
[#296] ✨ - Bugbot autofix#298

Merged
efraespada merged 48 commits intodevelopfrom
feature/296-bugbot-autofix
Feb 12, 2026

Conversation

@efraespada (Member) commented Feb 11, 2026

Based on the PR template, branch diff, issue description, and documentation, here is the filled PR description:


📌 Summary

This PR introduces the Bugbot Autofix feature, allowing users to request fixes for detected vulnerabilities directly from issue comments or pull request review comments. Users can simply say "fix it", "fix them", or reference specific findings, and OpenCode will interpret the request, apply fixes in its workspace, run verification commands (build/test/lint), and automatically commit and push the changes. This significantly speeds up the resolution of security vulnerabilities and code quality issues by enabling direct interaction with Bugbot findings.

The feature also introduces Do User Request functionality for generic code changes (e.g., "add a test", "refactor this") that are not tied to specific Bugbot findings.


🎯 Related Issues / Tickets


🧩 Scope of Changes

  • Added:

    • Bugbot Autofix feature: detect fix intent, apply fixes via OpenCode Build agent, run verify commands, commit and push changes
    • Do User Request feature: generic code changes from comments
    • Intent detection via OpenCode Plan agent (determines if comment is a fix request, do request, or question)
    • Permission system: only org members or repo owners can trigger file-modifying actions
    • Hidden HTML markers in Bugbot comments to track finding resolution state
    • Branch resolution for issue comments (resolves from open PRs referencing the issue)
    • New configuration inputs: bugbot-fix-verify-commands
    • Comprehensive test coverage for all new use cases
    • New documentation for Bugbot autofix and do-user-request features
  • Updated:

    • Issue comment and PR review comment workflows to support autofix and user request flows
    • Workflow files to grant contents: write permission for commit/push operations
    • Bugbot detection flow to publish findings with markers and track resolved findings
    • Architecture documentation to reflect new use case flows
    • CI workflow to include Codecov coverage reporting

🛠️ Technical Details

  • Two OpenCode agents: The Plan agent detects intent and findings (read-only), while the Build agent applies code changes (read-write). Changes are applied directly to disk in the OpenCode workspace.
  • Intent detection: All parsing of user intent ("fix it", "fix vulnerability X", "do this") is done via OpenCode rather than local regex to handle natural language variations.
  • Security permissions: Before any file modification, the action checks if the actor is allowed via ProjectRepository.isActorAllowedToModifyFiles(). For organization-owned repos, the actor must be an org member; for user-owned repos, the actor must be the owner.
  • Marker system: Bugbot findings use hidden HTML comments (<!-- copilot-bugbot finding_id:"..." resolved:true|false -->) embedded in issue/PR comments to track which findings are open vs resolved.
  • Branch handling: For issue comments where no branch is available, the action resolves the branch from an open PR that references the issue (using getHeadBranchForIssue).
  • Verify commands: After fixes are applied, configurable commands (e.g., npm run build, npm test) are executed to ensure changes don't break the build before committing.
  • Commit strategy: When fixes are applied and verified, the action runs git add -A, commits with a message like fix(#N): bugbot autofix - resolve finding-1, finding-2, and pushes to the remote.

🔍 How to Test

  1. Setup: Ensure workflows have contents: write permission and bugbot-fix-verify-commands is configured.
  2. Detection: Push code to trigger Bugbot detection; verify findings appear as comments on the issue and PR with hidden markers.
  3. Fix request: Comment "fix it" or "fix vulnerability X" on the issue or PR review comment.
  4. Verify: Check that:
    • OpenCode interprets the intent correctly
    • Fixes are applied in the workspace
    • Verify commands run and pass
    • Changes are committed and pushed
    • Findings are marked as resolved in comments
  5. Do request: Comment a generic request like "add a test for this" and verify the action performs the change.
  6. Permissions: Test with a non-member/non-owner account to verify the action skips file modifications and runs Think instead.

🧪 Test Coverage

  • Unit tests
  • Integration tests

Test files added/updated:

  • detect_bugbot_fix_intent_use_case.test.ts - Intent detection flow
  • bugbot_autofix_use_case.test.ts - Autofix application flow
  • bugbot_autofix_commit.test.ts - Git commit/push operations
  • user_request_use_case.test.ts - Do user request flow
  • issue_comment_use_case.test.ts - Full issue comment flow
  • pull_request_review_comment_use_case.test.ts - Full PR comment flow
  • project_repository.test.ts - Permission checks
  • Plus 8 additional test files for markers, context loading, publishing, etc.

⚠️ Breaking Changes

  • None

🚀 Deployment Notes

  • Requires environment variable changes

Details:

  • Workflows for issue_comment and pull_request_review_comment events must include permissions: contents: write to allow the action to commit and push autofix changes.
  • New optional input bugbot-fix-verify-commands should be configured via repository variables (e.g., BUGBOT_AUTOFIX_VERIFY_COMMANDS) to specify build/test/lint commands to run after fixes.

🔒 Security Considerations

  • Authentication / authorization changes

Details:

  • File-modifying actions (autofix and do user request) are restricted to organization members (for org-owned repos) or the repository owner (for user-owned repos).
  • Non-permitted users receive a Think response (AI answer) instead of file modifications.
  • All file paths are validated to prevent directory traversal (..) and absolute paths.
  • User comments are sanitized before being sent to OpenCode prompts.

📈 Performance Impact

  • No performance impact

Details:

  • Intent detection and autofix only run on comment events, not on every push.
  • The detection phase already existed; this PR adds the fix phase which is triggered only by user request.

📝 Notes for Reviewers

  • The PR includes comprehensive documentation in docs/bugbot/ covering detection, autofix, do-user-request, configuration, and examples.
  • All new use cases follow the existing pattern of separating plan agents (read-only) from build agents (read-write).
  • The marker system for tracking findings is backwards-compatible with existing Bugbot comments.

✅ Checklist

  • I have self-reviewed my code
  • Code follows project standards and conventions
  • Tests have been added or updated
  • Documentation has been updated (if applicable)
  • No new warnings or lint errors
  • Changes are backward compatible or breaking changes are documented

📚 Additional Context

  • Documentation: See docs/bugbot/ for detailed guides on detection, autofix, and do-user-request flows.
  • Plan document: docs/plan-bugbot-autofix.md contains the full implementation plan and architecture details.
  • Cursor rules: Updated .cursor/rules/bugbot.mdc and .cursor/rules/usecase-flows.mdc with technical reference for developers.
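The marker system described under Technical Details (hidden `<!-- copilot-bugbot finding_id:"..." resolved:true|false -->` comments used to track which findings are open) can be exercised with the following added example. It is not code from this PR or from the vypdev/copilot project; the function names, the restrictive `finding_id` character set, and the sample comment body are assumptions made for the example.

```typescript
// Added example (not the project's own code): parse and update the hidden
// HTML markers the PR description describes:
//   <!-- copilot-bugbot finding_id:"..." resolved:true|false -->
// Function names, the id character set and the sample body are assumptions.

export interface FindingMarker {
  id: string;
  resolved: boolean;
}

// One marker per finding. The id pattern is deliberately restrictive so that
// text a comment author controls cannot smuggle arbitrary content into the
// state the action later acts on.
const MARKER_RE =
  /<!--\s*copilot-bugbot\s+finding_id:"([A-Za-z0-9_.-]+)"\s+resolved:(true|false)\s*-->/g;

export function parseMarkers(body: string): FindingMarker[] {
  const out: FindingMarker[] = [];
  const re = new RegExp(MARKER_RE.source, "g"); // fresh lastIndex per call
  let m: RegExpExecArray | null;
  while ((m = re.exec(body)) !== null) {
    out.push({ id: String(m[1]), resolved: m[2] === "true" });
  }
  return out;
}

export function renderMarker(marker: FindingMarker): string {
  return `<!-- copilot-bugbot finding_id:"${marker.id}" resolved:${marker.resolved} -->`;
}

// Ids of findings still open across several comment bodies (for example the
// issue comment plus the PR review comments). A finding marked resolved in
// any body counts as resolved everywhere.
export function openFindingIds(bodies: string[]): string[] {
  const state = new Map<string, boolean>();
  for (const body of bodies) {
    for (const marker of parseMarkers(body)) {
      state.set(marker.id, (state.get(marker.id) ?? false) || marker.resolved);
    }
  }
  return Array.from(state.entries())
    .filter(([, resolved]) => !resolved)
    .map(([id]) => id)
    .sort();
}

// Rewrite a body so the listed findings are marked resolved, leaving the
// visible text and the markers of other findings untouched. Unknown ids are
// ignored and a body without markers comes back unchanged.
export function markResolved(body: string, ids: Iterable<string>): string {
  const target = new Set(ids);
  return body.replace(MARKER_RE, (whole: string, id: string) =>
    target.has(id) ? renderMarker({ id, resolved: true }) : whole,
  );
}

// Constructed sample in the shape a Bugbot comment would have.
export const SAMPLE_COMMENT = [
  "## Hardcoded credential in config loader",
  '<!-- copilot-bugbot finding_id:"finding-1" resolved:false -->',
  "",
  "## Missing input validation on issue number",
  '<!-- copilot-bugbot finding_id:"finding-2" resolved:false -->',
].join("\n");
```

Keeping the marker grammar this strict is what makes the "backwards-compatible" claim checkable: any older comment either contains markers in exactly this shape or contains none, and in the second case `openFindingIds` simply reports nothing open.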
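The Security Considerations section states that file paths are validated to prevent directory traversal (`..`) and absolute paths before the Build agent's changes are committed. The following added example shows one way such a check can look; it is not the project's implementation, and the function names and the decision to reject any `..` segment (even one that would resolve back inside the workspace) are assumptions of the example.

```typescript
// Added example, not the project's code: reject the path shapes the PR's
// security section says are refused (".." traversal and absolute paths)
// before a path reported by the build agent is staged for commit.
// Function names are assumptions. Pure string checks, so the example runs
// the same on every platform; a backslash is treated as a separator too,
// since a fix produced on Windows may report "\" in paths.

export type PathCheck =
  | { ok: true; normalized: string }
  | { ok: false; reason: string };

export function checkWorkspacePath(relPath: string): PathCheck {
  if (relPath.length === 0) return { ok: false, reason: "empty path" };
  if (relPath.includes("\0")) return { ok: false, reason: "NUL byte in path" };

  const unified = relPath.replace(/\\/g, "/");
  if (unified.startsWith("/")) return { ok: false, reason: "absolute path" };
  if (/^[A-Za-z]:/.test(unified)) return { ok: false, reason: "drive-letter path" };

  const segments: string[] = [];
  for (const seg of unified.split("/")) {
    if (seg === "" || seg === ".") continue; // "a//b" and "./a" are harmless
    // Any ".." is rejected outright rather than resolved: simpler to reason
    // about, and the agent has no legitimate reason to emit one.
    if (seg === "..") return { ok: false, reason: "parent directory traversal" };
    segments.push(seg);
  }
  if (segments.length === 0) return { ok: false, reason: "path resolves to workspace root" };

  // Note: this is a string check only. If the workspace may contain
  // symlinks, the caller still has to resolve the real path on disk and
  // confirm it stays under the workspace directory.
  return { ok: true, normalized: segments.join("/") };
}

// Split the agent's reported paths into those safe to `git add` and those to
// drop, keeping the reason so the action can log why a change was skipped
// instead of silently ignoring it.
export function partitionPaths(paths: string[]): {
  accepted: string[];
  rejected: Array<{ path: string; reason: string }>;
} {
  const accepted: string[] = [];
  const rejected: Array<{ path: string; reason: string }> = [];
  for (const p of paths) {
    const result = checkWorkspacePath(p);
    if (result.ok) accepted.push(result.normalized);
    else rejected.push({ path: p, reason: result.reason });
  }
  return { accepted, rejected };
}
```

Because the PR's commit step runs `git add -A`, a check like this only helps if it runs before staging and the rejected paths are reverted in the workspace; otherwise the unvalidated files are still swept into the commit.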

…nds after autofix, enhance bugbot context loading, and improve documentation for bugbot autofix functionality.
…intent detection and execution flow, enhance logging for better debugging, and streamline payload handling in issue comment processing.
…ection in issue comment processing to improve debugging and traceability.
@docs-page (docs-page bot) commented Feb 11, 2026

To view this pull request's documentation preview, visit the following URL:

docs.page/vypdev/copilot~298

Documentation is deployed and generated using docs.page.

@vypbot vypbot changed the title Feature/296 bugbot autofix [#296] ✨ - Bugbot autofix Feb 11, 2026
@vypbot vypbot self-requested a review February 11, 2026 23:03
@vypbot vypbot added this to vypdev Feb 11, 2026
@vypbot vypbot moved this to In Progress in vypdev Feb 11, 2026
@vypbot vypbot changed the base branch from develop to master February 11, 2026 23:03
@efraespada efraespada linked an issue Feb 11, 2026 that may be closed by this pull request
@vypbot vypbot changed the base branch from master to develop February 11, 2026 23:03
@vypbot vypbot added size: XXL Indicates an extremely large task or issue that requires significant time and effort to complete. 95% Progress: 95% labels Feb 11, 2026
@vypbot (Contributor) commented Feb 11, 2026

✨ Feature Actions

  1. The pull request's title was updated from Feature/296 bugbot autofix to [#296] ✨ - Bugbot autofix.
  2. The pull request was assigned to @efraespada (creator).
  3. @vypbot was requested to review the pull request.
  4. The pull request was linked to vypdev and moved to the column In Progress.
  5. The base branch was temporarily updated to master.
  6. The description was temporarily modified to include a reference to issue ✨🧑‍💻 - Bugbot autofix #296.
  7. The base branch was reverted to its original value: develop.
  8. The temporary issue reference ✨🧑‍💻 - Bugbot autofix #296 was removed from the description.
  9. Priority set to P2 in vypdev.


🚀 Happy coding!

…tracting payload functions into a separate module, enhancing code organization and maintainability in issue comment processing.
…ination for fetching changed files, improving performance and reliability in handling large pull requests.
…PullRequest class to streamline access to review comment data, enhancing code clarity and maintainability across multiple files.
@vypbot vypbot removed the 95% Progress: 95% label Feb 11, 2026
…rove handling of trailing backslashes during truncation. Update tests to cover various scenarios of truncation and backslash management, ensuring correct behavior and preventing escape sequence issues.
…th sanitization for prompt safety in Bugbot prompts. Introduce helper functions to ensure proper formatting and escaping of special characters, enhancing robustness. Update tests to verify sanitization and truncation behavior for findings.
…y and ThinkUseCase by introducing a utility function for escaping special characters. Update related logic to ensure safe processing of user input and improve regex pattern matching. Add tests to verify correct behavior when handling special characters in user mentions and version extraction.
…utility functions, along with associated tests, to streamline the codebase. Update constants and logger by removing deprecated code. This cleanup enhances maintainability and reduces complexity.
…unctions across CLI and GitHub Action modules to streamline the codebase. This includes the elimination of the FileRepository class and related methods, enhancing maintainability and reducing complexity. Update logger and title utilities to reflect these changes.
/**
* Returns true if there are uncommitted changes (working tree or index).
*/
async function hasChanges(): Promise<boolean> {
Review comment (Contributor):

Duplicate hasChanges function remains

Severity: low

Location: src/usecase/steps/commit/bugbot/bugbot_autofix_commit.ts:163

The hasChanges() function at lines 163-165 is a duplicate that simply calls hasUncommittedChanges(). This unnecessary wrapper adds maintenance burden and confusion. It is called at line 213 and 289.
Suggested fix:
Remove the hasChanges() function and update all callers to use hasUncommittedChanges() directly.

…rage settings and modify CI workflow to run tests with coverage and upload results to Codecov. Adjust status types in branch_repository.d.ts for clarity.
@codecov-commenter commented:

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@vypbot vypbot added 95% Progress: 95% and removed 100% Progress: 100% labels Feb 12, 2026
/**
* Returns true if there are uncommitted changes (working tree or index).
*/
async function hasChanges(): Promise<boolean> {
Review comment (Contributor):

Redundant hasChanges wrapper function

Severity: low

Location: src/usecase/steps/commit/bugbot/bugbot_autofix_commit.ts:163

The hasChanges() function at lines 163-165 is a redundant wrapper that simply calls hasUncommittedChanges(). This adds unnecessary code complexity and maintenance burden. The function is used at lines 213 and 289.
Suggested fix:
Remove the hasChanges() wrapper function and update all callers to use hasUncommittedChanges() directly.

…ndling and commit notifications. Add tests for branch selection logic based on configuration, improve logging for skipped actions, and ensure proper handling of commit prefixes. Update existing tests to cover new scenarios and edge cases, enhancing overall robustness.
…s by adding scenarios for handling resolved findings, verifying command execution, and managing issue and pull request numbers. Update existing tests to improve robustness and ensure proper logging for various edge cases. Additionally, refine type definitions in branch_repository.d.ts for clarity.
… prevent auto-running during tests by checking for JEST_WORKER_ID. Update branch_repository.d.ts for clarity in status type definitions. Ensure proper CLI argument parsing only when not in test environment.
@vypbot vypbot added 100% Progress: 100% and removed 95% Progress: 95% labels Feb 12, 2026
…logic to prevent auto-running during tests by checking for JEST_WORKER_ID. Export program instance in CLI modules for better accessibility. Enhance test coverage by adding scenarios for error handling and command execution, ensuring robust logging and proper management of exit codes. Update type definitions for clarity in CLI and GitHub Action modules.
…rios for handling non-git repository errors and validating issue number inputs. Introduce JSON output verification for the CLI command. Update common action tests to handle non-Error exceptions gracefully. This improves robustness and error handling in the CLI and action execution logic.
…nfig to exclude test files. Remove obsolete test type definitions across CLI and GitHub Action modules, enhancing code clarity and maintainability. Update branch_repository.d.ts to clarify status type definitions.
@efraespada efraespada enabled auto-merge February 12, 2026 16:26
@efraespada efraespada merged commit 81ce5a6 into develop Feb 12, 2026
3 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in vypdev Feb 12, 2026
@vypbot (Contributor) commented Feb 12, 2026

✨ Feature Actions

  1. ✨🧑‍💻 - Bugbot autofix #296 was automatically closed after merging this pull request.


🚀 Happy coding!

@vypbot vypbot mentioned this pull request Feb 12, 2026
const unresolvedIds = unresolvedWithBody.map((p) => p.id);
const unresolvedFindings: UnresolvedFindingSummary[] = unresolvedWithBody.map((p) => ({
id: p.id,
title: extractTitleFromBody(p.fullBody) || p.id,
Review comment (Contributor):

ReDoS vulnerability when extracting title from untrusted PR comments

Severity: medium

Location: src/usecase/steps/commit/bugbot/detect_bugbot_fix_intent_use_case.ts:92

In detect_bugbot_fix_intent_use_case.ts lines 92-93, extractTitleFromBody is called on p.fullBody which contains untrusted issue/PR comment data from external users. The extractTitleFromBody function uses regex /^##\s+(.+)$/m without any input length limits, making it vulnerable to ReDoS attacks with malicious input containing many newlines and hash characters.
Suggested fix:
Add input length validation before calling extractTitleFromBody, or truncate the fullBody to a reasonable limit (e.g., 4000 chars) before extracting the title.
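The suggested fix in the review comment above, a length cap on the untrusted comment body before the title is extracted, is shown in the following added example together with a plain line scan whose cost is linear in the capped length. This is not the project's `extractTitleFromBody`; the function name, the handling of a heading cut in half by the truncation, and the use of the comment's 4000-character figure as the default limit are assumptions of the example.

```typescript
// Added example, not the project's code. Bounds the amount of untrusted
// comment text examined before looking for the first "## " heading, which
// is the mitigation the review comment suggests. The default limit is the
// 4000-character figure from that comment; the name and the partial-line
// handling are assumptions.

export const MAX_TITLE_SCAN_CHARS = 4000;

export function extractTitleBounded(
  body: string,
  limit: number = MAX_TITLE_SCAN_CHARS,
): string | null {
  const truncated = body.length > limit;
  const slice = truncated ? body.slice(0, limit) : body;
  const lines = slice.split(/\r?\n/);

  // When the body was cut, the last line may be an incomplete heading
  // ("## Re" out of "## Real title"). Never report half a title.
  if (truncated) lines.pop();

  for (const line of lines) {
    // Level-2 heading: "##" followed by a space or tab. "###" does not count,
    // which matches the anchored-regex behaviour of /^##\s+(.+)$/m.
    if (line.startsWith("##") && /[ \t]/.test(line.charAt(2))) {
      const title = line.slice(2).trim();
      if (title.length > 0) return title;
    }
  }
  return null;
}
```

Usage: `extractTitleBounded(p.fullBody)` in place of the unbounded call. Whatever extraction is used, the cap is the important part: the cost is then bounded by a constant the action controls rather than by how much text an outside commenter chooses to post.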


Labels: 100% Progress: 100%; size: XXL (Indicates an extremely large task or issue that requires significant time and effort to complete.)

Projects: Status: Done

Development: Successfully merging this pull request may close these issues: ✨🧑‍💻 - Bugbot autofix

3 participants