Skip to content
/
Tier A A8 Cross-runtime harness

Patchwork OS

patchwork-os · last commit 2025-04-18

Primitive shape
No installable primitives
00

Summary

Patchwork OS — Summary

One-line description

Patchwork is a Python CLI and framework for automated code patching via composable AI-powered pipelines called "patchflows," targeting CI/CD integration for security fixes, dependency upgrades, and documentation generation.

Classification

  • Archetype: automated-pipeline-runner (closest to: none of the five seed archetypes — independent Python CLI, not Claude Code or IDE-centric)
  • Primary use case: CI/CD automation for code quality tasks (security patching, PR review, docstring generation, dependency updates)
  • Methodology fit: not a coding methodology; patchflows are standalone automation pipelines, not agent guidance frameworks

Key facts

Field Value
Repository https://github.com/patched-codes/patchwork
License AGPL-3.0 (framework); Apache-2.0 (individual steps + patchflows)
Stars ~1,558
Language Python
Install pip install patchwork-cli
Binary patchwork
Version 0.0.124
Last commit 2025-04-18
Contributors 15

Core abstractions

  • Step: reusable atomic Python class; 46+ built-in (CallLLM, CreatePR, ScanSemgrep, ModifyCode, ExtractDiff, etc.)
  • Patchflow: Python class that chains Steps + YAML prompt templates into a named automation pipeline
  • Prompt template: JSON/YAML files with {{variable}} substitution; one per patchflow, stored under patchwork/patchflows/<Name>/

Built-in patchflows (11)

AutoFix, DependencyUpgrade, GenerateCodeUsageExample, GenerateDiagram, GenerateDocstring, GenerateREADME, GenerateUnitTests, LogAnalysis, PRReview, ResolveIssue, SonarFix

Relationship to spec-driven development

Patchwork is not a spec-driven development framework. It does not generate code from specifications, manage agent context, or orchestrate developer workflows. It is a code automation tool that uses LLMs to patch, review, and document existing codebases, typically invoked from CI pipelines (GitHub Actions, etc.).

Included in this research batch because it was listed as a "Reddit-confirmed alt-SDD" reference — the Reddit context appears to be users describing automated code quality pipelines as a form of spec-driven maintenance.

Quality tier

Tier A — comprehensive: 1558-star active project with full Python source, pypi package, detailed docs.

01

Overview

Patchwork OS — Origin and Philosophy

Origin

Patchwork is maintained by patched-codes (patched.codes). The project began as tooling to automate security vulnerability fixes — specifically, to take scanner output and produce a PR with the fix applied. It evolved into a general-purpose code patching framework.

The dual license (AGPL-3.0 for the framework + Apache-2.0 for individual steps and patchflows) is explicitly designed to allow reuse of the building blocks in commercial products while keeping the full framework open.

Core thesis

From the README:

"Patchwork automates development tasks using LLMs. You can run a patchflow locally, or via GitHub Actions."

The philosophy is pipeline composition: complex code automation tasks decompose into sequences of atomic Steps. Each Step is a reusable Python class; a Patchflow wires them together. This makes automation tasks composable, testable, and version-controlled.

Primary target workflows

  1. Security patching (AutoFix): ingest vulnerability scanner output → LLM generates fix → commit + PR
  2. Dependency upgrades (DependencyUpgrade): identify outdated deps → LLM generates upgrade PR
  3. Documentation (GenerateDocstring, GenerateREADME, GenerateDiagram): generate missing docs for existing code
  4. PR review (PRReview): LLM-assisted code review with structured comments
  5. Unit test generation (GenerateUnitTests): generate tests for uncovered code
  6. Log analysis (LogAnalysis): parse and summarize application logs
  7. Issue resolution (ResolveIssue): attempt to resolve a GitHub issue automatically

Usage context

Patchwork runs:

  • Locally: developer invokes patchwork <PatchflowName> from terminal
  • CI/CD: GitHub Actions workflow calls patchwork step; outputs a PR
  • Programmatically: Python code imports patchflow classes directly

Relationship to coding agents / AI IDEs

Patchwork is not an AI coding assistant. It does not run inside an IDE and does not assist with interactive development. It operates on code repositories as a batch process, typically triggered by external events (vulnerability scan, PR open, scheduled CI run).

