Releases: infiniumtek/code-review-agent

v1.0.0

27 May 01:57

code-review-agent v1.0.0

First stable release. An LLM-first, multi-language code & CI/CD review agent built on LangGraph, with review expertise delivered as portable Agent Skills (SKILL.md) rather than hard-coded personas.

Highlights

  • Multi-language review. Each changed file is classified by language/target and reviewed by the matching skill — bugs, security, performance, and improvement findings. Bundled skills: Python, JavaScript/TypeScript (.js/.jsx/.ts/.tsx), Java, plus optional CI/infra skills for Dockerfile, GitHub Actions, GitLab CI, and Jenkins.
  • LangGraph pipeline. Orchestrated StateGraph with Send fan-out: ingest → detect → per-unit review fan-out → aggregate → report. One-shot run (no checkpointer).
  • Multi-provider LLMs. OpenAI (default gpt-5-mini), Anthropic, and Google Gemini, selectable via config. Structured output with a tolerant free-form-JSON fallback, plus retry/timeout handling.
  • Runs locally or in CI. A Typer CLI reviews a local git diff; the same entrypoint runs in the worker container for GitHub Actions, GitLab CI, and Jenkins — no webhook server.
  • Composable, idempotent reporters. terminal, file (Markdown/JSON artifact), github (PR comment), and gitlab (MR note). SCM reporters locate their existing bot comment by a stable hidden marker and update it in place. auto selects the detected-platform reporter + terminal.

Security & trust model

  • Read-and-report only — the agent never writes to or auto-fixes the reviewed repository.
  • Prompt-injection hardening — reviewed code, comments, and CI YAML are treated as untrusted data, not instructions.
  • Fail-closed config in CI — review.toml is read from the trusted base ref (git show <ref>:review.toml), never the PR head; a CI run with no trusted ref fails closed rather than reading PR-controlled config.
  • Gated repo-local skills — repository-provided skills are honored only when an operator sets ALLOW_REPO_SKILLS=true.
  • Skills are prompt-only — no execution of skill-bundled scripts.

Packaging & tooling

  • Python 3.13 · uv (pinned uv.lock) · Pydantic v2 · LangGraph v1.
  • Docker image published to GHCR on v* tags; langgraph build / langgraph dev (Studio) supported.
  • Quality gates: ruff, mypy --strict, and a pytest suite (212 tests).

Getting started

python3.13 -m venv .venv && source .venv/bin/activate
pip install uv && uv sync --inexact --extra dev
cp .env.example .env   # add at least one LLM API key
make review            # review the current git diff

See the README for CI integration examples and configuration.
Findings are advisory and AI-generated; treat them as input to human review, not a gate.