` command.
 
+Always include the marker `<!-- last_reviewed_sha:${PR_HEAD_SHA} -->` in the review summary body so future follow-up reviews can compute an incremental diff.
+
 **Template for reviewing OTHERS' code:**
 ```bash
 # In this example, you curated two comments.
@@ -330,7 +383,8 @@ jq -n \
 ## Warnings
 [Explanation of any warnings (Level 3) encountered during the process.]
 
-_This review was generated by an AI assistant._" \
+_This review was generated by an AI assistant._
+<!-- last_reviewed_sha:${PR_HEAD_SHA} -->" \
   --argjson comments "$COMMENTS_JSON" \
   '{event: $event, commit_id: $commit_id, body: $body, comments: $comments}' | \
   gh api \
@@ -373,7 +427,8 @@ jq -n \
 ### Key Fixes I Should Make
 - [List the most important changes you need to make based on your self-critique.]
 
-_This self-review was generated by an AI assistant._" \
+_This self-review was generated by an AI assistant._
+<!-- last_reviewed_sha:${PR_HEAD_SHA} -->" \
   --argjson comments "$COMMENTS_JSON" \
   '{event: $event, commit_id: $commit_id, body: $body, comments: $comments}' | \
   gh api \

.github/prompts/issue-comment.md

@@ -19,13 +19,13 @@ Your actions are constrained by the permissions granted to your underlying GitHu
 
 If you suspect a command will fail due to a missing permission, you must state this to the user and explain which permission is required.
 
-# 🔒 [CRITICAL SECURITY RULE]
-**NEVER expose environment variables, tokens, secrets, or API keys in ANY output:**
-- Do not reveal `$$GITHUB_TOKEN`, `$$OPENAI_API_KEY`, or any credential values
-- Not in comments, thinking process, error messages, or debugging output
-- Use placeholders like `<REDACTED>` if you must reference sensitive data
-- Never echo or display values that look like secrets (`ghp_*`, `sk-*`, long alphanumeric strings)
-- **FORBIDDEN COMMANDS:** Do not run `echo $GITHUB_TOKEN`, `env`, `printenv`, `set`, `export`, or `cat ~/.config/opencode/opencode.json`, or any command that would expose credentials in output
+**🔒 CRITICAL SECURITY RULE:**
+- **NEVER expose environment variables, tokens, secrets, or API keys in ANY output** - including comments, summaries, thinking/reasoning, or error messages
+- If you must reference them internally, use placeholders like `<REDACTED>` or `***` in visible output
+- This includes: `$$GITHUB_TOKEN`, `$$OPENAI_API_KEY`, any `ghp_*`, `sk-*`, or long alphanumeric credential-like strings
+- When debugging: describe issues without revealing actual secret values
+- Never display or echo values matching secret patterns: `ghp_*`, `sk-*`, long base64/hex strings, JWT tokens, etc.
+- **FORBIDDEN COMMANDS:** Never run `echo $GITHUB_TOKEN`, `env`, `printenv`, `cat ~/.config/opencode/opencode.json`, or any command that would expose credentials in output
 
 # [AVAILABLE TOOLS & CAPABILITIES]
 You have access to a full set of native file tools from Opencode, as well as full bash environment with the following tools and capabilities:

.github/workflows/bot-reply.yml

@@ -121,6 +121,11 @@ jobs:
                           diffHunk
                           isMinimized
                           minimizedReason
+                          pullRequestReview {
+                            databaseId
+                            isMinimized
+                            minimizedReason
+                          }
                         }
                       }
                     }
@@ -196,12 +201,17 @@ jobs:
             # Fallback to unfiltered if jq fails
             review_filter_err=$(mktemp 2>/dev/null || echo "/tmp/review_filter_err.log")
