# Cartomancer configuration
# Generated by `cartomancer init`. All values shown are defaults — uncomment to override.
# NOTE(review): in this listing the table headers appear as "[]" and several
# active keys have lost their names (e.g. "= 120"), so it is not valid TOML as
# shown. Restore the names from the `cartomancer init` output, not by guessing.
# NOTE(review): this file has slots for an API key, a GitHub token and a webhook
# secret. If the file is committed, supply those values from the environment.
[]
= ["auto"]
= 120
# NOTE(review): excluded paths are presumably not scanned, so findings in them
# (including secrets in config files) would go unreported — confirm each entry.
# exclude = [".github/", "config/database.yml"]
# jobs = 4 # parallel jobs (default: opengrep auto-detect)
# taint_intrafile = false # cross-function taint analysis within a file
# NOTE(review): an inline ignore annotation suppresses findings on the annotated
# code; changes that add it deserve the same review as any other suppression.
# ignore_pattern = "nosec" # custom inline ignore annotation
# enclosing_context = false # attach enclosing function/class (improves LLM deepening)
# dynamic_timeout = false # file-size-scaled timeouts
# dynamic_timeout_unit_kb = 10 # base timeout unit (only if dynamic_timeout = true)
# dynamic_timeout_max_multiplier = 5.0
# rules_dir = ".cartomancer/rules" # auto-discover custom YAML rules
[]
# NOTE(review): knowledge_file and system_prompt are injected into LLM prompts.
# With a hosted provider that text presumably leaves the machine, so keep
# credentials and customer data out of it, and review edits to the knowledge
# file as prompt changes.
# knowledge_file = ".cartomancer/knowledge.md" # company context injected into LLM prompts
# system_prompt = "You are reviewing a fintech codebase. Prioritize payment flows."
# max_knowledge_chars = 8000
# Per-rule severity overrides:
# [knowledge.rules."generic.security.hardcoded-secret"]
# min_severity = "critical"
# always_deepen = true
[]
= "ollama" # "ollama" | "anthropic"
# NOTE(review): the endpoint below is plain HTTP on loopback. If it is pointed at
# a non-local host, prompt content would presumably travel unencrypted — use an
# HTTPS endpoint in that case.
= "http://localhost:11434"
= "gemma3"
# Do not commit a real key here; the ANTHROPIC_API_KEY environment variable is
# the preferred source.
# anthropic_api_key = "sk-ant-..." # prefer ANTHROPIC_API_KEY env var
# anthropic_model = "claude-sonnet-4-20250514"
= 4096
# max_concurrent_deepening = 4
[]
# NOTE(review): presumably stores review results — consider keeping this file
# out of version control.
# db_path = ".cartomancer.db"
[]
= 5
= "error"
# impact_depth = 3
# cartog_db_path = ".cartog.db" # run `cartog index .` to create
# [github]
# Leave token empty in committed copies; GITHUB_TOKEN is the preferred source.
# token = "" # prefer GITHUB_TOKEN env var
# webhook_secret is the HMAC-SHA256 key for `cartomancer serve`. Use a long
# random value supplied outside version control.
# NOTE(review): confirm that `serve` refuses to start while this is empty.
# webhook_secret = "" # required for `cartomancer serve` (HMAC-SHA256)
# [serve]
# max_concurrent_reviews = 4