Heimdall

Code Guardian. Heimdall reviews every pull request with skeptical eyes - trust nothing, verify everything. Security scanning, style enforcement, test adequacy analysis, and your team's own engineering standards, all enforced automatically.

What Heimdall Does

Heimdall is an automated PR reviewer that posts a structured review comment on every pull request. It runs multiple analysis layers in parallel - from OWASP security scanning to call-graph analysis to your team's PRINCIPLE and DECISION atoms - and produces a single risk-rated comment with actionable concerns, a test checklist, and governance advisories.

Unlike a linter or SAST tool, Heimdall combines pattern matching with AI reasoning to minimize false positives, verify intent, and assess whether the test checklist actually covers the changed code paths.

Zero Setup Required

Every capability below works from the first PR with no configuration files, no CI changes, and no tooling installation. Connect the GitHub App, open a PR, and Heimdall comments within seconds.

Optional configuration via .heimdall.yml unlocks additional features (design system enforcement, architecture boundaries, custom blocked patterns) but is never required.

Review Capabilities

Always On (zero config)

| Capability | What it catches |
| --- | --- |
| LLM Code Review | Risk assessment (LOW/MEDIUM/HIGH), concerns, test checklist, and highlights. Reads the full diff and key file contents. |
| Security Scan | Scans across key vulnerability categories: SQL injection, XSS, code injection, weak crypto, hardcoded secrets, SSRF, path traversal, prototype pollution, sensitive data in logs/responses, insecure cookies. LLM verification eliminates false positives. |
| Style Check | console.log in non-test code, TypeScript `: any` annotations, require() in ESM, hardcoded localhost URLs, Node.js built-in imports in frontend code, TODO/FIXME additions. |
| Call-Graph Analysis | Blast radius of every changed symbol, caller completeness (missed callers = real bugs), co-change detection, test file mapping. Requires momental-indexer --dir . (npm i -g @momentalos/cli). |
| Dependency Intelligence | For package.json bumps: fetches changelogs, extracts breaking APIs, traces every caller via MCI, flags call sites that were not updated. |
| Migration Safety | PK renames without FK constraint drops, column drops, column renames, table drops, unsafe type casts, NOT NULL on existing columns. |
| Intent Verification | Compares PR title/description to the actual diff. Catches PRs that don't implement what they claim. Escalates risk when confidence is low. |
| Engineering Standards | Fetches your team's PRINCIPLE and DECISION atoms from the knowledge graph and strictly enforces them. The more standards you capture, the smarter reviews become. |
| Deep Test Analysis | Second pass evaluating whether the test checklist items are specific enough to catch regressions. Flags concrete missing scenarios by function name. Toggle: adds time. |
| Repo Health | On PR open only: checks for missing CODEOWNERS, dependabot.yml, PR template, CodeQL workflow, and .env.example drift when new env vars are used. |
| PR Description Gate | Flags missing or template-placeholder descriptions. Advisory only. |
| @heimdall Q&A | Mention @heimdall on any PR line to ask a question. Heimdall replies in-thread using the diff hunk as context. |
| BigQuery Audit | Every review decision logged immutably. SOC2 CC6.1 (logical access), CC7.2 (system monitoring). |
| PR-to-Task Linking | Fuzzy-matches the PR title to Momental tasks and attaches the PR URL automatically. |

Opt-in (via .heimdall.yml)

| Capability | Config key |
| --- | --- |
| Design System Compliance | design_system: true |
| Architecture Boundaries | architecture: true |
| Custom Blocked Patterns | blocked_patterns: |
| Extra Security Patterns | security.extra_patterns: |
| Frontend Path Config | frontend_paths: |
| Playwright E2E | frontend_qa_enabled flag + playwright: |
| Visual Regression | visual_regression: true (within playwright section) |

Risk Levels

| Risk | Meaning | Auto-merge? |
| --- | --- | --- |
| LOW | No auth, DB schema, or API contract changes | Eligible (if no concerns) |
| MEDIUM | Logic changes with possible edge cases | Not eligible |
| HIGH | Auth, payments, DB migrations, breaking API changes, CRITICAL security findings | Not eligible |

Risk levels are enforced consistently - certain findings always result in elevated risk regardless of other factors.

Engineering Standards from Knowledge Graph

Heimdall automatically enforces your team's engineering standards. Create PRINCIPLE and DECISION atoms in your Momental workspace:

// These atoms are free to create (v1 MCP, pure DB operations)
await momental_node_create({
  statement: "All database queries must use Drizzle ORM. No raw SQL except migrations.",
  nodeType: "PRINCIPLE",
  status: "ACTIVE"
});

await momental_node_create({
  statement: "We use zod for all API input validation. No manual JSON.parse.",
  nodeType: "DECISION",
  status: "ACTIVE"
});

await momental_node_create({
  statement: "Every external API call must have explicit timeout + circuit-breaker.",
  nodeType: "PRINCIPLE",
  status: "ACTIVE"
});

Heimdall recalls your team's PRINCIPLE and DECISION atoms before every review and enforces them. A PR that violates a team principle gets the violation flagged as a concern, not just a note.