02

Architecture

Patchwork OS — Architecture

Distribution

Install

pip install patchwork-cli
patchwork --help

Runtime requirements

  • Python 3.x
  • An LLM API key (OpenAI, Anthropic, Groq, Google, HuggingFace, or local via Ollama/llama.cpp)
  • Git repository (most patchflows operate on a local checkout)

Directory structure

patchwork/
├── patchflows/               # 11 built-in patchflows
│   ├── AutoFix/
│   │   ├── AutoFix.py        # Patchflow Python class
│   │   └── AutoFix.json      # Prompt template
│   ├── PRReview/
│   │   ├── PRReview.py
│   │   └── PRReview.json
│   ├── GenerateDocstring/
│   ├── GenerateREADME/
│   ├── GenerateUnitTests/
│   ├── DependencyUpgrade/
│   ├── GenerateCodeUsageExample/
│   ├── GenerateDiagram/
│   ├── LogAnalysis/
│   ├── ResolveIssue/
│   └── SonarFix/
├── steps/                    # 46+ reusable Step classes
│   ├── CallLLM/
│   ├── CreatePR/
│   ├── CommitChanges/
│   ├── ExtractCode/
│   ├── ExtractDiff/
│   ├── ModifyCode/
│   ├── PreparePrompt/
│   ├── ScanSemgrep/
│   ├── ScanDepscan/
│   └── ...
├── common/                   # Shared utilities, LLM client abstraction
└── app.py                    # CLI entry point

Execution model

CLI invocation
  → resolve patchflow class
  → instantiate with config dict
  → run() → sequential Step execution
  → each Step: run() → modifies shared context dict → pass to next Step
  → final Step: CreatePR / CommitChanges / output report

Context is a mutable Python dict passed through the Step chain. Steps read and write keys in this dict. There is no async execution or parallel step branching.

LLM abstraction

patchwork/common/ provides a unified LLM client that routes to:

  • OpenAI / Azure OpenAI (default: gpt-4o)
  • Anthropic
  • Google Gemini
  • Groq
  • HuggingFace Inference API
  • Ollama (local)
  • llama.cpp (local)
  • Any OpenAI-compatible endpoint

Provider is selected via config key model (format: provider/model-name or bare model name for OpenAI).

GitHub Actions integration

- uses: patched-codes/patchwork@v0.0.124
  with:
    patchflow: AutoFix
    openai_api_key: ${{ secrets.OPENAI_API_KEY }}

Patchwork ships a GitHub Action wrapper; this is the primary CI/CD integration path.

03

Components

Patchwork OS — Components

Steps (46+)

Steps are the atomic building blocks. Each is a Python class with a run() method that reads from and writes to a shared context dict.

LLM interaction steps

Step Purpose
CallLLM Generic LLM call with prompt template; writes response to context
AgenticLLM Agentic loop: calls LLM repeatedly until no further tool calls; supports function calling
PreparePrompt Loads and renders a prompt template with context variable substitution

Code modification steps

Step Purpose
ModifyCode Apply LLM-generated code changes to files
ExtractCode Extract code blocks from LLM response text
ExtractDiff Generate diff from modified files

SCM / PR steps

Step Purpose
CreatePR Open a pull request on GitHub/GitLab
CommitChanges Stage and commit modified files
CreatePRComment Post a comment on an existing PR

Security scanning steps

Step Purpose
ScanSemgrep Run Semgrep SAST scanner; parse findings to context
ScanDepscan Run depscan dependency vulnerability scanner
ScanSnyk Run Snyk vulnerability scan

Analysis / utility steps

Step Purpose
ReadIssues Fetch GitHub issues
ReadPRs Fetch PR metadata and diffs
ReadFile Read file contents to context
FilterContext Prune context keys before next step
SliceSource Slice source code into logical chunks

(46+ total; above is a representative subset)

Built-in patchflows (11)

Patchflow Input Output
AutoFix Semgrep scan results PR with security fixes
DependencyUpgrade Package manifest PR with upgraded dependencies
GenerateCodeUsageExample Source file PR with usage examples added
GenerateDiagram Source code Mermaid/PNG architecture diagram
GenerateDocstring Python/JS source PR with docstrings added
GenerateREADME Repository README.md PR
GenerateUnitTests Source file PR with unit tests added
LogAnalysis Log file Markdown summary report
PRReview Open PR diff Structured review comments posted
ResolveIssue GitHub issue PR attempting resolution
SonarFix SonarQube findings PR with fixes applied

Prompt templates

Each patchflow ships a JSON prompt template alongside its Python class:

patchwork/patchflows/AutoFix/AutoFix.json
patchwork/patchflows/PRReview/PRReview.json
...

