Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/kestiny18/scopediff

Local-first scope checker for AI-generated code changes.
https://github.com/kestiny18/scopediff

ai claude-code cli code-review codex coding-agent cursor diff git

Last synced: 2 days ago
JSON representation

Local-first scope checker for AI-generated code changes.

Awesome Lists containing this project

README 

          
# ScopeDiff



[![npm](https://img.shields.io/npm/v/@scopediff-dev/cli.svg)](https://www.npmjs.com/package/@scopediff-dev/cli)

[![CI](https://github.com/kestiny18/scopediff/actions/workflows/ci.yml/badge.svg)](https://github.com/kestiny18/scopediff/actions/workflows/ci.yml)

[![license](https://img.shields.io/npm/l/@scopediff-dev/cli.svg)](LICENSE)



> Status: early (v0.2). Useful today; the CLI surface and rules may still change.



Let AI write code without letting it rewrite your project.



ScopeDiff reports when AI-generated code changes drift outside the scope a task

declared. It runs locally, requires no API key, and works with Cursor, Codex,

Claude Code, and other AI coding workflows.



Most AI code review tools ask:



> Is this code good?



ScopeDiff asks:



> Was this code supposed to change?



## How it answers that



ScopeDiff does **not** try to guess your intent from a prompt. Instead, the task

declares its scope up front — the paths it expects to touch — and ScopeDiff

compares the actual diff against that declaration. It is an **attention router**:

it points you (or your agent) at the few changes that fall outside the declared

scope, and gets out of the way for everything that's in scope.



Its guiding principle is **trust over coverage**: only high-confidence facts

(an undeclared dependency/lockfile/migration/CI/secret change) ever *block*.

Fuzzy, inferred findings are surfaced for review but never block.



## Why ScopeDiff



AI coding agents are useful, but they drift: touching unrelated modules,

changing dependencies, deleting tests, or rewriting build files while solving a

narrow task. ScopeDiff catches that drift before you finish a task or open a PR.



## Installation



Requires **Node.js ≥ 20** and **git**.



```bash

npm install -g @scopediff-dev/cli

```



Or run without installing:



```bash

npx @scopediff-dev/cli check

```



## Declared scope (recommended)



At the start of a task, declare what it should touch:



```bash

scopediff intent --task "fix login empty password returns 400" --allow "src/auth/**"

```



This writes `.scopediff/intent.json`. Then, after changes, check the diff:



```bash

scopediff check

```



Example output (declared `src/auth/**`, but the diff also touched `package.json`

and `src/payment/`):



```text

ScopeDiff Report



Mode:

  scope



Declared scope:

  task: fix login empty password returns 400

  allow: src/auth/**



Summary:

  1 high, 1 medium, 0 info

  3 files, 6 changed lines



High Risk:

  [SD019] High-risk file changed outside declared scope

  file: package.json

  reason: This file was changed but is not covered by the declared scope (src/auth/**). High-risk files require an explicit declaration.

  blocking: true



Potential Scope Drift:

  [SD019] Potential scope drift: file changed outside declared scope

  file: src/payment/PaymentService.ts

  reason: This file was changed but is not covered by the declared scope (src/auth/**). Please review whether it belongs in this task.



Result:

  failed because 1 blocking finding(s) were found.

```



Files inside the declared scope (and test files) stay silent. An undeclared

high-risk file blocks; an undeclared ordinary source file is a non-blocking

review note; an undeclared docs file is informational.



## Without a declaration



If there is no `.scopediff/intent.json`, ScopeDiff degrades gracefully:



- **Deterministic danger tripwires still fire on fact** — env/secret changes,

  test deletion, and large deletions are flagged regardless of scope.

- **Keyword heuristics become a best-effort fallback** — it guesses task domains

  from a prompt or branch name. These findings are review hints and **never

  block**.



You can still pass context explicitly:



```bash

scopediff check --prompt "fix login empty password returns 400"

scopediff check --prompt-file task.md

```



## Diff source



```bash

scopediff check            # git diff HEAD (all tracked changes)

scopediff check --staged   # git diff --staged

scopediff check --base main # git diff main...HEAD

```



## Agent workflows



```bash

scopediff init cursor

scopediff init codex

scopediff init claude

```



Execution differs by tool, and ScopeDiff is honest about it:



| Tool | Enforcement | How |

| --- | --- | --- |

| **Claude Code** | **Hard** | `init claude` installs a `Stop` hook (`scopediff check --hook`) that runs automatically before the agent finishes and sends it back on blocking findings. Merged into `.claude/settings.json`. |

| **Cursor** | Soft (best-effort) | `.cursor/rules/scopediff.mdc` asks the agent to declare scope and check. The agent may skip it. |

| **Codex** | Soft (best-effort) | `AGENTS.md` asks the agent to declare scope and check. The agent may skip it. |



> Deterministic post-turn hooks for Cursor and Codex are not yet supported here;

> on those tools enforcement is best-effort until that is verified.



## Configuration



```bash

scopediff init   # writes scopediff.yml

```



ScopeDiff reads `scopediff.yml` from the current project.



## Exit codes



- `0`: passed

- `1`: blocked by findings at or above the configured `fail_on` (default: HIGH)

- `2`: runtime or config error



## Rules



Findings carry an ID (`SD001`–`SD019`). The full rule list, severities, and the

declared-intent model are documented in [SPEC.md](SPEC.md).



## Privacy



ScopeDiff runs locally. Your code, diffs, and task context are not uploaded. No

API key is required. No LLM is used — semantic judgment, when needed, is left to

the coding agent already in your editor.



## Roadmap



- v0.1: CLI, local rules, config, Risk Mode, Agent Pack

- v0.2: declared-intent scope engine, Claude Code Stop hook, honest agent docs

- v0.2.x: verify Cursor/Codex hooks, file-level scope precision, more rules

- v1.0: PR bot, team policies, dashboard



## Contributing



Issues and PRs are welcome. Local setup:



```bash

git clone https://github.com/kestiny18/scopediff.git

cd scopediff

npm install

npm run check   # build + tests

```



See [CONTRIBUTING.md](CONTRIBUTING.md) for project layout and how rules are

structured.



## License



MIT