{
"//": "Drop this file (renamed to .diffgate.json) at your repo root. Run `diffgate init` to generate one.",
"//extends": "Inherit org-wide policy packs (base-first; this file wins on conflicts). Entries are paths (./team.diffgate.json) or package names resolved under node_modules (@acme/diffgate-policy). Arrays (deprecated/customPatterns/ignore) concat; objects (rules/ai/gate) merge.",
"extends": [],
"testCommand": "npm test",
"//testScope": "Down-tier non-exempt orange findings in test/fixture/mock files (orange → yellow, non-blocking) so intentional test scaffolding (mock SQL, eval in a harness, sample payloads) doesn't block the gate. Exempt rules stay blocking even in tests: hardcoded-secret, db-schema-destructive, and the graph-owned public-surface rules. Set false to gate test code exactly like production.",
"testScope": true,
"gate": {
"mode": "working",
"failOn": "orange",
"//agent": "How an agent consumer (MCP / `check --agent`) is gated — graded advice with a budget, not a block on every finding. mode 'advisory' (default) only blocks on hard rules (secrets/destructive-SQL/injection) and graph-confirmed taint; everything else is surfaced as 'review' (exit 0). 'gated' = legacy behaviour (orange findings block). 'off' = never blocks. trustSource 'deterministic' keeps LLM output out of the gate decision.",
"agent": {
"mode": "advisory",
"autoFixFloor": "orange",
"maxFixesPerTurn": 3,
"escalateAfterTurns": 2,
"trustSource": "deterministic"
}
},
"ai": {
"//": "provider: anthropic | openai | openrouter | groq | together | lmstudio | ollama | custom",
"enabled": false,
"provider": "anthropic",
"apiKeyEnv": "ANTHROPIC_API_KEY",
"model": "claude-sonnet-4-6",
"//model-routing": "model can also be a per-tier map, e.g. { \"orange\": \"<strong>\", \"default\": \"<cheap>\" }",
"//openai-example": "{ provider: 'openai', apiKeyEnv: 'OPENAI_API_KEY', model: 'gpt-5.4-mini' }",
"//openrouter-example": "{ provider: 'openrouter', apiKeyEnv: 'OPENROUTER_API_KEY', model: 'openai/gpt-5.4-mini' }",
"//local-example": "{ provider: 'lmstudio', model: 'your-loaded-model' } (no API key needed)",
"//custom-example": "{ provider: 'custom', baseURL: 'http://host:8000/v1', apiKeyEnv: 'MY_KEY', model: 'm' }",
"maxTokens": 700,
"temperature": 0
},
"deprecated": [
{
"pattern": "UserService.getLegacyAvatar",
"replacedBy": "UserService.getUser().avatarUrl",
"author": "Dave (Senior Codeowner)",
"pr": "PR #412"
},
{
"pattern": "UserService.fetchUser",
"replacedBy": "UserService.getUser",
"author": "Alice (Tech Lead)",
"pr": "PR #389"
},
{
"pattern": "StripeClient.charge",
"replacedBy": "StripeClient.createPaymentIntent",
"author": "Finance Team",
"pr": "PR #204"
}
],
"customPatterns": [
{
"id": "no-direct-process-env",
"tier": "yellow",
"pattern": "process\\.env\\.",
"message": "Read config through the typed config module, not process.env directly."
}
],
"rules": {
"todo-marker": false,
"network-call": { "tier": "green" }
},
"//graph": "Optional cross-file blast radius via a code graph (github.com/codegraph-ai/CodeGraph). enabled 'auto' = use it when an index exists, silent otherwise. A public-surface change with callers stays orange and names the reviewers; one with zero callers de-escalates to yellow. Pin a rule's tier (e.g. \"signature-drift\": { \"tier\": \"orange\" }) to opt out of de-escalation.",
"graph": {
"enabled": "auto",
"provider": "codegraph",
"command": "codegraph-server",
"mode": "cli",
"maxCallers": 20,
"escalateThreshold": 1,
"timeoutMs": 4000,
"prContext": true,
"relatedTests": true,
"editContext": true,
"//security": "Pro taint graph for injection findings. 'auto' = use when present. securityDeescalate true lets a proven-clean sink down-tier (false = enrich-only, the safe default).",
"security": "auto",
"securityDeescalate": false
},
"//guidelines": "Review the diff against your repo's own AGENTS.md/CLAUDE.md/.cursorrules (nearest file wins per directory). evaluator 'auto' = use the calling agent's model when none is configured (no API key), else the configured provider.",
"guidelines": {
"enabled": true,
"autoDetect": true,
"files": [],
"maxDepth": 3,
"maxBytesPerFile": 8000,
"tier": "yellow",
"blocking": false,
"evaluator": "auto"
},
"//learnings": "Merge shared dismiss/confirm verdicts across repos so noise suppression is org-wide. Each entry is a repo root, a .diffgate dir, or a learnings.json path. Local verdicts override shared ones.",
"learnings": {
"shared": []
},
"ignore": ["**/node_modules/**", "**/dist/**", "**/build/**"]
}