Skip to main content
The .mergewatch.yml file controls how MergeWatch reviews pull requests in a repository. Place it at the root of your repository’s default branch (usually main).

Configuration priority

MergeWatch resolves configuration in the following order. Each layer overrides the one before it:
1

Built-in defaults

Hardcoded in the MergeWatch Lambda. These apply when no other configuration is present.
2

Installation-level settings (DynamoDB)

Set via the dashboard. Apply to all repositories in the installation.
3

Per-repo .mergewatch.yml

Checked into the repository. Overrides both built-in defaults and installation-level settings.
A .mergewatch.yml in the repository always wins. If you set maxFiles: 100 in the dashboard but maxFiles: 20 in the YAML file, the repo uses 20.

Validation

MergeWatch validates the .mergewatch.yml file on the first webhook it receives for the repository. If the file contains errors — invalid YAML, unknown properties, or type mismatches — MergeWatch posts the validation errors as a comment on the pull request so they are immediately visible to the author.

Full annotated example

.mergewatch.yml
version: 1

# Model used for all agents. Must be a valid Bedrock model ID.
model: anthropic.claude-sonnet-4-20250514

# Codebase awareness — enable agentic file fetching for cross-file context.
codebaseAwareness: true
maxFileRequestRounds: 1
maxContextKB: 256

# Agent configuration — toggle each built-in agent on or off.
agents:
  security: true
  bugs: true
  style: true
  errorHandling: true
  testCoverage: false
  commentAccuracy: true
  summary: true
  diagram: true

# Custom agents run alongside the built-in ones.
customAgents:
  - name: api-consistency
    prompt: "Check that all new API endpoints follow our REST conventions: plural resource names, consistent error response format, and proper HTTP status codes."
    severityDefault: warning
    enabled: true

# Review rules — control scope and trigger behavior.
rules:
  maxFiles: 50
  ignorePatterns:
    - "*.lock"
    - "vendor/**"
    - "dist/**"
  autoReview: true
  reviewOnMention: true
  skipDrafts: true
  ignoreLabels:
    - "skip-review"

# File patterns to exclude from the diff sent to agents.
excludePatterns:
  - "**/*.lock"
  - "**/package-lock.json"
  - "**/dist/**"
  - "**/node_modules/**"

# Minimum severity to report: info | warning | critical
minSeverity: info

# Maximum findings posted per review.
maxFindings: 25

# UX configuration for review comment formatting.
ux:
  tone: collaborative       # collaborative | direct | advisory
  showWorkDone: true         # show the stats bar (files scanned, lines reviewed, agents ran)
  showSuppressedCount: true  # show how many findings were suppressed
  reviewerChecklist: true    # show a checklist derived from top findings
  allClearMessage: true      # show a special message when no findings
  commentHeader: ""          # custom Markdown header for the review comment

Property reference

Top-level properties

PropertyTypeDefaultDescription
versionnumber1Schema version. Currently only 1 is supported.
modelstringus.anthropic.claude-sonnet-4-20250514-v1:0Bedrock model ID used for all agents. Any model available in your Bedrock account can be specified.
lightModelstringus.anthropic.claude-haiku-4-5-20251001-v1:0Lighter model used for low-complexity tasks such as summary generation.
maxTokensPerAgentnumber4096Maximum output tokens per agent invocation. Increase for large PRs; decrease to reduce cost.
minSeveritystringinfoMinimum severity level to report. One of info, warning, critical. Findings below this threshold are suppressed.
maxFindingsnumber25Maximum number of findings posted per review. Prevents noisy reviews on large PRs.
postSummaryOnCleanbooleantrueWhen true, MergeWatch posts a summary comment even when no findings are detected. Set to false to stay silent on clean PRs.
codebaseAwarenessbooleantrueEnable agentic file fetching for cross-file context. When true, agents can request additional files from the repository.
maxFileRequestRoundsnumber1Maximum rounds of file fetching per agent (1—2). Each round lets the agent request more files based on what it learned.
maxContextKBnumber256Maximum total context size in KB for fetched files per agent. Prevents runaway context expansion.
customStyleRulesstring[][]Additional style rules applied to the style agent. Each entry is a rule string.
conventionsstringauto-discoveredPath to a Markdown file documenting repo-specific conventions. Injected into every agent’s prompt (16 KB cap). When unset, MergeWatch tries AGENTS.md, CONVENTIONS.md, and .mergewatch/conventions.md in that order. See Repository Conventions.
excludePatternsstring[][]File patterns to exclude from the diff sent to agents (in addition to ignorePatterns in rules). Uses glob syntax.
agentsobjectSee AgentsBoolean map of built-in agent names to enabled/disabled state.
customAgentsCustomAgent[][]List of custom agent definitions. See Custom agents.
rulesobjectSee RulesReview scope and trigger rules.
uxobjectSee UXUX configuration for review comment formatting.

