OpenReview AI is an open-source, self-hostable GitHub App for automated pull request reviews using configurable LLM providers and repository-specific review standards.
The goal is not to replace human reviewers. OpenReview AI is designed to act as a senior engineer doing the first review pass: catching security risks, correctness issues, architectural drift, and production-readiness problems before a maintainer spends time on the PR.
Most AI review tools are generic, closed, or tied to one vendor. OpenReview AI is built around a different set of assumptions:
- teams should own their review standards
- security findings should be first-class, not an afterthought
- review prompts should be inspectable and versioned
- providers should be swappable
- self-hosting should be normal
- local models should be possible for privacy-sensitive teams
This repository is early-stage. The current Go service contains the foundation for:
- GitHub webhook handling
- reviewer personas
- prompt planning and rendering
- safe prompt include expansion
- defensive prompt wrapping
- normalized finding models
- in-memory review/profile storage
- mock provider execution
The next major implementation milestones are real GitHub App authentication, PR diff fetching, structured LLM output parsing, and OpenRouter/OpenAI-compatible provider support.
```text
GitHub Pull Request
  -> Webhook API
  -> Review Engine
  -> Reviewer Personas
  -> Prompt Planner
  -> Prompt Renderer
  -> LLM Provider
  -> Findings Normalizer
  -> GitHub Comments and Summary
```
See docs/architecture.md and docs/prompts.md for more detail.
Requirements:
- Go 1.25+
- Docker, optional
To run OpenReview AI as a real GitHub App, see docs/github-app.md.
Run locally:
```powershell
go run ./cmd/openreview
```

The service listens on :8080 by default.

Override the listen address and webhook secret:

```powershell
$env:OPENREVIEW_ADDR=":8081"
$env:GITHUB_WEBHOOK_SECRET="dev-secret"
go run ./cmd/openreview
```

Use OpenRouter:

```powershell
$env:OPENREVIEW_PROVIDER="openrouter"
$env:OPENROUTER_API_KEY="..."
$env:OPENREVIEW_MODEL="anthropic/claude-sonnet-4"
go run ./cmd/openreview
```

Configure GitHub App credentials:

```powershell
$env:GITHUB_APP_ID="123456"
$env:GITHUB_APP_PRIVATE_KEY_PATH="C:\path\to\private-key.pem"
$env:GITHUB_WEBHOOK_SECRET="..."
go run ./cmd/openreview
```

Use an OpenAI-compatible API:

```powershell
$env:OPENREVIEW_PROVIDER="openai-compatible"
$env:OPENREVIEW_PROVIDER_BASE_URL="http://localhost:1234/v1"
$env:OPENREVIEW_PROVIDER_API_KEY="..."
$env:OPENREVIEW_MODEL="local-model"
go run ./cmd/openreview
```

Run with Docker:

```powershell
docker compose up --build
```

Endpoints:

- GET /healthz
- POST /webhooks/github
- GET /reviews/{id}
- GET /repositories
- POST /review-profiles
- PUT /review-profiles/{id}
Review profiles let teams define standards and reviewer personas.
```json
{
  "id": "security-first",
  "name": "Security First",
  "rules": [
    "prioritize security",
    "flag SQL injection risks",
    "detect authorization issues"
  ],
  "reviewers": [
    "security-engineer",
    "staff-backend-engineer"
  ]
}
```

Profiles will later be loaded from repository-level openreview.yml files.
OpenReview AI treats prompts/ as a prompt library. The application selects a curated set of prompts based on review profile and reviewer persona, then wraps them with defensive PR-review policy before sending them to a model.
Current prompt orchestration supports:
- prompt registry
- `@include(...)` expansion
- path traversal protection
- variable interpolation
- JSON output contract injection
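The include expansion and traversal protection described above, as an added Go example that is not the project's own code: an in-memory map stands in for the prompts/ directory, and the file names, the `{{var}}` placeholder syntax and the depth bound of 8 are assumptions. Include targets that resolve outside the library are rejected rather than silently clamped, and variables are filled only after includes are resolved, so an untrusted value cannot smuggle in new includes.

```go
package main

import (
	"errors"
	"path"
	"regexp"
	"strings"
)

// Constructed in-memory stand-in for a prompts/ directory (not the project's real files).
var promptLib = map[string]string{
	"personas/security-engineer.md": "You are a security engineer.\n@include(policies/defensive.md)\nReview {{repo}}.",
	"policies/defensive.md":         "Report risks; never propose exploitation steps.",
	"policies/loop.md":              "@include(policies/loop.md)",    // self-include: must be bounded
	"policies/bad.md":               "@include(policies/../../.env)", // climbs out of the library
}

var includeRe = regexp.MustCompile(`@include\(([^)]*)\)`)
var ErrTraversal = errors.New("include target escapes the prompt library")

// expand renders a prompt: @include(...) targets are normalized (backslashes too) and
// rejected rather than clamped when they point outside the library; includes are
// resolved recursively under a depth bound; {{var}} placeholders are filled last, so
// an untrusted value such as a PR title cannot introduce new includes.
func expand(name string, vars map[string]string, depth int) (string, error) {
	body, ok := promptLib[name]
	if !ok || depth > 8 {
		return "", errors.New("cannot resolve prompt (unknown or nested too deeply): " + name)
	}
	var sb strings.Builder
	last := 0
	for _, loc := range includeRe.FindAllStringSubmatchIndex(body, -1) {
		target := path.Clean(strings.ReplaceAll(strings.TrimSpace(body[loc[2]:loc[3]]), `\`, "/"))
		if strings.HasPrefix(target, "/") || target == ".." || strings.HasPrefix(target, "../") {
			return "", ErrTraversal
		}
		sub, err := expand(target, vars, depth+1)
		if err != nil {
			return "", err
		}
		sb.WriteString(body[last:loc[0]] + sub)
		last = loc[1]
	}
	out := sb.String() + body[last:]
	for k, v := range vars {
		out = strings.ReplaceAll(out, "{{"+k+"}}", v)
	}
	return out, nil
}
```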
See ROADMAP.md.
For the step-by-step build plan and implementation checklist, see IMPLEMENTATION_PLAN.md.
Contributions are welcome. Start with CONTRIBUTING.md, then check open issues or propose a focused change.
Contributor workflows for GitHub App testing, provider testing, and per-file commits are documented in docs/contributor-workflows.md.
Useful commands:
```powershell
gofmt -w cmd internal
go test ./...
go build ./cmd/openreview
```

Please do not report vulnerabilities through public issues. See SECURITY.md.
OpenReview AI contains security review prompts, but the application itself must remain defensive by default. Prompts and provider integrations should not enable autonomous exploitation, credential extraction, or destructive testing.
OpenReview AI is licensed under the MIT License.
