PatchPatrol
Reference

Configuration Reference

Exact public configuration coverage for the supported PatchPatrol workflow.

Configuration Reference

Use this page when you need the exact public configuration contract for the supported PatchPatrol workflow after the quickstart path is already in place.

If you need the canonical support contract for runtime baselines and deployment modes before choosing settings, start with Supported runtime and operating modes.

Source of truth: this page is derived from shipped PatchPatrol contracts in patchpatrol/config.py and the checked-in configuration references that narrow those contracts to the supported public surface.

This is the baseline public configuration surface. For operator-tuned controls and explicitly scoped legacy compatibility entries, read the companion Advanced configuration page.

When the same setting exists in both an environment variable and the CLI, the CLI flag is the direct override. Use the CLI reference for command flags and Policy controls for change guidance.

Repo-local defaults with .ai-review.yml

PatchPatrol also supports an optional repo-root .ai-review.yml for versioned safe defaults. Resolution order is explicit:

  1. built-in defaults
  2. .ai-review.yml
  3. environment variables
  4. CLI overrides

Version 1 of .ai-review.yml intentionally supports only stable safe defaults and bounded prompt-only review rules that teams are most likely to version with the repository.

Supported defaults fields:

  • model
  • provider
  • fail_on
  • fail_on_partial_coverage
  • review_context_mode
  • include_globs
  • exclude_globs
  • feedback_mode
  • enable_final_summary

Supported review.rules fields:

  • id: required stable identifier, up to 128 characters, using letters, numbers, ., _, :, and -
  • severity: optional prompt-priority label: error, warning, or info
  • scope: optional list of repository-path glob patterns; omitted or empty scope applies the rule to every reviewed path
  • instruction: required non-empty review instruction, up to 1000 characters

PatchPatrol retains at most 50 repo-local rules from the policy file and renders at most 12 matched rules per prompt/chunk. Rules are prompt-only review constraints: they guide provider attention, but findings still require concrete diff/context evidence and do not become deterministic fail gates.

Secrets, endpoint URLs, allowlist controls, output paths, numeric diff bounds, and executable hooks are intentionally outside the version 1 repo-local policy contract.

Example:

version: 1
defaults:
  provider: openai
  model: gpt-4o-mini
  fail_on: high
  feedback_mode: artifact-only
  review_context_mode: diff-only
  include_globs:
    - src/**
  exclude_globs:
    - vendor/**
    - node_modules/**
review:
  rules:
    - id: require-regression-tests-for-runtime-behavior
      severity: warning
      scope:
        - "patchpatrol/**/*.py"
      instruction: "When runtime behavior changes, verify that tests cover the pre-fix failure mode and observable behavior."

Accepted findings with .ai-review-baseline.yml

PatchPatrol also supports an optional checked-in repo-root .ai-review-baseline.yml for accepted findings.

This file is distinct from .ai-review.yml:

  • use .ai-review.yml for safe repo-local defaults such as provider, model, and review bounds
  • use .ai-review-baseline.yml only for accepted findings that should stop tripping rollout gates while still remaining visible in artifacts

Version 1 is intentionally narrow and deterministic:

  • the file name is fixed at the repository root
  • entries live under suppressions
  • each entry requires an exact finding fingerprint
  • each entry requires a human-readable reason

Example:

version: 1
suppressions:
  - fingerprint: 0123456789abcdef
    reason: Accepted historical issue while rollout stays in advisory mode

On the next run, PatchPatrol applies the baseline before AI_REVIEW_FAIL_ON evaluation. That means fail-on policy evaluates only unsuppressed findings after baseline matching. Suppressed findings do not disappear silently: the artifacts still expose suppression evidence in markdown and JSON metadata so operators can see what matched and why.

Use the Developer Quickstart when you want the public artifact workflow for finding and copying a fingerprint, and use Policy controls when you are deciding whether accepted findings should remain advisory or block CI.

