npm - @diffpal/diffpal-darwin-x64 - Versions diffs - 0.1.21 → 0.1.23 - Mend

@diffpal/diffpal-darwin-x64 0.1.21 → 0.1.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -18,10 +18,9 @@ review platform they rent. It runs in your CI, uses the AI provider you choose,
 and turns every pull request into clear summaries, actionable inline feedback,
 review artifacts, and merge gates.
-Bring your own provider account, keep your costs and credentials with you, and
-keep the review workflow in your repository. DiffPal's goal is to make AI PR
-review portable, affordable, and enforceable across GitHub, GitLab, and Azure
-DevOps.
+Use the provider path that already works for your team and keep the review
+workflow in your repository. DiffPal's goal is to make AI PR review portable,
+affordable, and enforceable across GitHub, GitLab, and Azure DevOps.
 | Works with | Publishes | Gates on |
 | --- | --- | --- |
@@ -56,9 +55,9 @@ Codex, Copilot, OpenCode, Gemini, Claude Code, a hosted API provider, an ordered
 provider pool, or any ACP-compatible CLI without rebuilding your PR review
 workflow.
-That model keeps cost and account control in your provider account. DiffPal
-does not require a hosted review service or per-seat platform subscription to
-collect diffs, publish PR feedback, write artifacts, or enforce merge gates.
+That model keeps cost control with your team. DiffPal does not require a hosted
+review service or per-seat platform subscription to collect diffs, publish PR
+feedback, write artifacts, or enforce merge gates.
 ## Quick Start: GitHub Actions
@@ -82,6 +81,12 @@ files are kept unless you pass `--force`.
 | --- | --- |
 | `OPENAI_API_KEY` | Authenticates Codex for the review provider. |
+For public open-source repositories, keep provider credentials away from fork PR
+code. GitHub's fork workflow approval settings control whether outside
+contributors' fork workflows run automatically; they do not make it safe to
+release provider secrets to fork code. Keep DiffPal's secret-backed review job
+limited to same-repository pull requests. Fork PRs should run no-secret CI only.
 3. Add the workflow:
 ```bash
@@ -117,13 +122,25 @@ DiffPal.
 | GitLab CI | [`examples/ci/gitlab`](examples/ci/gitlab) | MR summary, discussions, Code Quality, SARIF |
 | Azure Pipelines | [`examples/ci/azure-pipelines`](examples/ci/azure-pipelines) | PR summary thread, PR threads, PR status |
+## GitHub Action
+GitHub Actions users can install the
+[DiffPal Review action](https://github.com/marketplace/actions/diffpal-review)
+with `uses: diffpal/action@v1`. The action source and release automation live in
+the separate [diffpal/action](https://github.com/diffpal/action) repository.
+The action installs `@diffpal/diffpal` by default, then runs
+`diffpal review github`. You still own provider setup and authentication in the
+workflow, so switching provider recipes does not require switching PR review
+platforms.
 ## Azure DevOps Marketplace Extension
 Azure Pipelines users can install the public
 [DiffPal Review extension](https://marketplace.visualstudio.com/items?itemName=diffpal.diffpal)
 from the Azure DevOps Marketplace and add the `DiffPalReview@1` task to PR
 validation pipelines. Extension source and release automation live in the
-separate [diffpal-azure-devops](https://github.com/diffpal/azure-devops)
+separate [diffpal/azure-devops](https://github.com/diffpal/azure-devops)
 repository.
 The task installs `@diffpal/diffpal` by default, then runs `diffpal review ado`.
@@ -132,8 +149,7 @@ You still need a committed DiffPal config, a provider credential such as
 checkout. See the [Azure Pipelines setup guide](docs/ci-examples.md#azure-pipelines)
 for copy-paste examples.
-GitHub Actions users can use the
-[DiffPal Review action](https://github.com/marketplace/actions/diffpal-review):
+Example GitHub Actions workflow:
 ```yaml
 name: diffpal
@@ -145,6 +161,8 @@ on:
 jobs:
   review:
     name: review
+    # Provider credentials are only exposed to same-repository PRs.
+    # Fork PRs should run no-secret CI only.
     if: ${{ !github.event.pull_request.draft && github.event.pull_request.head.repo.full_name == github.repository }}
     runs-on: ubuntu-latest
     permissions:
@@ -179,6 +197,12 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
+`pull_request_target` runs from the default branch of the base repository and is
