Automated Code Review

Overview

The automated code review system analyzes patches (git diffs, GitHub PRs, GitLab MRs) using Code Property Graph (CPG) analysis to provide comprehensive review feedback including:

  • Security vulnerability detection
  • Performance impact analysis
  • Error risk assessment
  • Architecture impact analysis
  • Definition of Done (DoD) validation
  • Scope-aware filtering with SARIF output

Quick Start

CLI Usage

# Review changes since a base ref
python -m src.cli review --base-ref HEAD~3

# Review staged changes only
python -m src.cli review --staged

# Review specific files
python -m src.cli review --files src/api/main.py src/api/auth.py

# Output as SARIF for CI integration
python -m src.cli review --base-ref HEAD~5 --format sarif --output-file report.sarif

# JSON output with separate SARIF file
python -m src.cli review --base-ref HEAD~3 --format json --sarif-file findings.sarif

# Skip security analysis
python -m src.cli review --base-ref HEAD~3 --no-security

# Custom database
python -m src.cli review --db data/projects/postgres.duckdb --base-ref origin/main

Programmatic Usage

import duckdb
from src.patch_review import ReviewWorkflow

# Connect to CPG database
from src.project_manager import ProjectManager
conn = duckdb.connect(ProjectManager.get_active_db_path())

# Configure DoD settings
dod_config = {
    'auto_generate': True,
    'interactive': False,
    'extraction': {
        'sources': ['pr_body', 'jira', 'commit_message'],
        'formats': ['checklist', 'yaml', 'markdown'],
    },
}

# Create workflow
workflow = ReviewWorkflow(conn, dod_config=dod_config)

# Run review
verdict = workflow.run(
    patch_source='git_diff',
    patch_data={'diff': diff_content},
    pr_body=pr_description,
    task_description=task_desc,
    interactive_mode=False,
)

# Access results
print(f"Score: {verdict.overall_score}/100")
print(f"Recommendation: {verdict.recommendation.value}")

# DoD validation results
if verdict.dod_validation:
    print(f"DoD Compliance: {verdict.dod_validation.compliance_score}%")

Architecture

Three-Layer Design

The code review system is organized into three layers, each serving a different use case:

┌─────────────────────────────────────────────────────────┐
│ Layer 1: CLI Review Pipeline (src/review/)              │
│   ReviewPipeline → ReviewAggregator → ReviewReport      │
│   Entry: python -m src.cli review                       │
│   Focus: CPG quality + security, SARIF, scope-aware     │
├─────────────────────────────────────────────────────────┤
│ Layer 2: Patch Review Workflow (src/patch_review/)      │
│   ReviewWorkflow (LangGraph) → Analyzers → Verdicts     │
│   Entry: ReviewWorkflow.run() / REST API / demo script  │
│   Focus: DoD, delta CPG, PR/MR integration              │
├─────────────────────────────────────────────────────────┤
│ Layer 3: Workflow Scenario 9 (src/workflow/scenarios/)  │
│   PRAnalyzer → ContextAggregator → ReviewReporter       │
│   Entry: MultiScenarioCopilot (scenario_id=code_review) │
│   Focus: LLM-based review, handler optimization         │
└─────────────────────────────────────────────────────────┘

Review Pipeline (Layer 1)

The CLI-facing pipeline lives in src/review/pipeline.py. It runs CPG quality queries (dead code, complexity, large methods) and security analysis, and outputs a ReviewReport with SARIF support.

Patch Review Workflow (Layer 2)

The LangGraph-based workflow in src/patch_review/. Parses patches from multiple sources, generates delta CPG, runs 4 impact analyzers, produces 4 verdicts, and validates DoD. Used by REST API and programmatic access.

Workflow Scenario 9 (Layer 3)

LLM-augmented review via src/workflow/scenarios/code_review.py. Three-agent architecture with handler-based optimization. Invoked through the MultiScenarioCopilot workflow engine.

CLI Command

Entry point: add_review_commands() in src/cli/review_command.py

python -m src.cli review [OPTIONS]

Arguments

Argument       Type    Default      Description
--db           PATH    auto-detect  Path to DuckDB CPG database
--base-ref     REF     (none)       Git base ref for diff review (e.g. HEAD~3, origin/main)
--staged       flag    false        Review staged changes only
--files        PATH…   (none)       Review specific files (one or more)
--no-security  flag    false        Skip security analysis
--format       choice  markdown     Output format: markdown, json, sarif
--output-file  PATH    stdout       Write output to file instead of stdout
--sarif-file   PATH    (none)       Write SARIF output to separate file (can be combined with other formats)

Exit Codes

Code  Meaning
0     No critical or high findings
1     Critical or high findings detected (or error)
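These exit codes make the command usable as a CI gate. A minimal sketch of the pattern, where `run_review` stands in for `python -m src.cli review --base-ref origin/main` (assumption: only the exit-code contract above is relied on):

```shell
# Stand-in for the review command; here it simulates exit code 1
# (critical/high findings detected, or an error).
run_review() { return 1; }

if run_review; then
  echo "review passed"
else
  echo "review failed: critical or high findings detected"
fi
```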

Review Pipeline

ReviewPipeline (src/review/pipeline.py) orchestrates the full CLI review flow.

Pipeline Steps

pipeline = ReviewPipeline(
    db_path: Optional[str] = None,
    base_ref: Optional[str] = None,
    files: Optional[List[str]] = None,
    staged: bool = False,
    include_security: bool = True,
)
report = pipeline.run()  # -> ReviewReport

The 8-step pipeline:

  1. Resolve DB path — uses provided db_path or ProjectManager.get_active_db_path()
  2. Check CPG status — compares cpg_git_state.commit_hash to git rev-list HEAD
  3. Load parse scope — reads cpg_parse_scope table for scope boundaries
  4. Determine changed files — via git diff --name-only, filters to code extensions
  5. Run quality analysis — ReviewAggregator.quality_findings_from_cpg(): dead code (fan_in=0), high complexity (CC≥15), large methods (LOC≥100)
  6. Run security analysis — SecurityPRReview (if enabled and base_ref provided)
  7. Aggregate and filter — scope-aware filtering: suppress, demote, or pass findings
  8. Build report — ReviewReport with findings, CPG status, metadata, duration

ReviewReport

src/review/models.py — aggregated review report.

@dataclass
class ReviewReport:
    findings: List[ReviewFinding]          # All filtered findings
    cpg_status: Optional[CPGStatus]        # CPG freshness info
    parse_scope: Optional[ParseScope]      # Analysis scope boundaries
    project_name: str                      # Detected project name
    base_ref: str                          # Git base reference
    duration_ms: float                     # Pipeline execution time
    suppressed_count: int                  # Findings suppressed by scope
    metadata: Dict[str, Any]              # Extra info (db_path, counts)

Methods:

  • severity_counts() -> Dict[str, int] — count findings by severity
  • to_markdown() -> str — formatted markdown report
  • to_dict() -> Dict[str, Any] — JSON-serializable dict
  • to_sarif() -> Dict[str, Any] — SARIF 2.1.0 output
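For illustration, severity_counts() can be mimicked with a few lines (the Finding stand-in below is a simplified stand-in, not the real ReviewFinding from src/review/models.py):

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Finding:
    """Simplified stand-in for ReviewFinding, for illustration only."""
    file: str
    severity: str
    line: Optional[int] = None

def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, mirroring ReviewReport.severity_counts()."""
    return dict(Counter(f.severity for f in findings))

findings = [Finding("a.py", "high"), Finding("b.py", "high"), Finding("c.py", "low")]
print(severity_counts(findings))  # {'high': 2, 'low': 1}
```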

ReviewFinding

src/review/models.py — a single code review finding from quality or security analysis.

@dataclass
class ReviewFinding:
    file: str                              # Source file path
    line: Optional[int]                    # Line number
    type: str                              # Finding type (dead_code, high_complexity, etc.)
    severity: str                          # critical|high|medium|low|info
    message: str                           # Human-readable description
    suggestion: Optional[str]              # Fix suggestion
    metric_value: Optional[float]          # Numeric metric (CC, LOC, fan_in)
    scope_limited: bool                    # True if affected by partial scope
    source: str                            # "quality" or "security"

CPGStatus

src/review/models.py — CPG database freshness status.

@dataclass
class CPGStatus:
    available: bool         # True if DB exists and readable
    fresh: bool             # True if commits_behind == 0
    commits_behind: int     # Number of commits since last CPG update
    commit_hash: str        # CPG's recorded commit hash
    db_path: str            # Database file path

ParseScope

src/review/models.py — describes the boundaries of CPG analysis.

@dataclass
class ParseScope:
    source_path: str                       # Root source directory
    language: str                          # Primary language
    include_tests: bool                    # Whether tests are in CPG
    include_paths: List[str]               # Selective inclusion paths
    exclude_paths: List[str]               # Explicit exclusions
    default_excludes: List[str]            # Default excluded patterns
    import_mode: str                       # "full" or "selective"

Properties:

  • tests_in_scope: bool — were tests included in CPG?
  • is_partial: bool — has excludes or selective mode?
  • all_excludes: List[str] — combined explicit + default excludes
  • path_in_scope(path) -> bool — check if file falls within scope
  • scope_disclaimer() -> str — markdown disclaimer for reports
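A sketch of how path_in_scope could work (the exact matching semantics — prefix vs. glob — are assumptions for illustration, not the real implementation):

```python
from fnmatch import fnmatch
from typing import List

def path_in_scope(path: str,
                  exclude_paths: List[str],
                  include_paths: List[str],
                  import_mode: str = "full") -> bool:
    """Sketch: a path is out of scope if it matches any exclude; in selective
    mode it must additionally fall under an include path."""
    def matches(p: str, pattern: str) -> bool:
        # Treat patterns as directory prefixes or shell-style globs.
        return p.startswith(pattern.rstrip("/") + "/") or fnmatch(p, pattern)

    if any(matches(path, ex) for ex in exclude_paths):
        return False
    if import_mode == "selective" and include_paths:
        return any(matches(path, inc) for inc in include_paths)
    return True

print(path_in_scope("vendor/lib.py", ["vendor/"], []))    # False
print(path_in_scope("src/api/main.py", ["vendor/"], []))  # True
```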

SARIF Output

The Review Pipeline supports SARIF 2.1.0 (Static Analysis Results Interchange Format) output for CI/CD integration.

# Direct SARIF output
python -m src.cli review --base-ref HEAD~5 --format sarif --output-file report.sarif

# Markdown output + separate SARIF file
python -m src.cli review --base-ref HEAD~5 --format markdown --sarif-file findings.sarif

ReviewReport.to_sarif() generates:

{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": {
      "driver": {
        "name": "CodeGraph Review",
        "version": "1.0.0",
        "rules": [
          {"id": "dead_code", "shortDescription": {"text": "Dead Code"}},
          {"id": "high_complexity", "shortDescription": {"text": "High Complexity"}}
        ]
      }
    },
    "results": [
      {
        "ruleId": "high_complexity",
        "level": "warning",
        "message": {"text": "`MyClass.process` has cyclomatic complexity 25"},
        "locations": [{
          "physicalLocation": {
            "artifactLocation": {"uri": "src/service.py"},
            "region": {"startLine": 42}
          }
        }]
      }
    ]
  }]
}

Severity mapping: critical/high → error, medium → warning, low/info → note.
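The mapping is small enough to express as a dict lookup (a restatement of the rule above, not the pipeline's actual code):

```python
def sarif_level(severity: str) -> str:
    """Map review severities to SARIF result levels:
    critical/high -> error, medium -> warning, low/info -> note."""
    return {"critical": "error", "high": "error", "medium": "warning"}.get(severity, "note")

print(sarif_level("medium"))  # warning
```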

Scope-Aware Filtering

ReviewAggregator (src/review/aggregator.py) applies scope-aware filtering based on ParseScope:

Rule                   Condition                Action
Suppress missing_test  tests_in_scope == false  Finding removed
Demote dead_code       is_partial == true       Severity → info, scope_limited = true
Demote blast_radius    is_partial == true       Severity → info, scope_limited = true

Configuration (in config.yaml under the review_pipeline key):

review_pipeline:
  scope_aware_filtering: true
  suppress_tests_outside_scope: true
  demote_dead_code_partial_scope: true

When scope is limited, the markdown report includes a disclaimer:

> **Limited analysis scope**
>
> CPG built with exclusions: `vendor/`, `generated/`
>
> This means:
> - Dead code findings may be false positives (callers may exist in excluded modules)
> - Blast radius is underestimated (call graph does not include excluded modules)

Patch Review Workflow

ReviewWorkflow (src/patch_review/workflow/review_workflow.py) — LangGraph-based workflow for deep patch analysis with DoD support.

Workflow Pipeline

parse_patch → extract_dod → [generate_dod] → [confirm_dod] → generate_delta_cpg
    ↓
run_analyzers → generate_verdicts → aggregate_verdict → validate_dod → format_output

Notes:

  • [generate_dod] runs only if DoD is not found in sources and auto_generate: true
  • [confirm_dod] runs only in interactive mode (--interactive flag)

LangGraph Nodes (11):

  1. parse_patch — PatchParser (git_diff, github_pr, gitlab_mr)
  2. extract_dod — DoDExtractor (multi-source)
  3. generate_dod — DoDGenerator (LLM-based)
  4. confirm_dod — DoDConfirmer (interactive CLI)
  5. generate_delta — DeltaCPGGenerator
  6. run_analyzers — PatchCallGraphAnalyzer, PatchDataFlowAnalyzer, PatchControlFlowAnalyzer, PatchDependencyAnalyzer
  7. generate_verdicts — SecurityVerdictGenerator, PerformanceVerdictGenerator, ErrorVerdictGenerator, ArchitectureVerdictGenerator
  8. validate_dod — DoDValidator
  9. aggregate_verdict — VerdictAggregator
  10. format_output — JSONFormatter, MarkdownFormatter, PRCommentFormatter
  11. handle_error — error handling

Components

Component                     Description
PatchParser                   Parses git diffs, GitHub PRs, GitLab MRs into PatchContext
DoDExtractor                  Extracts DoD from PR body, Jira, commit message
DoDGenerator                  Generates DoD using LLM when not found
DoDConfirmer                  Interactive CLI confirmation for DoD (review, edit, skip)
DeltaCPGGenerator             Creates delta CPG overlay for changes
PatchCallGraphAnalyzer        Call graph impact analysis
PatchDataFlowAnalyzer         Data flow / taint path analysis
PatchControlFlowAnalyzer      Control flow / complexity analysis
PatchDependencyAnalyzer       Dependency / coupling analysis
SecurityVerdictGenerator      Security verdict from dataflow results
PerformanceVerdictGenerator   Performance verdict from control flow + call graph
ErrorVerdictGenerator         Error verdict from control flow
ArchitectureVerdictGenerator  Architecture verdict from call graph + dependency
DoDValidator                  Validates DoD against review findings
VerdictAggregator             Combines verdicts into final ReviewVerdict

Definition of Done (DoD)

DoD Sources

The system extracts DoD from multiple sources (configurable priority):

  1. PR Body — Markdown checklist in PR/MR description
  2. Jira — Custom field or description from linked ticket
  3. Commit Message — DoD section in first commit
  4. Manual Input — CLI or API input
  5. Auto-Generated — LLM generates from task description

DoD Formats

Supported formats for DoD extraction:

Markdown Checklist

## Definition of Done

- [ ] Feature works as expected
- [ ] No security vulnerabilities introduced
- [ ] Unit tests added
- [ ] Documentation updated

YAML Block

dod:
  - description: Feature works as expected
    type: functional
  - description: Unit tests pass
    type: test

JSON Block

{
  "dod": [
    {"description": "Feature works", "type": "functional"},
    {"description": "Tests pass", "type": "test"}
  ]
}
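As a sketch of how checklist extraction might look (the regex and section handling here are illustrative assumptions, not the DoDExtractor implementation):

```python
import re
from typing import Dict, List

def parse_checklist(body: str) -> List[Dict[str, object]]:
    """Sketch: pull '- [ ]' / '- [x]' items out of a 'Definition of Done' section.
    If no such heading exists, scan the whole body."""
    parts = re.split(r"^#+\s*Definition of Done\s*$", body,
                     flags=re.MULTILINE | re.IGNORECASE)
    text = parts[1] if len(parts) > 1 else body
    return [
        {"description": m.group(2).strip(), "checked": m.group(1).lower() == "x"}
        for m in re.finditer(r"^[-*] \[([ xX])\] (.+)$", text, re.MULTILINE)
    ]

body = "## Definition of Done\n\n- [ ] Unit tests added\n- [x] Docs updated\n"
print(parse_checklist(body))
```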

Criterion Types

Type           Description           Validation
functional     Feature requirements  Manual review (cannot auto-validate)
security       No vulnerabilities    Security verdict score
test           Tests added/passing   Error verdict suggestions
documentation  Docs updated          Manual review
performance    No regressions        Performance verdict score
code_quality   Style compliance      Architecture verdict score

Interactive DoD Confirmation

When running with --interactive flag, users can review and modify DoD before the review proceeds:

============================================================
DEFINITION OF DONE - CONFIRMATION
============================================================

Current DoD (from pr_body):
----------------------------------------
  1. [FUNC] Feature works as expected
  2. [SECU] No security vulnerabilities introduced
  3. [TEST] Unit tests added for new functionality
  4. [PERF] No performance regressions
  5. [CODE] Code follows project style guidelines
----------------------------------------
Total: 5 items

Options:
  [c] Confirm and continue
  [e] Edit items
  [a] Add new item
  [r] Remove item
  [s] Skip DoD validation
  [q] Quit review

Options:

  • Confirm (c) — Accept current DoD and proceed with review
  • Edit (e) — Modify item descriptions and types
  • Add (a) — Add new DoD items with type selection
  • Remove (r) — Delete items from the list
  • Skip (s) — Skip DoD validation entirely (review proceeds without DoD)
  • Quit (q) — Cancel the review

Type shortcuts for adding/editing:

Shortcut  Type
f         Functional
s         Security
t         Test
d         Documentation
p         Performance
q         Code Quality

DoD Validation

Each DoD item is validated against review findings:

  • Security items: Validated against security verdict (critical/high findings fail)
  • Test items: Validated against test suggestions count
  • Performance items: Validated against performance score
  • Code Quality items: Validated against architecture score
  • Functional/Documentation: Cannot be auto-validated (pending for manual review)
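The per-type dispatch can be sketched as follows (the input shape and the score threshold of 70 are assumptions for illustration, not the DoDValidator API):

```python
from typing import Dict

def validate_item(item_type: str, results: Dict[str, float]) -> str:
    """Return 'satisfied', 'failed', or 'pending' for one DoD item."""
    if item_type == "security":
        return "failed" if results.get("security_critical_high", 0) else "satisfied"
    if item_type == "test":
        return "failed" if results.get("test_suggestions", 0) else "satisfied"
    if item_type == "performance":
        return "satisfied" if results.get("performance_score", 0) >= 70 else "failed"
    if item_type == "code_quality":
        return "satisfied" if results.get("architecture_score", 0) >= 70 else "failed"
    return "pending"  # functional / documentation: manual review

results = {"security_critical_high": 1, "performance_score": 85}
print(validate_item("security", results))    # failed
print(validate_item("functional", results))  # pending
```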

REST API

src/api/routers/review.py provides 7 endpoints under the /review prefix.

Review Endpoints

POST /review/patch

Review a git diff/patch.

# Request: PatchReviewRequest
{
    "patch_content": "diff --git a/...",       # required
    "task_description": "Add auth feature",     # optional
    "dod_items": ["Tests pass", "No vulns"],    # optional
    "output_format": "json"                     # json|markdown|yaml
}
# Header: Authorization (JWT)
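A hypothetical client-side call using only the fields documented above (the base URL and token value are placeholders; the request is constructed but not sent):

```python
import json
from urllib.request import Request

payload = {
    "patch_content": "diff --git a/src/auth.py b/src/auth.py\n...",
    "task_description": "Add auth feature",
    "dod_items": ["Tests pass", "No vulns"],
    "output_format": "json",
}
req = Request(
    "http://localhost:8000/review/patch",   # base URL is an assumption
    data=json.dumps(payload).encode(),
    headers={"Authorization": "Bearer <jwt>", "Content-Type": "application/json"},
    method="POST",
)
# urllib.request.urlopen(req) would submit the review;
# the response body follows the ReviewResponse model.
```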

POST /review/pr

Review a GitHub Pull Request.

# Request: GitHubPRReviewRequest
{
    "owner": "myorg",
    "repo": "myrepo",
    "pr_number": 123,
    "task_description": "...",    # optional
    "dod_items": [...]            # optional
}
# Header: X-GitHub-Token (required)

POST /review/mr

Review a GitLab Merge Request.

# Request: GitLabMRReviewRequest
{
    "project_id": "group/project",
    "mr_iid": 456,
    "gitlab_url": "https://gitlab.com",   # default
    "task_description": "...",
    "dod_items": [...]
}
# Header: X-GitLab-Token (required)

POST /review/sourcecraft

Review a SourceCraft Merge Request (Yandex Cloud).

# Request: SourceCraftMRReviewRequest
{
    "project_id": "project-id",
    "mr_iid": 789,
    "sourcecraft_url": "https://api.sourcecraft.yandex.cloud",   # default
    "task_description": "...",
    "dod_items": [...]
}
# Header: X-SourceCraft-Token (required)

POST /review/gitverse

Review a GitVerse Pull Request (Sber).

# Request: GitVersePRReviewRequest
{
    "project_id": "owner/repo",
    "pr_number": 101,
    "gitverse_url": "https://gitverse.ru/api/v1",   # default
    "task_description": "...",
    "dod_items": [...]
}
# Header: X-GitVerse-Token (required)

Utility Endpoints

POST /review/summary

Generate a structured MR summary from diff content.

# Request: SummaryRequest
{"diff_content": "...", "title": "...", "description": "..."}

# Response: SummaryResponse
{
    "summary": "This MR adds authentication...",
    "changed_files": ["src/auth.py"],
    "additions": 45,
    "deletions": 12,
    "changed_methods": ["authenticate", "reset_password"],
    "risk_areas": ["SQL injection in auth.py"]
}

POST /review/commit-message

Generate a conventional commit message from diff.

# Request: CommitMessageRequest
{"diff_content": "..."}

# Response: CommitMessageResponse
{"message": "feat(auth): add password reset flow", "type": "feat", "scope": "auth", "files_changed": 3}

Response Model

All review endpoints return ReviewResponse:

class ReviewResponse:
    recommendation: str      # APPROVE | REQUEST_CHANGES | COMMENT | BLOCK
    score: float             # 0-100
    findings: List[Finding]
    dod_validation: Optional[List[DODItem]]
    summary: str
    processing_time_ms: float
    request_id: str
    metadata: Dict[str, Any]

Workflow Scenario 9

src/workflow/scenarios/code_review.py — LLM-augmented code review invoked through the MultiScenarioCopilot workflow engine.

Three-Agent Architecture

Agent 1: PRAnalyzer — parses PR/diff data

  • parse_pr_diff(diff_text, pr_metadata) -> Dict — parse unified diff
  • extract_changed_methods(pr_data) -> List[ChangedMethod] — extract methods
  • identify_affected_subsystems(changed_files) -> List[str] — identify subsystems

Agent 2: ContextAggregator — gathers CPG context

  • Constructor: ContextAggregator(cpg_service: CPGQueryService)
  • gather_method_context(method_id) -> MethodContext — callers, callees, complexity, test count
  • find_impacted_methods(changed_methods) -> List[Dict] — blast radius
  • check_test_coverage(changed_methods) -> Dict — test coverage report

Agent 3: ReviewReporter — generates review output

  • analyze_changes(pr_data, method_contexts, test_coverage) -> List[ReviewFinding]
  • calculate_review_score(findings) -> float — 0-100 score
  • recommend_action(score, findings) -> ReviewAction — APPROVE | REQUEST_CHANGES | COMMENT
  • generate_review_report(pr_data, findings, method_contexts) -> ReviewReport

Code Review Handlers

src/workflow/scenarios/code_review_handlers/ — handler-based optimization (Phase 2) loaded dynamically via integrate_handlers().

Handler                 Priority  Description
CallerAnalysisHandler   3         Analyzes callers of changed methods
SignatureImpactHandler  5         Analyzes impact of signature changes
PRImpactHandler         10        Overall PR impact analysis (files, blast radius)
ChangeRiskHandler       20        Risk assessment (risk score, review priority)

Intent Detector

CodeReviewIntentDetector maps user queries to handler types:

Intent Type        Priority  Keywords
pr_impact          10        PR impact, pull request, affected, blast radius
change_risk        20        risk, risky, dangerous, critical change
review_priority    30        review priority, what to review, focus review
dependency_impact  40        dependency, caller, callee, transitive
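The keyword routing can be sketched like this (keyword lists come from the table; the substring-matching strategy is an assumption, not the CodeReviewIntentDetector implementation):

```python
from typing import Optional

INTENT_KEYWORDS = [  # ordered by priority (lower number = checked first)
    ("pr_impact", ["pr impact", "pull request", "affected", "blast radius"]),
    ("change_risk", ["risk", "risky", "dangerous", "critical change"]),
    ("review_priority", ["review priority", "what to review", "focus review"]),
    ("dependency_impact", ["dependency", "caller", "callee", "transitive"]),
]

def detect_intent(query: str) -> Optional[str]:
    """Return the first intent whose keywords appear in the query, else None."""
    q = query.lower()
    for intent, keywords in INTENT_KEYWORDS:
        if any(kw in q for kw in keywords):
            return intent
    return None

print(detect_intent("What is the blast radius of this PR?"))  # pr_impact
```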

Configuration

config/code_review.yaml

# Definition of Done Configuration
dod:
  sources:
    - pr_body
    - jira
    - commit_message
    - manual
  source_priority:
    - pr_body
    - jira
    - commit_message
  formats:
    - checklist
    - yaml
    - markdown
    - json
  auto_generate: true
  interactive_confirm: false

  # Jira integration
  jira:
    url: ${JIRA_URL}
    api_key: ${JIRA_API_KEY}
    dod_field: "customfield_10001"

  # DoD generation settings (when auto_generate=true)
  generation:
    use_llm: true
    fallback_to_rules: true
    include_security: true
    include_performance: true
    require_tests: true

  # Validation settings
  validation:
    strict_mode: false
    blocking_severities:
      - critical
      - high

# Review Policy
policy:
  block_on_critical_security: true
  block_on_high_security: false
  block_on_critical_errors: true
  block_on_breaking_changes: false
  min_score_to_approve: 70.0
  min_score_to_comment: 60.0
  max_critical_findings: 0
  max_high_findings: 5
  max_complexity_increase: 20
  require_dod_compliance: false
  min_dod_compliance_score: 60.0
  custom_rules: []

# Analyzer Configuration
analyzers:
  call_graph:
    enabled: true
    max_depth: 5
    include_indirect: true
  dataflow:
    enabled: true
    max_path_length: 10
    sanitization_threshold: 0.7
  control_flow:
    enabled: true
    complexity_threshold: 10
    max_nesting_depth: 5
  dependency:
    enabled: true
    check_circular: true
    max_coupling_increase: 0.2

# Verdict Weights
verdicts:
  weights:
    security: 0.35
    performance: 0.20
    error: 0.25
    architecture: 0.20
  dod_compliance_weight: 0.10
  thresholds:
    block: 40
    request_changes: 60
    comment: 80
    approve: 80

# Output Configuration
output:
  formats:
    - json
    - markdown
    - pr_comment
  include_dod: true
  include_findings: true
  include_snippets: true
  max_findings_per_category: 10
  pr_comment:
    max_length: 10000
    use_emoji: true
    collapsible_sections: true
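Using the weights from the verdicts section above, the category blend can be computed directly. How the thresholds are applied is sketched here under a stated assumption (thresholds treated as lower bounds, checked from the top down):

```python
weights = {"security": 0.35, "performance": 0.20, "error": 0.25, "architecture": 0.20}
scores  = {"security": 40.0, "performance": 80.0, "error": 70.0, "architecture": 90.0}

# 0.35*40 + 0.20*80 + 0.25*70 + 0.20*90 = 14 + 16 + 17.5 + 18 = 65.5
weighted = sum(weights[k] * scores[k] for k in weights)
print(round(weighted, 2))  # 65.5

def recommend(score: float) -> str:
    """Assumption: thresholds are lower bounds (approve >= 80, comment >= 60, ...)."""
    if score >= 80: return "APPROVE"
    if score >= 60: return "COMMENT"
    if score >= 40: return "REQUEST_CHANGES"
    return "BLOCK"

print(recommend(weighted))  # COMMENT
```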

Environment Variables

Variable      Description
JIRA_URL      Jira server URL for DoD extraction
JIRA_API_KEY  Jira API authentication key
GITHUB_TOKEN  GitHub API token for PR access
GITLAB_TOKEN  GitLab API token for MR access

API Reference

ReviewWorkflow

workflow = ReviewWorkflow(
    conn: duckdb.DuckDBPyConnection,
    config: Optional[AggregationConfig] = None,
    policy: Optional[ReviewPolicy] = None,
    dod_config: Optional[Dict[str, Any]] = None,
)

verdict = workflow.run(
    patch_source: str,          # 'git_diff', 'github_pr', 'gitlab_mr'
    patch_data: Dict[str, Any],
    session_id: Optional[str] = None,
    policy: Optional[ReviewPolicy] = None,
    task_description: Optional[str] = None,
    pr_body: Optional[str] = None,
    jira_ticket: Optional[str] = None,
    interactive_mode: bool = False,
)

ReviewVerdict

src/patch_review/models.py — final aggregated review verdict.

@dataclass
class ReviewVerdict:
    # Core
    patch_id: str
    overall_score: float                      # 0-100
    recommendation: Recommendation            # APPROVE, REQUEST_CHANGES, BLOCK, COMMENT
    security: SecurityVerdict
    performance: PerformanceVerdict
    error: ErrorVerdict
    architecture: ArchitectureVerdict

    # Aggregated findings
    all_findings: List[Finding]
    critical_count: int
    high_count: int
    medium_count: int
    low_count: int

    # Impact metrics
    blast_radius_score: float                 # 0-100, higher = smaller radius
    review_time_seconds: float
    summary: str
    reviewed_at: Optional[datetime]

    # DoD
    dod_validation: Optional[DoDValidationResult]
    dod_compliance_score: float               # 0-100, default 100.0

    # Identification
    review_id: str                            # auto-generated REVIEW_xxxx
    session_id: str

DoDValidationResult

@dataclass
class DoDValidationResult:
    dod: DefinitionOfDone
    total_items: int
    satisfied_count: int
    failed_count: int
    pending_count: int
    compliance_score: float                   # 0-100
    blocking_failures: List[DoDItem]

    @property
    def is_compliant(self) -> bool:
        """Computed property: True if failed_count == 0 and pending_count == 0."""
        ...

Note: is_compliant is a @property, not a dataclass field. It is computed from failed_count and pending_count.

ReviewPolicy

src/patch_review/models.py — configurable review policy.

@dataclass
class ReviewPolicy:
    block_on_critical_security: bool = True
    block_on_high_security: bool = False
    block_on_critical_errors: bool = True
    block_on_breaking_changes: bool = False
    min_score_to_approve: float = 70.0
    min_score_to_comment: float = 60.0
    max_critical_findings: int = 0
    max_high_findings: int = 5
    max_complexity_increase: int = 20
    custom_rules: List[PolicyRule] = field(default_factory=list)

PolicyRule fields: rule_id, name, condition, action ("block", "warn", "comment"), message.

Output Formats

JSON Output

{
  "patch_id": "PATCH_abc123",
  "overall_score": 45.5,
  "recommendation": "REQUEST_CHANGES",
  "dod_compliance_score": 60.0,
  "findings": [...],
  "dod_validation": {
    "compliance_score": 60.0,
    "items": [
      {"description": "...", "satisfied": true, "evidence": "..."},
      {"description": "...", "satisfied": false, "evidence": "..."}
    ]
  }
}

Markdown Output

## Patch Review Summary

**Overall Score:** 45/100
**Recommendation:** REQUEST_CHANGES

### Definition of Done

**Compliance Score:** 60%

- [+] Feature works as expected
- [-] No security vulnerabilities introduced
  - Evidence: Security issues found: SQL Injection
- [?] Unit tests added (pending manual review)

### Security Findings

1. [HIGH] SQL Injection vulnerability
   - Location: src/auth/login.py:14
   - CWE-89

Troubleshooting

“DoD not found”

If DoD is not being extracted:

  1. Check that PR body contains DoD section with correct format
  2. Verify dod.sources includes your source type
  3. Check dod.formats includes your DoD format
  4. Enable auto_generate: true to generate when not found

“DoD validation skipped”

DoD validation requires:

  • DoD successfully extracted or generated
  • Review verdict generated
  • No workflow errors

“Jira extraction failed”

  1. Verify JIRA_URL and JIRA_API_KEY environment variables
  2. Check Jira API permissions
  3. Verify dod_field points to correct custom field

“CPG is N commit(s) behind HEAD”

The CPG database is stale. Re-run import:

gocpg parse --input=/path/to/source --output=project.duckdb

Examples

Demo Script

A demo script is available at examples/demo_patch_review.py:

python examples/demo_patch_review.py --db data/projects/postgres.duckdb
python examples/demo_patch_review.py --no-dod
python examples/demo_patch_review.py --auto-dod
python examples/demo_patch_review.py --interactive

GitHub PR Integration

pr_data = {
    'number': 123,
    'title': 'Add authentication',
    'body': pr_body_with_dod,
    'diff_url': 'https://api.github.com/repos/...',
}

verdict = workflow.run(
    patch_source='github_pr',
    patch_data=pr_data,
    pr_body=pr_data['body'],
)

GitLab MR Integration

mr_data = {
    'iid': 456,
    'title': 'Add authentication',
    'description': mr_description_with_dod,
}

verdict = workflow.run(
    patch_source='gitlab_mr',
    patch_data=mr_data,
    pr_body=mr_data['description'],
)

Manual DoD Creation

from src.patch_review.dod import DoDExtractor

extractor = DoDExtractor()
dod = extractor.create_manual_dod(
    items=[
        "Feature works as expected",
        "No security vulnerabilities",
        "Unit tests added",
    ],
    types=["functional", "security", "test"],
)