Provider and Runtime

VariableDefaultSupported values or posturePublic meaning
AI_REVIEW_MODELdeepseek-coder-v2:16bNon-empty model identifierSelects the review model used for run and readiness checks.
AI_REVIEW_PROVIDERollamaollama, openai, mockChooses the provider path: Ollama, OpenAI-compatible endpoints, or mock iteration.
AI_REVIEW_STRUCTURED_OUTPUT_MODEjsonjson, json_schema, autoControls the review-call output request shape. json preserves the baseline JSON-object contract. json_schema and auto can request strict JSON-schema output for OpenAI-compatible review calls and safely fall back to JSON-object mode when the endpoint rejects schema mode.
OLLAMA_HOSThttp://127.0.0.1:11434Valid http or https URLEndpoint used when AI_REVIEW_PROVIDER=ollama.
OPENAI_BASE_URLunsetRequired when AI_REVIEW_PROVIDER=openai; valid http(s) API root without query or fragmentPoints PatchPatrol at a customer-controlled/self-hosted OpenAI-compatible endpoint or the official OpenAI API fallback.
OPENAI_API_KEYunsetSecret value when the endpoint requires authSupplies bearer-token auth for OpenAI-compatible requests.
OPENAI_ORGANIZATIONunsetOptional header valueAdds the OpenAI-Organization header when the endpoint supports it.
OPENAI_PROJECTunsetOptional header valueAdds the OpenAI-Project header when the endpoint supports it.
AI_REVIEW_OUTPUT_DIR.ai-reviewWritable pathControls where PatchPatrol writes ai-review.md, ai-review.json, optional ai-review.html, and related artifacts.
AI_REVIEW_TIMEOUT_SECONDSunsetPositive integer or unsetSets a provider-neutral request timeout and takes precedence over OLLAMA_TIMEOUT_SECONDS.
OLLAMA_TIMEOUT_SECONDSunsetPositive integer or unsetBackwards-compatible timeout alias for the Ollama path; ignored when AI_REVIEW_TIMEOUT_SECONDS is set.
AI_REVIEW_TRANSPORT_RETRY_MAX_ATTEMPTS2Positive integer; 1 disables retryBounds retryable provider and GitLab transport attempts for CI predictability.

Structured-output mode

AI_REVIEW_STRUCTURED_OUTPUT_MODE affects review calls only:

  • json: the default JSON-object request shape and validation/retry path.
  • json_schema: for OpenAI-compatible review calls, requests strict structured output with the PatchPatrol report schema. If the endpoint returns a clear unsupported-schema response, PatchPatrol retries that review call with JSON-object mode.
  • auto: currently uses the same OpenAI-compatible schema request and deterministic unsupported-schema fallback as json_schema.

Ollama review calls keep the broadly compatible JSON path. PatchPatrol records only compact mode counters and reason codes under meta.limits; it does not persist raw prompts or provider request payloads in review artifacts.

Review Bounds and Semantic Context

VariableDefaultSupported values or posturePublic meaning
AI_REVIEW_MAX_DIFF_BYTES65536Positive integer, unset, or empty stringCaps total diff bytes considered for review.
AI_REVIEW_MAX_FILES8Positive integer, unset, or empty stringCaps how many changed files PatchPatrol selects for review.
AI_REVIEW_MAX_CHUNKS16Positive integer, unset, or empty stringCaps the number of reviewable chunks after filtering and ordering.
AI_REVIEW_MAX_FILE_DIFF_BYTES16384Positive integer, unset, or empty stringCaps diff size per file chunk and omits oversized files with reason metadata.
AI_REVIEW_CONTEXT_MODEdiff-onlydiff-only, diff+semanticChooses plain diff review or the best-effort semantic precheck path.
AI_REVIEW_SEMANTIC_TOTAL_TIMEOUT_SECONDS20Positive integerSets the total timeout budget for semantic precheck work when diff+semantic is enabled.
AI_REVIEW_MAX_SUPPORTING_CONTEXT_BYTES65536Positive integerCaps the bounded supporting context carried into semantic-aware prompts.

