repopilot 0.16.0

Local-first CLI for reviewing Git changes, security boundaries, and blast radius before merge.
Documentation
# RepoPilot

[![Crates.io](https://img.shields.io/crates/v/repopilot.svg)](https://crates.io/crates/repopilot)
[![npm](https://img.shields.io/npm/v/repopilot.svg)](https://www.npmjs.com/package/repopilot)
[![CI](https://github.com/MykytaStel/repopilot/actions/workflows/ci.yaml/badge.svg)](https://github.com/MykytaStel/repopilot/actions)
[![GitHub Release](https://img.shields.io/github/v/release/MykytaStel/repopilot)](https://github.com/MykytaStel/repopilot/releases)
[![License](https://img.shields.io/crates/l/repopilot.svg)](LICENSE)

**Review what you or an AI agent changed before you merge.**

RepoPilot is a fast, local-first Rust CLI for Git change review. It flags
security-boundary changes, behavioral and algorithmic shifts, taint-lite flows,
and blast radius so maintainers can focus on the parts of a diff that deserve
extra attention. It is deterministic, runs entirely on your machine, and can be
called by coding agents over MCP. Nothing is uploaded.

```text
git diff -> boundary + behavior + taint + blast radius -> review or CI gate
```

<p align="center">
  <img src="https://raw.githubusercontent.com/MykytaStel/repopilot/main/docs/demos/02-review.gif" alt="RepoPilot reviewing a branch change" width="800">
</p>

> RepoPilot reports structural evidence, not a security verdict. Use it beside
> tests, linters, type checkers, and dedicated security tools.

## Install

```bash
cargo install repopilot
# or
npm install -g repopilot
```

Homebrew, curl, GitHub Releases, and source builds are documented in
[Installation](https://github.com/MykytaStel/repopilot/blob/main/docs/install.md).

## Review A Change

Review the working tree against `HEAD`:

```bash
repopilot review .
```

Review a branch before merge:

```bash
repopilot review . --base origin/main
```

RepoPilot groups review evidence into confidence tiers:

- security boundaries: access control, request trust, deploy surface, supply
  chain, and secret configuration;
- behavioral changes: network, subprocess, filesystem, SQL, dependencies,
  migrations, removed error handling, or removed auth checks;
- algorithmic changes: deeper nesting, nested loops, growth, or recursion;
- taint-lite flows: changed request or process input reaching SQL, exec,
  filesystem-write, or outbound-network sinks;
- blast radius: files that import a changed file.

All review signals ship at `preview`. They are advisory by default; enable the
explicit high-confidence gate with:

```bash
repopilot review . --base origin/main --fail-on-review definitely
```

For a complete agent run:

```bash
repopilot snapshot
# let the agent or developer work
repopilot review --since-snapshot
```

## Full Repository Audit

The broader scan remains available for repository adoption and CI:

```bash
repopilot scan .
repopilot baseline create .
repopilot scan . \
  --baseline .repopilot/baseline.json \
  --fail-on new-high
```

Default scans hide broad maintainability noise. Use `--profile strict` for the
full audit surface.

## AI Agents And MCP

RepoPilot exposes local review, scan, context, and explain tools over stdio:

```bash
claude mcp add repopilot -- repopilot mcp --root .
```

The MCP server is synchronous, root-confined, and makes no network or LLM calls.
See [MCP server](https://github.com/MykytaStel/repopilot/blob/main/docs/mcp.md).

## Distribution

Official CLI channels are crates.io, npm, Homebrew, and GitHub Releases.

Platform-specific VSIX files are attached to GitHub Releases as a **preview**
integration. RepoPilot is not currently published to the VS Code Marketplace or
PyPI.

## Documentation

- [Documentation index]https://github.com/MykytaStel/repopilot/blob/main/docs/README.md
- [Common workflows]https://github.com/MykytaStel/repopilot/blob/main/docs/commands.md
- [CLI reference]https://github.com/MykytaStel/repopilot/blob/main/docs/cli.md
- [Configuration]https://github.com/MykytaStel/repopilot/blob/main/docs/configuration.md
- [Reports and schemas]https://github.com/MykytaStel/repopilot/blob/main/docs/reports.md
- [GitHub pull request integration]https://github.com/MykytaStel/repopilot/blob/main/docs/integrations/github-code-scanning.md
- [Signal contract]https://github.com/MykytaStel/repopilot/blob/main/docs/engineering/signal-contract.md
- [Release process]https://github.com/MykytaStel/repopilot/blob/main/docs/release.md

## Development

```bash
cargo fmt --all -- --check
cargo clippy --all-targets --all-features -- -D warnings
cargo test --all
npm run release:contract
./scripts/smoke-product.sh
```

## License

RepoPilot is licensed under **MIT OR Apache-2.0**.