@codweft reviewRun an LLM review pass on the diff. The bot leaves grouped, actionable comments. No rubber-stamps.
@codweft review focus on auth code
GitHub-native AI agents
Ship faster from the comments you already write
Comment @codweft on any issue or pull request and Codweft launches a reviewed, audited GitHub Actions run.
Bring your own Kimi, Z.AI, or MiniMax key. It goes straight to your repo's Actions secrets, never sits on our servers, and you pay your model provider directly.
- Your model keys, never ours
- Reviewable setup PR per repo
- Every command is a tracked Actions run
github.com/acme/api · #421
@maintainer · 2m
Cache invalidation breaks when a tag is updated mid-flight. Repro is in the comments.
CW
@codweft fix
@codweft fix the cache invalidation in CacheService. See repro above.
codweft.ymlrunning · 1m 12s
→ read repro from comments
→ patch CacheService.invalidate()
opening pull request...
What it does
Six things Codweft gets right that PAT-based bots don't.
Your model keys, never ours
Codweft routes Kimi, Z.AI, and MiniMax. Your keys are written through to your repo's GitHub Actions secrets at submit time and discarded server-side. You pay your model provider directly. Codweft never touches billing.
GitHub App, not a bot account
One install on your org. Granular permissions, no PATs, no shared service accounts to rotate.
Comment-driven workflows
@codweft <verb> in any issue or PR triggers a reusable, versioned GitHub Actions run that is fully visible to your team.
Reviewable setup PR
Every install opens a pull request with the workflow router. Read it, approve it, merge it. Codweft does nothing behind your back.
Run history and audit
Every command is logged with status, requester, run URL, and outcome. Browse it in the dashboard or pipe it to your SIEM.
Open and verifiable
The workflows live in github.com/codweft/github-actions, pinned by tag. Read what's running before you ship it.
How it works
Three steps from install to merged PR.
- 01
Install the GitHub App
One click on github.com/apps/codweft. Pick your org and the repos you want covered.
- 02
Review and merge the setup PR
Codweft opens a PR adding .github/workflows/codweft.yml. It is one router workflow that calls versioned reusables.
- 03
Comment @codweft on issues or PRs
@codweft review, @codweft fix, @codweft implement, @codweft resolve conflicts. Every command is a tracked Actions run.
Commands
A small vocabulary that does a lot.
Triggered from any issue or pull request comment by trusted users in your repo. Every command is a versioned reusable workflow you can pin and audit.
@codweft fixDiagnose and patch. Codweft reads the issue, the diff, and unresolved review threads, then opens a fix PR.
@codweft fix the off-by-one in pagination
@codweft implementFrom an issue to a draft PR. Asks clarifying questions when the issue is underspecified, then ships.
@codweft implement
@codweft resolve conflictsResolves merge conflicts on a stacked branch and documents the decisions in the PR body.
@codweft resolve conflicts prefer ours for lockfile
Your keys stay with you. Every workflow is open.
Provider API keys are written to your repository's GitHub Actions secrets the moment you save them, then discarded from Codweft state. The reusable workflows live incodweft/github-actions, pinned by tag, so you can read what runs before you ship.
FAQ
Questions, answered.
Which models does Codweft support?
Kimi (kimi-for-coding), Z.AI (glm-5.1), and MiniMax (MiniMax-M2.7). The router tries them in order based on which keys you configure. At least one is required per repo or org.
Does Codweft cost anything?
Codweft itself is free during the MVP. You pay your model provider for tokens and your GitHub Actions usage for run minutes. Both are billed directly by them, not by us.
What permissions does the GitHub App need?
Read on contents and metadata, write on pull requests, issues, and Actions secrets for the repos you select. The full permission list is shown on the install page.
What happens when I rotate a model API key?
Update the key in the repository's Codweft dashboard. We write through to your Actions secrets and discard the value server-side. The next run picks up the new secret.
Can trusted users only trigger commands, or anyone?
Only repository owners, members, and collaborators. The reusable workflows check association on every comment event before doing anything.
Is Codweft open source?
The reusable workflows are: github.com/codweft/github-actions. The portal/control plane is closed source for now.
Ready to merge from a comment?
Install Codweft on one repo and try @codweft reviewon your next pull request. Uninstall in one click if it's not for you.