New: configurable code-review rules. Drop a .codeep/review.json into a repo to add your own deterministic review rules, disable built-in ones, and scope which files are reviewed. Rules are enforced the same way by codeep review (CLI) and the Codeep GitHub Action, with zero LLM cost.
Added
- .codeep/review.json — review rules as config. The deterministic reviewer (codeep review, /review --static, and the GitHub Action) now reads a per-project config:
  - rules — your own checks: id, pattern (regex), message (required) plus optional flags, category, severity, suggestion, extensions.
  - disable — turn off built-in rules by id (each built-in now has a stable id, e.g. eval-usage, todo-comment, any-type, long-file).
  - include / exclude — glob scoping (**, *, ?).
  A missing, malformed, or partially-invalid config never breaks a review: bad entries are skipped with a warning and valid ones still apply.
Security
- Hardened the reviewer against untrusted custom rules. Since a PR's .codeep/review.json runs in CI via the Action, custom regexes are screened at load (length cap plus a catastrophic-backtracking/ReDoS heuristic), the match loop guards against zero-width patterns (no infinite loop) and caps matches per rule, and the GitHub Action bounds each review's wall-clock time at 180s.