Thirdpass Docs

Review Workflow

How Thirdpass reviews package files and shares coverage across projects.

File-Focused Review

Reviews are built from one or more file-focused inspections. For each selected file, the review agent uses that file as the focal point while the full package remains available for context.

This keeps each inspection bounded and its result easy to audit. When the review completes, the CLI bundles the per-file results and submits them to the server, which records the package version, the reviewed files, the findings, and the reviewer's public identity. That record lets Thirdpass share coverage across projects that use the same package files.

Assigned Reviews

The server keeps a prioritized queue of package versions that need review. The CLI can ask the server for a target from that queue:

thirdpass review-any

Nightshift mode repeats that process in a loop:

thirdpass review-any --nightshift

To focus assigned reviews on a specific registry, pass --registry:

thirdpass review-any --registry crates.io
thirdpass review-any --nightshift --registry pypi.org

After the server assigns a target, the CLI uses the configured ecosystem extension to resolve, cache, and extract the package archive for review.

Local Dependency Review

To review packages used by the project in the current directory, run:

thirdpass review-deps

The CLI asks the enabled extensions to identify dependency files and resolve the reviewable package versions. It then derives an ordered review plan from the current dependency files and from existing coverage, both in local review storage and in reviews committed to the project.

Those extensions retrieve selected package archives so Thirdpass can analyze their files and prepare review batches. Completed dependency reviews are also written under .thirdpass/reviews/ in the project checkout. When matching local reviews already exist on the machine, review-deps copies them into that project directory and skips the covered files.

The command works through the plan until every review batch has coverage or the user stops it. If interrupted, run it again to resume: the CLI derives the plan again from the current dependency files, checks local pending and submitted reviews plus .thirdpass/reviews/, skips files that already have matching package artifact and file-hash coverage, and selects the next review batch that still has unreviewed files.
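The following is an added example, not Thirdpass code: it models the coverage matching described above (and in File-Focused Review) so the resume behaviour is concrete. The coverage record layout, the batch size, the in-memory tar archive, and the sample package contents are all assumptions made so it runs offline. A file counts as covered only when a prior record matches the package artifact digest, the path, and the file digest; the same content under a different artifact, or the same path with different content, is reviewed again. Because the archive is untrusted input, members whose names would escape the extraction root are rejected before any hashing.

```python
# Added example: a small model of artifact- and file-hash-keyed review coverage.
# It is not Thirdpass code; the record fields, batch planner and archive layout
# are assumptions made so the example runs offline.
import hashlib
import io
import posixpath
import tarfile
from dataclasses import dataclass


@dataclass(frozen=True)
class CoverageRecord:
    """One reviewed file, as a hypothetical coverage record."""
    artifact_sha256: str  # digest of the package archive the file came from
    path: str
    file_sha256: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_archive(files: dict) -> bytes:
    """Constructed sample input: an in-memory, uncompressed tar (deterministic)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def file_hashes(archive: bytes) -> dict:
    """Hash each regular file in the archive without extracting it to disk.
    Member names that would escape the extraction root are rejected, since
    the archive is untrusted input."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            norm = posixpath.normpath(member.name)
            if posixpath.isabs(member.name) or norm == ".." or norm.startswith("../"):
                raise ValueError(f"unsafe archive member: {member.name!r}")
            hashes[member.name] = sha256(tar.extractfile(member).read())
    return hashes


def plan_review(archive: bytes, records, batch_size: int):
    """Return (artifact_sha256, covered_paths, batches); batches groups the
    uncovered files into review-sized lists. A file is covered only when a
    record matches the artifact digest, the path and the file digest."""
    artifact = sha256(archive)
    covered_keys = {(r.artifact_sha256, r.path, r.file_sha256) for r in records}
    hashes = file_hashes(archive)
    covered, remaining = [], []
    for path, digest in sorted(hashes.items()):
        (covered if (artifact, path, digest) in covered_keys else remaining).append(path)
    batches = [remaining[i:i + batch_size] for i in range(0, len(remaining), batch_size)]
    return artifact, covered, batches


# Constructed sample package and prior coverage (assumed, not real data).
SAMPLE_FILES = {
    "pkg/__init__.py": b"from .core import run\n",
    "pkg/core.py": b"def run():\n    return 1\n",
    "pkg/setup_hook.py": b"import os\nos.system('true')\n",
    "pkg/util.py": b"X = 1\n",
}
SAMPLE_ARCHIVE = build_archive(SAMPLE_FILES)
SAMPLE_ARTIFACT = sha256(SAMPLE_ARCHIVE)
PRIOR_RECORDS = [
    CoverageRecord(SAMPLE_ARTIFACT, "pkg/core.py", sha256(SAMPLE_FILES["pkg/core.py"])),
    # Same path, but the content reviewed earlier differs: not a match.
    CoverageRecord(SAMPLE_ARTIFACT, "pkg/util.py", sha256(b"X = 2\n")),
    # Same content reviewed from a different artifact: not a match either.
    CoverageRecord("0" * 64, "pkg/__init__.py", sha256(SAMPLE_FILES["pkg/__init__.py"])),
]

if __name__ == "__main__":
    artifact, covered, batches = plan_review(SAMPLE_ARCHIVE, PRIOR_RECORDS, batch_size=2)
    print("artifact", artifact[:12], "covered", covered, "batches", batches)
```

Running it yields one covered file (pkg/core.py) and two batches for the remaining three, which is the shape of what a resumed review-deps run would pick up next under this model.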
