AI Code Review¶
The code review feature analyzes a PR's changes and produces structured, actionable issues with severity ratings, suggested fixes, and per-issue chat.
Generating a Code Review¶
Open a PR in the web UI, then click Code Review in the toolbar. Optional parameters:
| Parameter | Default | Description |
|---|---|---|
| Max issues | -- | Limit the number of issues returned |
| Context lines | -- | Lines of surrounding context to include |
| Custom prompt | -- | Additional instructions for the reviewer (e.g., "focus on security") |
Click Generate to start. The review pipeline runs in three phases, with progress streamed in real-time.
Review Pipeline¶
- File-level review -- each changed file is analyzed independently for issues. Files are processed in parallel for speed.
- Cross-boundary check -- a second pass looks for cross-file wiring issues: changed function signatures with unchecked callers, renamed exports with stale imports, modified type definitions with unconverted consumers.
- Consolidation -- duplicates are merged, false positives pruned, and all issues get final severity ratings.
Severity Ratings¶
Issues are rated on a P0-P4 scale:
| Severity | Meaning | Action |
|---|---|---|
| P0 | Blocks merge | Correctness bug, security vulnerability, data loss risk |
| P1 | Should fix before merge | Significant logic error, missing error handling, API contract violation |
| P2 | Should fix soon | Edge case handling, suboptimal design, missing boundary validation |
| P3 | Consider fixing | Minor improvement, better naming, small refactoring opportunity |
| P4 | Nit | Style preference, optional cleanup |
P0 and P1 issues undergo extra self-verification: the reviewer must quote the exact problematic lines, trace a concrete triggering input, and confirm no existing guard clause prevents the issue. If it can't construct a real trigger, it drops the issue rather than downgrading.
Review Dimensions¶
The reviewer adapts focus to the content of the diff:
- Correctness -- logic errors, off-by-one, unhandled error paths, race conditions
- Security -- injection vulnerabilities, auth gaps, data exposure, insecure defaults
- Performance -- N+1 queries, unnecessary allocations, blocking in async code
- Design -- coupling issues, abstraction mismatches, breaking API changes
- Frontend -- accessibility, XSS, state management, missing error boundaries
- Cross-codebase wiring -- changed signatures with unchecked callers, stale imports after renames
Reading Issues¶
Each issue includes:
- Severity (P0-P4) and title
- File and line range -- clicking navigates to the issue location in the diff
- Description -- what the problem is and why it matters
- Suggested fix -- concrete code suggestion when possible
Issues are ordered by severity (P0 first), then by narrative flow within the same severity level.
Per-Issue Chat¶
At each issue, you can open the chat to discuss it with the AI assistant. The chat agent has the same codebase investigation tools as the walkthrough chat:
search_annotations-- search PR annotationsgrep_codebase-- regex search across the repolist_files-- browse the file treeread_file-- read file content with diffs
The agent thinks critically -- if its investigation contradicts the original issue, it says so directly rather than deferring to the prior analysis.
Dismissing Issues¶
If an issue is a false positive or not actionable, click the dismiss button to hide it. Dismissed issues are tracked per PR and won't reappear when switching between issues.
Tips¶
- Use the custom prompt to focus the review on specific concerns (e.g., "focus on SQL injection risks" or "check that all new endpoints require authentication")
- For large PRs, the reviewer processes files in parallel to keep generation fast
- Issues only flag lines that appear in the diff, not unchanged context lines