
Releases: infiniumtek/code-review-agent

v1.0.0

27 May 01:57
@spanosg131 spanosg131

code-review-agent v1.0.0

First stable release. An LLM-first, multi-language code & CI/CD review agent built on LangGraph, with review expertise delivered as portable Agent Skills (SKILL.md) rather than hard-coded personas.

Highlights

  • Multi-language review. Each changed file is classified by language/target and reviewed by the matching skill — bugs, security, performance, and improvement findings. Bundled skills: Python, JavaScript/TypeScript (.js/.jsx/.ts/.tsx), Java, plus optional CI/infra skills for Dockerfile, GitHub Actions, GitLab CI, and Jenkins.
  • LangGraph pipeline. Orchestrated StateGraph with Send fan-out: ingest → detect → per-unit review fan-out → aggregate → report. One-shot run (no checkpointer).
  • Multi-provider LLMs. OpenAI (default gpt-5-mini), Anthropic, and Google Gemini, selectable via config. Structured output with a tolerant free-form-JSON fallback, plus retry/timeout handling.
  • Runs locally or in CI. A Typer CLI reviews a local git diff; the same entrypoint runs in the worker container for GitHub Actions, GitLab CI, and Jenkins — no webhook server.
  • Composable, idempotent reporters. terminal, file (Markdown/JSON artifact), github (PR comment), and gitlab (MR note). SCM reporters locate their existing bot comment by a stable hidden marker and update it in place. auto selects the detected-platform reporter + terminal.

Security & trust model

  • Read-and-report only — the agent never writes to or auto-fixes the reviewed repository.
  • Prompt-injection hardening — reviewed code, comments, and CI YAML are treated as untrusted data, not instructions.
  • Fail-closed CI config: review.toml is read from the trusted base ref (git show <ref>:review.toml), never from the PR head; a CI run with no trusted ref fails closed rather than reading PR-controlled config.
  • Gated repo-local skills — repository-provided skills are honored only when an operator sets ALLOW_REPO_SKILLS=true.
  • Skills are prompt-only — no execution of skill-bundled scripts.

Packaging & tooling

  • Python 3.13 · uv (pinned uv.lock) · Pydantic v2 · LangGraph v1.
  • Docker image published to GHCR on v* tags; langgraph build / langgraph dev (Studio) supported.
  • Quality gates: ruff, mypy --strict, and a pytest suite (212 tests).

Getting started

python3.13 -m venv .venv && source .venv/bin/activate
pip install uv && uv sync --inexact --extra dev
cp .env.example .env # add at least one LLM API key
make review # review the current git diff

See the README for CI integration examples and configuration.

Findings are advisory and AI-generated; treat them as input to human review, not a gate.
