Heimdallm runs silently in your menu bar, watches your GitHub review requests, and submits AI-generated code reviews — powered by Claude, Gemini or Codex.
Someone requests your review on GitHub
Heimdallm fetches the diff and runs your AI agent
Review submitted as your account with severity rating
Native macOS notification with a link to the review
Heimdallm is a small, focused tool that does one thing well.
Polls GitHub for review-requested:@me. No setup needed — uses your gh CLI token.
Reviews are submitted as proper GitHub PR reviews — not stored locally. REQUEST_CHANGES on high severity, APPROVE otherwise.
Works with Claude, Gemini and Codex. Configure which agent reviews which repo. Pass custom CLI flags.
Define review profiles: security audit, performance, architecture. Use {diff} {author} {link} placeholders.
Track reviews over time: severity distribution, top repos, reviews per day, average issues per review.
Single: one consolidated review comment. Multi: one comment per issue + summary. Configurable globally or per repo.
Run headless on any server. Pre-built image with Claude, Gemini, Codex and OpenCode bundled. Configure via environment variables.
Menu bar on macOS. Native desktop on Linux (.deb, .rpm, AppImage). No Electron, no browser — just a Go daemon and a Flutter UI.
Posted as a proper GitHub review under your account, with file-level issues and an overall severity badge.
"Migration from kubernetes-labeled runner to generic self-hosted runner with kubectl port-forward for registry access. The approach is functional but has reliability and security concerns around the port-forward lifecycle and kubeconfig handling."
.github/workflows/docker-publish.yml:138 — Port-forward process (PF_PID) is only killed on the happy path. If docker push fails, the port-forward process leaks.
.github/workflows/docker-publish.yml:121 — KUBE_CONFIG secret is base64-decoded and written to ~/.kube/config. If the job crashes before cleanup, credentials persist on the runner.
.github/workflows/docker-publish.yml:128 — LOCAL_PORT is defined as a string env var but used in numeric contexts. Two concurrent builds will race on port 5050.
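The first two findings in the sample review (a forwarder killed only on the happy path, a kubeconfig left on the runner) have the same fix: tie teardown to an exit trap and keep the credential in a private temp file. The sketch below is an added example, not Heimdallm's code and not the reviewed workflow. Assumptions: `sleep 300` stands in for `kubectl port-forward`, `KUBE_CONFIG_B64` is a constructed placeholder, and `run_publish_step` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example (not Heimdallm's code, not the reviewed workflow).
# Assumptions: `sleep 300` stands in for `kubectl port-forward`, and
# KUBE_CONFIG_B64 is a constructed placeholder, not a real credential.
KUBE_CONFIG_B64=$(printf 'apiVersion: v1\nkind: Config\n' | base64)

# run_publish_step STATE_FILE CMD...   (hypothetical helper)
# Runs CMD with a private kubeconfig and a background forwarder, then tears
# both down whether CMD succeeds, fails, or the step is interrupted.
# STATE_FILE receives "<forwarder pid> <kubeconfig path>" for verification.
run_publish_step() (
  state_file=$1; shift
  pf_pid=
  kubeconfig=$(mktemp) || exit 1          # mode 0600, outside ~/.kube/config

  cleanup() {
    if [ -n "$pf_pid" ]; then
      kill "$pf_pid" 2>/dev/null || true
      wait "$pf_pid" 2>/dev/null || true  # reap it so nothing lingers
    fi
    rm -f "$kubeconfig"
  }
  trap cleanup EXIT                       # runs on every exit path
  trap 'exit 130' INT TERM                # route signals through EXIT

  printf '%s' "$KUBE_CONFIG_B64" | base64 -d > "$kubeconfig" || exit 1
  export KUBECONFIG="$kubeconfig"         # scoped to this subshell only

  # Real step: kubectl port-forward with a leading ":" before the remote
  # port asks kubectl for a random free local port instead of a fixed one.
  sleep 300 &
  pf_pid=$!
  printf '%s %s\n' "$pf_pid" "$kubeconfig" > "$state_file"

  "$@"                                    # e.g. the docker push; its status is returned
)

# Demo: a failing "push" still leaves no forwarder and no kubeconfig behind.
state=$(mktemp)
run_publish_step "$state" false || echo "push failed, status $?"
read -r pid kc_path < "$state"
kill -0 "$pid" 2>/dev/null && echo "forwarder leaked" || echo "forwarder gone"
[ -e "$kc_path" ] && echo "kubeconfig leaked" || echo "kubeconfig removed"
rm -f "$state"
```

In a GitHub Actions `run:` step the body of the function can be used directly, since each step already runs in its own shell.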
Choose a preset or write your own with {diff} {title} {author} {link} placeholders.
Correctness, maintainability, error handling, code style
OWASP Top 10, injection, hardcoded secrets, auth flaws
N+1 queries, allocations, blocking I/O, O(n²) algorithms
SOLID violations, coupling, separation of concerns
Docstrings, naming, magic numbers, conventions
Write your own with placeholders and optional full template
Open the DMG and drag Heimdallm to the Applications folder.
Run once in Terminal. The app is unsigned, so macOS blocks it until its extended attributes, including the download quarantine flag, are cleared:
xattr -cr /Applications/Heimdallm.app
Requires macOS 13+ · gh CLI authenticated · Claude/Gemini/Codex CLI installed