A git-native, framework-agnostic AI PR reviewer built on the GitAgent standard.
CodeGuard is a git repository that reviews other git repositories.
Clone it, fork it, edit its SOUL.md, diff its skills/ — it is a fully
version-controlled AI reviewer that you can treat like any other piece of
source code.
Most AI code reviewers are black boxes:
- You can't see why they flagged something
- You can't edit their rules without paying for a plan
- You can't version-control their behavior
- You can't fork them per team
CodeGuard flips that. The reviewer's brain is the repo. Every rule, every skill, every personality trait is a human-readable file you can read, diff, fork, and change.
SOUL.md ← how the reviewer talks
RULES.md ← what it will never do
skills/ ← what it checks for
tools/ ← how it touches GitHub
runtime/ ← the tiny orchestrator that glues it together
Want a stricter reviewer on your banking codebase? Fork, tighten RULES.md,
commit. Done.
On every pull request, CodeGuard:
- Reads the changed files (TypeScript, JavaScript, Python)
- Runs four skills against the diff:
- security-audit — secrets, injection, XSS, auth bugs
- test-coverage — new code without tests, weak assertions
- code-quality — complexity, dead code, poor error handling
- breaking-changes — removed exports, API signature changes
- Posts inline comments on specific lines
- Posts a summary comment with pass/warn/fail verdict
- Opens a GitHub issue for every critical finding
- Fails the CI job if any critical issues are found (it never auto-merges)
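To make the flow above concrete, here is an added example in TypeScript, written for this page and not taken from CodeGuard's runtime/ directory. It parses a unified diff to learn which new-side lines GitHub will accept inline comments on, runs a deliberately small regex stand-in for the security-audit skill over added lines only, computes the pass/warn/fail verdict and the CI exit status, and leaves merging to a human. The names (DiffLine, Finding, parseDiffLines, auditSecrets, computeVerdict, toInlineComments, review) and the sample diff are constructed for the example; in CodeGuard the skill is a prompt file, the diff comes from GitHub via Octokit, and the comments are posted through the same wrapper.

```typescript
// Added example for this page, not CodeGuard's own runtime/ code. Every name below
// and SAMPLE_DIFF are constructed for illustration; the real skill is a model prompt.

export type Severity = "critical" | "warning" | "info";
export type Verdict = "pass" | "warn" | "fail";

export interface DiffLine { text: string; added: boolean }   // keyed by new-side line number
export interface Finding {
  path: string;
  line: number;        // new-side line number the skill points at
  severity: Severity;
  skill: string;
  message: string;
}

// Constructed sample diff: one hunk that replaces an env lookup with hardcoded credentials.
export const SAMPLE_DIFF = `diff --git a/src/db.ts b/src/db.ts
--- a/src/db.ts
+++ b/src/db.ts
@@ -10,4 +10,6 @@ import { Pool } from "pg";
 export function connect() {
-  const password = process.env.DB_PASSWORD;
+  const password = "hunter2";
+  const apiKey = "AKIAIOSFODNN7EXAMPLE";
+  console.log(password);
   return new Pool({ password });
 }
`;

// Walk a unified diff and record, per file, every new-side line that appears in a hunk.
// GitHub only accepts inline review comments on lines that are part of the diff, so this
// map is both the skill input and the filter for what may be posted inline.
export function parseDiffLines(diff: string): Map<string, Map<number, DiffLine>> {
  const files = new Map<string, Map<number, DiffLine>>();
  let current: Map<number, DiffLine> | undefined;
  let newLine = 0;
  for (const raw of diff.split("\n")) {
    if (raw.startsWith("+++ ")) {                        // new-side file header
      current = new Map();
      files.set(raw.slice(4).replace(/^b\//, ""), current);
      continue;
    }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }   // reset to the hunk's new start
    if (!current) continue;                               // still in the file preamble
    if (raw.startsWith("+")) {                            // added line: commentable, audited
      current.set(newLine++, { text: raw.slice(1), added: true });
    } else if (raw.startsWith(" ")) {                     // context line: commentable only
      current.set(newLine++, { text: raw.slice(1), added: false });
    }
    // "-" lines have no new-side number; "\ No newline" markers are ignored.
  }
  return files;
}

// Deliberately small stand-in for the security-audit skill: credential literals only.
const SECRET_PATTERNS: Array<[RegExp, string]> = [
  [/\b(?:password|passwd|secret|token)\b\s*[:=]\s*["'][^"']+["']/i, "hardcoded credential"],
  [/\bAKIA[0-9A-Z]{16}\b/, "AWS access key ID"],
];

export function auditSecrets(files: Map<string, Map<number, DiffLine>>): Finding[] {
  const findings: Finding[] = [];
  files.forEach((lines, path) => {
    lines.forEach(({ text, added }, line) => {
      if (!added) return;                                 // never flag lines the PR did not touch
      for (const [pattern, what] of SECRET_PATTERNS) {
        if (pattern.test(text)) {
          findings.push({ path, line, severity: "critical", skill: "security-audit",
                          message: `${what} in source; move it to a secret store` });
        }
      }
    });
  });
  return findings;
}

// Summary verdict: any critical finding fails the run, warnings warn, otherwise pass.
export function computeVerdict(findings: Finding[]): Verdict {
  if (findings.some((f) => f.severity === "critical")) return "fail";
  if (findings.some((f) => f.severity === "warning")) return "warn";
  return "pass";
}

// Inline comments in the shape the pull-request review API expects. Findings that point
// outside the diff are dropped here instead of being rejected by GitHub later.
export function toInlineComments(findings: Finding[], files: Map<string, Map<number, DiffLine>>) {
  return findings
    .filter((f) => files.get(f.path)?.has(f.line))
    .map((f) => ({ path: f.path, line: f.line, side: "RIGHT" as const,
                   body: `**${f.skill}** (${f.severity}): ${f.message}` }));
}

// One review pass. The exit code is what fails the CI job; nothing here merges anything.
export function review(diff: string) {
  const files = parseDiffLines(diff);
  const findings = auditSecrets(files);
  const verdict = computeVerdict(findings);
  return { verdict, findings, comments: toInlineComments(findings, files),
           exitCode: verdict === "fail" ? 1 : 0 };
}

console.log(JSON.stringify(review(SAMPLE_DIFF), null, 2));
```

Two design points carry over to a model-backed reviewer: only lines the PR actually added are audited, so the removed process.env lookup in the sample is never flagged, and every inline comment is checked against the parsed diff before posting, because the review-comment API rejects comments on lines that are not part of the diff.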
In your repo: Settings → Secrets and variables → Actions → New repository secret
- Name: ANTHROPIC_API_KEY
- Value: your key from console.anthropic.com
Copy examples/consumer-workflow.yml into your repo at .github/workflows/codeguard.yml.
Keep the workflow on the pull_request trigger: GitHub withholds repository secrets from runs triggered by pull requests from forks, whereas a pull_request_target workflow that checks out and runs the PR head would hand your API key to untrusted code.
That's it. Open a PR and CodeGuard will review it.
git clone https://github.com/mayanksaini18/codeguard
cd codeguard
npm install
cp .env.example .env # fill in your keys
npx tsx runtime/index.ts --owner your-org --repo your-repo --pr 42
codeguard/
├── agent.yaml ← GitAgent manifest
├── SOUL.md ← reviewer personality
├── RULES.md ← hard constraints
├── skills/
│ ├── security-audit.md
│ ├── test-coverage.md
│ ├── code-quality.md
│ └── breaking-changes.md
├── tools/
│ └── github-pr.md ← GitHub API tool definition
├── runtime/
│ ├── index.ts ← orchestrator entrypoint
│ ├── loadAgent.ts ← reads agent.yaml + skill files
│ ├── github.ts ← Octokit wrapper
│ ├── claude.ts ← Anthropic SDK wrapper
│ └── types.ts
├── .github/workflows/review.yml ← workflow used by this repo itself
├── examples/consumer-workflow.yml ← copy-paste into your repo
└── README.md
Because CodeGuard is just a git repo, customizing it is a git commit:
- Softer reviewer? Edit SOUL.md and change the personality to "gentle mentor"
- Stricter rules? Edit RULES.md and tighten the approval criteria
- New skill? Drop a new file in skills/ and reference it from agent.yaml
- Different languages? Edit RULES.md rule 8 to add Go, Ruby, Rust, etc.
- Different model? Change model.name in agent.yaml
Every change is a diff. Every rollback is a git revert. That's the
promise of GitAgent.
CodeGuard is a reference implementation of the GitAgent v0.1.0 spec:
| GitAgent requirement | CodeGuard file |
|---|---|
| agent.yaml manifest | ✅ agent.yaml |
| SOUL.md identity | ✅ SOUL.md |
| RULES.md hard constraints | ✅ RULES.md |
| skills/ modular capabilities | ✅ skills/ |
| tools/ MCP-style tool defs | ✅ tools/ |
| Compliance block (risk tier, HITL, audit) | ✅ in agent.yaml |
| Human-in-the-loop guarantee | ✅ never auto-merges |
| Audit logging | ✅ structured JSON audit lines |
- Node.js ≥ 20
- An Anthropic API key
- A GitHub repo where you want reviews
MIT — fork it, break it, improve it.
CodeGuard was built for the GitAgent Hackathon by Lyzr AI — to show that the repo-as-agent pattern unlocks real products, not just demos.