DiffSight

Stay in control
of every merge.

DiffSight is the local-first desktop client built around the engineer reviewing the code — not around the model writing it.

Themed tracks instead of a wall of diff. Blast-radius scoring to find the +1/−0 that broke 30 things. Versioned reviews so you re-read only the commits added since your last pass.

Read the manifesto

Pre-1.0. We'll email you the moment there's something to install.

Hero mockup: DiffSight Pro · PR "Multi-tenant storage rewrite" (Open, checks ok)
Modified packages/auth/src/session.ts (+1 −1):

  7   import { Database } from './db';
  8   import { now } from './time';
  9   import type { ScopeName } from './scopes';
  10
  11  export type Session = {
  12    userId: string;
  13-   expiresAt: Date;
  13+   expiresAt: Date | null;
  14    scopes: ScopeName[];
  15    refreshToken: string;
  16  };
  17
  18  export const SESSION_KEY = '__sess';

Blast radius 47: +1 / −1 on Session.expiresAt · reaches 47 callers across 14 files.
Deep analysis · Business logic · Critical: 3 callers assume expiresAt is never null.
  • packages/auth/src/middleware.ts:62
  • packages/billing/src/checkout.ts:104
  • apps/web/src/middleware.ts:14
Blast radius 47 · 3 / 9 files reviewed

Manifesto

The craft of reading code is dying.

More code is written by machines every day. Reviewed by no one. PRs pile up. Diffs scroll past. We click Approve because we trust the model. Or because we've stopped trying.

DiffSight is for engineers who still believe code review is a discipline. Not a chore. Not a formality. A craft.

AI-assisted, not AI-replaced.

You write with AI. You ship with AI. Fine. Someone still has to look. That someone is you. We make it bearable. Fast, dense, keyboard-driven, local.

What it is

A code review client. Nothing more. Nothing less.

Local-first. Code stays put.

SQLite, encrypted tokens, indexed repos, review history — all on your machine. A DiffSight account handles sign-in and licensing; your code, diffs, and review history never reach it. The app pulls PRs straight from GitHub and GitLab.

Bring your own model.

Drop in your Anthropic or OpenAI key. Or wire up your Claude Code or Codex CLI. Your prompts go from your machine to your provider. No DiffSight gateway. No relay. No aggregation.

Deep reads, grounded in your code.

Target a file. DiffSight walks every change line by line, follows the call graph through the local index, and reports back: behavior shifts, security risks, missing tests, places the diff stops making sense.

GitHub and GitLab. One client.

Same UI. Same keyboard. Switch repos, switch providers, without ever opening a browser tab.

Flagship · Track-based review

A 47-file PR is not a wall of diff.
It's six chapters.

DiffSight slices the PR into themed tracks. Each one groups the hunks that belong together, with a one-paragraph narrative on why. Lockfiles and generated code collapse into a single track you can acknowledge once.

Before: what GitHub gives you for a 145-change PR
Files · evilcorp/atlas · #482 · Files (47) · 21 / 47
  • config/tenants.go +331 −0
  • config/tenants_test.go +628 −0
  • config/config.go +12 −16
  • config/config_test.go +12 −12
  • internal/keystore/store.go +46 −38
  • internal/keystore/store_test.go +92 −12
  • internal/keystore/errors.go +14 −0
  • internal/storage/bucket.go +18 −5
  • internal/storage/bucket_test.go +41 −8
  • internal/storage/migration.go +167 −0
  • internal/server/router.go +28 −11
  • internal/server/middleware.go +33 −4
  • internal/server/tenant_resolver.go +78 −0
  • internal/billing/ledger.go +22 −17
  • internal/billing/invoice.go +9 −9
  • internal/billing/ledger_test.go +71 −12
  • internal/metrics/tenant_metrics.go +19 −0
  • internal/metrics/dashboards.json +138 −12
  • cmd/atlas/main.go +6 −4
  • cmd/atlas/boot.go +17 −9
+ 22 more files
After: what DiffSight does with the same PR
Tracks · evilcorp/atlas · #482 · Review complete 0 / 6
  • 1. Modeling tenants as first-class config (0 / 5)

    v1 baked one billing account and tenant id into env vars, so a single instance could only serve one tenant. The author starts by giving the server a registry of tenants so the rest of the change has something to look up.

    • config/tenants.go +331 −0
    • config/tenants_test.go +628 −0
    • config/config.go +12 −16
    • config/config_test.go +12 −12
    • internal/types/types.go +1 −0
  • 2. Per-tenant key resolution (0 / 5)

    Each tenant now carries its own KeyConfig, so the keystore can no longer read keys from a single global env.

  • 3. Re-pathing storage under {tenantId} (0 / 8)

    With keys scoped per tenant, the storage layout itself must isolate them.

  • 4. Routing the tenant id through the request (0 / 18)

    Storage and keys are tenant-scoped. The request layer must extract the id and propagate it down to handlers.

  • 5. Migrating v1 buckets in place (0 / 6)

    An existing v1 install upgrading to this build would silently lose every previously published asset without a migration.

  • 6. Per-tenant metrics and dashboards (0 / 4)

    Multiple tenants publishing through the same Prometheus instance would have collided on metric names.
Group by intent. Hunks land on a track automatically. Each gets a one-paragraph narrative on what it does and why.
Mute the noise. Lockfiles, snapshots, generated code — collapsed into one track. Acknowledge or skip.
Resume mid-track. Close the app. Come back tomorrow. DiffSight remembers the line.

Killer features

Built for the PRs your AI just opened.

A small set of primitives, each one answering a specific way an AI-generated PR will quietly betray you. No carousel of icons, no feature flags pretending to be products.

Flagship

Blast radius.

Find the +1 / −0 that broke 30 things.

Every changed file gets an impact score from your local call graph. The shared-type edit your agent shipped with confidence stops hiding at the bottom of the file list and shows up at the top — with the exact symbols it'll ripple into.

  • File list sorted by radius. Dangerous edits first, not last.
  • One click expands the exact call sites a change reaches.
  • Tests covering the change are tagged. High-radius, zero-coverage edits glow.
PR #487 · files sorted by radius
types.go · radius 30 · +1 −0
  • User.Validate (internal/user/user.go:42)
  • RegisterHandler (internal/api/register.go:17)
  • store.Insert (internal/db/store.go:88)
  • billing.Charge (internal/billing/charge.go:120)
  • TestRegister (tests/e2e/auth_test.go:88)
  • + 25 more callsites
30 callsites · 14 files · 4 tests hit
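How a call-graph impact score of this kind can be computed, shown as an added illustration rather than DiffSight's or Symlink's own code. It assumes the local index exposes a callee-to-callers adjacency with a file and a test flag per symbol; the scorer walks that reversed graph breadth-first from the symbols a hunk touched, counts the symbols and files reached, separates out test code, and sorts so that wide-radius, zero-coverage edits land at the top. The sample graph, symbol names and file paths are constructed for the example.

```typescript
// Added example, not DiffSight's or Symlink's code. Assumed index shape: each
// symbol id maps to its file and whether it lives in a test; `callers[x]` lists
// the symbols whose bodies reference x (the call graph with its edges reversed).

type SymbolId = string;

interface SymbolInfo {
  file: string;
  isTest: boolean;
}

interface CallGraph {
  symbols: Record<SymbolId, SymbolInfo>;
  callers: Record<SymbolId, SymbolId[]>;
}

interface FileRadius {
  file: string;        // changed file the score belongs to
  radius: number;      // distinct non-test symbols that transitively reach the change
  files: number;       // distinct files those symbols live in
  testsHit: number;    // test symbols that transitively reach the change
  reached: SymbolId[]; // call sites in BFS order: nearest callers first
}

// Walk the reversed call graph from every changed symbol in a file and count
// what the edit can ripple into.
function blastRadius(graph: CallGraph, changed: SymbolId[]): FileRadius[] {
  const byFile = new Map<string, SymbolId[]>();
  for (const sym of changed) {
    const file = graph.symbols[sym].file;
    byFile.set(file, (byFile.get(file) ?? []).concat(sym));
  }
  const rows: FileRadius[] = [];
  byFile.forEach((syms, file) => {
    const seen = new Set<SymbolId>(syms);
    const queue = syms.slice();
    const reached: SymbolId[] = [];
    while (queue.length > 0) {
      const current = queue.shift() as SymbolId;
      for (const caller of graph.callers[current] ?? []) {
        if (seen.has(caller)) continue; // cycles and diamonds are visited once
        seen.add(caller);
        reached.push(caller);
        queue.push(caller);
      }
    }
    const prod = reached.filter((s) => !graph.symbols[s].isTest);
    const tests = reached.filter((s) => graph.symbols[s].isTest);
    rows.push({
      file,
      radius: prod.length,
      files: new Set(prod.map((s) => graph.symbols[s].file)).size,
      testsHit: tests.length,
      reached,
    });
  });
  // Dangerous edits first: widest radius, and among equals the ones no test reaches.
  return rows.sort((a, b) => b.radius - a.radius || a.testsHit - b.testsHit);
}

// The "glow" condition: wide reach, nothing exercising it.
function highRadiusUncovered(rows: FileRadius[], minRadius: number): string[] {
  return rows.filter((r) => r.radius >= minRadius && r.testsHit === 0).map((r) => r.file);
}

// Constructed sample index: a shared-type edit in session.ts and an unrelated
// helper edit in date.ts.
const sampleGraph: CallGraph = {
  symbols: {
    Session: { file: "packages/auth/src/session.ts", isTest: false },
    getSession: { file: "packages/auth/src/session.ts", isTest: false },
    requireAuth: { file: "packages/auth/src/middleware.ts", isTest: false },
    checkout: { file: "packages/billing/src/checkout.ts", isTest: false },
    webMiddleware: { file: "apps/web/src/middleware.ts", isTest: false },
    testCheckout: { file: "packages/billing/test/checkout.test.ts", isTest: true },
    formatDate: { file: "packages/util/src/date.ts", isTest: false },
    renderInvoice: { file: "packages/billing/src/invoice.ts", isTest: false },
  },
  callers: {
    Session: ["getSession", "requireAuth"],
    getSession: ["requireAuth", "checkout", "webMiddleware"],
    checkout: ["testCheckout"],
    formatDate: ["renderInvoice"],
  },
};

const sampleRows = blastRadius(sampleGraph, ["Session", "formatDate"]);
console.log(
  sampleRows
    .map((r) => `${r.file}: radius ${r.radius}, ${r.files} files, ${r.testsHit} tests hit`)
    .join("\n"),
);
```

With the constructed graph the one-line Session edit scores radius 4 across 4 files with one test reaching it, while the date helper scores 1 with no test, so it is the helper, not the type, that would glow at a threshold of 1. Counting call sites in the same file as callers is deliberate: a caller next door is still a place the behaviour shifts.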
PR-aware

Versioned reviews.

Re-read what changed. Not the rest.

Your agent pushed 8 more commits to the same PR. Move the base or head SHA and review only the slice. Threads, AI findings, and read state stay anchored.

  • Any base/head SHA inside the PR.
  • One click expands back to the full diff.
  • No more re-reading the whole PR every force-push.
PR #487 · feat: token rotation · slice 3 / 5
  a4f1c1  rework session.ts
  8b2e09  add token rotation (base)
  fc4421  fix race in rotate()
  21a902  test: rotation flow (head)
  d92011  docs: README
3 commits · 6 files · +218 −47 changed
AI

Vet AI code with AI you control.

Point at a file. Your Claude or Codex key reads every change against the local call graph, then returns a verdict on five axes — security, business logic, regression, tests, quality — with each finding pinned to the lines and files it touches.

Deep analysis · Claude · session.ts · 9 findings
  • Security: Safe
  • Business logic: Critical (4)
    L40-58 · Critical

    getSession now returns null for revoked tokens instead of throwing RevokedError. Two callers branch on that error to force re-auth — they now read a revoked session as anonymous and fall through to the public route.

    Related: auth/middleware.ts, api/guard.ts
  • Code quality: Careful (1)
  • Regression: Careful (3)
  • Testing: Partial (1)

Threads, inline.

Reply and resolve where the code lives. No tab-flip to a browser.

MS: Should we fail closed here?

AK: Yes. Pushed in fixup.

resolved · 2 replies

Split or unified. Per file.

Sync'd scroll, soft-wrap, syntax-aware coloring. Layout state persists per file so you pick up exactly where you left off.

function getUser(id) {
  return db.users.find(id);
}

function getUser(id) {
+ return cache.get(id) ??
+   db.users.find(id);
}

Full file. Inline.

Expand context without leaving the diff. No new tab. No spinner.

… 38 lines hidden
41   if (token) {
42+    verify(token)
43   }
… 12 lines hidden
Powered by Symlink

Local repo indexing.

The call graph that powers everything.

Symlink parses your repo into typed symbols and a call graph, in-process. Definition jumps, references, blast radius, AI grounding — all run on your machine. Your source code never leaves it.

Supported languages: TypeScript, Python, Go, Rust, Java, Kotlin, C#, PHP, Swift, Svelte, Bash, + more shipping
Indexed · 12,438 symbols · live
  • getSession (src/auth/session.ts:41)
  • verifySignature (src/auth/verify.ts:12)
  • SESSION_SECRET (src/config.ts:8)
  • store.lookup (src/db/store.ts:60)
  • rotateKey (src/auth/keys.ts:24)
12,438 symbols · 847 files · 1.2s initial scan

Security & privacy

Your code never leaves your machine.

No code in the cloud. No proxy. No telemetry. Built for engineers who read threat models before they read pricing pages.

  • The backend never sees code.

    Sign-in, licensing, and updates run through a DiffSight backend. Your code does not — diffs go straight from the desktop app to GitHub, GitLab, and your LLM provider.

  • Zero telemetry.

    None today. Anything we add ships off by default, is disclosed in the changelog, and is a single toggle to confirm.

  • OS-native secret storage.

    OAuth tokens, PATs, and LLM API keys are encrypted at rest using the macOS Keychain via Electron safeStorage. Never plaintext, never logged.

  • Local SQLite, local index.

    Review history, comments-in-flight, repo index, and cached diffs live in a single SQLite file in your user data directory. Delete the file → DiffSight forgets everything.

  • Renderer is sandboxed.

    Strict process isolation: contextIsolation: true, no nodeIntegration. Every privileged operation goes through a typed IPC contract. The UI cannot touch your tokens.

  • BYOK LLM, no proxy.

    AI requests go from your machine straight to Anthropic / OpenAI / your local Claude Code or Codex CLI. DiffSight never sees, logs, or routes your prompts.

  • Open about what's sent.

    Every outbound network call is documented. For AI reviews, you see exactly which files and hunks get included in the prompt before sending.

  • Read-only agent surface.

    The review agent runs against a fixed set of tools: read_file, list_files, grep, read_pr_diff, list_pr_files, get_dep_graph. No shell. No write. No git push, no git commit, no arbitrary network. The agent can look, never act.

  • Scoped to the PR you opened.

    Every tool call is bound to the current repository and pull request. The agent can't read another repo, jump to another branch, or pull data outside the PR's scope.

  • Bounded by design.

    Per-review token and cost ceilings, configurable. Hard stop on tool-call count to prevent runaway loops. Streamed status with a visible kill switch. Interrupt mid-run, always.

  • Every step is on the record.

    Every tool call (which file, which range, which query) is shown in the UI, in order, with inputs and outputs. Nothing happens off-screen. Save the trace, share it, audit it.

  • Locked-down renderer.

    Strict Content-Security-Policy, no eval, no remote scripts. Even a compromised dependency cannot reach your tokens or open a back-channel to the network.
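One way the read-only, PR-scoped and bounded tool surface described in the list above can be enforced, shown as an added example that is not DiffSight's own implementation. It assumes the agent runtime hands every proposed tool call to a gate and executes only what the gate returns; the six tool names are the ones this page lists, while ToolGate, confinePath, the ReviewScope shape and the scenario are constructed for the example. The gate checks an allowlist, a call budget, repository/PR/ref scope and path confinement, and records every decision, admitted or not, in order.

```typescript
// Added example, not DiffSight's implementation. Assumed: the agent runtime hands
// every proposed tool call to ToolGate.admit() and executes only what comes back.
// Tool names are the six the page lists; ToolGate, confinePath, ReviewScope and
// the scenario below are constructed for this example.

type ToolName =
  | "read_file" | "list_files" | "grep"
  | "read_pr_diff" | "list_pr_files" | "get_dep_graph";

const READ_ONLY_TOOLS: ReadonlySet<string> = new Set<ToolName>([
  "read_file", "list_files", "grep", "read_pr_diff", "list_pr_files", "get_dep_graph",
]);

interface ToolCall { tool: string; args: Record<string, string>; }

interface TraceEntry {
  seq: number;
  tool: string;
  args: Record<string, string>;
  outcome: "ok" | "rejected";
  reason?: string;
}

interface ReviewScope {
  repo: string;              // "owner/name" the review was opened on
  pr: number;
  refs: ReadonlySet<string>; // the PR's base and head SHAs; no other branch is reachable
}

// Normalise a repo-relative path and refuse anything that resolves outside the root.
function confinePath(raw: string): string | null {
  if (raw.startsWith("/") || /^[A-Za-z]:/.test(raw)) return null; // absolute paths
  const parts: string[] = [];
  for (const seg of raw.split(/[\\/]+/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (parts.length === 0) return null; // would climb above the repository
      parts.pop();
      continue;
    }
    parts.push(seg);
  }
  return parts.join("/");
}

class ToolGate {
  private used = 0;
  readonly trace: TraceEntry[] = [];

  constructor(private readonly scope: ReviewScope, private readonly maxCalls: number) {}

  // Returns the call as the runtime may execute it, or null after recording why not.
  admit(call: ToolCall): ToolCall | null {
    const record = (args: Record<string, string>, outcome: "ok" | "rejected", reason?: string): void => {
      this.trace.push({ seq: this.trace.length + 1, tool: call.tool, args, outcome, reason });
    };
    const reject = (reason: string): null => { record(call.args, "rejected", reason); return null; };

    if (!READ_ONLY_TOOLS.has(call.tool)) return reject("tool not in read-only allowlist");
    if (this.used >= this.maxCalls) return reject("tool-call budget exhausted");
    if (call.args.repo !== undefined && call.args.repo !== this.scope.repo) return reject("outside the current repository");
    if (call.args.pr !== undefined && Number(call.args.pr) !== this.scope.pr) return reject("outside the current pull request");
    if (call.args.ref !== undefined && !this.scope.refs.has(call.args.ref)) return reject("ref is not the PR's base or head");

    const args: Record<string, string> = { ...call.args };
    if (args.path !== undefined) {
      const safe = confinePath(args.path);
      if (safe === null) return reject("path escapes repository root");
      args.path = safe; // the runtime only ever sees the normalised path
    }
    this.used += 1;
    record(args, "ok");
    return { tool: call.tool, args };
  }
}

// Constructed scenario: legitimate lookups mixed with calls a confused or
// prompt-injected agent might attempt. A budget of three calls shows the hard stop.
function sampleTrace(): TraceEntry[] {
  const gate = new ToolGate({ repo: "evilcorp/atlas", pr: 482, refs: new Set(["8b2e09", "21a902"]) }, 3);
  const attempts: ToolCall[] = [
    { tool: "read_pr_diff", args: { repo: "evilcorp/atlas", pr: "482" } },
    { tool: "read_file", args: { path: "internal/server/../keystore/store.go" } },
    { tool: "read_file", args: { path: "../../outside-the-repo.txt" } },
    { tool: "git_push", args: { remote: "origin" } },
    { tool: "read_file", args: { path: "README.md", repo: "evilcorp/other" } },
    { tool: "grep", args: { pattern: "tenantId", ref: "main" } },
    { tool: "list_files", args: { path: "internal" } },
    { tool: "list_files", args: { path: "cmd" } },
  ];
  for (const attempt of attempts) gate.admit(attempt);
  return gate.trace;
}

console.log(sampleTrace().map((e) => `${e.seq} ${e.tool} ${e.outcome}${e.reason ? ": " + e.reason : ""}`).join("\n"));
```

Rejected calls are kept in the trace with their reason rather than dropped, so the on-screen record shows what the agent tried as well as what it was allowed to do; the budget counts only admitted calls, so a loop of rejected attempts still ends at the hard stop rather than burning the budget silently.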

FAQ

Short answers. No fog.

The questions every engineer asks before installing a code review client. If yours is missing, email hello@diffsight.dev.

  • 01 What is DiffSight?

    DiffSight is a local-first desktop client for reviewing pull and merge requests on GitHub and GitLab. It's built for engineers reviewing code their AI wrote — themed tracks, call-graph blast radius, and versioned reviews on top of fast keyboard-driven diffs.

  • 02 How do I review an AI-generated pull request with DiffSight?

    Open the PR in DiffSight. The 47 files become 6 themed tracks, each with a one-paragraph narrative of what it does. Files sort by blast radius so the dangerous edits — the +1/−0 in a shared type — surface first. Run a deep AI pass per file with your own key, then walk threads inline. Read state, AI findings, and comments persist locally.

  • 03 What is blast radius in code review?

    Blast radius is an impact score DiffSight computes for every changed file from your local call graph. Files whose edits ripple into many other symbols rank high. It catches the failure mode AI-generated PRs ship most often: a one-line edit to a shared type or helper that silently shifts behavior in dozens of callers.

  • 04 How is DiffSight different from reviewing on github.com or gitlab.com?

    It's a native desktop app, not a browser tab. Keyboard-driven, dense, sync'd-scroll diffs with whole-file context inline. A local repo index for definition jumps and references. Blast-radius scoring per file. Versioned reviews between any two SHAs in a PR. Deep AI analysis grounded in your code, with your own provider key. Your review state lives on your machine and survives restarts.

  • 05 Does DiffSight upload my source code anywhere?

    No. DiffSight runs a backend for sign-in, licensing, and updates — never for your code. The app talks directly to GitHub or GitLab from your machine, and AI requests go straight to the provider you configured (Anthropic, OpenAI, Claude Code, Codex). Your code, diffs, and prompts never pass through our servers.

  • 06 Which AI providers can I use?

    Bring your own key for Anthropic or OpenAI. Or wire up an existing Claude Code or Codex CLI. DiffSight never proxies, relays, or aggregates your prompts.

  • 07 Which Git providers does it support?

    GitHub and GitLab, in the same UI. Switch between repos and providers without leaving the keyboard.

  • 08 Which platforms are supported?

    macOS only at launch. Windows and Linux to come. The first installable build ships to the waitlist.

  • 09 Is DiffSight free?

    Free during the closed beta. Pricing for the public release will be announced before 1.0 — waitlist hears first.

  • 10 How are my tokens and API keys stored?

    OAuth tokens, personal access tokens, and LLM API keys are encrypted at rest using the macOS Keychain via Electron safeStorage. Never plaintext, never logged.

  • 11 Does DiffSight collect telemetry?

    None today. If we ever add any, it ships off by default, is disclosed in the changelog, and is a single toggle in settings.

  • 12 Can the AI agent modify my code or push commits?

    No. The review agent is read-only by construction. It can read files, list files, grep, and inspect the PR. It cannot run a shell, write files, commit, push, or open arbitrary network connections.

  • 13 When will DiffSight be available?

    Pre-1.0 closed beta. Join the waitlist — one email when there's an installable build for you. No drip campaign.

Pre-1.0 · Closed beta

Be in the first install.

The first installable build ships to the waitlist. No public download yet. No drip campaign. One email, when there's something to install.

macOS only for now. Windows and Linux to come. Free during beta.