Statusnone420 edited this page Jun 12, 2026 · 2 revisions

FAQ

How much triage work should I expect?

A few flags on a typical agent change; more on a security-sensitive refactor. Flags are review prompts, not verdicts, and the loop is fast: read the flag, check the node's before/after, then dismiss or fix. Dismissals are remembered per repo, so re-runs only surface new or changed drift.

To measure noise on your codebase instead of guessing, run the FP-replay script over a few recent commit ranges.

A flag is wrong. What do I do?

Dismiss it. That's a designed outcome, not a failure: rules like "Removed sanitization" deliberately over-trigger on renames and refactors because missing a real removal is worse. The dismissal is pinned to the flagged node's content — if that code changes meaningfully later, the flag comes back on its own. Dismissed flags stay visible (struck through) so a reviewer can audit what was waved through.

If a rule is consistently noisy in a way the Rule Reference caveats don't acknowledge, open a discussion with the pattern.

Why was my file skipped or not shown as AST drift?

Three reasons a changed file isn't rendered as nodes:

  • Not a supported language. Diff Drift parses .ts, .tsx, .js, .jsx, .mjs, .cjs, .rs, .go, .py, .pyi, .java, .cs, .kt, .kts, and .swift files (plus package.json dependency drift). Other changed files count toward git drift and appear by path as "Other changed files", but they are not rendered as AST or dependency nodes.
  • Type definitions. .d.ts files are intentionally excluded.
  • Too large. Files over 2 MB are skipped before parsing and appear in the file list with the summary "Skipped — file too large to analyze". This is a denial-of-service guard for giant generated bundles; review those by other means.

Can I gate CI or an agent hook on Diff Drift?

Yes — that's what the read-only CLI is for. diff-drift check exits with the highest active severity (0 none, 1 low, 2 medium, 3 high; 64 usage error), honors your dismissals, and never writes state. See CI and Hook Recipes for copy-paste examples.
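A minimal CI gate on those exit codes, as an added example rather than one of the project's own recipes; it assumes `diff-drift` is on PATH and the `DIFF_DRIFT_FAIL_AT` variable name is invented for this example:

```shell
#!/bin/sh
# Added example (not from the Diff Drift project): a CI gate built on the
# `diff-drift check` exit codes listed above. Assumes `diff-drift` is on PATH.
# No flags beyond the `check` subcommand are assumed.

# Map an exit code to the severity label it stands for.
severity_name() {
  case "$1" in
    0)  echo none ;;
    1)  echo low ;;
    2)  echo medium ;;
    3)  echo high ;;
    64) echo usage-error ;;
    *)  echo unknown ;;
  esac
}

# Decide pass (0) or fail (1) from an exit code and a fail-at threshold (1-3).
# Fails closed: a usage error (64) or an unrecognised code never passes, so a
# broken invocation cannot look like a clean run.
gate_decision() {
  code="$1"
  threshold="${2:-2}"
  case "$code" in
    0|1|2|3)
      if [ "$code" -lt "$threshold" ]; then return 0; else return 1; fi ;;
    *) return 1 ;;
  esac
}

# Run the check and apply the policy. DIFF_DRIFT_FAIL_AT (assumed name, chosen
# for this example) sets the threshold; the default fails at medium.
run_gate() {
  threshold="${DIFF_DRIFT_FAIL_AT:-2}"
  code=0
  diff-drift check || code=$?
  label=$(severity_name "$code")
  if gate_decision "$code" "$threshold"; then
    echo "diff-drift: highest active severity=$label (exit $code): passing"
    return 0
  fi
  echo "diff-drift: highest active severity=$label (exit $code): failing at threshold $threshold" >&2
  return 1
}

# In a CI step, call run_gate as the last command so its status fails the job.
```

Because the gate fails on any code outside 0-3, a missing binary or a bad invocation (exit 64) blocks the job rather than passing silently.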

Does anything leave my machine?

No. No telemetry, no model calls, no upload, no update pings — and no HTTP client compiled into the app. Privacy and Data Flow shows how to verify that yourself instead of taking the claim on trust.

Is a clean run proof the change is safe?

No. Diff Drift is a deterministic second pass that makes structural drift reviewable and flags known-risky patterns. It is not a full static analyzer, and the Threat Model explicitly does not claim detection of a deliberately evasive attacker. Use it to focus human review, alongside — not instead of — your normal PR review and any SAST you already run.

Why is the blind-agent score not a guarantee?

The scorecard is advisory and measured on a small synthetic suite — see Eval Methodology for the rubric, the case list, and the limitations (including which validations are still pending). The CI gate is the deterministic engine benchmark, not the blind-agent score.

Where is my triage state stored?

%APPDATA%\io.github.statusnone420.diffdrift\repo-state.json, keyed by repo path. Delete it to reset all triage for all repos. It contains flag IDs, hashes, and your baseline choice — not source code.
