Findings Schema
The canonical review artifact is .artifacts/diffpal/findings.json, a JSON serialization of DiffPal's findings bundle. New review writes use version: "v3" unless a bundle version is already set by the caller.
Canonical Bundle
| Field | Required | Meaning |
|---|---|---|
version | yes | Bundle version. New writes use v3; readers accept v1, v2, and v3. |
review_id | yes | Stable review identifier. |
base_sha | yes | Base revision used for the review. |
head_sha | yes | Head revision used for the review. |
language | no | Language requested for generated text. |
prompt | no | Prompt metadata. |
inspection | no | Provider inspection metadata. |
change_summary | no | Human-readable summary bullets. |
review_result | no | Human-readable review outcome sentence. |
files | no | Reviewed files. |
findings | yes | Finding array. May be empty. |
Prompt metadata fields:
| Field | Meaning |
|---|---|
prompt_id | Prompt identifier, currently diffpal.review for review output. |
prompt_version | Prompt version used for the review. |
purpose | Prompt purpose. |
schema_version | Prompt output schema version, currently findings.v3. |
Inspection metadata fields:
| Field | Meaning |
|---|---|
provider_type | Runtime provider type when available. |
required | Whether inspection metadata was required by the runtime. |
tool_calls | Tool call names when available. |
diff_inspected | Whether the provider reported diff inspection. |
context_inspected | Whether the provider reported context inspection. |
Finding Fields
| Field | Required | Meaning |
|---|---|---|
id | written by DiffPal | Deterministic fingerprint. |
review_id | written by DiffPal when missing | Review identifier copied from the bundle. |
category | yes | Finding category. |
severity | yes | low, medium, high, or critical. |
confidence | yes | Number from 0 to 1. |
path | yes | File path for the finding. |
start_line | yes | Positive start line. |
end_line | yes | Positive end line, greater than or equal to start_line. |
changed_span | yes for v2/v3 | Changed-line span that anchors the finding. |
supporting_span | no | Additional context span. |
title | yes | Short finding title. |
message | yes | Finding explanation. |
evidence | yes | Structured evidence for v2/v3. |
impact | yes | Structured impact for v2/v3. |
suggestion | no | Suggested fix. |
blocking | written by DiffPal | Whether the finding meets the active threshold. |
provider | no | Provider ID that produced the finding. |
Line span representation:
{
"path": "internal/session.go",
"start_line": 12,
"end_line": 14
}Evidence representation:
{
"anchor": "changed lines call exec with request input",
"reasoning_basis": "the command arguments now include unsanitized user data",
"source": "changed_line"
}Impact representation:
{
"summary": "users can execute unintended shell commands",
"scope": "request handling path"
}Severity And Location
Allowed severities are low, medium, high, and critical. DiffPal normalizes severity to lowercase.
Location is represented twice for compatibility:
path,start_line, andend_lineare the primary line fields;changed_spancarries the same changed-line anchor in structured form.
For v2/v3, changed_span.path, changed_span.start_line, and changed_span.end_line are required and must be positive.
Compatibility
DiffPal readers accept:
v1bundles whereevidenceandimpactmay be legacy strings;v2bundles with structured evidence and impact;v3bundles with optionalreview_result.
New writes use v3. Consumers should ignore unknown fields and treat findings[] as the canonical machine-readable issue list.
Consumer Example
Fail a CI step when the canonical bundle contains blocking findings:
jq -e '[.findings[] | select(.blocking == true)] | length == 0' \
.artifacts/diffpal/findings.jsonCount high and critical findings regardless of whether the gate was enabled:
jq '[.findings[] | select(.severity == "high" or .severity == "critical")] | length' \
.artifacts/diffpal/findings.json