.mergewatch.yml file controls how MergeWatch reviews pull requests in a repository. Place it at the root of your repository’s default branch (usually main).
Configuration priority
MergeWatch resolves configuration in the following order. Each layer overrides the one before it:Built-in defaults
Hardcoded in the MergeWatch Lambda. These apply when no other configuration is present.
Installation-level settings (DynamoDB)
Set via the dashboard. Apply to all repositories in the installation.
A
.mergewatch.yml in the repository always wins. If you set maxFiles: 100 in the dashboard but maxFiles: 20 in the YAML file, the repo uses 20.Validation
MergeWatch validates the.mergewatch.yml file on the first webhook it receives for the repository. If the file contains errors — invalid YAML, unknown properties, or type mismatches — MergeWatch posts the validation errors as a comment on the pull request so they are immediately visible to the author.
Full annotated example
.mergewatch.yml
Property reference
Top-level properties
| Property | Type | Default | Description |
|---|---|---|---|
version | number | 1 | Schema version. Currently only 1 is supported. |
model | string | us.anthropic.claude-sonnet-4-20250514-v1:0 | Bedrock model ID used for all agents. Any model available in your Bedrock account can be specified. |
lightModel | string | us.anthropic.claude-haiku-4-5-20251001-v1:0 | Lighter model used for low-complexity tasks such as summary generation. |
maxTokensPerAgent | number | 4096 | Maximum output tokens per agent invocation. Increase for large PRs; decrease to reduce cost. |
minSeverity | string | info | Minimum severity level to report. One of info, warning, critical. Findings below this threshold are suppressed. |
maxFindings | number | 25 | Maximum number of findings posted per review. Prevents noisy reviews on large PRs. |
postSummaryOnClean | boolean | true | When true, MergeWatch posts a summary comment even when no findings are detected. Set to false to stay silent on clean PRs. |
codebaseAwareness | boolean | true | Enable agentic file fetching for cross-file context. When true, agents can request additional files from the repository. |
maxFileRequestRounds | number | 1 | Maximum rounds of file fetching per agent (1—2). Each round lets the agent request more files based on what it learned. |
maxContextKB | number | 256 | Maximum total context size in KB for fetched files per agent. Prevents runaway context expansion. |
customStyleRules | string[] | [] | Additional style rules applied to the style agent. Each entry is a rule string. |
conventions | string | auto-discovered | Path to a Markdown file documenting repo-specific conventions. Injected into every agent’s prompt (16 KB cap). When unset, MergeWatch tries AGENTS.md, CONVENTIONS.md, and .mergewatch/conventions.md in that order. See Repository Conventions. |
excludePatterns | string[] | See defaults | Canonical file-pattern field. Filters individual files out of the diff sent to agents. Uses glob syntax. |
includePatterns | string[] | [] | Force PRs back into review when every changed file would otherwise match the built-in trivial patterns (lock files, docs, build artifacts). Operates at the PR-skip layer — useful for opting a critical-docs subdirectory or a top-level SECURITY.md back into review. |
agents | object | See Agents | Boolean map of built-in agent names to enabled/disabled state. |
customAgents | CustomAgent[] | [] | List of custom agent definitions. See Custom agents. |
rules | object | See Rules | Review scope and trigger rules. |
ux | object | See UX | UX configuration for review comment formatting. |
agentReview | object | See Agent-authored PRs | Detection rules and strict-mode behavior for agent-authored pull requests. |
pricing | object | provider defaults | Per-model price overrides for cost estimation. Map of model ID → { inputPer1M, outputPer1M } in USD. Use this when a custom or self-hosted model is missing from MergeWatch’s built-in price table. |
Agents
Theagents object is a boolean map that toggles each of the eight built-in review agents on or off. Set an agent to false to disable it entirely.
To define entirely new agents with custom prompts, use the
customAgents array. See Custom agents below.| Agent | Default | Purpose |
|---|---|---|
security | Enabled | OWASP Top 10, secrets detection, injection flaws, unsafe deserialization |
bugs | Enabled | Logic errors, off-by-one, null dereferences, race conditions |
style | Enabled | Code style, naming conventions, project-specific patterns |
errorHandling | Enabled | Empty catch blocks, swallowed errors, unhandled promise rejections |
testCoverage | Enabled | Missing tests for new public functions, untested edge cases |
commentAccuracy | Enabled | Misleading or outdated code comments, incorrect JSDoc |
summary | Enabled | High-level PR summary with the merge readiness score (uses the light model) |
diagram | Enabled | Mermaid diagram of the changed control flow (uses the light model) |
Custom agents
You can define custom agents using thecustomAgents array. Custom agents run in parallel alongside the built-in agents and follow the same output schema.
| Property | Type | Default | Description |
|---|---|---|---|
name | string | — | A unique identifier for the custom agent. |
prompt | string | — | (Required) The system prompt for the agent. This defines what the agent looks for in the code. |
severityDefault | string | "warning" | Default severity for findings from this agent. One of: "info", "warning", "critical". |
enabled | boolean | true | Set to false to disable the custom agent. |
Rules
Therules object controls which files are reviewed and when reviews are triggered.