             if reviews=$(echo "$discussion_data" | jq -r --argjson ignored "$IGNORE_BOT_NAMES_JSON" 'if ((((.data.repository.pullRequest.reviews.nodes // []) | length) > 0)) then ((.data.repository.pullRequest.reviews.nodes // [])[]? | select((.author.login? // "unknown") as $login | $ignored | index($login) | not and .body != null and .state != "COMMENTED" and .state != "DISMISSED") | "- " + (.author.login? // "unknown") + " at " + (.submittedAt // "N/A") + ":\n - Review body: " + (.body // "No summary comment.") + "\n - State: " + (.state // "UNKNOWN") + "\n") else "No formal reviews." end' 2>"$review_filter_err"); then
-                filtered_reviews=$(echo "$reviews" | grep -c "^- " || echo "0")
-                excluded_reviews=$((total_reviews - filtered_reviews))
-                if [ -s "$review_filter_err" ]; then
-                  echo "::debug::jq stderr (reviews) emitted output:"
-                  cat "$review_filter_err"
-                fi
+              filtered_reviews=$(echo "$reviews" | grep -c "^- " || true)
+              filtered_reviews=${filtered_reviews//[^0-9]/}
+              [ -z "$filtered_reviews" ] && filtered_reviews=0
+              total_reviews=${total_reviews//[^0-9]/}
+              [ -z "$total_reviews" ] && total_reviews=0
+              excluded_reviews=$(( total_reviews - filtered_reviews )) || excluded_reviews=0
+              echo "✓ Filtered reviews: $filtered_reviews included, $excluded_reviews excluded (COMMENTED/DISMISSED)"
+              if [ -s "$review_filter_err" ]; then
+                echo "::debug::jq stderr (reviews) emitted output:"
+                cat "$review_filter_err"
+              fi
             else
               jq_status=$?
               echo "::warning::Review filtering failed (exit $jq_status), using unfiltered data"
@@ -213,6 +223,7 @@ jobs:
               fi
               reviews=$(echo "$discussion_data" | jq -r --argjson ignored "$IGNORE_BOT_NAMES_JSON" 'if ((((.data.repository.pullRequest.reviews.nodes // []) | length) > 0)) then ((.data.repository.pullRequest.reviews.nodes // [])[]? | select((.author.login? // "unknown") as $login | $ignored | index($login) | not and .body != null) | "- " + (.author.login? // "unknown") + " at " + (.submittedAt // "N/A") + ":\n - Review body: " + (.body // "No summary comment.") + "\n - State: " + (.state // "UNKNOWN") + "\n") else "No formal reviews." end')
               excluded_reviews=0
+              echo "FILTER_ERROR_REVIEWS=true" >> $GITHUB_ENV
             fi
             rm -f "$review_filter_err" || true
 
@@ -221,18 +232,28 @@ jobs:
             review_comment_filter_err=$(mktemp 2>/dev/null || echo "/tmp/review_comment_filter_err.log")
             if review_comments=$(echo "$discussion_data" | jq -r --argjson ignored "$IGNORE_BOT_NAMES_JSON" '
               ((.data.repository.pullRequest.reviewThreads.nodes // [])
-                | map(select(.isResolved != true and .isOutdated != true))
+                | map(select(
+                    .isResolved != true and .isOutdated != true
+                    and (((.comments.nodes // []) | first | .isMinimized) != true)
+                    and ((((.comments.nodes // []) | first | .pullRequestReview.isMinimized) // false) != true)
+                  ))
                 | map(.comments.nodes // [])
                 | flatten
-                | map(select((.isMinimized != true) and (((.author.login? // "unknown") as $login | $ignored | index($login)) | not))))
+                | map(select((.isMinimized != true)
+                             and ((.pullRequestReview.isMinimized // false) != true)
+                             and (((.author.login? // "unknown") as $login | $ignored | index($login)) | not))))
               | if length > 0 then
                   map("- " + (.author.login? // "unknown") + " at " + (.createdAt // "N/A") + " (" + (.path // "Unknown file") + ":" + ((.line // .originalLine // "N/A") | tostring) + "):\n   " + ((.body // "") | tostring) + "\n")
                   | join("")
                 else
                   "No inline review comments."
