Diffwarden

Overview

preflight -> detect PR -> collect evidence -> classify -> plan fixes -> apply safe fixes -> verify -> optional push -> re-check -> report

When to Use

• check a PR before merge
• address review feedback
• fix failing PR checks
• run a review-fix-verify loop
• prepare a PR for human approval
• perform a security/quality pass on changed code
• verify whether a PR is merge-ready

• production deployment
• automatic merging
• bypassing or weakening CI
• broad refactors outside PR scope
• destructive history rewrite
• non-GitHub workflows until adapters are added

Inputs

• PR number or URL, optional. If omitted, detect from current branch.

• --dry-run

  , optional. Plan only; no edits, commits, pushes, or comment resolution.

• --no-push

  , optional. Local fixes only.

• --post-review

  , optional. Post findings to the PR as a GitHub review of type

  COMMENT

  (and optional inline comments). Off by default; requires explicit user authorization each run. Never approves, requests changes, or merges.

• --security-focus

  , optional. Prioritize auth, input validation, secrets, data loss, SSRF, injection, path traversal, crypto, and logging leaks.

• --max-iterations N

  , optional. Default

  3

  ; hard max

  5

  unless the user explicitly asks otherwise.

• GitHub via

  gh

  CLI.

• GitLab via

  glab

  .
• Perforce via

  p4

  .
• Greptile MCP adapter.

External Agent Protocol

CAVEMAN MODE:
- Compact, high-signal output.
- Bullets over prose.
- No filler.
- Preserve exact paths, commands, errors, verification results, risks, and next actions.
- Do not make broad changes beyond requested scope.

• Claude Code CLI: primary implementation/review helper.
• Copilot CLI: secondary implementation/review helper.
• The primary agent remains orchestrator and verifier.

command -v claude || true
command -v copilot || true
claude --version || true
copilot --version || true

1. Do not trust external-agent self-reports.
2. Verify all claimed changes with file reads,

   git diff

   , and commands.
3. If agent outputs conflict, prefer verified evidence over claims.
4. External agents must not commit, push, merge, or resolve comments unless explicitly authorized.

Preflight

git rev-parse --show-toplevel
git status --short
git branch --show-current
git remote -v
command -v gh || true
gh auth status

• not inside a git repo
• GitHub CLI is unavailable or unauthenticated
• no PR can be detected and no PR number was provided
• current branch is

  main

  ,

  master

  ,

  trunk

  , or the PR base branch
• worktree has unrelated dirty files that may be overwritten
• PR is closed or merged
• a human pushed new commits mid-loop and state is stale

• If dirty files are unrelated to the PR fix, stop and ask.
• If dirty files are expected current-task edits, record them before continuing.

GitHub PR Detection

gh pr view --json number,url,title,headRefName,baseRefName,headRefOid,isDraft,mergeStateStatus

gh pr view <PR_NUMBER> --json number,url,title,body,state,isDraft,author,headRefName,baseRefName,headRefOid,mergeStateStatus,reviewDecision,statusCheckRollup

git branch --show-current
gh pr view <PR_NUMBER> --json headRefName,baseRefName -q '{head: .headRefName, base: .baseRefName}'

Evidence Collection

gh pr diff <PR_NUMBER>
gh pr checks <PR_NUMBER> --watch=false
gh api repos/{owner}/{repo}/pulls/<PR_NUMBER>/comments --paginate
gh api repos/{owner}/{repo}/issues/<PR_NUMBER>/comments --paginate
gh pr view <PR_NUMBER> --json number,url,title,body,state,isDraft,author,reviews,comments,files,commits,headRefOid,reviewDecision,statusCheckRollup

• PR title/body and acceptance criteria.
• Changed files and diff size.
• CI/check status.
• Inline review comments.
• General issue comments.
• Bot vs human comments.
• Required approvals or changes requested.
• Latest reviewed commit vs current head commit.

