leerness gate reads every pull request's claims and fails the check when the evidence isn't there — no test run, a file that was never touched, a comment-only stub. The merge waits for reality.
The same engine behind leerness's verify-claim — now reading the PR diff itself.
The description claims work but shows no test run, results, or verification — the most common bluff.
It says it implemented payment.js, but that file isn't in the diff at all.
The claimed file is added — but every new line is a comment or blank. A shell pretending to be code.
"10 tests passed," but the diff adds two. Flagged as a warning before you trust the number.
It runs independently of the agent — on Cloudflare's edge, with read-only repo access — so a cooperative-by-default agent can't skip it.
GitHub sends a signed webhook to the Worker. The signature is verified before anything runs.
It fetches the changed files and checks the description's claims against what actually changed.
A pass/fail check lands on the PR. Mark it required, and a failing claim can't merge.
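One way to implement three of the checks described above (no verification evidence, claimed file absent from the diff, comment-only stub), added here as an example and not leerness's own code. The regexes, the function names and the sample PR are assumptions; the file objects use the `filename` and `patch` fields that GitHub's pull request files API returns.

```javascript
// Added example: heuristics only, not leerness's code. File objects use the
// filename/patch fields of GitHub's "list pull request files" response.
const FILE_RE = /[\w./-]+\.(?:js|ts|jsx|tsx|py|go|rs|rb|json|css|html)\b/g;
const COMMENT_RE = /^\s*(\/\/|\/\*|\*|#)/; // rough: common comment openers
const EVIDENCE_RE =
  /\b\d+\s+tests?\s+pass(ed|ing)?\b|\b(npm|yarn|pnpm)\s+(run\s+)?test\b/i;

// Lines a patch adds, without the leading "+". GitHub's patch field starts
// at the "@@" hunk header, so there is no "+++" file header to skip.
function addedLines(patch = "") {
  return patch.split("\n")
    .filter((l) => l.startsWith("+"))
    .map((l) => l.slice(1));
}

// True when the patch adds lines and every one is a comment or blank.
function isCommentOnly(patch) {
  const lines = addedLines(patch);
  return lines.length > 0 &&
    lines.every((l) => l.trim() === "" || COMMENT_RE.test(l));
}

function checkClaims(description, files) {
  const issues = [];
  if (!EVIDENCE_RE.test(description)) {
    issues.push("No verification evidence in the description.");
  }
  for (const claim of new Set(description.match(FILE_RE) || [])) {
    // A bare name such as "payment.js" also matches "src/payment.js".
    const hit = files.find(
      (f) => f.filename === claim || f.filename.endsWith("/" + claim));
    if (!hit) {
      issues.push(`Claimed file absent from the PR diff: ${claim}`);
    } else if (isCommentOnly(hit.patch)) {
      issues.push(`Claimed file is comment-only: ${hit.filename}`);
    }
  }
  return { pass: issues.length === 0, issues };
}

// Constructed sample PR: claims two files, ships one stub and a README edit.
const sampleFiles = [
  { filename: "src/refund.js",
    patch: "@@ -0,0 +1,3 @@\n+// TODO: implement refunds\n+\n+/* placeholder */" },
  { filename: "README.md", patch: "@@ -1 +1,2 @@\n # checkout\n+Docs." },
];
const sampleVerdict = checkClaims(
  "Implemented payment.js and refund.js. Everything works.", sampleFiles);
console.log(sampleVerdict.pass ? "PASS" : "FAIL", sampleVerdict.issues);
```

A file with no `patch` field (GitHub omits it for binary files) is treated as present and not as a stub.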
Uses your existing gh login. Same verdict the hosted check produces — exits non-zero on failure, so you can wire it into a local pre-push hook too.
    # preview the leerness gate on a real PR
    $ npx leerness-gate acme/checkout 42
    # leerness gate preview — acme/checkout #42
    FAIL — leerness gate: 1 issue(s) found
    ✕ Claimed file absent from the PR diff: payment.js
    ✕ No verification evidence in the description.
    # fix the PR, run again →
    PASS — leerness gate: claims verified ✓
Deploy the Worker, register the App from a one-click manifest, set three secrets. Zero runtime dependencies, least-privilege permissions (contents: read), no secrets in the repo.
    $ npx wrangler login
    $ npm run deploy   # → your Worker URL
    # open deploy/register.html → create the App
    $ npx wrangler secret put GITHUB_WEBHOOK_SECRET
    $ npx wrangler secret put GITHUB_APP_ID
    $ npx wrangler secret put GITHUB_APP_PRIVATE_KEY
    $ npm run deploy   # live ✓