fix(reviews): aggregate accepts repoRoot to resolve repo-relative paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: JohnMcLear

.claude/commands/release-review.md

@@ -55,7 +55,7 @@ Block until all four complete. Verify each output JSON exists. For any that didn
 
 ```bash
 pnpm --filter ep_etherpad-lite exec tsx node/utils/releaseReview/cli.ts \
-  aggregate /tmp/release-review/<run-id> docs/reviews/known-findings.yml medium
+  aggregate /tmp/release-review/<run-id> docs/reviews/known-findings.yml medium "$(git rev-parse --show-toplevel)"
 ```
 (Replace `<run-id>` with the literal run-id from Phase 0.)
 Reads all `*.json` from the run-dir except `merged.json` / `triage.json`. Writes `merged.json`.

src/node/utils/releaseReview/cli.ts

@@ -29,17 +29,18 @@ const cmds: Record<string, (args: string[]) => void> = {
   },
 
   aggregate: (args) => {
-    const [runDir, supPath, floor] = args;
-    if (!runDir || !supPath || !floor) die('usage: aggregate <runDir> <suppressionPath> <severityFloor>');
+    const [runDir, supPath, floor, repoRoot] = args;
+    if (!runDir || !supPath || !floor || !repoRoot) die('usage: aggregate <runDir> <suppressionPath> <severityFloor> <repoRoot>');
     const fileLineCache = new Map<string, string[]>();
     const readLines = (file: string): string[] => {
-      if (!fileLineCache.has(file)) {
+      const abs = path.isAbsolute(file) ? file : path.join(repoRoot, file);
+      if (!fileLineCache.has(abs)) {
         fileLineCache.set(
-          file,
-          fs.existsSync(file) ? fs.readFileSync(file, 'utf8').split('\n') : [],
+          abs,
+          fs.existsSync(abs) ? fs.readFileSync(abs, 'utf8').split('\n') : [],
         );
       }
-      return fileLineCache.get(file)!;
+      return fileLineCache.get(abs)!;
     };
     const enrich = (raw: any): Finding => {
       // Subagent JSON may be top-level array OR {findings: [...]}.

src/tests/backend/specs/releaseReview-utils.ts

@@ -320,7 +320,7 @@ describe(__filename, function () {
       ]));
       const supPath = path.join(tmpDir, 'sup.yml');
       fs.writeFileSync(supPath, 'findings: []\n');
-      runCli(['aggregate', runDir, supPath, 'medium']);
+      runCli(['aggregate', runDir, supPath, 'medium', '/']);
       const merged = JSON.parse(fs.readFileSync(path.join(runDir, 'merged.json'), 'utf8'));
       assert.equal(merged.length, 1);
       assert.equal(merged[0].severity, 'high');
@@ -339,11 +339,36 @@ describe(__filename, function () {
       }));
       const supPath = path.join(tmpDir, 'sup-empty.yml');
       fs.writeFileSync(supPath, 'findings: []\n');
-      runCli(['aggregate', runDir, supPath, 'medium']);
+      runCli(['aggregate', runDir, supPath, 'medium', '/']);
       const merged = JSON.parse(fs.readFileSync(path.join(runDir, 'merged.json'), 'utf8'));
       assert.equal(merged.length, 1);
       assert.match(merged[0].fingerprint, /^[0-9a-f]{64}$/);
     });
+
+    it('aggregate resolves repo-relative file paths against repoRoot', function () {
+      this.timeout(15000);
+      const runDir = path.join(tmpDir, 'run-2026-05-09-3');
+      fs.mkdirSync(runDir);
+      // Use a relative path that requires repoRoot resolution.
+      const fakeRepoRoot = FIXTURE_DIR;
+      const relPath = 'sample-source.ts';  // exists at FIXTURE_DIR/sample-source.ts
+      fs.writeFileSync(path.join(runDir, 'auth-sessions.json'), JSON.stringify({
+        findings: [
+          {source: 'auth-sessions', severity: 'high', category: 'bug', file: relPath, line: 6, ruleId: 'auth-sessions.x', message: 'm'},
+        ],
+      }));
+      const supPath = path.join(tmpDir, 'sup-rel.yml');
+      fs.writeFileSync(supPath, 'findings: []\n');
+      runCli(['aggregate', runDir, supPath, 'medium', fakeRepoRoot]);
+      const merged = JSON.parse(fs.readFileSync(path.join(runDir, 'merged.json'), 'utf8'));
+      assert.equal(merged.length, 1);
+      // Fingerprint should be computed from real file content.
+      // Compare to a known fingerprint we can derive directly.
+      const {computeFingerprint} = require('../../../node/utils/releaseReview/fingerprint');
+      const lines = fs.readFileSync(path.join(fakeRepoRoot, relPath), 'utf8').split('\n');
+      const expected = computeFingerprint('auth-sessions.x', relPath, 6, lines);
+      assert.equal(merged[0].fingerprint, expected);
+    });
   });
 
   describe('suppression', function () {