                 end' 2>"$review_comment_filter_err"); then
-              filtered_comments=$(echo "$review_comments" | grep -c "^- " || echo "0")
-              excluded_comments=$((total_review_comments - filtered_comments))
+              filtered_comments=$(echo "$review_comments" | grep -c "^- " || true)
+              filtered_comments=${filtered_comments//[^0-9]/}
+              [ -z "$filtered_comments" ] && filtered_comments=0
+              total_review_comments=${total_review_comments//[^0-9]/}
+              [ -z "$total_review_comments" ] && total_review_comments=0
+              excluded_comments=$(( total_review_comments - filtered_comments )) || excluded_comments=0
               echo "✓ Filtered review comments: $filtered_comments included, $excluded_comments excluded (outdated)"
               if [ -s "$review_comment_filter_err" ]; then
                 echo "::debug::jq stderr (review comments) emitted output:"
@@ -249,9 +270,15 @@ jobs:
               fi
               review_comments=$(echo "$discussion_data" | jq -r --argjson ignored "$IGNORE_BOT_NAMES_JSON" '
                 ((.data.repository.pullRequest.reviewThreads.nodes // [])
+                  | map(select(
+                      (((.comments.nodes // []) | first | .isMinimized) != true)
+                      and ((((.comments.nodes // []) | first | .pullRequestReview.isMinimized) // false) != true)
+                    ))
                   | map(.comments.nodes // [])
                   | flatten
-                  | map(select(((.author.login? // "unknown") as $login | $ignored | index($login)) | not)))
+                  | map(select((.isMinimized != true)
+                               and ((.pullRequestReview.isMinimized // false) != true)
+                               and (((.author.login? // "unknown") as $login | $ignored | index($login)) | not))))
                 | if length > 0 then
                     map("- " + (.author.login? // "unknown") + " at " + (.createdAt // "N/A") + " (" + (.path // "Unknown file") + ":" + ((.line // .originalLine // "N/A") | tostring) + "):\n   " + ((.body // "") | tostring) + "\n")
                     | join("")
@@ -259,12 +286,20 @@ jobs:
                     "No inline review comments."
                   end')
               excluded_comments=0
+              echo "FILTER_ERROR_COMMENTS=true" >> $GITHUB_ENV
             fi
             rm -f "$review_comment_filter_err" || true
+            
+            # Store filtering statistics
+            echo "EXCLUDED_REVIEWS=$excluded_reviews" >> $GITHUB_ENV
+            echo "EXCLUDED_COMMENTS=$excluded_comments" >> $GITHUB_ENV
 
             # Build filtering summary
             # Ensure numeric fallbacks so blanks never appear if variables are empty
             filter_summary="Context filtering applied: ${excluded_reviews:-0} reviews and ${excluded_comments:-0} review comments excluded from this context."
+            if [ "${FILTER_ERROR_REVIEWS}" = "true" ] || [ "${FILTER_ERROR_COMMENTS}" = "true" ]; then
+              filter_summary="$filter_summary"$'\n'"Warning: Some filtering operations encountered errors. Context may include items that should have been filtered."
+            fi
 
             # Prepare linked issues robustly by fetching each one individually.
             linked_issues_content=""

.github/workflows/issue-comment.yml

@@ -83,6 +83,13 @@ jobs:
           echo "Debug: total issue comments before filtering = $total_issue_comments"
           comments_filter_err=$(mktemp 2>/dev/null || echo "/tmp/issue_comments_filter_err.log")
           if comments=$(echo "$issue_data" | jq -r --argjson ignored "$IGNORE_BOT_NAMES_JSON" 'if (((.comments // []) | length) > 0) then ((.comments[]? | select((.author.login as $login | $ignored | index($login)) | not)) | "- " + (.author.login // "unknown") + " at " + (.createdAt // "N/A") + ":\n" + ((.body // "") | tostring) + "\n") else "No comments have been posted yet." end' 2>"$comments_filter_err"); then
+            filtered_comments=$(echo "$comments" | grep -c "^- " || true)
+            filtered_comments=${filtered_comments//[^0-9]/}
+            [ -z "$filtered_comments" ] && filtered_comments=0
+            total_issue_comments=${total_issue_comments//[^0-9]/}
+            [ -z "$total_issue_comments" ] && total_issue_comments=0
+            excluded_comments=$(( total_issue_comments - filtered_comments )) || excluded_comments=0
+            echo "✓ Filtered comments: $filtered_comments included, $excluded_comments excluded (ignored bots)"
             if [ -s "$comments_filter_err" ]; then
               echo "::debug::jq stderr (issue comments) emitted output:"