Template format:

[
  {
    "role": "system",
    "content": "You are a senior software engineer..."
  },
  {
    "role": "user",
    "content": "Fix the following vulnerability:\n{{vulnerability_details}}\n\nCode:\n{{source_code}}"
  }
]

Variables use {{variable_name}} syntax. PreparePrompt renders templates against the context dict.

Configuration

All patchflows accept configuration via:

  1. CLI flags: patchwork AutoFix --openai_api_key=... --github_api_key=...
  2. YAML config file: patchwork AutoFix --config=my-config.yaml
  3. Environment variables: OPENAI_API_KEY, GITHUB_API_KEY, etc.
  4. .patchwork.yaml in the repository root: project-level defaults
05

Prompts

Patchwork OS — Prompt Files

AutoFix prompt template (patchwork/patchflows/AutoFix/AutoFix.json)

Technique: Structured output prompt with explicit section labeling

[
  {
    "role": "system",
    "content": "You are a senior software engineer who is best in the world at fixing vulnerabilities without breaking existing functionality. Your task is to fix the vulnerability in the code below. Do not change any other code. Respond in the following format:\nA. Commit message\nB. Change summary\nC. Compatibility Risk\nD. Fixed Code"
  },
  {
    "role": "user",
    "content": "Fix the following vulnerability:\n{{vulnerability_details}}\n\nHere is the code with the vulnerability:\n{{source_code}}"
  }
]

Key design choices:

  • System prompt establishes persona + explicit constraint ("Do not change any other code")
  • Enumerated output sections force structured response that ExtractCode can parse reliably
  • Compatibility risk field makes the model surface regression risk before the fix is applied

PRReview prompt template (patchwork/patchflows/PRReview/PRReview.json)

Technique: Diff-context review with citation format requirements

[
  {
    "role": "system",
    "content": "You are an expert code reviewer. Review the following code changes and provide actionable feedback. For each issue found, specify the exact file and line number."
  },
  {
    "role": "user",
    "content": "Review the following pull request:\n\nTitle: {{pr_title}}\nDescription: {{pr_description}}\n\nChanges:\n{{pr_diff}}"
  }
]

Key design choices:

  • "exact file and line number" requirement maps review output to the CreatePRComment step's input schema
  • PR title + description provide semantic context beyond raw diff

GenerateDocstring prompt

Technique: Function-scoped prompt with language inference

[
  {
    "role": "user",
    "content": "Generate a docstring for the following {{language}} function:\n\n{{function_code}}\n\nReturn only the docstring, no other text."
  }
]

Key design choices:

  • {{language}} is inferred from file extension by the patchflow; injected at render time
  • "Return only the docstring, no other text" eliminates need for post-processing beyond insertion

Variable substitution mechanism

All templates use {{variable_name}} syntax. PreparePrompt step renders templates:

# PreparePrompt.run() pseudocode
rendered = template_string
for key, value in self.context.items():
    rendered = rendered.replace(f"{{{{{key}}}}}", str(value))

Variables come from earlier Steps writing to the shared context dict. No separate template engine; substitution is a simple string replace.

Prompting techniques observed

  1. Enumerated output sections (A/B/C/D) — forces predictable structure for downstream parsing; avoids JSON schema enforcement
  2. Persona + constraint pattern — "best in the world at X without breaking Y"; persona sets quality bar, constraint narrows scope
  3. Citation format requirements — PRReview asks for "exact file and line number" to make comments programmatically actionable
  4. Language/context injection — file extension, PR metadata, and scan results are injected as context variables, not described in prose
  5. Output-only instruction — "Return only the docstring, no other text" eliminates extraction complexity
09

Uniqueness

Patchwork OS — Uniqueness & Differentiation

Primary differentiator: composable step library as the unit of reuse

Most code automation tools are monolithic — they do one thing (e.g., "review PRs"). Patchwork's architecture separates the reusable primitives (Steps) from the composed automation (Patchflows). A new automation task is built by wiring existing Steps; adding a new scanner is a new Step that slots into any patchflow.

