review-bot/CHANGELOG.md
Rodin f7815b8778
chore(#137): update CHANGELOG with security fixes from review
2026-05-15 03:32:18 +00:00


CHANGELOG

Unreleased

Added

  • doc-map input (--doc-map flag / DOC_MAP_FILE env var): Path to a YAML file mapping source path globs to governing design docs. review-bot intersects the map with changed PR paths and injects matching docs into the system prompt under a ## Design Documents heading. (#137)
  • doc-map-max-bytes input (--doc-map-max-bytes flag / DOC_MAP_MAX_BYTES env var): Cap on total injected design doc content in bytes. Default: 102400 (100 KB). Prevents accidental context overflow when a PR touches many modules.
  • DesignDocs budget section: Design docs are included in the context budget and trimmed after conventions, before file context, if the total exceeds the model's context limit.

Doc-map config format

mappings:
  - paths:
      - "lib/gargoyle/engine/signal_risk/**"
    docs:
      - docs/domain/contexts/risk/risk-controls.md
  - paths:
      - "lib/gargoyle/trading/**"
    docs:
      - docs/domain/contexts/trading/

  • paths — glob patterns (including **) matched against changed file paths in the PR
  • docs — local file paths or directories (all .md files under a directory) to inject
  • Multiple mappings can reference the same doc; docs are deduplicated
  • Missing doc files: warn and skip (review continues without them)
  • No matching paths: no docs injected, review runs normally
  • Absolute paths and path traversal (.. segments) in doc paths are rejected

Security

  • Path traversal guard: doc paths from the YAML config are validated to reject absolute paths and .. segments before VCS API calls
  • Prompt injection guard: design doc content is injected with an explicit instruction to treat it as reference data and not follow any instructions it may contain
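The doc-map resolution rules above (glob matching with `**`, directory expansion to `.md` files, deduplication, warn-and-skip on missing files, the byte cap) together with the path traversal guard, as an added Python example; this is not review-bot's own code. It assumes an already parsed YAML mapping and a constructed in-memory repository dict in place of the VCS API, and it assumes the byte cap is enforced by skipping docs that would exceed it, since the changelog does not say how the cap is applied.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed stand-in for the parsed doc-map YAML (same shape as the page's example).
DOC_MAP = {"mappings": [
    {"paths": ["lib/gargoyle/engine/signal_risk/**"],
     "docs": ["docs/domain/contexts/risk/risk-controls.md", "../../etc/passwd"]},
    {"paths": ["lib/gargoyle/trading/**"],
     "docs": ["docs/domain/contexts/trading/", "docs/missing.md"]}]}

# Constructed in-memory repository standing in for the VCS API: path -> content.
REPO = {"docs/domain/contexts/risk/risk-controls.md": "# Risk controls\n" * 10,
        "docs/domain/contexts/trading/orders.md": "# Orders\n" * 10,
        "docs/domain/contexts/trading/fills.md": "# Fills\n" * 10}

def glob_to_regex(pattern):
    """Translate a path glob: '**' spans directories, a single '*' stops at '/'."""
    pieces = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in pieces)
    return re.compile("^" + body + "$")

def safe_doc_path(doc):
    """Traversal guard: reject absolute paths and any '..' segment before any VCS call."""
    return not posixpath.isabs(doc) and ".." not in PurePosixPath(doc).parts

def resolve_docs(doc_map, changed_paths, repo, max_bytes=102400):
    """Return ([(path, content)], warnings): deduplicated docs of every mapping whose globs
    hit a changed path; a doc that would push the total over max_bytes is skipped (assumed)."""
    selected, seen, used, warnings = [], set(), 0, []
    for mapping in doc_map.get("mappings", []):
        regexes = [glob_to_regex(p) for p in mapping.get("paths", [])]
        if not any(r.match(c) for r in regexes for c in changed_paths):
            continue  # no changed file matched this mapping; inject nothing from it
        for doc in mapping.get("docs", []):
            if not safe_doc_path(doc):
                warnings.append(f"rejected unsafe doc path {doc!r}"); continue
            prefix = doc.rstrip("/") + "/"  # a directory expands to the .md files under it
            members = sorted(p for p in repo if p.startswith(prefix) and p.endswith(".md")) or [doc]
            for path in (p for p in members if p not in seen):
                if path not in repo:
                    warnings.append(f"missing doc {path!r}, skipped"); continue
                body = repo[path].encode()
                if used + len(body) > max_bytes:
                    warnings.append(f"{path!r} skipped: over doc-map-max-bytes"); continue
                seen.add(path)
                used += len(body)
                selected.append((path, repo[path]))
    return selected, warnings
```

Calling `resolve_docs(DOC_MAP, ["lib/gargoyle/trading/orders.rb"], REPO)` injects the two trading docs and warns once about the missing file; the unsafe `../../etc/passwd` entry is only ever rejected, never requested from the repository.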

v0.3.2

  • Previous releases tracked in Gitea release notes.