• relevant changed files
• adjacent code
• existing tests
• project instructions:

  AGENTS.md

  ,

  CLAUDE.md

  ,

  .cursorrules

  , README, test docs
• dependency/config files needed to discover verification commands

Classification Taxonomy

Actionable

• failing CI
• required review change
• bug in changed code
• missing test for changed behavior
• security weakness
• broken build/typecheck/lint
• PR description missing required testing/risk notes

Informational

• FYI comments
• duplicated bot comments
• optional style suggestions
• low-confidence suggestions
• comments outside PR scope

Already addressed

• inspect current file content
• inspect current diff
• run relevant test/check if possible
• confirm the comment applies to old code, not current head

Needs user decision

• product behavior ambiguity
• public API contract
• database migration risk
• authentication/authorization design
• payment/billing behavior
• secrets or production config
• CI/workflow weakening
• file deletion
• dependency removal
• broad refactor beyond PR scope

Severity Model

• P0 critical: security exploit, data loss, crash, auth bypass, secret leak.
• P1 high: incorrect behavior, failing required check, broken edge case, review-blocking issue.
• P2 medium: maintainability, missing targeted test, confusing behavior, non-blocking quality issue.
• P3 low/info: polish, optional style, context note.

Fix Planning Protocol

Findings:
1. [ACTIONABLE][P1/security] file:line — issue
   Evidence: ...
   Fix: ...
   Verify: ...

Will change:
- path/to/file.ext
- tests/path/to/test.ext

Will run:
- exact test/lint commands

Will not change:
- unrelated files
- public API unless approved

• Fix root causes, not symptoms.
• Prefer smallest safe patch.
• Preserve existing project style.
• Add/adjust tests when behavior changes.
• Do not weaken tests, lints, branch protection, or CI workflows to pass checks.
• If diff grows beyond about 500 lines, stop and ask unless the user requested a large fix.

Applying Fixes

git status --short
git diff --stat

git diff --stat
git diff --check

git reset --hard
git clean -fd
git push --force
git rebase

• Default: do not commit/push unless requested.
• If user requested full PR preparation, commits are allowed after verification.
• Never auto-merge.
• Never force-push.
• Before any commit, inspect staged diff.
• Before any push, verify current head did not change unexpectedly.

Verification Strategy

• package.json

• pyproject.toml

• pytest.ini

• tox.ini

• Makefile

• .github/workflows/*

• README/docs
• project

  AGENTS.md

  ,

  CLAUDE.md

  ,

  .cursorrules

  , or equivalent agent instruction files

• test file related to changed file
• linter for changed language
• typecheck for touched package
• security test for auth/input/data changes

npm test -- --runInBand path/to/test
npm run lint
npm run typecheck
pytest tests/path/test_file.py -q
ruff check path/to/file.py
cargo test -p package_name
make test

• command
• exit code
• pass/fail
• important output excerpt

1. Diagnose root cause.
2. Do not hide or bypass failure.
3. Fix if scoped and safe.
4. Otherwise stop with blocker report.

Loop Algorithm

3

1. Run preflight.
2. Detect PR and current head SHA.
3. Collect PR evidence.
4. Classify findings.
5. Stop if no actionable findings and required checks pass.
6. Produce fix plan.
7. Apply safe scoped fixes.
8. Run targeted verification.
9. Run broader verification if needed.
10. Inspect diff.
11. If commit/push authorized, commit/push. If

    --post-review

    and posting authorized, post a

    COMMENT

    review with findings.
12. Re-collect PR evidence after checks complete or when user asks to stop.
13. If checks are still pending/in progress, report that state explicitly; do not claim merge-ready until required checks reach terminal passing state.

• max iterations reached
• same finding reappears without progress
• verification fails for ambiguous root cause
• user decision is needed
• risk exceeds requested scope
• worktree contains unexpected unrelated changes
• PR head changes externally mid-loop
• PR is closed or merged externally

• required checks pass
• no actionable unresolved comments
• no known P0/P1/security issue
• PR description has adequate summary/testing/risk notes
• changed files are scoped and verified

Comment Resolution Rules

• May resolve only if user requested it and evidence proves the fix.
• Include evidence: commit, file, line, test command.

• Do not resolve by default.
• Only resolve if the user explicitly asks and the fix directly addresses the comment.

• Treat as already addressed only after checking current code and latest commit.
• Do not ignore comments just because they are old.