The 46+ built-in Steps cover the full lifecycle: scan → analyze → generate → apply → commit → create PR → comment. Users rarely need to write custom Steps; they write custom Patchflows that wire existing ones.

CI/CD-first design

Patchwork is designed to run headlessly in CI pipelines, not interactively. The primary trigger is a scheduled GitHub Action, not a developer command. This positions it as infrastructure maintenance tooling, not developer tooling — it runs when no one is watching and creates a PR for human review.

This is a distinct design point from AI coding assistants (which help in-session) and from code generation frameworks (which run at development time).

Security patching as a primary use case

AutoFix + SonarFix + ScanSemgrep + ScanDepscan form an end-to-end security remediation pipeline. The system ingests structured vulnerability scanner output (not freeform instructions) and generates targeted fixes with explicit compatibility risk assessment. This is a narrower, more reliable task than general code generation.

Dual license strategy

AGPL-3.0 for the framework + Apache-2.0 for individual Steps and Patchflows. Users can extract any Step or Patchflow and use it in a commercial product under Apache-2.0. Only the orchestration harness (the framework itself) is AGPL. This maximizes reuse of building blocks while keeping the platform open.

Comparison to seed frameworks

Dimension Patchwork Closest seed (none)
Execution model Batch CLI / CI trigger Interactive session
IDE integration None Primary interface
Context model Ephemeral dict per run Persistent files / memory
Output GitHub PR Code in editor
Orchestration Sequential Step pipeline Task queue / agent loop
Primary user DevOps / security engineer Developer

Patchwork does not fit any of the five seed archetypes. It is not behavioral guidance for an IDE agent; it is an automated code transformation pipeline that uses LLMs as one step in a larger process.

Scope within this research batch

Patchwork was listed as a "Reddit-confirmed alt-SDD" reference. The Reddit context appears to involve users discussing automated code maintenance pipelines as an alternative to manual spec-driven development. Patchwork automates repetitive code quality tasks (security, docs, deps) but does not implement or enforce a development specification workflow.

Limitations

  • No cross-run memory; each run is stateless
  • No interactive mode; not usable for exploratory development
  • No rollback if a mid-pipeline Step fails (e.g., commit created but PR not opened)
  • No parallel step execution within a patchflow
  • AGPL-3.0 framework license may be a barrier for some commercial embedding scenarios
04

Workflow

Patchwork OS — Workflow

AutoFix workflow (canonical example)

Scan → Parse findings → Prepare prompt → Call LLM → Extract code → Apply fix → Commit → Create PR

Step-by-step:

  1. ScanSemgrep — run Semgrep on the repo; parse findings JSON into context
  2. SliceSource — extract the relevant source code around each vulnerability
  3. PreparePrompt — render AutoFix.json template with vulnerability details + source code
  4. CallLLM — send to LLM; receive structured response (commit message, change summary, compatibility risk, fixed code)
  5. ExtractCode — parse fixed code from LLM response
  6. ModifyCode — write fixed code to files
  7. CommitChanges — stage and commit with generated commit message
  8. CreatePR — open PR with change summary as description

PRReview workflow

Fetch PR diff → Prepare prompt → Call LLM → Post review comments
  1. ReadPRs — fetch the open PR diff
  2. PreparePrompt — render PRReview.json with diff content
  3. CallLLM — LLM produces structured review with specific file/line citations
  4. CreatePRComment — post review comments to the PR

GenerateDocstring workflow

Read source → Slice into functions → For each function: PreparePrompt → CallLLM → ModifyCode → Commit → PR

The loop over functions is handled inside the patchflow Python class. Each function is processed independently; results are batched into a single commit.