These review bounds are built-in defaults for the supported baseline path when the environment variable is left unset. Raise them explicitly for larger runs, or clear a specific bound by setting its environment variable to an empty string when you are deliberately opting out and want an unbounded/None posture.

For the operational difference between diff-only and diff+semantic, read Review context mode.

Delivery and Policy Controls

VariableDefaultSupported values or posturePublic meaning
AI_REVIEW_FAIL_ONnonenone, blocker, high, mediumChooses which validated finding severities turn ai-review run into a non-zero gate.
AI_REVIEW_FAIL_ON_PARTIAL_COVERAGEfalsetrue or falseFails the run when omitted chunks are present, even if no severity threshold was hit.
AI_REVIEW_ENABLE_FINAL_SUMMARYfalsetrue or falseEnables an extra summary-only model pass that can refine top issues without changing deterministic findings.
AI_REVIEW_HTML_REPORTfalsetrue or falseAdds optional static ai-review.html output for browser review or PDF printing; local runs can also use ai-review run --html-report.
AI_REVIEW_FEEDBACK_MODEartifact-onlyartifact-only, mr, mr-manualKeeps the blessed artifact-first baseline or turns on GitLab merge request delivery.
AI_REVIEW_GITLAB_INLINE_DISCUSSIONStruetrue or falseWhen MR delivery is active, decides whether PatchPatrol also posts eligible inline discussions.
AI_REVIEW_ALLOW_DRAFT_MR_FEEDBACKfalsetrue or falseAllows MR delivery on draft or WIP merge requests for the current run.
AI_REVIEW_MANUAL_FEEDBACK_AUTHORIZEDfalsetrue or falseExplicitly authorizes mr-manual delivery when CI metadata alone should not decide it.
AI_REVIEW_PROVIDER_ALLOWLIST_BASE_URLSunsetComma-separated exact normalized http(s) base URLsRequired exact normalized provider base URLs for non-mock providers before the first real review run.

Trust-gate prerequisite for first real runs

Set the allowlist to the exact normalized provider base URL before the first real non-mock review run:

OPENAI_BASE_URL="https://llm-gateway.internal/v1"
AI_REVIEW_PROVIDER_ALLOWLIST_BASE_URLS="https://llm-gateway.internal/v1"
OLLAMA_HOST="http://ollama.internal:11434"
AI_REVIEW_PROVIDER_ALLOWLIST_BASE_URLS="http://ollama.internal:11434/"

If you are wiring the first supported public path, start with Admin Quickstart and return here for the exact variable contract.

Exit Semantics

Most teams only need a short mental model for exit behavior:

  • 0: no configured gate was tripped.
  • 10: AI_REVIEW_FAIL_ON or AI_REVIEW_FAIL_ON_PARTIAL_COVERAGE triggered a review gate.
  • 11: PatchPatrol stopped before remote calls because the trust gate blocked execution.
  • 8: invalid-output fallback occurred.

Public Boundary

  • AI_REVIEW_POST_MR_NOTE is retained as a backwards-compatible alias for existing installs and maps to AI_REVIEW_FEEDBACK_MODE=mr through AI_REVIEW_FEEDBACK_MODE resolution.
  • Variables not listed on this page and not covered on the companion page are outside the published public contract.

Use Policy controls when you are choosing how strict those gates should be, and use the CLI reference when you need the matching command-line overrides.

Return to Reference.

Supported Runtime and Operating Modes

Canonical support contract for PatchPatrol runtime baselines, deployment modes, and support tiers.

Review Context Mode

How diff-only and diff+semantic change what PatchPatrol reviews before it calls the model.

On this page

Configuration ReferenceRepo-local defaults with .ai-review.ymlAccepted findings with .ai-review-baseline.ymlProvider and RuntimeStructured-output modeReview Bounds and Semantic ContextDelivery and Policy ControlsTrust-gate prerequisite for first real runsExit SemanticsPublic Boundary