Python Code Review with LGTM

Tree-sitter parses every .py file in the repo at index time, extracting module-level functions, classes, methods, decorated handlers, and imports. The indexer respects __init__.py re-exports and follows the import graph so the 'who calls this?' lookup works across packages.

Per-PR review: the diff plus the 5-15 highest PageRank-ranked symbols (called functions, referenced types, imported modules) get attached to each agent's prompt. The Bugs agent for Python looks specifically at: mutable default args, missing `await`, exception swallowing (bare `except:`), unclosed file handles, integer division surprises (`/` vs `//`), and missing type hints on public APIs in repos that use them elsewhere.

Python's flexibility means a lot of patterns are 'maybe a bug' depending on intent. The agent flags with calibrated confidence — high confidence for unambiguous bugs (mutable defaults, missing await), lower confidence for stylistic concerns that get rolled into the summary rather than inline.

Mutable default arguments. `def append_item(item, items=[]):` — items is shared across all calls. Classic, hard to spot in review, the Bugs agent catches every instance.

Missing await on async calls. `async def save(): db.write(data)` — the coroutine is never awaited and runs as fire-and-forget. The agent detects async function definitions and verifies their bodies await coroutines they call.

Bare exception clauses. `except:` or `except Exception:` swallowing too much. The Security agent flags these as masking real failures including keyboard interrupts.

SQL injection via string formatting. `cursor.execute(f"SELECT * FROM users WHERE id={user_id}")` — even with int casts the pattern is risky. Recommends parameterized queries.

subprocess shell=True with user input. `subprocess.run(cmd, shell=True)` where cmd contains user-supplied content — flagged as command injection risk.

Type hints inconsistency. Repo uses type hints in 80% of files; a new PR adds untyped public API. The Best-Practices agent surfaces this only when the convention is already established elsewhere — not on repos without hints.

Python's tree-sitter grammar is solid for Python 3 (3.6+). Type hints (PEP 484, PEP 526), f-strings, async/await, dataclasses, match statements (3.10+), walrus operator — all parse cleanly.

Python 2 is supported but the symbol extractor is tuned for Python 3 patterns. If you're still on 2.x (heroic at this point), reviews work but the type-hint-aware checks won't apply.

Notebooks (.ipynb) are NOT indexed — they're JSON wrapping Python, not Python files. If you do notebook-heavy work, the review applies to non-notebook code only. Adding notebook support is on the roadmap.

Install the LGTM GitHub App on the repo. Index time: 20-60 seconds for typical Django/FastAPI projects, longer for monorepos.

Virtual env / package manager: LGTM doesn't run your code, doesn't execute pytest, doesn't need access to your venv. The review is fully static — tree-sitter parsing + LLM reasoning over the parsed structure. Pip / Poetry / uv / conda — all treated the same.

Django specifics: signals.py, admin.py, models.py get indexed with awareness of Django patterns. Migrations are auto-excluded from review (they're auto-generated). Models with `Meta` classes, querysets, and serializers all parse cleanly.

FastAPI / Flask specifics: route decorators surface as symbols. The agents reason about request/response handling, dependency injection, and Pydantic schemas.