Skip to content

Make the Anthropic provider code-aware via PR diff injection#4

Merged
Wenjix merged 10 commits into
mainfrom
anthropic-diff-injection
Jun 14, 2026
Merged

Make the Anthropic provider code-aware via PR diff injection#4
Wenjix merged 10 commits into
mainfrom
anthropic-diff-injection

Conversation

@Wenjix

@Wenjix Wenjix commented Jun 13, 2026
edited by cursor Bot
Loading

Copy link
Copy Markdown
Owner

What

--provider anthropic was effectively blind: the adapter sent only the stitched text prompt to the Messages API — no repo, no diff — so explorations couldn't inspect the PR's code (flagged High by Cursor Bugbot + Devin on PR #1). This makes the Anthropic path code-aware by fetching the PR's unified diff locally and injecting it into each task prompt.

How

  • fetchPrDiff(repo, pr) in github.ts — REST diff media type when a token is set, gh pr diff fallback (reuses existing auth plumbing).
  • Diff fetched once per run (promise-memoized, shared across concurrent tasks), capped, injected via the testable buildDiffPrompt.
  • Graceful degrade: if the diff can't be fetched, warn once and run without code context rather than failing every task.
  • repo/pr threaded into TaskExecutionInput.

Notes

Test

npm test — 34 pass (+3 buildDiffPrompt).

🤖 Generated with Claude Code

Open in Devin Review

Note

Medium Risk
Anthropic runs now send full PR diff text to a third-party API and depend on GitHub read access; npm overrides change install-time transitive versions (documented as low runtime impact on Node ≥22).

Overview
Makes --provider anthropic code-aware by fetching the PR unified diff and injecting it into each Messages API call, instead of sending only the stitched task text.

Anthropic path: New fetchPrDiff in github.ts (REST diff media type when a token exists, gh pr diff fallback). The runner passes repo/pr on TaskExecutionInput. AnthropicAdapter memoizes one diff per PR, retries fetch failures, then builds the user turn via buildDiffPrompt (200k char cap, explicit note when diff is missing). System prompt and max_tokens (8192) are updated for diff-based analysis; the browser-only API header is removed. Tests cover buildDiffPrompt.

Dependencies & contributor docs: .npmrc pins registry.npmjs.org so npm audit works. package.json adds intentional overrides for tar, undici, and @tootallnate/once (transitive @cursor/sdk audit fixes). package-lock.json is re-resolved from npmjs with those pinned versions. AGENTS.md / docs/dependencies.md document registry rules, overrides, and build/run expectations; CLAUDE.md points at AGENTS.md.

Reviewed by Cursor Bugbot for commit e5b57f7. Bugbot is set up for automated code reviews on this repo. Configure here.

devin-ai-integration[bot]

This comment was marked as resolved.

Sign in to view

@cursor

cursor Bot commented Jun 13, 2026

Copy link
Copy Markdown

Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_47421aea-d721-4153-bcd8-818a89b08aa9)

Wenjix added 8 commits June 13, 2026 15:45
@Wenjix
Merge pull request #1 from Wenjix/production-polish
21a6dd9 
Production polish: installable, multi-provider, observable
@Wenjix
Merge pull request #2 from Longado/codex/reduce-npm-audit-surface
6d29bd3 
chore: reduce npm audit vulnerabilities
@Wenjix
docs: document npm overrides and standardize on the npmjs registry
bab1c5d 
- AGENTS.md (new): guardrails for humans + coding agents — npmjs registry,
  and do not remove/loosen the overrides or regenerate the lockfile elsewhere
- docs/dependencies.md (new): per-override rationale + consumer chains +
  remove-when, the Node 26 clean-install verification, and why undici 5->6 is
  runtime-inert on Node >=18
- .npmrc (new): pin registry to npmjs.org (npmmirror's advisory endpoint is
  NOT_IMPLEMENTED, which breaks npm audit and caused the mixed-registry lockfile)
- CLAUDE.md: symlink to AGENTS.md so Claude Code loads the same notes

Documents the overrides added in #2; removal tracked in #5.
@Wenjix
chore: converge lockfile to npmjs and annotate overrides
f2d8a15 
- Regenerate package-lock.json against npmjs (.npmrc); no more mixed
  npmmirror/npmjs resolved URLs (was 133/9, now 0/142).
- package.json: add overridesNote pointing at docs/dependencies.md (#5).

