Configuration reference

File name and location

The config lives at the repository root.

• Canonical name: .trirev.yml
• Legacy name (still accepted): .reviewbot.yml. The parser reads the legacy filename and posts a deprecation warning recommending the rename. Both files in the same repo means the canonical name wins; the legacy file is ignored with a warning.
• Maximum size: 64 KB. Larger files fall back to defaults with an error comment.
• Missing file: silent defaults. No PR comment, no warning. Most repositories never need a config.

Minimal example

Most users start here. Every key is optional. Omitted keys use the defaults below.

version: 1

severity_threshold: high
language_hint: typescript

agents:
  correctness: true
  security: true
  style: false

ignore_paths:
  - "dist/**"
  - "**/*.generated.*"

custom_rules:
  - "Always use named exports, never default exports."
  - "Controllers must call assertNoNulls on inputs."

This example raises the noise floor to high-and-above findings, gives the agents a TypeScript hint, disables the style agent, skips compiled output, and passes two project-specific conventions.

Schema

Every field, every default, every allowed value.

severity_threshold

The minimum severity reported. Findings below the threshold are dropped before the PR comment is composed.

Severity is ordered from highest to lowest: critical → high → medium → low → info. Setting severity_threshold: high reports only critical and high findings; setting severity_threshold: info reports everything.

The default is medium, which removes typical low-confidence style nits while keeping correctness and security signals.

confidence_threshold

The minimum confidence (0.0–1.0) for a finding to be reported. Each agent attaches a confidence score to every finding it produces; findings below the threshold are filtered out before the unified review comment is composed.

Default is 0.7: includes near-certain findings and strong-but-pending-context ones, drops anything genuinely speculative.

Set higher (for example 0.85) on noise-sensitive repositories where you only want findings the agents are very sure about. Set lower (for example 0.5) on exploratory codebases where you want to see possible issues even if the agent is hedging.

# Tighter threshold: report only high-confidence findings
confidence_threshold: 0.85

Values outside [0.0, 1.0] are rejected with an error and the default is used. See the Severity and confidence section in Review agents for how the agents assign confidence scores.

How confidence_threshold interacts with cross-agent validation

When two or more agents flag the same finding in the same file and line, TriRev applies a cross-agent consensus boost before applying your threshold. The boost rewards agreement between agents: a borderline finding that all three agents notice independently is more likely to be a real problem than one noticed by only one agent.

The two-step process

1. Agents run with a low internal noise floor (0.5). Each agent filters its own output at 0.5, not at your configured threshold. This lets borderline findings reach the deduplication step.
2. Cross-agent boost is applied. For each deduplicated finding, TriRev counts how many distinct agents flagged it. Each additional agent beyond the first adds +0.15 to the confidence, capped at 1.0. One agent: no boost. Two agents: +0.15. Three agents: +0.30.
3. Your confidence_threshold is applied after the boost. Only findings whose post-boost confidence meets your threshold are included in the review comment.

The "Cross-validated by N agents" badge

When a finding passes because of the boost, the inline PR comment shows a badge such as Cross-validated by 2 agents or Cross-validated by all 3 agents. The badge tells you the finding has stronger signal than a single-agent flag and is why it appeared at your threshold.

Side-by-side example

Suppose you have confidence_threshold: 0.9. Two findings come in with a base confidence of 0.60.

The practical effect: setting confidence_threshold: 0.9 still surfaces 3-agent-validated findings down to a base confidence of 0.60. It filters out single-agent findings below 0.90. Setting the threshold to 0.5 shows almost everything because the noise floor is already 0.5.

language_hint

Helps the agents pick the right rules and idioms when a repository contains a mix of files. Most repositories do not need this hint: the agents detect the language from file extensions on the diff.

Set the hint when the diff is ambiguous, for example a polyglot monorepo where a single review should be evaluated against TypeScript conventions even if the touched files include shell scripts and YAML.

Allowed values are "javascript", "typescript", "python", "go", or null for auto-detect (the default). Other strings are rejected with an error and the hint falls back to null.

agents

Three booleans, one per agent. Setting any to false turns that agent off entirely; the unified PR comment renders only findings from the agents that ran.

agents:
  correctness: true
  security: true
  style: false   # silence the style agent for this repo

If you turn off all three agents, no review is posted (the orchestrator detects the empty-agent case and skips the comment).