+useful for trusted automation such as labeling or commenting. Do not combine it
+with checking out the PR head or running package installs, tests, build scripts,
+hooks, provider CLIs, or other fork code. That pattern can expose privileged
+tokens or secrets to untrusted code.
 If you prefer copying files manually, use
 [`examples/configs/codex-api-key/config.yaml`](examples/configs/codex-api-key/config.yaml).
 For full copy-paste files and host-specific notes, read
@@ -205,17 +229,8 @@ diffpal:
     block_on: high
   review:
     language: en
-    prompt_profile: v2
-    strict_evidence: true
-    strict_injection: true
-    allow_nearby_context: true
     instructions: |
       Prefer actionable findings that are directly supported by the diff.
-    checks:
-      - security
-      - bugs
-      - performance
-      - best-practices
   platforms:
     github: {}
     gitlab: {}
@@ -226,22 +241,12 @@ profiles:
     diffpal:
       gate:
         block_on: high
-      review:
-        prompt_profile: v2
-        strict_evidence: true
-        strict_injection: true
-        allow_nearby_context: true
 ```
-Review checks are intentionally simple. They ask the agent what to focus on;
-DiffPal does not hardcode individual signal slugs:
-| Check | Finding categories the agent may return |
-| --- | --- |
-| `security` | security |
-| `bugs` | correctness, reliability |
-| `performance` | performance |
-| `best-practices` | maintainability, testing, style |
+DiffPal uses a fixed finding taxonomy: security, correctness, reliability,
+performance, maintainability, testing, and style. Use review instructions to
+change or extend the review scope, for example `Review for OWASP best practices
+and authz/authn regressions.`
 Severity is impact-based across all categories. The full critical/high/medium/low
 matrix is in the [config reference](docs/config-reference.md#severity-matrix).
@@ -249,11 +254,6 @@ matrix is in the [config reference](docs/config-reference.md#severity-matrix).
 Use `diffpal.review.instructions`, the `instructions` action input, or
 `--instructions-file` for repository-specific review guidance.
-The review rollout fields are safe to canary per profile. Keep the repository
-default conservative if needed, then set `profiles.ci.diffpal.review` to
-`prompt_profile: v2`, `strict_evidence: true`, `strict_injection: true`, and
-`allow_nearby_context: true` before making the gate blocking.
 ## Provider Recipes and Runtime Types
 DiffPal delegates review to `diffpal.provider`, which points at a provider
@@ -270,6 +270,9 @@ Ready-made config recipes. These are the same names accepted by
 | Copilot fine-grained PAT | [`examples/configs/copilot-github-token/config.yaml`](examples/configs/copilot-github-token/config.yaml) | `COPILOT_GITHUB_TOKEN` |
 | OpenCode ACP | [`examples/configs/opencode-acp/config.yaml`](examples/configs/opencode-acp/config.yaml) | OpenCode-specific |
+For Codex subscription auth, generate a fresh `CODEX_AUTH_JSON_B64` value with
+the command recipe in [`examples/README.md`](examples/README.md#generate-codex_auth_json_b64).
 Use `generic_acp` for any CLI that can start an ACP stdio server:
 ```yaml
@@ -298,15 +301,10 @@ authenticated:
 | `openai`, `aistudio` | Hosted API providers |
 | `pool` | Ordered provider failover |
-Hosted providers receive DiffPal's read-only review tools during each review:
-`git_changed_files`, `git_diff`, `list_files`, `read_file`, and
-`search_files`. These are request-level tools, not provider config. ACP
-providers keep their own tool surface.
-For hosted providers, DiffPal records review tool usage in the findings bundle
-and rejects a result when the provider did not inspect the diff with `git_diff`.
-ACP providers use their native Git and filesystem tools, so DiffPal records that
-runtime inspection proof is not available for that provider class.
+DiffPal passes the review task snapshot with base and head revisions. Providers
+inspect the repository diff and supporting code through their available Git and
+filesystem tools, then DiffPal validates the structured findings against the
+changed ranges it collected internally.
 ## MCP Servers

package/bin/diffpal CHANGED Viewed

Binary file

package/package.json CHANGED Viewed

@@ -13,5 +13,5 @@
   "os": [
     "darwin"
   ],
-  "version": "0.1.21"
+  "version": "0.1.23"
 }