rs-guard 1.0.0

AI-powered code review CLI for GitHub PRs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204

# Local Mode Guide

rs-guard supports local pre-commit execution, analyzing `git diff --cached` output before you commit changes.

---

## Detection

Local mode is automatically detected when the `GITHUB_ACTIONS` environment variable is **absent**.

```bash
# Local mode (no GITHUB_ACTIONS)
rs-guard

# CI mode (GITHUB_ACTIONS is set by GitHub)
GITHUB_ACTIONS=true rs-guard
```

---

## Behavior

In local mode, rs-guard:

1. Runs `git diff --cached` to fetch staged changes
2. Sends the diff to the configured LLM provider
3. Prints a colored summary to the terminal
4. Exits with code `2` if the review returns `REQUEST_CHANGES`

### Exit Codes

| Code | Meaning                                                |
| ---- | ------------------------------------------------------ |
| `0`  | Review completed successfully (`APPROVE` or `COMMENT`) |
| `1`  | Error occurred (API failure, config error, etc.)       |
| `2`  | Review returned `REQUEST_CHANGES` — blocks commit      |

---

## Pre-Commit Hook Setup

### Option 1: Copy the Example Hook

```bash
cp examples/local-review/pre-commit-hook.sh .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
```

The example hook includes:

- Automatic API key detection (checks for all supported providers)
- Optional config file loading from `~/.config/rs-guard/env`
- Helpful error messages if no API key is found
- Security warnings about not hardcoding keys

### Option 2: Config File (Recommended for Security)

Create a config file at `~/.config/rs-guard/env`:

```bash
mkdir -p ~/.config/rs-guard
cat > ~/.config/rs-guard/env << 'EOF'
# rs-guard API key configuration
# Add this file to your .gitignore if it contains secrets

export DEEPSEEK_API_KEY="your-api-key"
# Or use another provider:
# export KIMI_API_KEY="your-api-key"
# export DASHSCOPE_API_KEY="your-api-key"
# export OPENROUTER_API_KEY="your-api-key"
# export OPENAI_API_KEY="your-api-key"
EOF
```

Add to your `.gitignore` (if the config file is in your repo):

```bash
echo "~/.config/rs-guard/env" >> .gitignore
```

### Option 3: Manual Hook

Create `.git/hooks/pre-commit`:

```bash
#!/bin/sh

# Load optional config file
if [ -f ~/.config/rs-guard/env ]; then
    . ~/.config/rs-guard/env
fi

# Required: set your API key (if not in config file)
# export DEEPSEEK_API_KEY="your-api-key"

# Optional: override provider/model
export RS_GUARD_PROVIDER="deepseek"

echo "Running rs-guard pre-commit review..."

rs-guard
EXIT_CODE=$?

if [ "$EXIT_CODE" -eq 0 ]; then
    exit 0
elif [ "$EXIT_CODE" -eq 2 ]; then
    echo "rs-guard: Review returned REQUEST_CHANGES. Commit aborted."
    echo "Bypass with: git commit --no-verify"
    exit 1
else
    echo "rs-guard: Error occurred (exit code $EXIT_CODE)."
    exit 1
fi
```

Make it executable:

```bash
chmod +x .git/hooks/pre-commit
```

### Security Best Practices

⚠️ **IMPORTANT**: Never hardcode API keys in your pre-commit hook or commit them to git.

- Use environment variables or the `~/.config/rs-guard/env` config file
- Add config files containing secrets to your `.gitignore`
- Rotate API keys if they're accidentally committed
- Use different API keys for different projects when possible

### Bypassing the Hook

If you need to commit despite the review:

```bash
git commit --no-verify  # or -n
```

---

## Running Locally Without a Hook

You can also run rs-guard manually before committing:

```bash
# Using default provider (deepseek)
export DEEPSEEK_API_KEY="your-api-key"
rs-guard

# Using a different provider
export KIMI_API_KEY="your-api-key"
rs-guard --provider kimi

# With custom config
rs-guard --config ./my-review-config.toml

# Test configuration without blocking the commit
rs-guard --dry-run

# Force a fresh review (bypass cache)
rs-guard --no-cache
```

---

## Terminal Output

Local mode prints a color-coded summary:

```text
rs-guard Review

✓ State: APPROVE

Verdict:         POSITIVE
Critical Bugs:   0
Security Issues: 0

The code looks good. No issues found.

--- Metadata ---
Provider:    deepseek
Model:       deepseek-v4-flash
Temperature: 0.1
Diff Lines:  42
```

States are color-coded:

- **Green (`APPROVE`)** — Code is ready to merge
- **Red (`REQUEST_CHANGES`)** — Issues must be addressed
- **Yellow (`COMMENT`)** — Minor concerns, human review recommended

---

## Tips

- **No staged changes?** rs-guard exits cleanly with "No staged changes to review."
- **Diff too large?** Local mode warns and exits `0` (does not block).
- **Want a custom prompt?** Use `--prompt-file` or create `.github/review-prompt.md`.
- **Need faster reviews?** Use a smaller/faster model like `deepseek-v4-flash`.
- **Progress indicators** — In local mode, rs-guard prints
  `🤖 Calling {provider} ({model})...` before the LLM call and
  `✅ Response received (N chars)` after, so you know the tool is working.