◈ What Shipped

PullLight Changelog

Everything we've shipped, newest first. This is how fast we move.

25 features shipped in the last 90 days
June 2026
/changelog — public shipping log
You're reading it. Reverse-chronological log of everything PullLight has shipped, with RSS feed, subscribe-by-email CTA, JSON-LD structured data, and a markdown-file authoring path for future entries.
View → /changelog
npx pulllight scan — AI review in your terminal
The PullLight AI reviewer is now available as a zero-install CLI. Run npx pulllight scan against your local staged and unstaged changes before opening a PR. Pass -b main to compare the full branch diff. Severity-colored output groups findings by file with line numbers, category, explanation, and any one-click suggested fixes Claude was confident about. Exit code 0 for clean/medium/low; exit code 1 when critical or high findings exist — so it wires directly into pre-commit hooks, Husky, or GitHub Actions. --severity-floor high, --ignore glob patterns, and --json mode for scripting are all supported. Tokens are saved once in ~/.config/pulllight/config.json or read from PULLLIGHT_API_TOKEN. Full install guide, pre-commit hook recipe, Husky example, and CI snippet at /docs/cli.
View → /docs/cli
One-click GitHub suggestion blocks on approved comments
When Claude finds a bug with an unambiguous, drop-in fix, approved inline comments now include a native GitHub ```suggestion``` block. Reviewer clicks "Commit suggestion" in the GitHub UI and the patch lands — no branch, no editor needed. Claude only emits suggested_fix when the fix is confined to the visible hunk lines, requires no new imports or symbols, and has one correct answer. When uncertain, it stays null — preserving the signal-not-noise brand. The /reviews queue shows an ⚡ auto-fix badge on findings that carry a suggestion so the operator can see at a glance which approvals are one-click patches.
View → /reviews
.pulllight.yml — per-repo config file
Add a .pulllight.yml to any repo root to override PullLight behavior for that repo alone. Supported fields: review_focus (per-repo lane overrides), ignore_paths (glob patterns — vendor/**, *.generated.ts, dist/**), severity_floor (drop findings below low/medium/high/critical before they queue), custom_rules (free-text team conventions injected into the Claude prompt, up to 200 chars each), and disable (kill switch). PullLight fetches the file at the PR's head SHA on every webhook, parses it safely with js-yaml FAILSAFE_SCHEMA, and posts a Check Run annotation on parse errors. Falls back to your team defaults silently on any error. Full schema docs + 3 copy-paste examples (Node.js monorepo, Python Django, Go service) at /docs/config.
View → /docs/config
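To make the CLI exit-code rule and the .pulllight.yml fields from the two entries above concrete, here is an added example that is not PullLight's own code: it normalizes a config object as js-yaml's FAILSAFE_SCHEMA would hand it back (every scalar is a string, so `disable: true` arrives as "true"), validates the documented fields, applies severity_floor to a constructed list of findings, and derives the exit code the CLI documents. The factory defaults, the accepted list shapes and the sample findings are assumptions.

```javascript
// Added example, not PullLight's own code: normalize a .pulllight.yml parsed with
// js-yaml FAILSAFE_SCHEMA (scalars are always strings, so `disable: true` arrives as
// "true"), apply severity_floor, and derive the documented CLI exit code. Field names
// and the exit-code rule are from the changelog; defaults and list shapes are assumed.
const SEVERITIES = ["low", "medium", "high", "critical"];
const LANES = ["Security", "Bugs", "Performance", "Style", "Tests"];
const asList = v => (Array.isArray(v) ? v : [v]);
function normalizeConfig(raw) {
  const cfg = { review_focus: LANES.slice(), ignore_paths: [], severity_floor: "low",
                custom_rules: [], disable: false }; // assumed factory defaults
  const errors = [];
  if (raw.disable !== undefined) {                       // FAILSAFE gives "true"/"false"
    if (raw.disable === "true") cfg.disable = true;
    else if (raw.disable !== "false") errors.push(`disable must be true or false, got "${raw.disable}"`);
  }
  if (raw.severity_floor !== undefined) {
    if (SEVERITIES.includes(raw.severity_floor)) cfg.severity_floor = raw.severity_floor;
    else errors.push(`severity_floor must be one of ${SEVERITIES.join("/")}`);
  }
  if (raw.ignore_paths !== undefined) {
    const globs = asList(raw.ignore_paths);
    if (globs.every(g => typeof g === "string")) cfg.ignore_paths = globs;
    else errors.push("ignore_paths must be a list of glob strings");
  }
  for (const rule of raw.custom_rules === undefined ? [] : asList(raw.custom_rules)) {
    if (typeof rule === "string" && rule.length <= 200) cfg.custom_rules.push(rule);
    else errors.push("custom_rules entries must be strings of at most 200 chars");
  }
  if (raw.review_focus !== undefined) {
    const lanes = asList(raw.review_focus);
    const unknown = lanes.filter(l => !LANES.includes(l));
    if (unknown.length) errors.push(`unknown review lanes: ${unknown.join(", ")}`);
    else cfg.review_focus = lanes;
  }
  return { config: cfg, errors };
}
// Drop findings below the floor; exit 1 only if a critical or high finding remains.
function applySeverityFloor(findings, floor) {
  const min = SEVERITIES.indexOf(floor);
  return findings.filter(f => SEVERITIES.indexOf(f.severity) >= min);
}
function exitCodeFor(findings) {
  return findings.some(f => f.severity === "high" || f.severity === "critical") ? 1 : 0;
}
// Constructed sample: what FAILSAFE_SCHEMA would return for a small .pulllight.yml.
const SAMPLE_RAW = { disable: "false", severity_floor: "medium",
  ignore_paths: ["vendor/**", "dist/**"], custom_rules: ["Prefer parameterised queries"] };
const SAMPLE_FINDINGS = [{ file: "src/db.ts", severity: "low", category: "Style" },
  { file: "src/auth.ts", severity: "high", category: "Security" }];
```

The point to check in your own wiring is the string-typed booleans: any parser that uses FAILSAFE_SCHEMA must convert "true"/"false" itself, or a `disable: true` kill switch silently stays off.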
PR slash commands — @pulllight recheck, ignore, explain, help
Four inline commands now work directly in PR comment threads. Type @pulllight recheck to kick off a fresh analysis on the latest commit, @pulllight ignore <id> to remove a review from the queue, @pulllight explain <id> to get a deeper bug class + fix patch from Claude, or @pulllight help for the reference table. PullLight acks with a 👀 reaction immediately and posts results async. No browser tab required — stays inside the conversation your devs are already in.
View → /docs#pr-commands
/settings/review-focus — per-team Claude review customization
Teams can now toggle five review lanes — Security, Bugs, Performance, Style, and Tests. Disable style nits entirely, or crank up security scanning for a paranoid team. Config persists per installation, injects into the Claude prompt as a "Review categories enabled" header, and the dashboard shows a nudge to teams still on factory defaults. Signal not noise.
View → /settings/review-focus
React2Shell CVE case study — CVSS 10.0 RCE in React Server Components
The seventh case study documents CVE-2025-55182 (React2Shell), a CVSS 10.0 arbitrary code execution vulnerability in React Server Components. The RSC Flight protocol deserializer allows prototype chain traversal via the "constructor" key, enabling full server compromise without Server Actions. Added to the /case-studies index, sitemap, and changelog auto-publish.
View → /case-studies/cve-2025-55182-react2shell
/embed — README badge gallery + social share
Every installed team now gets a /embed page with one-click copy snippets for their live badge (Markdown, HTML, reStructuredText), pre-filled Twitter/X and LinkedIn share links, and a public report URL. Dashboard links directly to it. Badge is already live at /badge/:owner/:repo.svg — this page closes the loop and turns every team into a distribution channel.
View → /embed
One-click demo PRs on /analyze
Six pre-loaded example PRs (4 CVEs + null-deref + missing-await) show up above the input form on /analyze. Click any one and the analysis runs instantly — no URL needed. Cached as static JSON so results are instant. Conversion analytics log which examples get clicked.
View → /analyze
/trust — data & security transparency
New page explains exactly what PullLight collects, how diffs are processed, where data is stored, and what it never does. Eight sections with expandable details. Added to footer, sitemap, and the GitHub App setup page.
View → /trust
Engineering blog launched at /blog
Dark terminal aesthetic blog with RSS feed and OG image generation. First post: why our AI reviewer asks before it posts, with the architectural explanation of the human-gate design.
View → /blog
3-touch onboarding email sequence
Day 0 welcome, Day 1 badge nudge, Day 3 backfill recap — sent via Postmark on a per-minute cron. Unsubscribe link halts the sequence. Reduces time-to-value for new installs.
Simplified install path — direct GitHub App OAuth only
Install the GitHub App directly → authorize repos → upgrade to Pro via Stripe Checkout in your dashboard. No Marketplace detours.
/pricing — ROI calculator + competitor table
Full pricing page with a drag-to-calculate ROI calculator (team size, PRs/week, hourly rate), a 5/10/25-dev competitor math table, three tier cards, and a 12-item FAQ accordion. All state persists in the URL.
View → /pricing
Dynamic /badge/:owner/:repo.svg endpoint
Shields.io-style SVG badge showing how many bugs PullLight has caught on a repo. Embed it in your README. Impressions tracked. Each badge is a recurring distribution surface pointing back at /repos.
Sticky PR summary comment with resync
PullLight now posts a single sticky summary comment per PR and PATCH-updates it on re-review instead of creating duplicates. Cleaner comment threads, same signal.
/catches — public feed of real bugs caught
Sanitized, privacy-safe stream of findings from PullLight-reviewed PRs across all installed repos. Severity, category, language, and a redacted snippet — no repo names unless already public. RSS feed included.
View → /catches
/repos — public activity reports per installed repo
Every repo with PullLight installed gets a public page at /repos/:owner/:repo showing total PRs reviewed, findings by severity, top bug categories, and recent catches. Link it from your README.
May 2026
Shareable /analysis/:slug permalinks
Every /analyze run now generates a permanent link at /analysis/:slug. Share a specific AI review with your team. Stored in public_analyses with token counters and model attribution.
View → /analyze
/vs comparison hub + 5 competitor pages
Head-to-head comparison pages for CodeRabbit, Greptile, Copilot PR Review, Graphite Agent, and Qodo. Tables compare human-gate, noise level, pricing, and setup time.
View → /vs
3 CVE case studies: Next.js, Waitress, JSONPath+
Deep-dive writeups on real vulnerabilities PullLight's AI caught in open-source PRs: the Next.js middleware bypass (CVSS 9.1), the Waitress HTTP pipelining race condition, and the JSONPath-Plus VM sandbox escape.
View → /case-studies/nextjs-middleware-bypass
GitHub Check Runs integration
PullLight now creates a Check Run on every PR. Status updates in real time: queued → in_progress → completed. The check block shows finding count and links back to the /reviews queue.
"Test Your Install" button on setup page
One-click test that fires a synthetic webhook to confirm the install is wired correctly end-to-end. Creates a pending review you can inspect in the queue. No more silent failures at install time.
View → /setup
Post-install backfill — historical PR scan
After installing PullLight, you can now scan up to 50 recent closed PRs for bugs you might have missed. Results appear in backfill_reviews. The UI shows progress in real time.
GitHub App manifest flow — self-service install
First-run setup now creates the GitHub App automatically via the manifest flow. No manual key copying. Credentials stored encrypted in github_app_config. Install URL generated and ready immediately.
View → /setup