Verified: overrides intact (tar@7.5.16, undici@6.26.0, @tootallnate/once@2.0.1),
npm audit -> 0, tests green.
@Wenjix
Merge pull request #6 from Wenjix/docs/dependency-overrides
26fe230 
docs: document npm overrides + standardize npm registry
@Wenjix
docs(AGENTS): add build/test/run + Cursor Cloud notes (salvaged from #3)
c9d2324 
Folds the generally-useful run notes from the Cursor Cloud setup PR (#3) into the
existing AGENTS.md: the offline plan-pr / --plan-only flow, --scored for local
input, live-command credentials, and the ~/.cursor canvas-mirror flag.

Corrects #3's now-stale gotcha — plan-pr is plan-only by design on main
(cli.ts dispatches planOnly: true) — and notes prebuild auto-cleans dist. Drops
#3's package-lock change, since main standardized on the npmjs registry in #6.
@Wenjix
Merge pull request #7 from Wenjix/docs/agents-run-notes
df27c7f 
docs(AGENTS): build/test/run notes (salvaged from #3)
@Wenjix
Make the Anthropic provider code-aware via PR diff injection
5a56434 
Replaces the blind Messages-API adapter: --provider anthropic now fetches the
PR's unified diff (REST diff media type, or `gh pr diff` fallback) and injects
it into each task prompt, so the model reasons about the actual changed code
instead of only the finding text.

- github.ts: fetchPrDiff(repo, pr)
- types.ts / runner.ts: thread repo + pr into TaskExecutionInput
- adapters/anthropic.ts: per-run memoized diff fetch shared across tasks;
  testable buildDiffPrompt with a size cap and graceful degrade when the diff
  cannot be fetched; max_tokens 4096 -> 8192
- test/anthropic.test.ts: buildDiffPrompt coverage

Addresses the High-severity bot finding that --provider anthropic had no
repository access. Cursor remains the default provider.
@Wenjix Wenjix changed the base branch from production-polish to main June 14, 2026 22:26
@Wenjix Wenjix force-pushed the anthropic-diff-injection branch from f186360 to 5a56434 Compare June 14, 2026 22:26
cursor[bot]

This comment was marked as resolved.

Sign in to view

@Wenjix
Harden Anthropic diff fetch (Cursor review on #4)
e5b57f7 
- github.ts: fetchPrDiff falls back to `gh pr diff` when the REST request fails
  (token expiry/scope/rate limit), not only when no token is set.
- anthropic.ts: key the diff cache by repo#pr (no cross-PR contamination) and
  wrap the fetch in withRetry so a transient blip doesn't blind the whole run.
@Wenjix Wenjix merged commit 8420df9 into main Jun 14, 2026
2 of 3 checks passed
cursor[bot]
cursor Bot reviewed Jun 14, 2026
View reviewed changes

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit e5b57f7. Configure here.

Comment thread src/adapters/anthropic.ts
"Do not suggest edits, create commits, push branches, or open pull requests.",
"Return a concise human-readable explanation, then end with exactly one fenced JSON block as specified.",
].join("\n");
const diff = await this.loadDiff(input.repo, input.pr);

@cursor cursor Bot Jun 14, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff fetch ignores task abort

Medium Severity

runOnce awaits loadDiff before the Anthropic request, but loadDiff’s withRetry never receives input.signal, and fetchPrDiff / gh aren’t cancellable. After the runner’s withTimeout aborts, PR diff work (including retry backoff) can keep running even though the task is already marked timed out.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit e5b57f7. Configure here.

Comment thread src/adapters/anthropic.ts
"",
"<pr_diff>",
body,
"</pr_diff>",

@cursor cursor Bot Jun 14, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff can break delimiter tags

Low Severity

buildDiffPrompt wraps the unified diff in literal &lt;pr_diff&gt; / &lt;/pr_diff&gt; markers without escaping. If the PR adds or changes a line containing &lt;/pr_diff&gt;, that substring appears inside the injected body and can split what the model treats as diff versus task instructions.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit e5b57f7. Configure here.

@Wenjix Wenjix deleted the anthropic-diff-injection branch June 16, 2026 20:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Wenjix @Longado