# codespy.yaml - Configuration file for codespy
#
# ENVIRONMENT VARIABLE OVERRIDES:
# All settings can be overridden via environment variables.
# - Flat values: <KEY> (e.g., OUTPUT_FORMAT=json, DEFAULT_MODEL=openai/gpt-5)
# - Signature values: <SIGNATURE>_<KEY>
# Examples:
# CODE_REVIEW_MAX_ITERS=15
# CODE_REVIEW_ENABLED=false
# SUPPLY_CHAIN_MODEL=openai/gpt-4-turbo
#
# Priority: Environment Variables > YAML Config > Defaults
# ============================================================================
# LLM ACCESS
# ============================================================================
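llm:
  # Provider credentials and endpoints. Each key can also be set through the
  # environment variable named in its inline comment, and environment
  # variables take priority over this file. Keep the *_api_key and
  # aws_secret_access_key values null in any committed or shared copy of this
  # file and supply the secrets from the environment or a secret store.
  #
  # NOTE(review): the auto_discover_* switches presumably let codespy pick up
  # provider credentials that are already present on the machine - confirm,
  # and set them to false on shared runners where only explicitly provided
  # credentials should be used.

  # OpenAI
  openai_api_key: null  # OPENAI_API_KEY
  # NOTE(review): requests, presumably including the code under review, go to
  # this endpoint when it is set - point it only at a trusted HTTPS URL.
  openai_api_base: null  # OPENAI_API_BASE
  auto_discover_openai: true  # AUTO_DISCOVER_OPENAI (set to false to disable)

  # Anthropic
  anthropic_api_key: null  # ANTHROPIC_API_KEY
  auto_discover_anthropic: true  # AUTO_DISCOVER_ANTHROPIC (set to false to disable)

  # Google Gemini
  gemini_api_key: null  # GEMINI_API_KEY
  auto_discover_gemini: true  # AUTO_DISCOVER_GEMINI (set to false to disable)

  # AWS Bedrock
  aws_region: 'us-east-1'  # AWS_REGION
  aws_access_key_id: null  # AWS_ACCESS_KEY_ID
  aws_secret_access_key: null  # AWS_SECRET_ACCESS_KEY
  aws_profile: null  # AWS_PROFILE
  auto_discover_aws: true  # AUTO_DISCOVER_AWS (set to false to disable)

  # Azure OpenAI
  azure_api_key: null  # AZURE_API_KEY
  azure_api_base: null  # AZURE_API_BASE
  azure_api_version: null  # AZURE_API_VERSION

  # Enable provider-side prompt caching (Anthropic, OpenAI, Bedrock, etc.).
  # Caches system prompts on the LLM provider's servers to reduce latency and
  # costs. Check the provider's retention terms before enabling this where
  # prompt contents must not be stored outside your environment.
  enable_prompt_caching: true  # ENABLE_PROMPT_CACHING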
# ============================================================================
# GIT PLATFORMS
# ============================================================================
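github:
  # Leave the token null in committed copies of this file and provide it via
  # GITHUB_TOKEN. Use a token limited to the repositories under review.
  # NOTE(review): when output_git is true the token presumably also needs
  # permission to comment on pull requests - grant no more than that.
  token: null  # GITHUB_TOKEN (auto-discovered if not set)
  # Set to false when only an explicitly provided token should be used.
  auto_discover_token: true  # GITHUB_AUTO_DISCOVER_TOKEN (set to false to disable auto-discovery)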
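gitlab:
  # Leave the token null in committed copies of this file and provide it via
  # GITLAB_TOKEN. Use a token limited to the projects under review.
  token: null  # GITLAB_TOKEN (auto-discovered if not set)
  # Base URL of the GitLab instance. For a self-hosted instance keep the
  # https scheme: the token is sent to whatever host is configured here.
  url: 'https://gitlab.com'  # GITLAB_URL (for self-hosted instances)
  # Set to false when only an explicitly provided token should be used.
  auto_discover_token: true  # GITLAB_AUTO_DISCOVER_TOKEN (set to false to disable auto-discovery)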
# ============================================================================
# SIGNATURES
# ============================================================================
# Each signature config supports: enabled, model, max_context_size,
# max_reasoning_tokens, temperature (and max_iters where listed below)
# Set a value to null to use the corresponding default
#
# RECOMMENDED MODEL STRATEGY
# ============================================================================
# codespy uses a tiered model approach to balance review quality and cost:
#
# Smart (default_model): Used for core analysis — code review (bugs, security,
# smells), supply chain, scope identification, doc review. Requires strong reasoning.
# Recommended: anthropic/claude-opus-4-6 or equivalent.
#
# Mid-tier (extraction_model): Used for structured field
# extraction (TwoStepAdapter). Needs accuracy but not deep reasoning.
# Recommended: anthropic/claude-sonnet-4-5-20250929 or equivalent.
#
# Cheap (summarization): Used for PR summary generation. Simple synthesis
# task. Recommended: anthropic/claude-haiku-4-5-20251001 or equivalent.
#
# By default, all models fall back to default_model. Override extraction_model
# and summarization model for cost optimization:
#
# default_model: anthropic/claude-opus-4-6
# extraction_model: anthropic/claude-sonnet-4-5-20250929
# signatures:
# summarization:
# model: anthropic/claude-haiku-4-5-20251001
# ============================================================================
# These apply to all signatures unless overridden per-signature
# Model used by every signature that does not set its own.
# Env: DEFAULT_MODEL
default_model: 'anthropic/claude-opus-4-6'
# Model for structured field extraction; null falls back to default_model.
# Env: EXTRACTION_MODEL
extraction_model: null
# Env: DEFAULT_MAX_ITERS
default_max_iters: 20
# Env: DEFAULT_MAX_CONTEXT_SIZE
default_max_context_size: 100000
# Limits LLM reasoning verbosity.
# Env: DEFAULT_MAX_REASONING_TOKENS
default_max_reasoning_tokens: 6000
# Lower = more deterministic output.
# Env: DEFAULT_TEMPERATURE
default_temperature: 0

# Global LLM reliability settings
# Number of retries for LLM API calls.
# Env: LLM_RETRIES
llm_retries: 3
# Timeout in seconds for LLM calls.
# Env: LLM_TIMEOUT
llm_timeout: 240
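signatures:
  # Per-signature settings. A null value means "use the matching default_*
  # setting"; a null model falls back to default_model.

  # Supply Chain Security signature
  supply_chain:
    enabled: true  # SUPPLY_CHAIN_ENABLED
    max_iters: null  # SUPPLY_CHAIN_MAX_ITERS
    # null falls back to default_model; set a model id here (or via
    # SUPPLY_CHAIN_MODEL) to use a different model for this signature only.
    model: null  # SUPPLY_CHAIN_MODEL
    max_context_size: null  # SUPPLY_CHAIN_MAX_CONTEXT_SIZE
    max_reasoning_tokens: null  # SUPPLY_CHAIN_MAX_REASONING_TOKENS
    temperature: null  # SUPPLY_CHAIN_TEMPERATURE
    # When true: scans ALL artifacts (Dockerfiles, etc.) and manifests.
    # When false (default): only scans artifacts/manifests that were modified
    # in the MR, so an unchanged manifest or Dockerfile gets no supply-chain
    # findings from that run.
    scan_unchanged: false  # SUPPLY_CHAIN_SCAN_UNCHANGED

  # Code Reviewer signature (bugs, security, removed defensive code, code smells)
  # Unified code review: bugs, security vulnerabilities, and code smells in a
  # single agent pass per scope
  code_review:
    enabled: true  # CODE_REVIEW_ENABLED
    max_iters: null  # CODE_REVIEW_MAX_ITERS
    model: null  # CODE_REVIEW_MODEL
    max_context_size: null  # CODE_REVIEW_MAX_CONTEXT_SIZE
    max_reasoning_tokens: null  # CODE_REVIEW_MAX_REASONING_TOKENS
    temperature: null  # CODE_REVIEW_TEMPERATURE

  # Documentation Reviewer signature (compares patches against extracted
  # documentation)
  # Note: doc extraction is now deterministic (no LLM) - see doc_extractor.py
  doc:
    enabled: true  # DOC_ENABLED
    model: null  # DOC_MODEL
    max_context_size: null  # DOC_MAX_CONTEXT_SIZE
    max_reasoning_tokens: null  # DOC_MAX_REASONING_TOKENS
    temperature: null  # DOC_TEMPERATURE

  # Scope Identifier signature
  scope:
    enabled: true  # SCOPE_ENABLED
    max_iters: null  # SCOPE_MAX_ITERS
    model: null  # SCOPE_MODEL
    max_context_size: null  # SCOPE_MAX_CONTEXT_SIZE
    max_reasoning_tokens: null  # SCOPE_MAX_REASONING_TOKENS
    temperature: null  # SCOPE_TEMPERATURE

  # Summarizer signature
  summarization:
    enabled: true  # SUMMARIZATION_ENABLED
    model: null  # SUMMARIZATION_MODEL (falls back to default_model)
    max_context_size: null  # SUMMARIZATION_MAX_CONTEXT_SIZE
    max_reasoning_tokens: null  # SUMMARIZATION_MAX_REASONING_TOKENS
    temperature: null  # SUMMARIZATION_TEMPERATURE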
# ============================================================================
# OUTPUT
# ============================================================================
# Report format: markdown | json
# Env: OUTPUT_FORMAT
output_format: 'markdown'
# Enable stdout output.
# Env: OUTPUT_STDOUT
output_stdout: true
# Post the review to the GitHub PR or GitLab MR.
# Env: OUTPUT_GIT
output_git: true
# Env: CACHE_DIR
cache_dir: '~/.cache/codespy'
# ============================================================================
# FILE EXCLUSIONS
# ============================================================================
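# Directories to skip during code review (binary files, lock files, and
# minified files are always excluded automatically).
# Files under these directories are not reviewed, so a PR that modifies
# vendored or third-party code gets no code-review findings for those files;
# review such changes separately.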
excluded_directories: # EXCLUDED_DIRECTORIES (JSON array in env)
# Vendor/dependency directories
- vendor
- node_modules
- third_party
- external
- deps
- _vendor
- vendored
# Build output directories
- dist
- build
- out
- target
# Package manager directories
- .bundle
- Pods
- Carthage
- bower_components
- jspm_packages
# Version control
- .git
- .svn
- .hg
# Cache directories
- __pycache__
- .cache
- .pytest_cache
- .mypy_cache
- .ruff_cache