Skip to main content
The .mergewatch.yml file controls how MergeWatch reviews pull requests in a repository. Place it at the root of your repository’s default branch (usually main).

Configuration priority

MergeWatch resolves configuration in the following order. Each layer overrides the one before it:
1

Built-in defaults

Hardcoded in the MergeWatch Lambda. These apply when no other configuration is present.
2

Installation-level settings (DynamoDB)

Set via the dashboard. Apply to all repositories in the installation.
3

Per-repo .mergewatch.yml

Checked into the repository. Overrides both built-in defaults and installation-level settings.
A .mergewatch.yml in the repository always wins. If you set maxFiles: 100 in the dashboard but maxFiles: 20 in the YAML file, the repo uses 20.

Validation

MergeWatch validates the .mergewatch.yml file on the first webhook it receives for the repository. If the file contains errors — invalid YAML, unknown properties, or type mismatches — MergeWatch posts the validation errors as a comment on the pull request so they are immediately visible to the author.

Full annotated example

.mergewatch.yml
version: 1

# Model used for all agents. Must be a valid Bedrock model ID.
model: anthropic.claude-sonnet-4-20250514

# Codebase awareness — enable agentic file fetching for cross-file context.
codebaseAwareness: true
maxFileRequestRounds: 1
maxContextKB: 256

# Agent configuration — toggle each built-in agent on or off.
agents:
  security: true
  bugs: true
  style: true
  errorHandling: true
  testCoverage: false
  commentAccuracy: true
  summary: true
  diagram: true

# Custom agents run alongside the built-in ones.
customAgents:
  - name: api-consistency
    prompt: "Check that all new API endpoints follow our REST conventions: plural resource names, consistent error response format, and proper HTTP status codes."
    severityDefault: warning
    enabled: true

# Review rules — control scope and trigger behavior.
rules:
  maxFiles: 50
  autoReview: true
  reviewOnMention: true
  skipDrafts: true
  ignoreLabels:
    - "skip-review"

# File patterns to exclude from the diff sent to agents.
excludePatterns:
  - "**/*.lock"
  - "**/package-lock.json"
  - "**/dist/**"
  - "**/node_modules/**"

# Force-include paths that would otherwise be PR-level skipped (e.g. docs-only PRs
# under a critical directory). Operates at the PR-skip layer, not the diff filter.
includePatterns:
  - "SECURITY.md"
  - "docs/policy/**"

# Agent-authored PR detection — flips reviews into strict mode and tracks iterations
# when commits look agent-generated.
agentReview:
  enabled: true
  strictChecks: true
  autoIterate: true
  maxIterations: 3
  passThreshold: noCritical          # noCritical | noFindings | scoreAtLeast4 | scoreAtLeast5
  detection:
    commitTrailers:
      - "Co-authored-by: Claude"
    branchPrefixes:
      - "claude/"
    labels:
      - "ai-generated"

# Minimum severity to report: info | warning | critical
minSeverity: info

# Maximum findings posted per review.
maxFindings: 25

# UX configuration for review comment formatting.
ux:
  tone: collaborative       # collaborative | direct | advisory
  showWorkDone: true         # show the stats bar (files scanned, lines reviewed, agents ran)
  showSuppressedCount: true  # show how many findings were suppressed
  reviewerChecklist: true    # show a checklist derived from top findings
  allClearMessage: true      # show a special message when no findings
  commentHeader: ""          # custom Markdown header for the review comment