The Review agents page describes what each agent actually checks.

custom_rules

Free-form text instructions passed to every agent. Use this to encode conventions that are specific to your codebase: naming patterns, framework idioms, library preferences, things that linters cannot express.

custom_rules:
  - "Always use named exports. Default exports are not allowed."
  - "Controllers must validate inputs with assertNoNulls before any business logic."
  - "This is a Next.js app router project. Pages are server components by default."

Limits and safety filters

• Up to 10 rules. Extra rules are dropped with a warning. Keep the list focused: more rules dilute attention.
• Up to 200 characters per rule. Longer rules are truncated with a warning. Be terse.
• Prompt-injection filter. Rules that match patterns like "ignore previous instructions", "you are now", "override", or "SYSTEM:" are dropped silently with a warning. This is intentional and not configurable: it protects the agents from instructions that would weaken the review.

ignore_paths

List of glob patterns relative to the repository root. Files matching any pattern are excluded from the review.

ignore_paths:
  - "dist/**"
  - "build/**"
  - "**/*.generated.*"
  - "vendor/**"
  - "tests/fixtures/**"

Patterns are checked against the diff hunk paths. A file path matching any glob skips all agents.

What not to do

Patterns starting with / or containing .. are flagged with a warning. Use repository-relative globs only. Absolute paths and parent-directory traversal are not respected by the parser and indicate a config mistake.

auto_fix

Controls the Suggested-change blocks that TriRev posts inline on findings. A Suggested-change block is a GitHub-native code suggestion the user can accept with one click.

auto_fix:
  enabled: true
  batch_hint: true
  max_per_pr: 20
  agents:
    style:
      suggestions: true
    correctness:
      suggestions: false   # not yet supported by default
    security:
      suggestions: false   # not yet supported by default

Defaults today: the style agent emits Suggested-change blocks; correctness and security agents emit findings without suggestions. Per-agent opt-in lets you enable suggestions on the other two when their authoring ships.

The max_per_pr cap prevents very large refactor PRs from getting flooded with mechanical fix suggestions. Set it lower (for example, 5) for repositories where you prefer terse reviews.

Validation behavior

The parser is built to never crash on a bad config. Two outcomes are possible.

Errors

An error means the value is invalid for that key. The parser uses the default for the affected key and posts a structured comment on the PR explaining the problem. Examples:

• severity_threshold: "warn" is rejected (not in the enum). Default "medium" is used. Comment lists the allowed values.
• agents.security: "off" is rejected (expected boolean). Default true is used.
• version: 2 is rejected (only version 1 is supported). All defaults are used.

Warnings

A warning means the value is accepted but suspicious. The config is applied as written; the warning is posted in the same PR comment. Examples:

• An unknown top-level key (typo, future field). The unknown key is ignored.
• 11+ custom_rules. The first 10 are kept; the rest are dropped.
• A custom rule matching prompt-injection patterns. The rule is dropped.
• An ignore_paths entry that starts with / or contains ... The pattern is kept but flagged as suspicious.

Full example

Every key set, with realistic values. Use this as a starting point and trim what you do not need.

version: 1

severity_threshold: medium
language_hint: typescript

agents:
  correctness: true
  security: true
  style: true

ignore_paths:
  - "dist/**"
  - "build/**"
  - "node_modules/**"
  - "**/*.generated.ts"
  - "tests/fixtures/**"

custom_rules:
  - "Use named exports. No default exports."
  - "All controllers validate inputs with assertNoNulls."
  - "Async functions must have explicit error handling, no implicit rejection."
  - "Prefer composition over inheritance for domain models."

auto_fix:
  enabled: true
  batch_hint: true
  max_per_pr: 15
  agents:
    style:
      suggestions: true

Where to next

• Want to know what each agent actually checks? Review agents
• Config not picked up or behavior unexpected? Troubleshooting
• Question this page did not answer? FAQ or support@trirev.dev