Security Scan Categories

Heimdall scans every diff for known vulnerability patterns. Teams can add custom patterns via .heimdall.yml.

| Category | Severity | What it catches |
| --- | --- | --- |
| SQL Injection | CRITICAL | String concatenation in queries with user input |
| XSS | CRITICAL | innerHTML, dangerouslySetInnerHTML |
| Code Injection | CRITICAL | eval() / new Function() with user input |
| RLS Bypass | CRITICAL | sql.raw() with template interpolation |
| Weak Crypto | HIGH | createHash('md5'), createHash('sha1') |
| Weak Randomness | HIGH | Math.random() for tokens/secrets/nonces |
| Timing Attack | HIGH | === comparison on HMAC/signature/hash |
| Hardcoded Secret | HIGH | mmt_*, ghp_*, sk_live_*, AKIA*, high-entropy credential strings |
| Prototype Pollution | HIGH | Object.assign/spread from user input |
| SSRF | HIGH | User input in fetch()/axios URL |
| Path Traversal | HIGH | User input in fs.*/path.* |
| Sensitive Data Logged | MEDIUM | password/secret/token in logger calls |
| Sensitive Data Exposed | MEDIUM | Credentials in HTTP response body |
| Insecure Cookie | MEDIUM | Missing httpOnly/Secure/SameSite |
| Missing Auth | MEDIUM | New route handler without auth middleware |
| Insecure Deserialization | MEDIUM | JSON.parse(req.*) without validation |

Security & Data Isolation

Heimdall reads your pull request diffs via the GitHub API using a per-team installation token. Your code is never stored, cached, or shared with other customers.

See our Security page for the complete data protection framework.

Setup

  1. Subscribe - Visit the Heimdall page and subscribe ($49/mo).
  2. Connect GitHub - Click "Connect GitHub" on the Heimdall settings page. Install the GitHub App on your org.
  3. (Optional) Index your code - Run npm i -g @momentalos/cli && momental-indexer --dir . for MCI-powered blast radius and caller completeness analysis. The MCI-backed features (call graph, test mapping, co-change) detect the index automatically.
  4. Open a PR - Heimdall posts a review comment automatically within seconds.

.heimdall.yml Configuration

Place at your repo root. All keys are optional. Fetched at review time and cached for 1 hour.

# Opt-in: flag hardcoded colors and unapproved HTML elements
design_system: true

# Opt-in: enforce import boundaries between layers
architecture: true

# Block specific patterns in additions (regex)
blocked_patterns:
  - pattern: "console\\.log"
    message: "Remove debug logging before merge"
  - pattern: "process\\.env\\.SECRET"
    message: "Do not commit secrets"

# Add extra patterns to the security scan
security:
  extra_patterns:
    - "eval\\("
    - "document\\.write\\("

# Require test files for specific paths
test_coverage:
  require_tests_for:
    - "src/services/**"
    - "src/utils/**"

# Tell Heimdall which dirs contain browser/frontend code
# Default: .tsx files + common dirs (components/, pages/, app/, etc.)
frontend_paths:
  - "src/client/"
  - "packages/webapp/"

# Playwright E2E (requires frontend_qa_enabled flag)
playwright:
  webapp_start_cmd: "pnpm dev:webapp"
  webapp_ready_path: "/health"
  visual_regression: true

Per-Team Toggles

Two time-intensive features can be toggled on/off from the Heimdall settings page at /apps/heimdall. Both default to ON.

| Toggle | Default | Time cost | What it controls |
| --- | --- | --- | --- |
| Deep Test Analysis | ON | +30-90s | Second LLM pass assessing test checklist adequacy |
| Extended Context | ON | +20-60s | Larger diff window and more file contents for thorough analysis |

Ask Heimdall

Mention @heimdall in any PR review comment to ask a question:

@heimdall why is the token refreshed here instead of at the call site?

Heimdall replies in-thread using the diff_hunk as local context. For full-PR questions, mention Heimdall in a top-level review body and it fetches the entire diff before answering.

Gets Smarter Over Time

Heimdall improves with use. Each review is informed by your team's engineering standards and past outcomes. The more your team documents decisions as PRINCIPLE and DECISION atoms, the more precisely Heimdall enforces them.

Pricing

$49/month per workspace. Includes unlimited PR reviews for all repos connected via the GitHub App. No per-seat or per-review charges.