Property reference

Top-level properties

PropertyTypeDefaultDescription
versionnumber1Schema version. Currently only 1 is supported.
modelstringus.anthropic.claude-sonnet-4-20250514-v1:0Bedrock model ID used for all agents. Any model available in your Bedrock account can be specified.
lightModelstringus.anthropic.claude-haiku-4-5-20251001-v1:0Lighter model used for low-complexity tasks such as summary generation.
maxTokensPerAgentnumber4096Maximum output tokens per agent invocation. Increase for large PRs; decrease to reduce cost.
minSeveritystringinfoMinimum severity level to report. One of info, warning, critical. Findings below this threshold are suppressed.
maxFindingsnumber25Maximum number of findings posted per review. Prevents noisy reviews on large PRs.
postSummaryOnCleanbooleantrueWhen true, MergeWatch posts a summary comment even when no findings are detected. Set to false to stay silent on clean PRs.
codebaseAwarenessbooleantrueEnable agentic file fetching for cross-file context. When true, agents can request additional files from the repository.
maxFileRequestRoundsnumber1Maximum rounds of file fetching per agent (1—2). Each round lets the agent request more files based on what it learned.
maxContextKBnumber256Maximum total context size in KB for fetched files per agent. Prevents runaway context expansion.
customStyleRulesstring[][]Additional style rules applied to the style agent. Each entry is a rule string.
conventionsstringauto-discoveredPath to a Markdown file documenting repo-specific conventions. Injected into every agent’s prompt (16 KB cap). When unset, MergeWatch tries AGENTS.md, CONVENTIONS.md, and .mergewatch/conventions.md in that order. See Repository Conventions.
excludePatternsstring[]See defaultsCanonical file-pattern field. Filters individual files out of the diff sent to agents. Uses glob syntax.
includePatternsstring[][]Force PRs back into review when every changed file would otherwise match the built-in trivial patterns (lock files, docs, build artifacts). Operates at the PR-skip layer — useful for opting a critical-docs subdirectory or a top-level SECURITY.md back into review.
agentsobjectSee AgentsBoolean map of built-in agent names to enabled/disabled state.
customAgentsCustomAgent[][]List of custom agent definitions. See Custom agents.
rulesobjectSee RulesReview scope and trigger rules.
uxobjectSee UXUX configuration for review comment formatting.
agentReviewobjectSee Agent-authored PRsDetection rules and strict-mode behavior for agent-authored pull requests.
pricingobjectprovider defaultsPer-model price overrides for cost estimation. Map of model ID → { inputPer1M, outputPer1M } in USD. Use this when a custom or self-hosted model is missing from MergeWatch’s built-in price table.

Agents

The agents object is a boolean map that toggles each of the eight built-in review agents on or off. Set an agent to false to disable it entirely.
agents:
  security: true
  bugs: true
  style: false        # disable style agent
  diagram: false      # disable diagram agent
You do not need to list all agents. Omitted agents default to true (enabled). To disable a single agent, include only that agent with false.
To define entirely new agents with custom prompts, use the customAgents array. See Custom agents below.
Built-in agents:
AgentDefaultPurpose
securityEnabledOWASP Top 10, secrets detection, injection flaws, unsafe deserialization
bugsEnabledLogic errors, off-by-one, null dereferences, race conditions
styleEnabledCode style, naming conventions, project-specific patterns
errorHandlingEnabledEmpty catch blocks, swallowed errors, unhandled promise rejections
testCoverageEnabledMissing tests for new public functions, untested edge cases
commentAccuracyEnabledMisleading or outdated code comments, incorrect JSDoc
summaryEnabledHigh-level PR summary with the merge readiness score (uses the light model)
diagramEnabledMermaid diagram of the changed control flow (uses the light model)

Custom agents

You can define custom agents using the customAgents array. Custom agents run in parallel alongside the built-in agents and follow the same output schema.
PropertyTypeDefaultDescription
namestringA unique identifier for the custom agent.
promptstring(Required) The system prompt for the agent. This defines what the agent looks for in the code.
severityDefaultstring"warning"Default severity for findings from this agent. One of: "info", "warning", "critical".
enabledbooleantrueSet to false to disable the custom agent.
customAgents:
  - name: api-consistency
    prompt: "Check that all new API endpoints follow REST conventions: plural resource names, consistent error response format, and proper HTTP status codes."
    severityDefault: warning
    enabled: true

  - name: i18n-compliance
    prompt: "Flag any user-facing strings that are not wrapped in a translation function (t() or i18n()). All UI text must be translatable."
    severityDefault: info
    enabled: true