Agents

The agents object is a boolean map that toggles each of the eight built-in review agents on or off. Set an agent to false to disable it entirely. 
agents:
  security: true
  bugs: true
  style: false        # disable style agent
  diagram: false      # disable diagram agent
You do not need to list all agents. Omitted agents default to true (enabled). To disable a single agent, include only that agent with false.
To define entirely new agents with custom prompts, use the customAgents array. See Custom agents below.
Built-in agents:
AgentDefaultPurpose
securityEnabledOWASP Top 10, secrets detection, injection flaws, unsafe deserialization
bugsEnabledLogic errors, off-by-one, null dereferences, race conditions
styleEnabledCode style, naming conventions, project-specific patterns
errorHandlingEnabledEmpty catch blocks, swallowed errors, unhandled promise rejections
testCoverageEnabledMissing tests for new public functions, untested edge cases
commentAccuracyEnabledMisleading or outdated code comments, incorrect JSDoc
summaryEnabledHigh-level PR summary with the merge readiness score (uses the light model)
diagramEnabledMermaid diagram of the changed control flow (uses the light model)

Custom agents

You can define custom agents using the customAgents array. Custom agents run in parallel alongside the built-in agents and follow the same output schema.
PropertyTypeDefaultDescription
namestringA unique identifier for the custom agent.
promptstring(Required) The system prompt for the agent. This defines what the agent looks for in the code.
severityDefaultstring"warning"Default severity for findings from this agent. One of: "info", "warning", "critical".
enabledbooleantrueSet to false to disable the custom agent.
customAgents:
  - name: api-consistency
    prompt: "Check that all new API endpoints follow REST conventions: plural resource names, consistent error response format, and proper HTTP status codes."
    severityDefault: warning
    enabled: true

  - name: i18n-compliance
    prompt: "Flag any user-facing strings that are not wrapped in a translation function (t() or i18n()). All UI text must be translatable."
    severityDefault: info
    enabled: true

Rules

The rules object controls which files are reviewed and when reviews are triggered.
PropertyTypeDefaultDescription
maxFilesnumber50Maximum number of changed files to review. PRs exceeding this limit are skipped with a comment explaining why.
ignorePatternsstring[]["*.lock", "package-lock.json", "yarn.lock", "pnpm-lock.yaml", "dist/**", "node_modules/**"]Glob patterns for files to exclude from review. Matched against the file path relative to the repo root.
autoReviewbooleantrueWhen true, MergeWatch reviews every PR automatically on open and synchronize events.
reviewOnMentionbooleantrueWhen true, MergeWatch runs a review when mentioned in a PR comment (e.g., @mergewatch review). Works even if autoReview is false.
skipDraftsbooleantrueSkip draft pull requests. Set to false to review drafts automatically.
ignoreLabelsstring[]["skip-review"]Skip PRs with any of these GitHub labels. PRs matching these labels are not reviewed.

UX

The ux object controls how the review comment is formatted and what sections are shown.
PropertyTypeDefaultDescription
tonestringcollaborativeTone of review findings. One of: collaborative, direct, advisory.
showWorkDonebooleantrueShow the “work done” stats bar (files scanned, lines reviewed, agents ran).
showSuppressedCountbooleantrueShow how many findings were suppressed by the orchestrator’s dedup and quality filters.
reviewerChecklistbooleantrueShow a reviewer checklist derived from the top findings.
allClearMessagebooleantrueShow a special “all clear” message when there are no findings.
commentHeaderstring""Custom Markdown header for the review comment. Replaces the default MergeWatch logo.
Tone directives:
ToneBehavior
collaborativeFrames findings as suggestions from a teammate. Uses phrases like “Consider…”, “It might be worth…”, “One approach would be…”. Acknowledges the author’s intent before suggesting alternatives.
directStates findings clearly and concisely without hedging. Leads with what needs to change and why. Skips pleasantries but remains respectful.
advisoryPresents findings as expert observations. Uses phrases like “In my experience…”, “A common pitfall here is…”, “Best practice suggests…”. Provides context for why the suggestion matters.