| Property | Type | Default | Description |
|---|---|---|---|
maxFiles | number | 50 | Maximum number of changed files to review. PRs exceeding this limit are skipped with a comment explaining why. |
autoReview | boolean | true | When true, MergeWatch reviews every PR automatically on open and synchronize events. When false, MergeWatch posts a neutral check run on each PR titled “Auto-review is disabled for this repository” instructing the author to comment @mergewatch review to trigger one — see Auto-review off. |
reviewOnMention | boolean | true | When true, MergeWatch runs a review when mentioned in a PR comment (e.g., @mergewatch review). Works even if autoReview is false. |
skipDrafts | boolean | true | Skip draft pull requests. Set to false to review drafts automatically. |
ignoreLabels | string[] | ["skip-review"] | Skip PRs with any of these GitHub labels. PRs matching these labels are not reviewed. |
UX
Theux object controls how the review comment is formatted and what sections are shown.
| Property | Type | Default | Description |
|---|---|---|---|
tone | string | collaborative | Tone of review findings. One of: collaborative, direct, advisory. |
showWorkDone | boolean | true | Show the “work done” stats bar (files scanned, lines reviewed, agents ran). |
showSuppressedCount | boolean | true | Show how many findings were suppressed by the orchestrator’s dedup and quality filters. |
reviewerChecklist | boolean | true | Show a reviewer checklist derived from the top findings. |
allClearMessage | boolean | true | Show a special “all clear” message when there are no findings. |
commentHeader | string | "" | Custom Markdown header for the review comment. Replaces the default MergeWatch logo. |
| Tone | Behavior |
|---|---|
collaborative | Frames findings as suggestions from a teammate. Uses phrases like “Consider…”, “It might be worth…”, “One approach would be…”. Acknowledges the author’s intent before suggesting alternatives. |
direct | States findings clearly and concisely without hedging. Leads with what needs to change and why. Skips pleasantries but remains respectful. |
advisory | Presents findings as expert observations. Uses phrases like “In my experience…”, “A common pitfall here is…”, “Best practice suggests…”. Provides context for why the suggestion matters. |
Path filters
MergeWatch has two top-level path-filter fields. They operate at different layers — see Skip Rules for the full picture.| Field | Layer | Default | What it does |
|---|---|---|---|
excludePatterns | Diff filter | lock files, dist/**, build/**, node_modules/**, minified files | Files matching these globs are stripped out of the diff sent to agents. The PR is still reviewed if any non-matching files remain. |
includePatterns | PR-skip override | [] | Forces a PR back into review even when every changed file would otherwise be classified as trivial (docs-only, lock-only). Files still flow through excludePatterns afterwards. |
.mergewatch.yml
Agent-authored PRs
TheagentReview object controls how MergeWatch handles pull requests authored by coding agents (Claude Code, Cursor, Codex, etc.). When detection matches, the review pipeline applies stricter prompts and tracks how many iterations the agent took to reach a passing state.
| Property | Type | Default | Description |
|---|---|---|---|
enabled | boolean | true | Master switch for agent-authored PR handling. Set to false to disable detection entirely. |
strictChecks | boolean | true | Inject the agent-mode prompt suffix when the PR is detected as agent-authored. The suffix warns reviewers about hallucinated APIs, no-op tests, and stale patterns. |
autoIterate | boolean | true | Track iteration count across re-reviews and surface a “reviewer whisper” when an agent has taken multiple rounds to converge. |
maxIterations | number | 3 | Iteration cap (1-20) used for the iteration-count metadata. |
passThreshold | string | noCritical | Threshold an agent-authored PR must clear to be considered passing. One of noCritical, noFindings, scoreAtLeast4, scoreAtLeast5. |
detection.commitTrailers | string[] | ["Co-authored-by: Claude"] | Substrings searched in commit message trailers. A match flips the source to agent. |
detection.branchPrefixes | string[] | ["claude/"] | Branch-name prefixes that mark a PR as agent-authored. |
detection.labels | string[] | ["ai-generated"] | GitHub labels that mark a PR as agent-authored. |
.mergewatch.yml
Pricing overrides
Thepricing field maps a model ID to its per-token price (USD per 1M tokens) and is used by the cost-estimation pipeline. Set it when you run a model that is not in MergeWatch’s built-in price table — for example, a self-hosted Llama on Ollama or a custom Bedrock provisioned-throughput endpoint.
.mergewatch.yml
Minimal configuration
If the defaults work for you, the smallest valid configuration is:.mergewatch.yml
Common patterns
Security-focused pipeline (e.g., payments service)
Security-focused pipeline (e.g., payments service)
.mergewatch.yml
Lightweight pipeline for high-volume repos
Lightweight pipeline for high-volume repos
.mergewatch.yml
Style-heavy pipeline for a frontend repo
Style-heavy pipeline for a frontend repo
.mergewatch.yml
Monorepo with service boundaries
Monorepo with service boundaries
.mergewatch.yml
Review only on mention
Review only on mention
.mergewatch.yml
@mergewatch review on the PR.Ignore generated code and vendored dependencies
Ignore generated code and vendored dependencies
.mergewatch.yml
Django/Python backend
Django/Python backend
.mergewatch.yml
Where the file lives
The.mergewatch.yml file must be placed at the root of the repository’s default branch (the branch GitHub shows when you visit the repo — usually main or master).
MergeWatch reads the file from the default branch, not from the PR’s head branch. This means configuration changes in a PR do not take effect until they are merged.