Rules

The rules object controls which files are reviewed and when reviews are triggered.
PropertyTypeDefaultDescription
maxFilesnumber50Maximum number of changed files to review. PRs exceeding this limit are skipped with a comment explaining why.
autoReviewbooleantrueWhen true, MergeWatch reviews every PR automatically on open and synchronize events. When false, MergeWatch posts a neutral check run on each PR titled “Auto-review is disabled for this repository” instructing the author to comment @mergewatch review to trigger one — see Auto-review off.
reviewOnMentionbooleantrueWhen true, MergeWatch runs a review when mentioned in a PR comment (e.g., @mergewatch review). Works even if autoReview is false.
skipDraftsbooleantrueSkip draft pull requests. Set to false to review drafts automatically.
ignoreLabelsstring[]["skip-review"]Skip PRs with any of these GitHub labels. PRs matching these labels are not reviewed.
rules.ignorePatterns is deprecated. Use top-level excludePatterns instead — it is the canonical field for filtering files out of the diff. Existing .mergewatch.yml files keep working: any entries under rules.ignorePatterns are folded into excludePatterns at parse time and a one-time deprecation warning is emitted.

UX

The ux object controls how the review comment is formatted and what sections are shown.
PropertyTypeDefaultDescription
tonestringcollaborativeTone of review findings. One of: collaborative, direct, advisory.
showWorkDonebooleantrueShow the “work done” stats bar (files scanned, lines reviewed, agents ran).
showSuppressedCountbooleantrueShow how many findings were suppressed by the orchestrator’s dedup and quality filters.
reviewerChecklistbooleantrueShow a reviewer checklist derived from the top findings.
allClearMessagebooleantrueShow a special “all clear” message when there are no findings.
commentHeaderstring""Custom Markdown header for the review comment. Replaces the default MergeWatch logo.
Tone directives:
ToneBehavior
collaborativeFrames findings as suggestions from a teammate. Uses phrases like “Consider…”, “It might be worth…”, “One approach would be…”. Acknowledges the author’s intent before suggesting alternatives.
directStates findings clearly and concisely without hedging. Leads with what needs to change and why. Skips pleasantries but remains respectful.
advisoryPresents findings as expert observations. Uses phrases like “In my experience…”, “A common pitfall here is…”, “Best practice suggests…”. Provides context for why the suggestion matters.

Path filters

MergeWatch has two top-level path-filter fields. They operate at different layers — see Skip Rules for the full picture.
FieldLayerDefaultWhat it does
excludePatternsDiff filterlock files, dist/**, build/**, node_modules/**, minified filesFiles matching these globs are stripped out of the diff sent to agents. The PR is still reviewed if any non-matching files remain.
includePatternsPR-skip override[]Forces a PR back into review even when every changed file would otherwise be classified as trivial (docs-only, lock-only). Files still flow through excludePatterns afterwards.
.mergewatch.yml
excludePatterns:
  - "**/*.generated.ts"
  - "**/fixtures/**"

includePatterns:
  - "SECURITY.md"
  - "docs/policy/**"

Agent-authored PRs

The agentReview object controls how MergeWatch handles pull requests authored by coding agents (Claude Code, Cursor, Codex, etc.). When detection matches, the review pipeline applies stricter prompts and tracks how many iterations the agent took to reach a passing state.
PropertyTypeDefaultDescription
enabledbooleantrueMaster switch for agent-authored PR handling. Set to false to disable detection entirely.
strictChecksbooleantrueInject the agent-mode prompt suffix when the PR is detected as agent-authored. The suffix warns reviewers about hallucinated APIs, no-op tests, and stale patterns.
autoIteratebooleantrueTrack iteration count across re-reviews and surface a “reviewer whisper” when an agent has taken multiple rounds to converge.
maxIterationsnumber3Iteration cap (1-20) used for the iteration-count metadata.
passThresholdstringnoCriticalThreshold an agent-authored PR must clear to be considered passing. One of noCritical, noFindings, scoreAtLeast4, scoreAtLeast5.
detection.commitTrailersstring[]["Co-authored-by: Claude"]Substrings searched in commit message trailers. A match flips the source to agent.
detection.branchPrefixesstring[]["claude/"]Branch-name prefixes that mark a PR as agent-authored.
detection.labelsstring[]["ai-generated"]GitHub labels that mark a PR as agent-authored.
.mergewatch.yml
agentReview:
  enabled: true
  strictChecks: true
  passThreshold: scoreAtLeast4
  detection:
    commitTrailers:
      - "Co-authored-by: Claude"
      - "Co-authored-by: Cursor"
    branchPrefixes:
      - "claude/"
      - "cursor/"
    labels:
      - "ai-generated"

