# Policy Reference

DiffPulse reads `.diffpulse/policy.yaml` to configure checks, thresholds, and path patterns. Run `diffpulse init` to scaffold a starter policy, then validate it with:

```sh
diffpulse config validate
```

## version

Policy schema version. Currently `"1"`.
## defaults

| Field | Description |
|---|---|
| `base_ref` | Default git base branch when `--base` is not passed (for example `main`). |
## thresholds

| Field | Description |
|---|---|
| `max_diff_lines` | Block when the total number of changed lines exceeds this value. |
| `warn_diff_lines` | Warn on large diffs that stay below the block threshold. |
| `max_files_changed` | Block when the number of changed files exceeds this value. |
| `warn_files_changed` | Warn on many changed files below the block threshold. |
| `max_file_size_kb` | Block when any changed file exceeds this size (in KB). |
| `warn_risk_score` | Warn when the synthesized risk score reaches this value. |
| `block_risk_score` | Block when the synthesized risk score reaches this value. |

Each `warn_*` value must be less than or equal to its corresponding `max_*` / `block_*` value.
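The following is an added example, not DiffPulse's own code, showing how the `warn_*` ≤ `max_*` / `block_*` rule can be enforced and how a diff is then graded against the thresholds. The field names are the ones from the table above; the `Thresholds` and `DiffSummary` shapes, the `validateThresholds()` and `evaluate()` functions, and the sample diff values are assumptions made for illustration.

```typescript
// Added example, not DiffPulse's own code. It enforces the warn_* <= max_*/block_*
// rule from the thresholds table and evaluates a diff summary against the
// thresholds. Field names follow the policy reference; the Thresholds/DiffSummary
// shapes, validateThresholds(), evaluate() and the sample values are assumptions.

type Thresholds = {
  max_diff_lines: number;
  warn_diff_lines: number;
  max_files_changed: number;
  warn_files_changed: number;
  max_file_size_kb: number;
  warn_risk_score: number;
  block_risk_score: number;
};

type Verdict = "pass" | "warn" | "block";

// Each warn_* field paired with the max_*/block_* field it must not exceed.
const WARN_PAIRS: Array<[keyof Thresholds, keyof Thresholds]> = [
  ["warn_diff_lines", "max_diff_lines"],
  ["warn_files_changed", "max_files_changed"],
  ["warn_risk_score", "block_risk_score"],
];

// Returns a list of problems; an empty list means the thresholds are valid.
function validateThresholds(t: Thresholds): string[] {
  const problems: string[] = [];
  for (const [field, value] of Object.entries(t)) {
    if (!Number.isInteger(value) || value < 0) {
      problems.push(`${field} must be a non-negative integer, got ${value}`);
    }
  }
  for (const [warn, limit] of WARN_PAIRS) {
    if (t[warn] > t[limit]) {
      problems.push(`${warn} (${t[warn]}) must be <= ${limit} (${t[limit]})`);
    }
  }
  return problems;
}

// Constructed summary of one diff; a real run would derive these from git.
type DiffSummary = {
  changedLines: number;
  filesChanged: number;
  largestFileKb: number;
  riskScore: number;
};

// "exceed" is read as strictly greater; the risk-score rules fire when the score
// "reaches" the value (>=), as the table wording says. Any block finding wins.
function evaluate(t: Thresholds, d: DiffSummary): { verdict: Verdict; reasons: string[] } {
  const findings: Array<[Verdict, string]> = [];
  if (d.changedLines > t.max_diff_lines) {
    findings.push(["block", `${d.changedLines} changed lines exceed max_diff_lines=${t.max_diff_lines}`]);
  } else if (d.changedLines > t.warn_diff_lines) {
    findings.push(["warn", `${d.changedLines} changed lines exceed warn_diff_lines=${t.warn_diff_lines}`]);
  }
  if (d.filesChanged > t.max_files_changed) {
    findings.push(["block", `${d.filesChanged} files changed exceed max_files_changed=${t.max_files_changed}`]);
  } else if (d.filesChanged > t.warn_files_changed) {
    findings.push(["warn", `${d.filesChanged} files changed exceed warn_files_changed=${t.warn_files_changed}`]);
  }
  if (d.largestFileKb > t.max_file_size_kb) {
    findings.push(["block", `largest file ${d.largestFileKb} KB exceeds max_file_size_kb=${t.max_file_size_kb}`]);
  }
  if (d.riskScore >= t.block_risk_score) {
    findings.push(["block", `risk score ${d.riskScore} reached block_risk_score=${t.block_risk_score}`]);
  } else if (d.riskScore >= t.warn_risk_score) {
    findings.push(["warn", `risk score ${d.riskScore} reached warn_risk_score=${t.warn_risk_score}`]);
  }
  const verdict: Verdict = findings.some(([level]) => level === "block")
    ? "block"
    : findings.length > 0 ? "warn" : "pass";
  return { verdict, reasons: findings.map(([, reason]) => reason) };
}

// The thresholds from the example policy at the end of this page.
const EXAMPLE_THRESHOLDS: Thresholds = {
  max_diff_lines: 1000, warn_diff_lines: 300,
  max_files_changed: 30, warn_files_changed: 15,
  max_file_size_kb: 512,
  warn_risk_score: 25, block_risk_score: 60,
};

// Constructed diff: large but not blocking, so the expected verdict is "warn".
const SAMPLE_DIFF: DiffSummary = { changedLines: 450, filesChanged: 4, largestFileKb: 8, riskScore: 5 };
console.log(validateThresholds(EXAMPLE_THRESHOLDS), evaluate(EXAMPLE_THRESHOLDS, SAMPLE_DIFF));
```

Validating the ordering up front matters because a `warn_*` value above its `max_*` counterpart makes the warning tier unreachable: every diff that would warn already blocks, and the policy silently loses the signal it was meant to give reviewers.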
## checks

Toggle deterministic checks on or off:

| Check | Description |
|---|---|
| `diff_size` | Warn or block on large changed-line counts. |
| `file_count` | Warn or block on many changed files. |
| `sensitive_paths` | Flag changes to secrets, keys, and credential paths. |
| `test_presence` | Warn when source files change without matching test changes. |
| `lockfile_changes` | Flag dependency lockfile modifications. |
| `binary_files` | Flag added or modified binary files. |
## Path patterns

Glob patterns (micromatch-style) control how changed files are classified:

| Field | Purpose |
|---|---|
| `sensitive_patterns` | Paths treated as secrets or credentials. |
| `lockfile_patterns` | Dependency lockfiles. |
| `test_patterns` | Test files. |
| `source_patterns` | Application source files (used by `test_presence`). |
| `generated_patterns` | Build output and generated artifacts. |
| `binary_extensions` | File extensions treated as binary. |
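The following is an added example, not DiffPulse's own code, of how the pattern fields above classify a changed-file list and how that classification feeds the `test_presence` check from the checks table. The policy field names are from this page; the simplified glob matcher, the `classify()` and `testPresenceWarns()` helpers, the category names, the `generated_patterns`/`binary_extensions` values and the list of changed files are constructed for illustration. The matcher only supports `*`, `**` and `?` (no braces, extglobs or character classes), lets `*` match dotfiles, and treats a pattern without a slash as a basename that matches at any depth, which is what micromatch's `basename` option does.

```typescript
// Added example, not DiffPulse's own code: a simplified micromatch-style glob
// matcher and the file classification it drives. Policy field names are from the
// reference above; the matcher, classify(), testPresenceWarns(), the category names
// and the sample data are assumptions. Simplifications versus real micromatch: only
// *, ** and ? are supported, dotfiles are matched by *, and a pattern without a
// slash matches the basename at any depth (micromatch's `basename` option).

type PathPatterns = {
  sensitive_patterns: string[];
  lockfile_patterns: string[];
  test_patterns: string[];
  source_patterns: string[];
  generated_patterns: string[];
  binary_extensions: string[];
};

type Category = "sensitive" | "lockfile" | "test" | "source" | "generated" | "binary";

// Translate one glob into an anchored regular expression over a "/"-separated path.
function globToRegExp(glob: string): RegExp {
  const pattern = glob.includes("/") ? glob : `**/${glob}`; // bare name: match at any depth
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "*" && pattern[i + 1] === "*") {
      if (pattern[i + 2] === "/") { re += "(?:[^/]+/)*"; i += 2; } // "**/" = zero or more dirs
      else { re += ".*"; i += 1; }                                // trailing "**" = anything
    } else if (c === "*") {
      re += "[^/]*";                                              // within a single segment
    } else if (c === "?") {
      re += "[^/]";
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");              // literal character
    }
  }
  return new RegExp(`^${re}$`);
}

function matchesAny(file: string, globs: string[]): boolean {
  return globs.some((g) => globToRegExp(g).test(file));
}

// A file can belong to several categories (a test file is usually also a source file).
function classify(file: string, p: PathPatterns): Set<Category> {
  const cats = new Set<Category>();
  if (matchesAny(file, p.sensitive_patterns)) cats.add("sensitive");
  if (matchesAny(file, p.lockfile_patterns)) cats.add("lockfile");
  if (matchesAny(file, p.test_patterns)) cats.add("test");
  if (matchesAny(file, p.source_patterns)) cats.add("source");
  if (matchesAny(file, p.generated_patterns)) cats.add("generated");
  const base = file.slice(file.lastIndexOf("/") + 1);
  const dot = base.lastIndexOf(".");
  if (dot >= 0 && p.binary_extensions.includes(base.slice(dot).toLowerCase())) cats.add("binary");
  return cats;
}

// test_presence: warn when at least one non-test, non-generated source file changed
// but no test file did. A file matching both source and test patterns counts as a test.
function testPresenceWarns(files: string[], p: PathPatterns): boolean {
  let sources = 0;
  let tests = 0;
  for (const f of files) {
    const c = classify(f, p);
    if (c.has("test")) tests++;
    else if (c.has("source") && !c.has("generated")) sources++;
  }
  return sources > 0 && tests === 0;
}

// Patterns from the example policy on this page, plus constructed generated/binary entries.
const EXAMPLE_PATTERNS: PathPatterns = {
  sensitive_patterns: [".env", "**/*.pem", "**/credentials.json"],
  lockfile_patterns: ["package-lock.json", "pnpm-lock.yaml"],
  test_patterns: ["**/*.test.ts", "**/__tests__/**"],
  source_patterns: ["**/*.ts", "**/*.js"],
  generated_patterns: ["dist/**", "**/*.generated.ts"],
  binary_extensions: [".png", ".jar", ".wasm"],
};

// Constructed list of changed files for a single diff.
const CHANGED_FILES = [
  "src/auth/session.ts",
  "src/auth/__tests__/session.test.ts",
  "package-lock.json",
  "deploy/prod.pem",
  "dist/bundle.js",
  "assets/logo.png",
  "config/.env",
];

for (const f of CHANGED_FILES) console.log(f, [...classify(f, EXAMPLE_PATTERNS)]);
console.log("test_presence warns:", testPresenceWarns(CHANGED_FILES, EXAMPLE_PATTERNS));
```

Note that `dist/bundle.js` matches both `source_patterns` and `generated_patterns`; without the `generated` exclusion in `testPresenceWarns()` a regenerated bundle alone would trigger a missing-tests warning, which is why `generated_patterns` is worth maintaining even when no check flags generated files directly.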
## Example

```yaml
version: "1"
defaults:
  base_ref: main
thresholds:
  max_diff_lines: 1000
  warn_diff_lines: 300
  max_files_changed: 30
  warn_files_changed: 15
  max_file_size_kb: 512
  warn_risk_score: 25
  block_risk_score: 60
checks:
  diff_size: true
  file_count: true
  sensitive_paths: true
  test_presence: true
  lockfile_changes: true
  binary_files: true
sensitive_patterns:
  - .env
  - "**/*.pem"
  - "**/credentials.json"
lockfile_patterns:
  - package-lock.json
  - pnpm-lock.yaml
test_patterns:
  - "**/*.test.ts"
  - "**/__tests__/**"
source_patterns:
  - "**/*.ts"
  - "**/*.js"
```