PR risk gate for AI-generated code: diff scoring, test impact checks, and merge policy enforcement.
Project description
DiffTriage - Pro PR Risk Gating for AI-Generated Code
difftriage is an open-source Python library for production-grade pull request risk analysis.
It scores change risk across blast radius, behavior change, test impact, schema/security sensitivity, AI uncertainty, and observability gaps. It then enforces configurable merge policy decisions: pass, review_required, block, and override_required_review.
Why DiffTriage
Teams shipping more AI-assisted code often face:
- more regressions in core paths,
- slower reviews,
- weak signal-to-noise in large diffs.
DiffTriage provides a deterministic, explainable risk gate with rule-level scoring so teams can move fast without blind merges.
Key Features
- Multi-factor risk model (9 weighted dimensions)
- Explainable scoring with per-rule contributions
- Policy decisions: pass / review_required / block / override_required_review
- Confidence bands near threshold boundaries
- False-positive controls for docs/tests-only changes
- Override governance with audit-friendly policy flags
- CI-friendly CLI with multiple output modes
- GitHub + PyPI release workflows (trusted publishing ready)
Installation
pip install difftriage
Requires Python 3.10+.
Quick Start
difftriage score \
--files-changed 12 \
--lines-added 420 \
--lines-deleted 130 \
--changed-path src/auth/service.py \
--changed-path db/migrations/001.sql \
--dependencies-changed \
--output text
Example result:
- risk score + level
- decision + confidence
- top risk drivers
- rule scores
CLI Usage
Output formats:
- --output text (default)
- --output json
- --output markdown
Exit semantics:
- --exit-mode threshold: 0 = pass, 2 = fail
- --exit-mode decision: 0 = pass, 3 = review required, 2 = block
Examples:
# JSON for automation
difftriage score --files-changed 8 --lines-added 140 --lines-deleted 35 --changed-path src/payments.py --output json
# Markdown for PR comments
difftriage score --files-changed 8 --lines-added 140 --lines-deleted 35 --changed-path src/payments.py --output markdown --exit-mode decision
Risk Model
Default weighted dimensions:
- blast_radius (0.20)
- behavior_change (0.18)
- test_impact (0.16)
- complexity (0.12)
- dependency_config (0.10)
- data_schema (0.08)
- security_privacy (0.08)
- ai_uncertainty (0.05)
- observability_gap (0.03)
Scoring levels:
- 0-24: low
- 25-49: medium
- 50-74: high
- 75-100: critical
Configuration
Create .difftriage.yml in repo root:
threshold: 50
review_threshold: 50
block_threshold: 75
enable_confidence_bands: true
weights:
  blast_radius: 0.20
  behavior_change: 0.18
  test_impact: 0.16
  complexity: 0.12
  dependency_config: 0.10
  data_schema: 0.08
  security_privacy: 0.08
  ai_uncertainty: 0.05
  observability_gap: 0.03
rules:
  risky_path_patterns: ["auth", "billing", "migrations", ".github/workflows", "infra", "config", "permissions", "token"]
  schema_patterns: ["migrations", "schema", "models", "ddl"]
  security_patterns: ["auth", "token", "permission", "secret", "privacy"]
  observability_patterns: ["log", "metrics", "trace"]
  safe_path_patterns: ["docs/", ".md", "tests/"]
policy:
  docs_tests_only_max_score: 18
  safe_change_max_score: 30
  security_block_score: 70
  schema_block_score: 78
  schema_review_score: 45
  dependency_review_score: 55
  missing_tests_review_score: 45
override:
  require_reason_min_length: 12
  allow_score_override: true
  allow_schema_override: true
  allow_dependency_override: true
  allow_security_override: true
CI Integration
DiffTriage is designed for CI gates:
difftriage score ... --output json --exit-mode decision
Recommended policy:
- treat review_required as the protected-branch reviewer gate,
- treat block as a merge stop,
- allow audited overrides only for approved emergency paths.
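The weighted risk model, scoring bands, policy knobs and `--exit-mode decision` codes described above, carried through end to end as an added Python example. This is not difftriage's own code or API: the function names, the per-dimension sub-scores (0-100) and the exact semantics of docs_tests_only_max_score (cap) and security_block_score (hard block) are assumptions.

```python
# Hypothetical re-implementation of the scoring/policy flow on this page, not difftriage's own code.
# Per-dimension sub-scores (0-100) are assumed inputs; the real tool derives them from the diff.

# Default weights from the "Risk Model" section (they sum to 1.0).
WEIGHTS = {
    "blast_radius": 0.20, "behavior_change": 0.18, "test_impact": 0.16,
    "complexity": 0.12, "dependency_config": 0.10, "data_schema": 0.08,
    "security_privacy": 0.08, "ai_uncertainty": 0.05, "observability_gap": 0.03,
}
SAFE_PATH_PATTERNS = ("docs/", ".md", "tests/")             # rules.safe_path_patterns
REVIEW_THRESHOLD, BLOCK_THRESHOLD = 50, 75                   # review_threshold / block_threshold
DOCS_TESTS_ONLY_MAX_SCORE = 18                               # policy.docs_tests_only_max_score
SECURITY_BLOCK_SCORE = 70                                    # policy.security_block_score
EXIT_CODES = {"pass": 0, "block": 2, "review_required": 3}  # --exit-mode decision


def contributions(dims: dict[str, float]) -> list[tuple[str, float]]:
    """Per-rule contributions (weight x clamped sub-score), largest first: the 'top risk drivers'."""
    parts = [(k, round(w * min(max(dims.get(k, 0.0), 0.0), 100.0), 2)) for k, w in WEIGHTS.items()]
    return sorted(parts, key=lambda kv: kv[1], reverse=True)


def risk_level(score: float) -> str:
    """Bands from the README: 0-24 low, 25-49 medium, 50-74 high, 75-100 critical."""
    return "low" if score < 25 else "medium" if score < 50 else "high" if score < 75 else "critical"


def decide(dims: dict[str, float], changed_paths: list[str]) -> dict:
    """Score the change and apply the merge policy. Assumed semantics: a docs/tests-only diff is
    capped at docs_tests_only_max_score; a security_privacy sub-score at or above
    security_block_score forces 'block' regardless of the total."""
    score = round(sum(c for _, c in contributions(dims)), 2)
    safe_only = bool(changed_paths) and all(
        any(p in path for p in SAFE_PATH_PATTERNS) for path in changed_paths)
    if safe_only:
        score = min(score, DOCS_TESTS_ONLY_MAX_SCORE)
    hard_block = not safe_only and dims.get("security_privacy", 0.0) >= SECURITY_BLOCK_SCORE
    if hard_block or score >= BLOCK_THRESHOLD:
        decision = "block"
    elif score >= REVIEW_THRESHOLD:
        decision = "review_required"
    else:
        decision = "pass"
    return {"score": score, "level": risk_level(score), "decision": decision,
            "exit_code": EXIT_CODES[decision], "top_drivers": contributions(dims)[:3]}


if __name__ == "__main__":
    # Constructed sub-scores for the Quick Start PR (auth service + SQL migration).
    auth_pr = {"blast_radius": 70, "behavior_change": 60, "test_impact": 80, "complexity": 40,
               "dependency_config": 50, "data_schema": 90, "security_privacy": 75,
               "ai_uncertainty": 30, "observability_gap": 20}
    print(decide(auth_pr, ["src/auth/service.py", "db/migrations/001.sql"]))
```

The auth/migration case scores 62.7 (high), which on its own would only require review, but the security_privacy sub-score crosses security_block_score and the result is block with exit code 2.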
Release and Publishing
This repo includes:
- .github/workflows/ci.yml for tests + build checks
- .github/workflows/release.yml for tag-based PyPI publishing
Publish flow:
- Push tag vX.Y.Z
- Build artifacts
- Publish with pypa/gh-action-pypi-publish via GitHub OIDC
Local Validation
pip install -e . pytest build twine
pytest -q
python -m build
twine check dist/*
Contributing
Issues and pull requests are welcome.
License
MIT - see LICENSE.
File details
Details for the file difftriage-0.1.0.tar.gz.
File metadata
- Download URL: difftriage-0.1.0.tar.gz
- Upload date:
- Size: 9.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1bf06d98dc826c15b366bf2028b58de0dbf1d7090f018710d340170d4e09a3cd |
| MD5 | 1f23bb55f881070cec93a2f23c8ead41 |
| BLAKE2b-256 | 7636a3a76bb97d2c662b3dc49b27b51bb071a3bc47ad7f9316b7c2e0b0453883 |
File details
Details for the file difftriage-0.1.0-py3-none-any.whl.
File metadata
- Download URL: difftriage-0.1.0-py3-none-any.whl
- Upload date:
- Size: 9.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9fe0132a34364f8bfd853097a98b50e111166672eb9bbc555ca299137c95c12a |
| MD5 | 402dc71c78c1967a553d4e3d72021c05 |
| BLAKE2b-256 | bb65d9c668bd50c1beeb484944d003e045a1a39c7b018f2f0454125250d1dcdf |