Minimal configuration

If the defaults work for you, the smallest valid configuration is:
.mergewatch.yml
version: 1
This enables all eight built-in agents with their default prompts, uses Claude Sonnet via Bedrock, and reviews PRs automatically.

Common patterns

.mergewatch.yml
version: 1
model: us.anthropic.claude-sonnet-4-20250514-v1:0
agents:
  style: false
  diagram: false
customAgents:
  - name: security-pci
    prompt: "This is a PCI-DSS scoped payments service. Focus on: SQL injection via raw queries, XSS in template rendering, hardcoded credentials, insecure cryptographic operations, and unvalidated redirects. Flag any use of eval() or exec()."
    severityDefault: critical
    enabled: true
Disables style and diagram agents. A custom agent adds domain-specific security checks for payments services.
.mergewatch.yml
version: 1
model: us.anthropic.claude-haiku-4-5-20251001-v1:0
maxTokensPerAgent: 2048
maxFindings: 10
minSeverity: warning
agents:
  bugs: false
  style: false
  diagram: false
Uses the cheaper Haiku model, disables low-priority agents, and suppresses info-level findings. Good for repos with frequent small PRs where speed and cost matter more than comprehensive review.
.mergewatch.yml
version: 1
customAgents:
  - name: react-style
    prompt: "This is a React + TypeScript project. Flag any use of `any` type. Require explicit return types on exported functions. Flag inline styles — use Tailwind classes. Flag console.log() calls. Prefer named exports over default exports."
    severityDefault: warning
    enabled: true
  - name: frontend-security
    prompt: "Focus on XSS via dangerouslySetInnerHTML, unsanitized user input in URLs, and exposed API keys in client-side code."
    severityDefault: critical
    enabled: true
Custom agents add React/TypeScript conventions and frontend-specific security checks alongside the built-in agents.
.mergewatch.yml
version: 1
customAgents:
  - name: service-boundaries
    prompt: "This repo contains three services: payments/, orders/, notifications/. Flag any direct imports across service boundaries — each service must be independent. Flag shared mutable state."
    severityDefault: warning
    enabled: true
  - name: monorepo-style
    prompt: "Each service has its own tsconfig.json. Flag path aliases that reference other services."
    severityDefault: info
    enabled: true
Custom agents enforce architectural boundaries. All built-in agents remain enabled.
.mergewatch.yml
version: 1
rules:
  autoReview: false
  reviewOnMention: true
MergeWatch stays silent until someone comments @mergewatch review on the PR.
.mergewatch.yml
version: 1
rules:
  ignorePatterns:
    - "*.lock"
    - "vendor/**"
    - "dist/**"
    - "generated/**"
    - "*.pb.go"
    - "*.gen.ts"
.mergewatch.yml
version: 1
customAgents:
  - name: django-security
    prompt: "This is a Django 5 project. Focus on SQL injection via raw querysets, CSRF token issues, unvalidated redirects, and mass assignment via ModelForm. Check for DEBUG=True in settings."
    severityDefault: critical
    enabled: true
  - name: django-style
    prompt: "Enforce PEP 8. Flag any print() calls — use logging instead. Flag bare except clauses. Require type hints on public function signatures."
    severityDefault: warning
    enabled: true
  - name: django-bugs
    prompt: "Watch for N+1 query patterns in Django ORM, missing database migrations for model changes, and unclosed file handles."
    severityDefault: warning
    enabled: true
Three custom agents with Django-specific prompts alongside the built-in agents.

Where the file lives

The .mergewatch.yml file must be placed at the root of the repository’s default branch (the branch GitHub shows when you visit the repo — usually main or master). MergeWatch reads the file from the default branch, not from the PR’s head branch. This means configuration changes in a PR do not take effect until they are merged.
If you rename your default branch, MergeWatch automatically detects the new default on the next webhook. No action is required.