Pricing overrides

The pricing field maps a model ID to its per-token price (USD per 1M tokens) and is used by the cost-estimation pipeline. Set it when you run a model that is not in MergeWatch’s built-in price table — for example, a self-hosted Llama on Ollama or a custom Bedrock provisioned-throughput endpoint.
.mergewatch.yml
pricing:
  "custom-llama-3-70b":
    inputPer1M: 0.50
    outputPer1M: 0.75

Minimal configuration

If the defaults work for you, the smallest valid configuration is:
.mergewatch.yml
version: 1
This enables all eight built-in agents with their default prompts, uses Claude Sonnet via Bedrock, and reviews PRs automatically.

Common patterns

.mergewatch.yml
version: 1
model: us.anthropic.claude-sonnet-4-20250514-v1:0
agents:
  style: false
  diagram: false
customAgents:
  - name: security-pci
    prompt: "This is a PCI-DSS scoped payments service. Focus on: SQL injection via raw queries, XSS in template rendering, hardcoded credentials, insecure cryptographic operations, and unvalidated redirects. Flag any use of eval() or exec()."
    severityDefault: critical
    enabled: true
Disables style and diagram agents. A custom agent adds domain-specific security checks for payments services.
.mergewatch.yml
version: 1
model: us.anthropic.claude-haiku-4-5-20251001-v1:0
maxTokensPerAgent: 2048
maxFindings: 10
minSeverity: warning
agents:
  bugs: false
  style: false
  diagram: false
Uses the cheaper Haiku model, disables low-priority agents, and suppresses info-level findings. Good for repos with frequent small PRs where speed and cost matter more than comprehensive review.
.mergewatch.yml
version: 1
customAgents:
  - name: react-style
    prompt: "This is a React + TypeScript project. Flag any use of `any` type. Require explicit return types on exported functions. Flag inline styles — use Tailwind classes. Flag console.log() calls. Prefer named exports over default exports."
    severityDefault: warning
    enabled: true
  - name: frontend-security
    prompt: "Focus on XSS via dangerouslySetInnerHTML, unsanitized user input in URLs, and exposed API keys in client-side code."
    severityDefault: critical
    enabled: true
Custom agents add React/TypeScript conventions and frontend-specific security checks alongside the built-in agents.
.mergewatch.yml
version: 1
customAgents:
  - name: service-boundaries
    prompt: "This repo contains three services: payments/, orders/, notifications/. Flag any direct imports across service boundaries — each service must be independent. Flag shared mutable state."
    severityDefault: warning
    enabled: true
  - name: monorepo-style
    prompt: "Each service has its own tsconfig.json. Flag path aliases that reference other services."
    severityDefault: info
    enabled: true
Custom agents enforce architectural boundaries. All built-in agents remain enabled.
.mergewatch.yml
version: 1
rules:
  autoReview: false
  reviewOnMention: true
MergeWatch stays silent until someone comments @mergewatch review on the PR.
.mergewatch.yml
version: 1
rules:
  ignorePatterns:
    - "*.lock"
    - "vendor/**"
    - "dist/**"
    - "generated/**"
    - "*.pb.go"
    - "*.gen.ts"
.mergewatch.yml
version: 1
customAgents:
  - name: django-security
    prompt: "This is a Django 5 project. Focus on SQL injection via raw querysets, CSRF token issues, unvalidated redirects, and mass assignment via ModelForm. Check for DEBUG=True in settings."
    severityDefault: critical
    enabled: true
  - name: django-style
    prompt: "Enforce PEP 8. Flag any print() calls — use logging instead. Flag bare except clauses. Require type hints on public function signatures."
    severityDefault: warning
    enabled: true
  - name: django-bugs
    prompt: "Watch for N+1 query patterns in Django ORM, missing database migrations for model changes, and unclosed file handles."
    severityDefault: warning
    enabled: true
Three custom agents with Django-specific prompts alongside the built-in agents.

Where the file lives

The .mergewatch.yml file must be placed at the root of the repository’s default branch (the branch GitHub shows when you visit the repo — usually main or master). MergeWatch reads the file from the default branch, not from the PR’s head branch. This means configuration changes in a PR do not take effect until they are merged.
If you rename your default branch, MergeWatch automatically detects the new default on the next webhook. No action is required.