feat(hooks): warn on Greptile review extraction by created_at — use updated_at + Last reviewed commit footer (#26)

Greptile App on GitHub edits the same review comment in-place on each
re-review (does NOT post a new comment per pass). So:
  - comment.created_at stays frozen at original posting
  - comment.updated_at is what moves on re-review
  - the <sub>Last reviewed commit: ...(commit/HASH)</sub> footer is the
    authoritative source for "which commit this review covers"

Recurring buggy patterns Claude writes (verified twice — most recently
CIV-728 PR #114 forensic 2026-05-25 where the agent picked a stale 3/5
review over the actual 5/5 HEAD review):

  1. gh api .../comments --jq '... | sort_by(.created_at) ...'
  2. greptile ... | head -1   /   greptile ... | tail -1
  3. (.body | capture("/commit/(?<sha>[0-9a-f]+)"))
     -- grabs first /commit/ URL anywhere in body, not the
        "Last reviewed commit:" footer hash

New rule warn-greptile-review-extraction-by-created-at fires on all three
patterns when the same command also references "greptile" and pulls from
gh api .../comments, and does NOT fire when the corrective signals
(Last reviewed commit / updated_at) are present.

Action is `warn` (not `block`) — there are legitimate cases for
creation-order audits. Bypass marker: greptile-extraction-acknowledged.
The warning message paste-includes the corrective pattern so future
Claude sessions get the right code via the hook output, not via memory.

Bumps version 1.16.0 -> 1.17.0 across package.json, .claude-plugin/
plugin.json, .claude-plugin/marketplace.json, README.md header.
CHANGELOG.md gains a 1.17.0 entry.

9 new tests added; full hook test suite passes 219/219.

Memories:
  - feedback_greptile_match_head_not_chronology.md
  - feedback_tail_with_desc_ordering.md

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: lapc506

.claude-plugin/marketplace.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://anthropic.com/claude-code/marketplace.schema.json",
   "name": "make-no-mistakes",
-  "version": "1.16.0",
+  "version": "1.17.0",
   "description": "The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, manage sessions, and stash secrets via OS-native prompts. One plugin to make no mistakes.",
   "owner": {
     "name": "Luis Andres Pena Castillo",
@@ -11,7 +11,7 @@
     {
       "name": "make-no-mistakes",
       "description": "Dev lifecycle orchestrator: disciplined Linear issue execution with worktree isolation, PR review with Greptile gating, team release sync, E2E test generation and execution, test suite previewer, security pentesting, MoSCoW + RICE prioritization, cross-platform secret stash via OS-native GUI prompts (zenity / kdialog / osascript / Get-Credential), and session management. 18 commands, 6 auto-activating skills, 2 specialized agents.",
-      "version": "1.16.0",
+      "version": "1.17.0",
       "author": {
         "name": "Luis Andres Pena Castillo",
         "email": "lapc506@users.noreply.github.com"

.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "make-no-mistakes",
-  "version": "1.16.0",
+  "version": "1.17.0",
   "description": "The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, manage sessions, stash secrets, and enforce manifest-driven tool-call hooks. One plugin to make no mistakes.",
   "author": {
     "name": "Luis Andres Pena Castillo",

CHANGELOG.md

@@ -18,6 +18,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.17.0] - 2026-05-25
+
+### Added
+- **New PreToolUse rule `warn-greptile-review-extraction-by-created-at`
+  (Bash).** Warns when a command extracts Greptile review state from
+  `gh api .../comments` using chronology-based patterns that silently
+  return stale data on re-reviews. The motivating bug (verified twice,
+  most recently CIV-728 PR #114 forensic 2026-05-25): Greptile App
+  EDITS the same review comment in-place on each re-review, so
+  `comment.created_at` is frozen at original posting and only
+  `comment.updated_at` moves. Three buggy patterns now trigger the
+  warning:
+  - `sort_by(.created_at)` / `select` on `.created_at` inside a jq
+    expression over Greptile comments.
+  - `greptile` + `head -N` / `tail -N` on the same command (implicit
+    chronology assumption — "first match wins").
+  - `capture("/commit/(?<sha>[0-9a-f]+)")` over a Greptile body — grabs
+    the FIRST `/commit/` URL anywhere in the body (often a permalink
+    quoted inside a finding), not the authoritative
+    `<sub>Last reviewed commit: ...(commit/HASH)</sub>` footer hash.
+
+  The rule's warning message paste-includes the corrective pattern:
+  pull HEAD via `gh pr view --json headRefOid`, filter Greptile
+  comments to those whose `Last reviewed commit:` footer matches HEAD,
+  then `sort_by(.updated_at) | last`. Action is `warn` (not `block`)
+  — there are legitimate reasons to look at creation order (e.g.
+  auditing posting cadence). Bypass marker:
+  `greptile-extraction-acknowledged`.
+
+  Memories: `feedback_greptile_match_head_not_chronology.md`,
+  `feedback_tail_with_desc_ordering.md`.
+
 ## [1.16.0] - 2026-05-20
 
