diff-fox-marketplace

DiffFox

AI-powered code review with 6 specialized agents. Runs as a GitHub Action on PRs or as a Claude Code plugin locally.

What It Does

DiffFox analyzes code changes from 6 engineering perspectives simultaneously:

Agent	Focus
Logic	Bugs at runtime — null handling, off-by-one, incorrect conditions, edge cases
Security	Injection, auth bypass, secrets, XSS, SSRF, data exposure
Architecture	Design violations, DRY, API contracts, coupling, tech debt
Performance	N+1 queries, O(n^2) algorithms, blocking I/O, resource leaks
Risk	Blast radius, backwards compatibility, migration safety, rollback
COGS	Unbounded queries, LLM calls in loops, missing rate limits, cost spikes

Each agent has its own exclusion rules and precedent rules to minimize false positives. Findings are verified by a second-opinion LLM pass, deduplicated across agents, and validated against diff lines before posting.

Quick Start

GitHub Action

# .github/workflows/diff-fox.yml
name: DiffFox Review
on:
  pull_request:
    types: [opened, synchronize, ready_for_review]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: read
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - uses: mthooyavan/diff-fox@main
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}

Dependabot PRs: If you use Dependabot, add ANTHROPIC_API_KEY under Settings > Secrets > Dependabot separately — Dependabot can't access regular repo secrets. Alternatively, skip DiffFox for Dependabot by adding if: github.actor != 'dependabot[bot]' to the job.

Claude Code Plugin

Install from GitHub (inside any Claude Code session):

/plugin marketplace add mthooyavan/diff-fox
/plugin install diff-fox@diff-fox-marketplace

Or install from local clone:

git clone https://github.com/mthooyavan/diff-fox.git ~/diff-fox

Then in Claude Code:

/plugin marketplace add ~/diff-fox
/plugin install diff-fox@diff-fox-marketplace

Usage (start a new Claude Code session after install):

/diff-fox              # Review all changes on current branch vs main/master
/diff-fox-pr 123       # Review a specific GitHub PR

No Python dependencies — uses Claude Code's built-in Read, Grep, Glob, and Bash tools.

Note: If you also have the code-review plugin installed, use /diff-fox (not /review) to avoid name collision.

Configuration

Create .diff-fox/config.yml in your repo root:

# Enable/disable agents
agents:
  logic: true
  security: true
  architecture: true
  performance: true
  risk: true
  cogs: true

  # Per-agent file filtering
  security:
    enabled: true
    include: ["src/api/**"]
    skip: ["src/api/tests/**"]

# Custom guidelines injected into agent prompts
guidelines:
  security:
    - "All API endpoints must validate JWT tokens"
  architecture:
    - "Database access only through repository pattern"

# Global file filtering
skip:
  - "src/generated/**"
  - "**/*.min.js"
  - "vendor/**"

# Suppress findings matching these title patterns
suppress_filters:
  - "commented-out code"

# Optional: Jira integration
jira:
  enabled: true

The config supports hierarchical merging — repo-level config is merged with project-level config found by walking up from the primary changed directory.

Action Inputs

Input	Required	Default	Description
anthropic-api-key	Yes	—	Anthropic API key
model	No	claude-sonnet-4-6-20250514	Claude model to use
config-path	No	.diff-fox/config.yml	Config file path
jira-mcp-url	No	—	Jira MCP server URL
jira-enabled	No	false	Enable Jira context
post-comments	No	true	Post comments to PR

How It Works

PR opened
  → Fetch diff + existing comments
  → Load .diff-fox/config.yml
  → Context enrichment (symbol extraction, call graphs, impact analysis)
  → 6 agents review in parallel
  → Verification (second-opinion LLM pass)
  → Hard security exclusion filter (regex)
  → Semantic dedup (LLM merges cross-agent duplicates)
  → Validate against diff lines
  → Filter already-posted comments
  → Jira alignment check (optional)
  → Post inline comments + summary

Deterministic vs AI-Powered

Deterministic (no LLM):

• Diff parsing, symbol extraction (Python AST + regex for other languages)
• Call site search, callee extraction, impact analysis
• Security hard exclusion filter (compiled regex patterns)
• Diff line validation, heuristic dedup, severity ranking, formatting

AI-Powered (Claude):

• 6 parallel agent reviews with specialized prompts
• Finding verification (second opinion)
• Semantic dedup (cross-agent/cross-file merge)
• Jira alignment check

Architecture