LLM code review pipeline

Stage 1: Webhook receipt. GitHub fires pull_request (opened, synchronized, reopened, closed) to the review tool's HTTPS endpoint. The endpoint verifies the X-Hub-Signature-256 HMAC and deduplicates by X-GitHub-Delivery so retry storms don't trigger duplicate reviews.

Stage 2: Gating. Before enqueuing work, the tool checks billing quota, repo activation state, user consent (if applicable for legal/compliance reasons), and rate limits. Atomic reservation on the quota counter prevents two simultaneous PRs from double-spending the same slot.

Stage 3: Diff parsing. Worker fetches the PR diff via GitHub App installation token (which itself has 15-second timeout + retry semantics for resilience against GitHub API blips). Parses unified diff into per-file hunks with line numbers.

Stage 4: Context gathering. If the repo is indexed, tree-sitter symbol graph is queried for symbols referenced by the diff. Personalized PageRank ranks them. Top 5-15 symbol bodies get fetched fresh from GitHub and attached to the relevant agent prompts.

Stage 5: Agent execution. One BullMQ child job per agent. Each gets the diff + context slice + system prompt scoped to its lens (Bugs / Security / etc.). LLM call runs on the user's BYOK key.

Stage 6: Synthesizer. Receives all six reports + diff + custom guidelines. Produces the final verdict + summary + dedup'd inline comments mapped to (file, line).

Stage 7: GitHub posting. Single POST to /repos/{owner}/{repo}/pulls/{pr}/reviews with the verdict and inline comments. 422 retry without comments if GitHub rejects due to line-not-found (typical for force-pushed PRs mid-review).

Code reviews are bursty. A repo can get 1 PR a day for a week, then 30 PRs in an hour during sprint-end. Naive 'spawn-a-thread-per-review' breaks under bursts.

Queue-based pipelines (BullMQ on Redis, AWS SQS, GCP Pub/Sub) decouple webhook receipt from worker capacity. Webhook handler does the gating + enqueue and returns 200 in milliseconds; workers pull jobs at their own pace. Backpressure handles itself.

Backoff + retry is also queue-level. Failed jobs go to a delayed queue with exponential backoff before retry. Stuck jobs (no progress in N minutes) get marked failed and emit a notification to the user so they aren't waiting on an opaque spinner forever.

A code review takes 30-90s end-to-end. Without progress feedback, the user opens the PR, looks for the AI comment, doesn't see it, refreshes, sees the spinner, refreshes again, eventually sees the comment. Bad UX.

Better: Socket.IO (or Server-Sent Events) streams progress events to the dashboard as the pipeline progresses. Events like review:started, agent:started (per agent), agent:completed, synthesizer:started, review:completed.

The user watches the agents finish in real-time. Adds a UX warmth that's hard to articulate but matters — the system feels alive, not opaque. Also: if an agent fails, the streaming event surfaces it immediately instead of leaving the user staring at a hung review.

Stage 1 (Webhook) failures: signature mismatch → 401 to GitHub (which retries). Duplicate delivery → 200 (idempotent).

Stage 2 (Gating) failures: quota exhausted → return a friendly 'upgrade' notification, don't enqueue. Auth failure → 401, no review.

Stage 3 (Diff fetch) failures: GitHub API 5xx → retry with exponential backoff (3 attempts, 1s/4s/16s + jitter), then mark job failed. GitHub API rate limit → respect X-RateLimit-Remaining, defer the job.

Stage 4 (Context) failures: tree-sitter parsing fails on edge-case syntax → log + fall back to diff-only review (no context attached). Acceptable degradation; the review still ships.

Stage 5 (Agent) failures: LLM provider 429/503 → retry within agent (the LLM service layer handles its own backoff). LLM returns malformed JSON → ask once more with a stricter prompt, then fail the agent. Other agents continue.

Stage 6 (Synthesizer) failures: works on whichever agents succeeded; produces a degraded review noting which agents failed.

Stage 7 (GitHub post) failures: 422 (line not found, usually force-push race) → retry without inline comments. 5xx → retry with backoff. Permanent failure → mark job failed, notify user with the actual error.

Per-agent system prompts: each agent should focus on ONE lens. Mixing concerns in a prompt drops quality. Bugs agent shouldn't be asked about style.

Structured output: agents return JSON with a fixed schema, not freeform text. Makes the synthesizer's dedup logic deterministic and avoids parsing errors.

Idempotency: webhook delivery IDs deduplicated. PR review re-runs don't post duplicate inline comments — they update or replace previous review.

Cost control: per-repo focus areas (only run agents that matter for that repo) cut token spend. Per-repo model overrides (pin Haiku on cheap repos, Opus on critical ones) tune cost/quality.

Observability: every agent run logged. Per-agent latency tracked. Per-finding precision can be computed by joining 'AI flagged X' with 'human resolved X as true/false-positive'. This data feeds back into prompt iteration.