lgtmaybe 0.1.0

Provider-agnostic PR reviewer — six providers, one flag, no keys in secrets for cloud.

lgtmaybe

Provider-agnostic PR reviewer. Six providers, one flag, no static keys for cloud providers. Posts inline review comments and a summary.

📖 Full documentation: https://mattjcoles.github.io/lgtmaybe/

What it reviews

lgtmaybe fetches the PR diff from the GitHub API and reviews the lines a pull request changes. It never checks out or runs your code. To judge each change in context it also reads a few surrounding lines from the file, but it only ever comments on what the PR actually changed, not the whole repository.

Reviews surface the kind of thing a careful reviewer would flag, each graded from info up to critical: logic and correctness bugs (edge cases, null dereferences, off-by-one and boundary errors, mismatched ranges, unhandled error paths), missing tests for changed code paths (with a suggested test to drop in), and undocumented public APIs. The model is prompted with an OWASP-aligned security checklist — injection, XSS, hardcoded secrets, broken authn/authz, path traversal, SSRF, insecure deserialization, weak crypto, resource/DoS safety, and secrets or PII (passwords, tokens, SSNs, card data) leaking into logs — so security findings are first-class, not an afterthought. It also flags factually outdated code — deprecated APIs and end-of-life or vulnerable dependencies — when the diff shows them. Generated and non-reviewable files (lockfiles, minified bundles, vendored directories, binaries) are skipped automatically, and secrets are redacted from the diff before it is sent to the model.

Hardened against malicious PRs. lgtmaybe never checks out or runs PR code, treats the diff as untrusted input, defends against prompt injection (including forged delimiter break-out attempts), and redacts a broad set of secret formats (cloud keys, GitHub/Slack/Google/Stripe tokens, private keys, passwords, and credentials in connection strings) before anything leaves your environment. See Data and Privacy.

How the scope is bounded. Every run is capped so a large PR can't blow up latency:

• max_files (default 50) — reviews the top-N changed files and notes how many were skipped.
• max_input_tokens (default 100k) — batches the diff to fit the model's budget.
• categories (default all five) — which review lenses to run; each is a concurrent model call, so narrowing the list means fewer calls.
• min_severity (default info) plus include_paths / exclude_paths — focus the review on what you care about.

See Configure .lgtmaybe.yml for every knob.

What you get back. Each finding is structured data — file, line, severity, a title, an explanation, and an optional suggested fix — so it renders the same everywhere:

• On a GitHub PR — an inline comment on the exact changed line for each finding, plus one summary comment naming the model used. Re-running updates the same comments instead of duplicating them, and a clean PR gets a 👍 LGTM!.
• On the CLI — lgtmaybe review reads your local git diff and prints the findings (a readable listing, a JSON array with --json, or --format agent for an AI coding agent to read and apply); nothing is posted to GitHub.

A fuller walkthrough with example output is in What gets reviewed.

Quick start (60 seconds, local, zero cost)

From inside a git repo, on a branch with changes, review your diff against the default branch and print the findings:

pip install lgtmaybe

lgtmaybe review \
  --provider ollama \
  --model qwen3.6:27b \
  --api-base http://localhost:11434

No GitHub token and no pull request needed — lgtmaybe review reads your local git diff and prints the findings. To post reviews on real pull requests, wire up the GitHub Action. See Getting Started for the full walkthrough.

Providers

Provider	Auth
openai	OPENAI_API_KEY
anthropic	ANTHROPIC_API_KEY
openrouter	OPENROUTER_API_KEY
bedrock	Ambient AWS creds — GitHub OIDC, no static key
vertex	Ambient GCP creds — Workload Identity Federation, no key
azure	Ambient Azure AD creds — GitHub OIDC, no static key (or AZURE_API_KEY) + endpoint
ollama	None — local only, zero cost

Documentation

Browse the rendered docs at https://mattjcoles.github.io/lgtmaybe/, or read the Markdown sources below.

Tutorial — learn by doing

• Getting Started — your first review with ollama

How-to guides — task recipes

• Run locally with ollama
• Review with Bedrock OIDC
• Review with Vertex WIF
• Review with Azure OpenAI
• Use as a GitHub Action
• Configure .lgtmaybe.yml
• Releasing (maintainers)

Reference — look things up

• Configuration Reference — all config fields and schemas (generated)

Explanation — understand the design

• What gets reviewed — scope, caps, and what the output looks like
• Architecture — ports and adapters, the review pipeline
• Auth Model — why keyless cloud, how credential resolution works
• Data and Privacy — what is sent where, secret redaction, ollama local mode

Use as a GitHub Action

name: lgtmaybe

on:
  pull_request_target:
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    if: ${{ github.event_name == 'pull_request_target' || github.event.issue.pull_request }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: lgtmaybe/lgtmaybe@v1
        with:
          provider: openai
          model: gpt-5.5
          api_key: ${{ secrets.OPENAI_API_KEY }}

Copy-paste workflows for every cloud and API-key provider live in examples/workflows/. Cloud providers (Bedrock, Vertex, Azure) are keyless — pass aws_role_arn / gcp_wif_provider / azure_client_id and the action does the OIDC/WIF exchange for you (needs id-token: write). See Use as a GitHub Action. ollama is local only — run it through the CLI instead.

Distribution

• CLI — pip install lgtmaybe
• GitHub Action — uses: lgtmaybe/lgtmaybe@v1

Contributing

Test-first, green CI, scope is the gate. See CONTRIBUTING.md.

License

MIT — see LICENSE.