Posting Review to PR

• --post-review

  was passed, and
• the user explicitly authorized posting for this run.

• Only post reviews of type

  COMMENT

  . Never

  APPROVE

  . Never

  REQUEST_CHANGES

  . Approval and change-request are human merge-gating decisions and are out of scope.
• Never resolve, dismiss, or edit existing human review threads.
• Never merge, push to the head branch, or modify the PR's commits when posting a review.
• Redact secrets/tokens from comment bodies before posting.
• Use the head SHA captured during evidence collection. If the PR head changed since, stop and re-collect; do not post against a stale commit.
• Prefix the review body so it is clearly an automated review, e.g.

  Diffwarden review (automated — comment only, no approval)

  .

• Before posting, list existing PR review comments and check for prior Diffwarden comments at the same path/line.
• Do not repost duplicates. Skip resolved points; only add new or changed findings.

gh pr view <PR_NUMBER> --json author,headRefOid,isDraft,state
gh api repos/{owner}/{repo}/pulls/<PR_NUMBER>/comments --paginate

gh pr review <PR_NUMBER> --comment --body-file diffwarden-review.md

COMMENT

gh api repos/{owner}/{repo}/pulls/<PR_NUMBER>/reviews \
  -f event='COMMENT' \
  -f body='Diffwarden review (automated — comment only, no approval). Summary: ...' \
  -f 'comments[][path]=path/to/file.ext' \
  -F 'comments[][line]=NN' \
  -f 'comments[][side]=RIGHT' \
  -f 'comments[][body]=[P1/security] issue. Evidence: ... Suggested fix: ...'

Security-Focused Checklist

--security-focus

• authn/authz bypass
• missing ownership checks
• injection: SQL/NoSQL/command/template
• SSRF and unsafe URL fetches
• path traversal and unsafe file access
• unsafe deserialization
• XSS and output encoding
• CSRF/session/cookie weakness
• secret logging or token exposure
• cryptography misuse
• race conditions and TOCTOU
• data deletion or migration risk
• PII leakage

• claim
• evidence
• exploitability or impact
• recommended fix
• verification command or review step

Branch and CI Protection Guards

• .github/workflows/**

• branch protection configuration
• test snapshots that hide behavior changes
• linter/typecheck configuration
• auth, payments, migrations, secrets, infra config

gh api repos/{owner}/{repo}/branches/<BRANCH>/protection || true

Dry Run Mode

• collect PR evidence
• classify findings
• produce fix plan
• list verification commands
• do not edit files
• do not commit
• do not push
• do not resolve comments

Final Report Format

Diffwarden result.

Status: merge-ready | needs fixes | blocked | user decision needed
PR: <url>
Iterations: N/M

Findings:
- Fixed: N
- Remaining actionable: N
- Informational: N
- Already addressed: N

Verification:
- PASS `command`
- FAIL `command` — reason

Changed files:
- path

Risks:
- risk or "none known"

Next action:
- merge / review diff / approve decision / run command

Common Pitfalls

1. Trusting bot comments without checking current code. Always verify against current head.
2. Fixing CI by weakening CI. Never reduce test/lint/security coverage to pass.
3. Resolving human comments too aggressively. Human review is a decision trail; preserve it unless asked.
4. Overbuilding beyond PR scope. Diffwarden is a guardian, not a refactor engine.
5. Skipping tests because fix is small. Run at least a targeted verification when behavior changes.
6. Ignoring dirty worktree. Protect uncommitted user work first.
7. Letting loops oscillate. If the same issue returns, stop and report root cause.
8. Believing external agents. Read files and run commands before declaring success.

Verification Checklist

• PR detected and URL reported.
• Current branch is PR head, not base branch.
• Worktree state inspected.
• Checks/comments/diff collected.
• Findings classified.
• Fix plan made before edits.
• Risk gates respected.
• Tests/lints/typechecks run where applicable.
• No force-push, auto-merge, or history rewrite.
• No human comment resolved without explicit approval.
• If a review was posted, it was

  COMMENT

  only (no approve/request-changes) and authorized.
• Final report includes status, findings, verification, changed files, risks, next action.