Heimdall
Code Guardian. Heimdall reviews every pull request with skeptical eyes - trust nothing, verify everything. Security scanning, style enforcement, test adequacy analysis, and your team's own engineering standards, all enforced automatically.
What Heimdall Does
Heimdall is an automated PR reviewer that posts a structured review comment on every pull request. It runs 18 analysis layers in parallel - from OWASP security scanning to MCI call-graph analysis to your team's PRINCIPLE and DECISION atoms - and produces a single risk-rated comment with actionable concerns, a test checklist, and governance advisories.
Unlike a linter or SAST tool, Heimdall combines deterministic pattern matching with LLM reasoning. Regex catches the obvious patterns; the LLM eliminates false positives, verifies intent, and assesses whether the test checklist actually covers the changed code paths.
Zero Setup Required
Every capability below works from the first PR with no configuration files, no CI changes, and no tooling installation. Connect the GitHub App, open a PR, and Heimdall comments within seconds.
Optional configuration via .heimdall.yml unlocks additional features (design system enforcement, architecture boundaries, custom blocked patterns) but is never required.
Review Capabilities
Always On (zero config)
| Capability | What it catches |
|---|---|
| LLM Code Review | Risk assessment (LOW/MEDIUM/HIGH), concerns, test checklist, and highlights. Reads up to 160KB of diff and 25 full file contents. |
| Security Scan | 22 regex patterns across 12 categories: SQL injection, XSS, code injection, RLS bypass, weak crypto (MD5/SHA1), timing attacks (=== on HMAC), hardcoded secrets (AWS, GitHub, Stripe, Momental keys), SSRF, path traversal, prototype pollution, sensitive data in logs/responses, insecure cookies. LLM verification eliminates false positives. |
| Style Check | console.log in non-test code, `: any` type annotations, require() in ESM, hardcoded localhost URLs, Node.js built-in imports in frontend code, TODO/FIXME additions. Pure diff parsing, runs in <10ms. |
| MCI Call-Graph | Blast radius of every changed symbol, caller completeness (missed callers = real bugs), co-change detection, test file mapping. Requires npx @momentalos/cli index. |
| Dependency Intelligence | For package.json bumps: fetches changelogs, extracts breaking APIs, traces every caller via MCI, flags unupdated call sites. |
| Migration Safety | PK renames without FK constraint drops, column drops, column renames, table drops, unsafe type casts, NOT NULL on existing columns. |
| Intent Verification | Compares PR title/description to actual diff. Catches PRs that don't implement what they claim. Escalates risk below 40% confidence. |
| Engineering Standards | Fetches your team's PRINCIPLE and DECISION atoms from the knowledge graph and strictly enforces them. The more standards you capture, the smarter reviews become. |
| Deep Test Analysis | Second LLM pass evaluating whether the test checklist items are specific enough to catch regressions. Flags concrete missing scenarios by function name. Toggle: adds 30-90s. |
| Repo Health | On PR open only: checks for missing CODEOWNERS, dependabot.yml, PR template, CodeQL workflow, and .env.example drift when new env vars are used. |
| PR Description Gate | Flags missing or template-placeholder descriptions. Advisory only. |
| @heimdall Q&A | Mention @heimdall on any PR line to ask a question. Heimdall replies in-thread using the diff hunk as context. |
| BigQuery Audit | Every review decision logged immutably. SOC2 CC6.1 (logical access), CC7.2 (system monitoring). |
| PR-to-Task Linking | Fuzzy-matches PR title to Momental tasks and attaches the PR URL automatically. |
Opt-in (via .heimdall.yml)
| Capability | Config key |
|---|---|
| Design System Compliance | design_system: true |
| Architecture Boundaries | architecture: true |
| Custom Blocked Patterns | blocked_patterns: |
| Extra Security Patterns | security.extra_patterns: |
| Frontend Path Config | frontend_paths: |
| Playwright E2E | frontend_qa_enabled flag + playwright: |
| Visual Regression | visual_regression: true (within playwright section) |
Risk Levels
| Risk | Meaning | Auto-merge? |
|---|---|---|
| LOW | No auth, DB schema, or API contract changes | Eligible (if no concerns) |
| MEDIUM | Logic changes with possible edge cases | Not eligible |
| HIGH | Auth, payments, DB migrations, breaking API changes, CRITICAL security findings | Not eligible |
Risk escalation is deterministic and post-LLM. The LLM assigns an initial risk, then hard rules override upward: 3+ MCI gaps forces HIGH, any CRITICAL security finding forces HIGH, any style HIGH finding forces HIGH. The LLM cannot downgrade risk set by deterministic rules.
Engineering Standards from Knowledge Graph
Heimdall automatically enforces your team's engineering standards. Create PRINCIPLE and DECISION atoms in your Momental workspace:
```javascript
// These atoms are free to create (v1 MCP, pure DB operations)
await momental_node_create({
  statement: "All database queries must use Drizzle ORM. No raw SQL except migrations.",
  nodeType: "PRINCIPLE",
  status: "ACTIVE"
});
await momental_node_create({
  statement: "We use zod for all API input validation. No manual JSON.parse.",
  nodeType: "DECISION",
  status: "ACTIVE"
});
await momental_node_create({
  statement: "Every external API call must have explicit timeout + circuit-breaker.",
  nodeType: "PRINCIPLE",
  status: "ACTIVE"
});
```
Heimdall recalls up to 10 PRINCIPLE/DECISION atoms before every review and injects them into the LLM prompt with a strict enforcement instruction. A PR that violates a team principle gets the violation flagged as a concern - not just a note.
Security Scan Categories
22 regex patterns run on every diff, then an LLM pass eliminates false positives. Teams can add custom patterns via .heimdall.yml.
| Category | Severity | What it catches |
|---|---|---|
| SQL Injection | CRITICAL | String concatenation in queries with user input |
| XSS | CRITICAL | innerHTML, dangerouslySetInnerHTML |
| Code Injection | CRITICAL | eval() / new Function() with user input |
| RLS Bypass | CRITICAL | sql.raw() with template interpolation |
| Weak Crypto | HIGH | createHash('md5'), createHash('sha1') |
| Weak Randomness | HIGH | Math.random() for tokens/secrets/nonces |
| Timing Attack | HIGH | === comparison on HMAC/signature/hash |
| Hardcoded Secret | HIGH | mmt_*, ghp_*, sk_live_*, AKIA*, high-entropy credential strings |
| Prototype Pollution | HIGH | Object.assign/spread from user input |
| SSRF | HIGH | User input in fetch()/axios URL |
| Path Traversal | HIGH | User input in fs.*/path.* |
| Sensitive Data Logged | MEDIUM | password/secret/token in logger calls |
| Sensitive Data Exposed | MEDIUM | Credentials in HTTP response body |
| Insecure Cookie | MEDIUM | Missing httpOnly/Secure/SameSite |
| Missing Auth | MEDIUM | New route handler without auth middleware |
| Insecure Deserialization | MEDIUM | JSON.parse(req.*) without validation |
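To make the two deterministic stages concrete, here is an added example that is not Heimdall's own code. It parses the `+` lines of a unified diff, applies a small subset of the categories above, and then runs the post-LLM escalation rules from the Risk Levels section (3+ MCI gaps, any CRITICAL security finding, or any HIGH style finding forces HIGH; the LLM's risk is never lowered). The regexes, the `onlyIf` context check, the file names and both diffs are constructed for illustration and are assumptions, not a copy of Heimdall's real rule set.

```javascript
// Added example (not Heimdall's code): toy diff scanner + deterministic risk escalation.
// Pattern set, file names and diffs below are constructed for this example.

// A pattern fires when `re` matches the added line and, if `onlyIf` is set, `onlyIf`
// matches too (a crude stand-in for the LLM's "is this really a token/HMAC?" check).
const SECURITY_PATTERNS = [
  { category: 'XSS',             severity: 'CRITICAL', re: /\.innerHTML\s*=|dangerouslySetInnerHTML/ },
  { category: 'Code Injection',  severity: 'CRITICAL', re: /\beval\(|new Function\(/ },
  { category: 'Weak Crypto',     severity: 'HIGH', re: /createHash\(\s*['"](md5|sha1)['"]\s*\)/i },
  { category: 'Weak Randomness', severity: 'HIGH', re: /Math\.random\(\)/, onlyIf: /token|secret|nonce/i },
  { category: 'Timing Attack',   severity: 'HIGH', re: /[!=]==/, onlyIf: /hmac|signature|digest/i },
  { category: 'Hardcoded Secret',severity: 'HIGH', re: /\b(sk_live_|ghp_|mmt_)[A-Za-z0-9_]{8,}|\bAKIA[A-Z0-9]{16}\b/ },
];

const RISK_ORDER = { LOW: 0, MEDIUM: 1, HIGH: 2 };

// Walk a unified diff, tracking the new-file path and new-file line number.
// Only "+" lines are scanned; context lines are counted but never matched.
function scanDiff(diff, patterns = SECURITY_PATTERNS) {
  const findings = [];
  let file = null;
  let newLine = 0;
  for (const raw of diff.split('\n')) {
    if (raw === '') continue;
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    if (raw.startsWith('--- ') || raw.startsWith('diff ') || raw.startsWith('index ')) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith('-')) continue;            // removed line: not in the new file
    const line = raw.slice(1);                    // drop the ' ' or '+' prefix
    const lineNo = newLine++;
    if (!raw.startsWith('+')) continue;           // unchanged context: counted, not scanned
    for (const p of patterns) {
      if (p.re.test(line) && (!p.onlyIf || p.onlyIf.test(line))) {
        findings.push({ file, line: lineNo, category: p.category, severity: p.severity, text: line.trim() });
      }
    }
  }
  return findings;
}

// Deterministic, post-LLM escalation: hard rules can raise the LLM's risk, never lower it.
function escalateRisk(llmRisk, { findings = [], mciGaps = 0, styleFindings = [] } = {}) {
  const reasons = [];
  if (mciGaps >= 3) reasons.push(`${mciGaps} MCI caller gaps (3+)`);
  if (findings.some((f) => f.severity === 'CRITICAL')) reasons.push('CRITICAL security finding');
  if (styleFindings.some((s) => s.severity === 'HIGH')) reasons.push('HIGH style finding');
  const ruleRisk = reasons.length > 0 ? 'HIGH' : 'LOW';
  const risk = RISK_ORDER[ruleRisk] > RISK_ORDER[llmRisk] ? ruleRisk : llmRisk;
  return { risk, reasons };
}

// Constructed sample PR diff: two files, four expected findings.
const SAMPLE_DIFF = [
  'diff --git a/src/webhook.js b/src/webhook.js',
  '--- a/src/webhook.js',
  '+++ b/src/webhook.js',
  '@@ -10,4 +10,6 @@ function verify(req) {',
  '   const body = req.rawBody;',
  '-  const expected = sign(body);',
  "+  const expected = crypto.createHmac('sha256', SECRET).update(body).digest('hex');",
  "+  if (req.headers['x-signature'] === expected) return true;",
  "+  const legacy = crypto.createHash('md5').update(body).digest('hex');",
  '   return legacy === req.query.h;',
  ' }',
  'diff --git a/src/client/render.js b/src/client/render.js',
  '--- a/src/client/render.js',
  '+++ b/src/client/render.js',
  '@@ -3,3 +3,4 @@',
  ' export function show(el, html) {',
  '-  el.textContent = html;',
  '+  el.innerHTML = html;',
  '+  const nonce = Math.random().toString(36).slice(2);',
  ' }',
].join('\n');

// The same signature check rewritten with a constant-time compare: no pattern fires.
const HARDENED_DIFF = [
  '+++ b/src/webhook.js',
  '@@ -11,2 +11,3 @@',
  "+  const expected = crypto.createHmac('sha256', SECRET).update(body).digest();",
  "+  const given = Buffer.from(req.headers['x-signature'] ?? '', 'hex');",
  '+  if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) return true;',
].join('\n');

// Full pipeline on the sample: scan, then escalate an LLM-assigned MEDIUM.
function reviewSample() {
  const findings = scanDiff(SAMPLE_DIFF);
  return { findings, ...escalateRisk('MEDIUM', { findings, mciGaps: 1 }) };
}

const r = reviewSample();
for (const f of r.findings) console.log(`${f.severity.padEnd(8)} ${f.category.padEnd(16)} ${f.file}:${f.line}  ${f.text}`);
console.log(`risk: ${r.risk} (${r.reasons.join(', ') || 'no escalation'})`);
```

Running it reports the `===` on the signature, the MD5 hash, the innerHTML assignment and the Math.random nonce, then escalates the LLM's MEDIUM to HIGH because the XSS finding is CRITICAL; the `===` on the context line is ignored because only additions are scanned. The hardened diff produces no findings, but note that a regex this crude would still flag a variable named `signature` in the `length ===` guard that normally precedes `timingSafeEqual`; that kind of idiomatic false positive is what the LLM verification pass exists to remove.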
Setup
- Subscribe - Visit the Heimdall page and subscribe ($49/mo).
- Connect GitHub - Click "Connect GitHub" on the Heimdall settings page. Install the GitHub App on your org.
- (Optional) Index your code - Run npx @momentalos/cli index for MCI-powered blast radius and caller completeness analysis.
- Open a PR - Heimdall posts a review comment automatically within seconds.
.heimdall.yml Configuration
Place at your repo root. All keys are optional. Fetched at review time and cached for 1 hour.
```yaml
# Opt-in: flag hardcoded colors and unapproved HTML elements
design_system: true

# Opt-in: enforce import boundaries between layers
architecture: true

# Block specific patterns in additions (regex)
blocked_patterns:
  - pattern: "console\\.log"
    message: "Remove debug logging before merge"
  - pattern: "process\\.env\\.SECRET"
    message: "Do not commit secrets"

# Add extra patterns to the security scan
security:
  extra_patterns:
    - "eval\\("
    - "document\\.write\\("

# Require test files for specific paths
test_coverage:
  require_tests_for:
    - "src/services/**"
    - "src/utils/**"

# Tell Heimdall which dirs contain browser/frontend code
# Default: .tsx files + common dirs (components/, pages/, app/, etc.)
frontend_paths:
  - "src/client/"
  - "packages/webapp/"

# Playwright E2E (requires frontend_qa_enabled flag)
playwright:
  webapp_start_cmd: "pnpm dev:webapp"
  webapp_ready_path: "/health"
  visual_regression: true
```
Per-Team Toggles
Two time-intensive features can be toggled on/off from the Heimdall settings page at /apps/heimdall. Both default to ON.
| Toggle | Default | Time cost | What it controls |
|---|---|---|---|
| Deep Test Analysis | ON | +30-90s | Second LLM pass assessing test checklist adequacy |
| Extended Context | ON | +20-60s | 400KB diff + 25 files (vs 160KB + 10 in base mode) |
Ask Heimdall
Mention @heimdall in any PR review comment to ask a question:
@heimdall why is the token refreshed here instead of at the call site?
Heimdall replies in-thread using the diff_hunk as local context. For full-PR questions, mention Heimdall in a top-level review body and it fetches the entire diff before answering.
Self-Improvement Loop
Heimdall learns from its own history. Before each review, it recalls past CI/CD atoms tagged with ci-cd, code-review, and regression. After a deploy, the quality judge scores post-deploy scenarios. If a regression is detected on code Heimdall previously rated LOW, it creates a LEARNING atom that feeds into future reviews.
Combined with engineering standards enforcement, this creates a flywheel: team decisions become PRINCIPLE atoms, Heimdall enforces them, post-deploy outcomes create LEARNING atoms, and those learnings make the next review smarter.
Pricing
$49/month per workspace. Includes unlimited PR reviews for all repos connected via the GitHub App. No per-seat or per-review charges.