Custom patchflow authoring

Users define custom patchflows by:

  1. Creating MyPatchflow/MyPatchflow.py extending Step
  2. Creating MyPatchflow/MyPatchflow.json with the prompt template
  3. Wiring existing Steps in run():
from patchwork.step import Step
from patchwork.steps import CallLLM, ModifyCode, CreatePR

class MyPatchflow(Step):
    def run(self) -> dict:
        self.context = CallLLM(self.context).run()
        self.context = ModifyCode(self.context).run()
        self.context = CreatePR(self.context).run()
        return self.context
  1. Running: patchwork MyPatchflow

CI/CD integration pattern

# .github/workflows/security-patch.yml
on:
  schedule:
    - cron: '0 2 * * 1'  # Weekly Monday 2am

jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: patched-codes/patchwork@v0.0.124
        with:
          patchflow: AutoFix
          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
          github_api_key: ${{ secrets.GITHUB_TOKEN }}

The workflow runs on schedule; Patchwork opens PRs for any found vulnerabilities; human reviews and merges.

Error handling

Steps raise exceptions on failure. Patchflow run() does not retry by default; failures propagate to the CLI and exit with non-zero status code. In CI, this fails the action, triggering normal CI failure notifications.

06

Memory Context

Patchwork OS — Memory & Context

Context model

Patchwork uses a single mutable Python dict as the execution context for a patchflow run. This dict is passed from Step to Step; each Step reads input keys and writes output keys.

context = {
    "openai_api_key": "...",
    "github_api_key": "...",
    "base_path": "/path/to/repo",
    # populated by ScanSemgrep:
    "vulnerability_details": "...",
    "source_code": "...",
    # populated by CallLLM:
    "llm_response": "...",
    # populated by ExtractCode:
    "fixed_code": "...",
    # ...
}

There is no session state, no database, no embedding store. Context is ephemeral — it exists only for the duration of one patchwork invocation.

Cross-run persistence

Patchwork has no cross-run memory. Each invocation is stateless from the framework's perspective.

However, Git is the implicit persistent memory:

  • CommitChanges writes a commit with the LLM's generated commit message
  • CreatePR opens a PR with change summary and compatibility risk from the LLM response
  • The PR description and diff become the permanent record of the automated action

Configuration as persistent state

.patchwork.yaml in the repository root stores project-level configuration (model choice, API keys, thresholds). This file is version-controlled and serves as the persistent configuration layer across runs.

No agent context window management

Patchwork is not an agent framework. There is no concept of context window, memory compaction, or multi-turn conversation. Each LLM call in a patchflow is a fresh request with a fully-rendered prompt assembled from context dict values.

For large codebases, SliceSource and FilterContext steps manage what gets included in each LLM call — but this is prompt assembly, not memory management.

Context schema documentation

Each built-in patchflow documents its required and optional context keys in its class docstring. For example, AutoFix requires:

Required:
  - openai_api_key or anthropic_api_key
  - github_api_key (for CreatePR step)
  - base_path (repository root)

Optional:
  - model (default: gpt-4o)
  - branch_prefix (default: "patchwork-")
  - pr_title (default: auto-generated)

Custom patchflows must document their own schemas.

07

Orchestration

Patchwork OS — Orchestration

Orchestration model

Patchwork uses linear sequential pipeline orchestration. A patchflow is a Python class that calls Steps in sequence; each Step's output feeds the next. There is no parallel execution, no branching, and no sub-agent delegation.

Patchflow.run()
  → Step1.run(context) → context updated
  → Step2.run(context) → context updated
  → Step3.run(context) → context updated
  → return context

No multi-agent architecture

Patchwork does not spawn sub-agents and does not have an orchestrator/worker pattern. There is one process, one patchflow, one sequential Step chain.

AgenticLLM is the closest thing to agent behavior: it loops on a single LLM call until the model stops issuing tool calls. This is an agentic loop within a single Step, not multi-agent coordination.

GitHub Actions as external orchestrator

The intended production orchestration is:

GitHub Actions trigger (schedule/PR/push)
  → run patchwork <PatchflowName>
  → patchwork creates PR
  → human reviews and merges

GitHub Actions handles scheduling, parallel workflows (e.g., AutoFix + PRReview run simultaneously on different triggers), and retry logic. Patchwork itself is the leaf node in this pipeline.

Custom orchestration via Python

Users can orchestrate multiple patchflows by writing Python scripts:

from patchwork.patchflows.AutoFix import AutoFix
from patchwork.patchflows.GenerateDocstring import GenerateDocstring

# Sequential
context = {"base_path": ".", "openai_api_key": "..."}
context = AutoFix(context).run()
context = GenerateDocstring(context).run()

Or call patchflows in CI matrix strategies to parallelize across repositories.

