Skip to content

Findings Schema

The canonical review artifact is .artifacts/diffpal/findings.json, a JSON serialization of DiffPal's findings bundle. New review writes use version: "v3" unless a bundle version is already set by the caller.

Canonical Bundle

FieldRequiredMeaning
versionyesBundle version. New writes use v3; readers accept v1, v2, and v3.
review_idyesStable review identifier.
base_shayesBase revision used for the review.
head_shayesHead revision used for the review.
languagenoLanguage requested for generated text.
promptnoPrompt metadata.
inspectionnoProvider inspection metadata.
change_summarynoHuman-readable summary bullets.
review_resultnoHuman-readable review outcome sentence.
filesnoReviewed files.
findingsyesFinding array. May be empty.

Prompt metadata fields:

FieldMeaning
prompt_idPrompt identifier, currently diffpal.review for review output.
prompt_versionPrompt version used for the review.
purposePrompt purpose.
schema_versionPrompt output schema version, currently findings.v3.

Inspection metadata fields:

FieldMeaning
provider_typeRuntime provider type when available.
requiredWhether inspection metadata was required by the runtime.
tool_callsTool call names when available.
diff_inspectedWhether the provider reported diff inspection.
context_inspectedWhether the provider reported context inspection.

Finding Fields

FieldRequiredMeaning
idwritten by DiffPalDeterministic fingerprint.
review_idwritten by DiffPal when missingReview identifier copied from the bundle.
categoryyesFinding category.
severityyeslow, medium, high, or critical.
confidenceyesNumber from 0 to 1.
pathyesFile path for the finding.
start_lineyesPositive start line.
end_lineyesPositive end line, greater than or equal to start_line.
changed_spanyes for v2/v3Changed-line span that anchors the finding.
supporting_spannoAdditional context span.
titleyesShort finding title.
messageyesFinding explanation.
evidenceyesStructured evidence for v2/v3.
impactyesStructured impact for v2/v3.
suggestionnoSuggested fix.
blockingwritten by DiffPalWhether the finding meets the active threshold.
providernoProvider ID that produced the finding.

Line span representation:

json
{
  "path": "internal/session.go",
  "start_line": 12,
  "end_line": 14
}

Evidence representation:

json
{
  "anchor": "changed lines call exec with request input",
  "reasoning_basis": "the command arguments now include unsanitized user data",
  "source": "changed_line"
}

Impact representation:

json
{
  "summary": "users can execute unintended shell commands",
  "scope": "request handling path"
}

Severity And Location

Allowed severities are low, medium, high, and critical. DiffPal normalizes severity to lowercase.

Location is represented twice for compatibility:

  • path, start_line, and end_line are the primary line fields;
  • changed_span carries the same changed-line anchor in structured form.

For v2/v3, changed_span.path, changed_span.start_line, and changed_span.end_line are required and must be positive.

Compatibility

DiffPal readers accept:

  • v1 bundles where evidence and impact may be legacy strings;
  • v2 bundles with structured evidence and impact;
  • v3 bundles with optional review_result.

New writes use v3. Consumers should ignore unknown fields and treat findings[] as the canonical machine-readable issue list.

Consumer Example

Fail a CI step when the canonical bundle contains blocking findings:

bash
jq -e '[.findings[] | select(.blocking == true)] | length == 0' \
  .artifacts/diffpal/findings.json

Count high and critical findings regardless of whether the gate was enabled:

bash
jq '[.findings[] | select(.severity == "high" or .severity == "critical")] | length' \
  .artifacts/diffpal/findings.json

Released as open source software.