 ### Added

README.md

@@ -1,6 +1,6 @@
 # make-no-mistakes
 
-**Version: 1.16.0** · [CHANGELOG](./CHANGELOG.md) · [Marketplace](https://github.com/DojoCodingLabs/make-no-mistakes-toolkit)
+**Version: 1.17.0** · [CHANGELOG](./CHANGELOG.md) · [Marketplace](https://github.com/DojoCodingLabs/make-no-mistakes-toolkit)
 
 The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, and manage sessions. One plugin to make no mistakes.
 

hooks/rules/rules.json

@@ -2785,5 +2785,126 @@
         "expected_exit": 0
       }
     ]
+  },
+  {
+    "id": "warn-greptile-review-extraction-by-created-at",
+    "description": "Warn when a Bash command extracts Greptile review state but uses created_at / chronology / first-commit-URL capture — Greptile edits the same comment in-place, so updated_at + the \"Last reviewed commit:\" footer hash are the authoritative signals (memory feedback_greptile_match_head_not_chronology.md)",
+    "applies_to": [
+      "Bash"
+    ],
+    "match": [
+      {
+        "field": "command",
+        "pattern": "gh[[:space:]]+api\\b.*\\bcomments\\b"
+      },
+      {
+        "field": "command",
+        "pattern": "greptile",
+        "flags": "i"
+      },
+      {
+        "field": "command",
+        "pattern": "(\\bcreated_at\\b|\\b(head|tail)[[:space:]]+-n?[[:space:]]*[0-9]+|capture\\([^)]*/commit/)"
+      },
+      {
+        "field": "command",
+        "not_pattern": "(Last reviewed commit|\\bupdated_at\\b)"
+      }
+    ],
+    "action": "warn",
+    "bypass_marker": "greptile-extraction-acknowledged",
+    "memory_ref": "feedback_greptile_match_head_not_chronology.md",
+    "references": [
+      "feedback_tail_with_desc_ordering.md — sister rule on DESC|tail bug",
+      "CIV-728 PR #114 forensic 2026-05-25 — stale 3/5 review picked over 5/5 HEAD review"
+    ],
+    "message": "WARN: Bash command extracts Greptile review state with a chronology-based\npattern (created_at / head -N / tail -N / capture(.../commit/...)).\n\nGreptile App on GitHub EDITS the same review comment in-place on each\nre-review. As a result:\n  - comment.created_at is FROZEN at original posting; it DOES NOT\n    change when Greptile re-analyzes a new commit.\n  - comment.updated_at IS what moves with each re-review.\n  - The \"<sub>Last reviewed commit: ...(commit/HASH)</sub>\" footer in\n    the body is the authoritative source for \"which commit this review\n    is about\" — NOT the first /commit/ URL captured anywhere in the\n    body (which is often a permalink quoted inside a finding).\n\nUse this pattern instead (copy-paste-able):\n\n  HEAD=$(gh pr view <N> --json headRefOid --jq '.headRefOid')\n  export SHORT=${HEAD:0:10}\n  gh api \"repos/<owner>/<repo>/issues/<N>/comments\" --jq '\n    [.[] | select(.user.login | test(\"greptile\";\"i\")) | {\n      updated: .updated_at,\n      commit: ((.body | split(\"Last reviewed commit:\")[1] // \"\" |\n                split(\"commit/\")[1] // \"\" | split(\")\")[0])[0:10]),\n      score: ((.body | capture(\"<h3>Confidence Score: (?<s>[0-9]/5)</h3>\").s) // \"?\")\n    }] | map(select(.commit == env.SHORT)) | sort_by(.updated) | last'\n\nThis:\n  1. Pulls the PR's actual HEAD SHA up front.\n  2. Filters Greptile comments to ONLY those whose \"Last reviewed\n     commit:\" footer matches HEAD (so a stale older review can't win).\n  3. Among the matching reviews, picks the latest by updated_at.\n\nPer feedback_greptile_match_head_not_chronology.md: out-of-order parallel\nre-runs make creation order misleading. Per feedback_tail_with_desc_\nordering.md: same failure mode (trust an implicit order without\nvalidating it).\n\nBypass marker (greptile-extraction-acknowledged) ONLY for legitimate\ncases (e.g., you explicitly WANT the creation order to audit posting\ncadence, not the latest state).\n",