Step composition

Patchflow authors compose Steps by instantiating them in run() order. There is no DAG, no dependency resolution, and no conditional branching in the framework itself. Conditional logic must be written as Python if/else in the patchflow class.

Error propagation

Exceptions from any Step propagate up and terminate the patchflow. The CLI catches the exception and exits with a non-zero code. There is no retry mechanism, no partial completion state, and no rollback. If CreatePR fails after CommitChanges succeeded, the commit is left without a corresponding PR (requires manual recovery).

08

Ui Cli Surface

Patchwork OS — UI & CLI Surface

CLI

# Install
pip install patchwork-cli

# Run a patchflow
patchwork AutoFix --openai_api_key=<key> --github_api_key=<key>

# Run with config file
patchwork AutoFix --config=my-config.yaml

# List available patchflows
patchwork --list

# Help
patchwork --help
patchwork AutoFix --help

No interactive mode. CLI accepts flags or a YAML config file; runs to completion; exits. Output is to stdout/stderr.

Configuration file

.patchwork.yaml in the repository root:

model: gpt-4o
openai_api_key: ${OPENAI_API_KEY}
github_api_key: ${GITHUB_API_KEY}
branch_prefix: patchwork-
pr_draft: false

Environment variable interpolation (${VAR}) is supported.

GitHub Actions interface

- uses: patched-codes/patchwork@v0.0.124
  with:
    patchflow: AutoFix
    openai_api_key: ${{ secrets.OPENAI_API_KEY }}
    github_api_key: ${{ secrets.GITHUB_TOKEN }}
    # Any patchflow-specific config key can be passed here

The Action wraps the CLI; any CLI flag maps to an with: key.

No local UI

Patchwork has no web dashboard, no desktop app, and no TUI. The primary human surface is the GitHub PR it creates — the PR description, diff, and comments are the output interface.

Python API

from patchwork.patchflows.AutoFix import AutoFix

result = AutoFix({
    "base_path": "/path/to/repo",
    "openai_api_key": "sk-...",
    "github_api_key": "ghp_...",
}).run()

This allows programmatic invocation from other Python scripts or test harnesses.

Output artifacts

Depending on the patchflow:

Artifact Patchflows
GitHub PR AutoFix, DependencyUpgrade, GenerateDocstring, GenerateREADME, GenerateUnitTests, GenerateCodeUsageExample, ResolveIssue, SonarFix
PR comment PRReview
Markdown report LogAnalysis
Diagram file GenerateDiagram

The PR is the canonical output: it carries the commit message, change summary, and compatibility risk notes generated by the LLM, serving as a human-reviewable audit trail.

Logging

Patchwork uses Python's logging module. Log level is configurable via --log_level CLI flag (DEBUG, INFO, WARNING, ERROR). In CI contexts, step-by-step progress appears in the Actions log.

Related frameworks

same archetype · same primary tool · same memory type

claude-mem (thedotmack) ★ 78k
A8 Cross-runtime harness

Background worker service captures every tool call as an observation, AI-compresses sessions, and auto-injects relevant past…

pi (badlogic/earendil) ★ 55k
A8 Cross-runtime harness

A minimal, hackable, multi-provider terminal coding agent that adapts to your workflows via npm-installable TypeScript Extensions…

Agent Skills (Addy Osmani) ★ 46k
A8 Cross-runtime harness

Encodes senior-engineer software development lifecycle as 23 auto-routed skills and 7 slash commands for any AI coding agent.

wshobson/agents Plugin Marketplace ★ 36k
A8 Cross-runtime harness

Single Markdown source for 83 domain-specialized plugins that auto-generates idiomatic artifacts for five AI coding harnesses.

TabbyML/Tabby ★ 34k
A8 Cross-runtime harness

Self-hosted AI coding assistant server (alternative to GitHub Copilot) with admin dashboard, RAG-based completions, and multi-IDE…

Compound Engineering ★ 17k
A8 Cross-runtime harness

Make each unit of engineering work compound into easier future work via brainstorm→plan→execute→review→learn cycles.