Deterministic review-readiness checks for AI-assisted pull requests.
Project description
MergeGuard
Deterministic review-readiness and governance checks for AI-assisted pull requests.
AI may generate the diff. Engineers still own the merge.
MergeGuard is not another AI code reviewer. It does not try to infer intent, judge code style, or replace human review. It is a low-noise, deterministic readiness layer that asks whether a pull request is prepared for responsible review before it reaches the merge button.
Product Positioning
AI-assisted development changes the shape of code review. Teams now need fast ways to separate review-ready pull requests from diffs that are under-explained, under-tested, risky, or hard to own.
MergeGuard applies the MERGE Framework before code is merged:
- It checks review readiness, not code cleverness.
- It produces deterministic findings, not probabilistic review prose.
- It favors governance signals developers can act on quickly.
- It keeps ownership with engineers, even when AI helped generate the diff.
MVP 1 is intentionally local and boring in the best way: no network calls, no LLM review, no GitHub App, no SaaS dashboard, and no automatic PR commenting.
MERGE Framework
MERGE is a lightweight checklist for AI-assisted pull requests:
- Meaning: Does the PR solve the right problem? Checks whether the PR description explains the requirement, expected behavior, issue, user impact, acceptance criteria, or why the change exists.
- Evidence: What proves the change works? Flags source changes that do not include matching test changes.
- Risk: What can this break? Detects configured risk keywords and risk-sensitive paths such as auth, payments, credentials, migrations, infrastructure, and config.
- Guardrails: Did the change respect system boundaries? Flags dependency/config changes and large PRs based on configured thresholds.
- Explainability: Can the developer explain the diff? Looks for author ownership signals such as tests run, rollback notes, known risks, manual review, or verification.
Installation
MergeGuard requires Python 3.14 or newer.
Recommended development setup uses uv:
uv python install 3.14.5
uv sync --dev
Plain pip installation is also supported on Python 3.14+:
pip install mergeguard-cli
For editable local development from this repository:
pip install -e .
Confirm the CLI is available:
mergeguard --help
When using uv without activating the virtual environment:
uv run mergeguard --help
Quickstart
Run MergeGuard against the included risky example:
mergeguard scan \
--diff examples/sample-risky.diff \
--description examples/pr-description-weak.md \
--format markdown
Or with uv:
uv run mergeguard scan \
--diff examples/sample-risky.diff \
--description examples/pr-description-weak.md \
--format markdown
Try the safe example:
uv run mergeguard scan \
--diff examples/sample-safe.diff \
--description examples/pr-description-good.md \
--format markdown
Supported output formats:
textmarkdownjson
The markdown format is designed for GitHub PR comments. It includes a compact status summary, diff stats, category findings, and readable inline file paths.
Sample Output
The full sample report is available at examples/sample-report.md.
## MERGE Review Readiness Report
### Overall status: Needs attention
| Metric | Value |
| --- | ---: |
| Files changed | 2 |
| Additions | 7 |
| Deletions | 1 |
| Category | Status | Findings |
| --- | --- | ---: |
| Meaning | Needs attention | 1 |
| Evidence | Needs attention | 1 |
| Risk | Needs attention | 1 |
| Guardrails | Needs attention | 1 |
| Explainability | Needs attention | 1 |
### Meaning
- **WARNING**: PR description does not clearly explain expected behavior.
### Evidence
- **WARNING**: Source files changed but no test files were modified.
### Risk
- **HIGH**: Risk-sensitive terms found: payment, refund.
### Guardrails
- **WARNING**: Dependency file changed: package.json. (`package.json`)
### Explainability
- **WARNING**: No rollback note or author verification detail found.
Configuration
MergeGuard automatically reads .mergeguard.yml or .mergeguard.yaml from the current directory when present. You can also pass a config file explicitly:
mergeguard scan \
--diff examples/sample-risky.diff \
--description examples/pr-description-weak.md \
--format markdown \
--config examples/mergeguard-config.yml
All settings are optional. Missing config files and missing keys fall back to deterministic defaults.
thresholds:
max_changed_files: 20
max_line_changes: 500
test_patterns:
- tests/
- test_
- _test
- .test.
- .spec.
- __tests__
dependency_patterns:
- requirements.txt
- pyproject.toml
- package.json
- package-lock.json
- yarn.lock
- poetry.lock
- go.mod
- Cargo.toml
- pom.xml
- build.gradle
risk_paths:
- src/payments/**
- infra/**
risk_keywords:
- auth
- login
- token
- password
- permission
- role
- payment
- billing
- invoice
- refund
- migration
- delete
- drop
- encrypt
- secret
- credential
- infra
- terraform
- config
MVP Roadmap
MVP 1:
- Python CLI package
- Unified diff parser
- Deterministic MERGE rule engine
.mergeguard.ymlconfiguration- Text, Markdown, and JSON renderers
- Example diffs, descriptions, and report output
Near-term:
- Exit-code policy for CI gating
- More precise config examples for common stacks
- Additional renderer fixtures
- Better large-PR and dependency-change explanations
- GitHub Actions usage documentation
Explicit non-goals for MVP 1:
- LLM-based code review
- GitHub App
- SaaS dashboard
- Automatic PR commenting
- Deep AST analysis
- Vulnerability scanner replacement
- External network calls
Contributing
Use Python 3.14.5 and uv for local development:
uv sync --dev
uv run pytest
Before opening a PR:
- Keep rules deterministic and explainable.
- Keep the rule engine separate from the CLI.
- Add or update tests for parser, rules, renderers, and examples.
- Avoid unnecessary runtime dependencies.
- Preserve the product boundary: MergeGuard checks readiness and governance, not code quality by opinion.
Useful local checks:
uv run pytest
uv run mergeguard scan --diff examples/sample-risky.diff --description examples/pr-description-weak.md --format markdown
uv run mergeguard scan --diff examples/sample-safe.diff --description examples/pr-description-good.md --format json
Release
Release readiness and publishing steps for v0.1.0 are documented in RELEASE.md.
License
MergeGuard is licensed under the Apache License, Version 2.0. See LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mergeguard_cli-0.1.0.tar.gz.
File metadata
- Download URL: mergeguard_cli-0.1.0.tar.gz
- Upload date:
- Size: 22.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.19 {"installer":{"name":"uv","version":"0.11.19","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6bcebb09f0885b88b7dbbf6db5d07cadea911598f9554eb4fef0df9d10baba31
|
|
| MD5 |
acd5152a36962858bb006036fb315872
|
|
| BLAKE2b-256 |
b0936640567ec6688462f0f7b52d93711827226042fe89f7345c4d078d7eae01
|
File details
Details for the file mergeguard_cli-0.1.0-py3-none-any.whl.
File metadata
- Download URL: mergeguard_cli-0.1.0-py3-none-any.whl
- Upload date:
- Size: 22.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.19 {"installer":{"name":"uv","version":"0.11.19","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9e8b29f062ce551038189f5cea10dddfa67141ea09d274600a6a39b5d6cd5bfd
|
|
| MD5 |
e2d6f1c0c596283f2a09f153baf1b440
|
|
| BLAKE2b-256 |
eb0f3299ff6f4ff7a5007ec10c9ce6da1e84e514006c9d3db9830faa8e887e32
|