+    "tests": [
+      {
+        "name": "warns-on-sort-by-created-at-greptile-comments",
+        "input": {
+          "tool_input": {
+            "command": "gh api repos/o/r/issues/1/comments --jq '[.[] | select(.user.login | test(\"greptile\";\"i\"))] | sort_by(.created_at) | last'"
+          }
+        },
+        "expected_exit": 0,
+        "expected_stderr_contains": "warn-greptile-review-extraction-by-created-at"
+      },
+      {
+        "name": "warns-on-greptile-grep-then-tail",
+        "input": {
+          "tool_input": {
+            "command": "gh api repos/o/r/issues/1/comments --jq '.[].body' | grep -i greptile | tail -1"
+          }
+        },
+        "expected_exit": 0,
+        "expected_stderr_contains": "warn-greptile-review-extraction-by-created-at"
+      },
+      {
+        "name": "warns-on-greptile-grep-then-head",
+        "input": {
+          "tool_input": {
+            "command": "gh api repos/o/r/issues/1/comments --jq '.[] | select(.body | test(\"greptile\";\"i\"))' | grep 'Confidence Score' | head -1"
+          }
+        },
+        "expected_exit": 0,
+        "expected_stderr_contains": "warn-greptile-review-extraction-by-created-at"
+      },
+      {
+        "name": "warns-on-capture-commit-sha-from-greptile-body",
+        "input": {
+          "tool_input": {
+            "command": "gh api repos/o/r/issues/1/comments --jq '[.[] | select(.user.login | test(\"greptile\";\"i\")) | {commit: (.body | capture(\"/commit/(?<sha>[0-9a-f]+)\").sha)}]'"
+          }
+        },
+        "expected_exit": 0,
+        "expected_stderr_contains": "warn-greptile-review-extraction-by-created-at"
+      },
+      {
+        "name": "allows-correct-pattern-updated-at-and-last-reviewed-commit",
+        "input": {
+          "tool_input": {
+            "command": "gh api \"repos/o/r/issues/1/comments\" --jq '\n  [.[] | select(.user.login | test(\"greptile\";\"i\")) | {\n    updated: .updated_at,\n    commit: ((.body | split(\"Last reviewed commit:\")[1] // \"\" | split(\"commit/\")[1] // \"\" | split(\")\")[0])[0:10]),\n    score: ((.body | capture(\"<h3>Confidence Score: (?<s>[0-9]/5)</h3>\").s) // \"?\")\n  }] | sort_by(.updated) | last'\n"
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-non-greptile-comments-call",
+        "input": {
+          "tool_input": {
+            "command": "gh api repos/o/r/issues/1/comments --jq '[.[] | .body] | sort_by(.created_at)'"
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-greptile-with-updated-at-and-sort",
+        "input": {
+          "tool_input": {
+            "command": "gh api repos/o/r/issues/1/comments --jq '[.[] | select(.user.login | test(\"greptile\";\"i\"))] | sort_by(.updated_at) | last'"
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-gh-search-greptile-not-api-comments",
+        "input": {
+          "tool_input": {
+            "command": "gh search prs --label greptile-approved"
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-bypass-marker",
+        "input": {
+          "tool_input": {
+            "command": "gh api repos/o/r/issues/1/comments --jq '[.[] | select(.user.login | test(\"greptile\";\"i\"))] | sort_by(.created_at) | last' # hook-bypass: greptile-extraction-acknowledged"
+          }
+        },
+        "expected_exit": 0
+      }
+    ]
   }
 ]