Configuration (.aicodereview.yml)
The tool loads configuration from .aicodereview.yml (YAML) or JSON. You can also provide a custom path with --config.
Config file format
Top-level sections:
- version – config schema version
- providers – default provider and provider-specific settings
- context – token budget and overflow handling
- policy – commenting thresholds and redaction
- guidelines_file – optional path to coding guidelines file
- vcs – platform and identifiers to resolve diffs by --id
- prompts – optional extra instructions appended to base prompts
- excludes – array of paths to exclude from code review
Full example
version: 1
providers:
  # Safe deterministic provider by default
  default: mock
context:
  diff_token_limit: 8000
  overflow_strategy: trim
  per_file_token_cap: 2000
  enable_semantic_chunking: true
  enable_diff_compression: true
  cache_ttl: 3600 # API response cache TTL in seconds
  max_cache_size: 52428800 # Maximum cache size in bytes (50MB)
policy:
  min_severity_to_comment: info
  max_comments: 50
  redact_secrets: true
  consolidate_similar_findings: true
  max_findings_per_file: 5
  severity_limits:
    error: 10
    warning: 10
    info: 5
guidelines_file: null
vcs:
  # Choose which platform to use when computing diffs via git and posting comments
  # Allowed values: github | gitlab | bitbucket
  platform: null
  # Repository identifier: "owner/repository_name" (GitHub), "namespace" (GitLab), "workspace/repository_name" (Bitbucket)
  repository: null
  # Gitlab Project ID
  project_id: null
  # Authentication token (falls back to env vars: AICR_TOKEN, then platform-specific tokens)
  access_token: null
  # API base URL (defaults to platform standard, override for self-hosted instances)
  api_base: null
  # HTTP timeout in seconds
  timeout: 30
prompts:
  system_append: "Prefer concise findings and avoid duplicates."
  user_append:
    - "Prioritize security and performance related issues."
  extra:
    - "If a secret or key is detected, suggest redaction."
excludes:
  # Array of paths to exclude from code review
  # Each element is treated as glob, regex, or relative path from project root
  - "*.md" # Exclude all markdown files (glob)
  - "composer.lock" # Exclude specific files (exact match)
  - "tests/*.php" # Exclude files in specific directories with patterns (glob)
  - "vendor" # Exclude entire vendor directory (directory)
  - "node_modules" # Exclude node_modules directory (directory)
  - "build" # Exclude build artifacts (directory)
  - "dist" # Exclude distribution files (directory)
Excludes
The excludes configuration allows you to specify files and directories to exclude from code review. Each element in the array is treated as a glob pattern, regex, or relative path from the project root.
Pattern Types
- Glob patterns – Use wildcards like *.md, tests/*.php, or **/*.json
- Exact matches – Specify exact file names like composer.lock or package.json
- Directory patterns – Exclude entire directories like vendor, node_modules, or build
Common Examples
- "*.md" – Excludes all markdown files
- "vendor" – Excludes the entire vendor directory and all its contents
- "tests/*.php" – Excludes all PHP files in the tests directory
- "composer.lock" – Excludes the specific composer.lock file
- "build", "dist", "node_modules" – Excludes common build/dependency directories
Notes
- The default AI provider is mock; no network calls occur until you configure a real provider.
- When guidelines_file is set, its contents are base64-embedded in the prompt for all providers.
- Commenting back to PR/MR happens only when you pass --comment to the CLI.
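The settings above that decide where tokens and code end up can be checked before a config is merged. The following is an added example, not part of the tool: a Python check over the JSON form of the config, assuming the JSON keys mirror the YAML ones. The function name audit_config, the sample configs and the provider name "example-provider" are constructed for illustration.

```python
import json

def audit_config(cfg: dict) -> list[str]:
    """Return findings for security-relevant settings in a parsed config."""
    findings = []
    vcs = cfg.get("vcs") or {}
    policy = cfg.get("policy") or {}
    provider = (cfg.get("providers") or {}).get("default") or "mock"

    # A token committed with the config is readable by everyone with repo
    # access; the documented fallback is the AICR_TOKEN environment variable.
    if vcs.get("access_token"):
        findings.append("vcs.access_token is set in the file; leave it null and use AICR_TOKEN")

    # Only an explicit true counts here.
    if policy.get("redact_secrets") is not True:
        findings.append("policy.redact_secrets is not explicitly true")

    # A self-hosted api_base over plain http exposes API traffic on the wire.
    api_base = vcs.get("api_base")
    if api_base and not str(api_base).lower().startswith("https://"):
        findings.append("vcs.api_base is not https; API traffic would be unencrypted")

    # With the mock provider no network calls occur; anything else does.
    if provider != "mock":
        findings.append(f"providers.default is {provider!r}; a real provider makes network calls")
        if cfg.get("guidelines_file"):
            findings.append("guidelines_file contents are embedded in prompts for that provider")
    return findings

# Constructed sample configs (JSON form); "example-provider" is a placeholder name.
WEAK_JSON = """{"version": 1, "providers": {"default": "example-provider"},
 "policy": {"redact_secrets": false}, "guidelines_file": "docs/guidelines.md",
 "vcs": {"platform": "gitlab", "access_token": "PLACEHOLDER_TOKEN",
         "api_base": "http://gitlab.example.internal/api/v4"}}"""
HARDENED_JSON = """{"version": 1, "providers": {"default": "mock"},
 "policy": {"redact_secrets": true}, "guidelines_file": null,
 "vcs": {"platform": "gitlab", "access_token": null, "api_base": null}}"""

if __name__ == "__main__":
    for name, raw in (("weak", WEAK_JSON), ("hardened", HARDENED_JSON)):
        for finding in audit_config(json.loads(raw)):
            print(f"{name}: {finding}")
```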