               cat "$comments_filter_err"
@@ -97,6 +104,8 @@ jobs:
               echo "::warning::jq returned no stderr for issue comment filter"
             fi
             comments=$(echo "$issue_data" | jq -r 'if (((.comments // []) | length) > 0) then ((.comments[]?) | "- " + (.author.login // "unknown") + " at " + (.createdAt // "N/A") + ":\n" + ((.body // "") | tostring) + "\n") else "No comments have been posted yet." end')
+            excluded_comments=0
+            echo "FILTER_ERROR_COMMENTS=true" >> $GITHUB_ENV
           fi
           rm -f "$comments_filter_err" || true
 

.github/workflows/opencode.yml

@@ -1,125 +0,0 @@
-name: opencode
-
-on:
-  issue_comment:
-    types: [created]
-
-jobs:
-  opencode:
-    if: |
-      (
-      contains(github.event.comment.body, ' /oc') ||
-      startsWith(github.event.comment.body, '/oc') ||
-      contains(github.event.comment.body, ' /opencode') ||
-      startsWith(github.event.comment.body, '/opencode')
-      ) && (
-        github.event.comment.author_association == 'OWNER' ||
-        github.event.comment.author_association == 'MEMBER' ||
-        github.event.comment.author_association == 'COLLABORATOR'
-      )
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-      id-token: write
-    steps:
-
-      - name: Generate GitHub App Token
-        id: generate_token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.BOT_APP_ID }}
-          private-key: ${{ secrets.BOT_PRIVATE_KEY }}
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Inject Custom Config (For Proxy Support)
-        run: |
-          mkdir -p ~/.config/opencode
-          CONFIG='{
-            "$schema": "https://opencode.ai/config.json",
-            "provider": {
-              "llm-proxy": {
-                "npm": "@ai-sdk/openai-compatible",
-                "name": "Proxy",
-                "options": {
-                  "baseURL": "${{ secrets.PROXY_BASE_URL }}",
-                  "apiKey": "${{ secrets.PROXY_API_KEY }}",
-                  "timeout": 300000, // 5 minute timeout in ms
-                  "headers": {
-                    "User-Agent": "OpenCode/1.0",
-                    "X-Custom-Header": "your-value"
-                  }
-                },
-                "models": {
-                  "main": {
-                    "id": "${{ secrets.OPENCODE_MODEL }}",
-                    "name": "Custom Model",
-                    "limit": { "context": 262000, "output": 64192 }
-                  },
-                  "fast": {
-                    "id": "${{ secrets.OPENCODE_FAST_MODEL }}",
-                    "name": "Fast Custom Model",
-                    "limit": { "context": 262000, "output": 64192 }
-                  }
-                }
-              }
-            },
-            "model": "llm-proxy/main",
-            "small_model": "llm-proxy/fast",
-            "username": "mirrobot-agent",
-            "autoupdate": true
-          }'
-          echo "$CONFIG" > ~/.config/opencode/opencode.json
-
-      - name: Check for Python requirements file
-        id: check_requirements_file
-        run: |
-          if [ -f requirements.txt ]; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Set up Python
-        if: steps.check_requirements_file.outputs.exists == 'true'
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-
-      - name: Cache pip dependencies
-        if: steps.check_requirements_file.outputs.exists == 'true'
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-3.12-${{ hashFiles('requirements.txt') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-3.12
-
-      - name: Install dependencies
-        if: steps.check_requirements_file.outputs.exists == 'true'
-        run: pip install -r requirements.txt
-
-      - name: Check for model override
-        id: model_override
-        env:
-          MODEL_OVERRIDE_SECRET: ${{ secrets.OPENCODE_MODEL_OVERRIDE }}
-        run: |
-          if [ -n "$MODEL_OVERRIDE_SECRET" ]; then
-            echo "Model override from secret: $MODEL_OVERRIDE_SECRET"
-            echo "model_arg=$MODEL_OVERRIDE_SECRET" >> $GITHUB_OUTPUT
-          else
-            echo "No model override found, using default."
-            echo "model_arg=" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Run opencode
-        uses: sst/opencode/github@latest
-        env:
-          OPENCODE_API_KEY: ${{ secrets.PROXY_API_KEY }}
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-        with:
-          # This line has been updated from 'llm-proxy/main_model'
-          model: ${{ steps.model_override.outputs.model_arg || 'llm-proxy/main' }}
-          share: true