{"slug": "i-built-an-ai-code-reviewer-with-6-parallel-agents-heres-the-architecture-warts", "title": "I built an AI code reviewer with 6 parallel agents. Here’s the architecture, warts and all.", "summary": "A developer built LGTM (Looks Good To Meow), an AI code reviewer that uses six parallel agents for security, bugs, performance, readability, best practices, and documentation. The architecture includes a synthesizer that merges findings, resolves conflicts via precedence, and limits output to the top 10 findings to improve readability. The project highlights challenges with multi-agent coordination and user engagement.", "body_md": "Six months ago I got fed up with my AI code review tool.\n\nTwo problems.\n\nThat combination broke my trust.\n\nSo I cancelled my subscription and started building my own.\n\nToday I'm launching **LGTM (Looks Good To Meow)**.\n\nThis isn't a launch post about features.\n\nIt's about the architecture, because that's the interesting part.\n\nThe obvious implementation looks like this:\n\nGive one LLM a giant system prompt telling it to review security, bugs, performance, readability, best practices and documentation all at once.\n\nI built exactly that first.\n\nIt didn't work.\n\nThe model spread its attention across every category equally.\n\nThat meant:\n\nBeta users simply stopped reading after the first few comments.\n\nI tried making the prompt more aggressive.\n\nPrioritize security above everything else.\n\nThat solved one problem and created another.\n\nSecurity became better.\n\nEverything else became dramatically worse.\n\nThe fundamental issue remained.\n\nOne prompt was trying to solve six different problems.\n\nInstead of making one model do everything, I split the review into six independent reviewers.\n\n| Agent | Responsibility |\n|---|---|\n| 🔒 Security | Auth, injection, secrets, XSS, unsafe deserialization |\n| 🐞 Bugs | Correctness, null handling, race conditions |\n| ⚡ Performance | N+1 queries, quadratic loops, allocations |\n| 📖 Readability | Naming, function size, cognitive complexity |\n| ✅ Best Practices | Language idioms and architectural patterns |\n| 📝 Documentation | JSDoc, docstrings, README updates |\n\nEach receives:\n\nEvery agent returns structured JSON.\n\n```\n{\n  \"agent\": \"security\",\n  \"findings\": [\n    {\n      \"severity\": \"high\",\n      \"file\": \"src/api/user.ts\",\n      \"line\": 47,\n      \"title\": \"Missing authorization check\",\n      \"description\": \"DELETE endpoint allows any authenticated user to delete accounts.\",\n      \"suggested_fix\": \"Verify ownership or admin role before deletion.\"\n    }\n  ]\n}\n```\n\nSix reports come back simultaneously.\n\nThat is where the interesting part begins.\n\nSimply concatenating six reports produces garbage.\n\nReal pull requests can easily end up with 40–60 findings.\n\nNobody reads that.\n\nThe synthesizer converts six raw reports into one review.\n\nIt performs four jobs.\n\nSecurity and bug reviewers frequently report the same issue.\n\nExample:\n\nInstead of showing duplicates, the synthesizer groups findings by:\n\nand keeps the strongest explanation.\n\nSometimes two reviewers disagree.\n\nFor example:\n\nSecurity says:\n\nAdd rate limiting.\n\nPerformance says:\n\nRemove rate limiting to improve latency.\n\nThey're both technically correct.\n\nSo I built a simple precedence system.\n\n```\nSecurity\n    >\nCorrectness\n    >\nPerformance\n    >\nStyle\n```\n\nWhen conflicts occur, the final report still includes both viewpoints so the developer can override the decision.\n\nOrdering matters more than people realize.\n\nNobody wants this:\n\nInstead, findings are sorted by:\n\n```\nSeverity\n→ Category Weight\n→ File\n→ Line\n```\n\nCritical issues always appear first.\n\nFinally the synthesizer emits one overall review.\n\nPossible outputs:\n\nbased entirely on blocker findings.\n\nOne surprising lesson from beta testing:\n\nPeople don't read long reviews.\n\nThe dashboard originally showed everything.\n\nAverage review length:\n\n27 findings\n\nAlmost nobody reached the bottom.\n\nToday LGTM only surfaces the **top 10 findings** plus a summary.\n\nEverything else stays available inside the dashboard.\n\nTen wasn't chosen mathematically.\n\nIt was chosen because users actually read ten.\n\nEarly versions had weird behavior.\n\nThe longest report usually won.\n\nNot because it found better issues.\n\nBecause the model subconsciously treated verbose output as more important.\n\nI fixed that by normalizing token counts before synthesis.\n\nThen another issue appeared.\n\nThe synthesizer became *too* aggressive.\n\nDifferent findings got merged together.\n\nThat caused genuine bugs to disappear.\n\nThe fix was introducing a confidence score for every finding so uncertain matches remained separate.\n\nMost of the work wasn't building reviewers.\n\nIt was teaching them how to disagree.\n\nThe CI/CD scanner doesn't use AI.\n\nIt shouldn't.\n\nIt consists of 16 deterministic detectors.\n\nExample:\n\n```\non:\n  pull_request_target:\n\njobs:\n  test:\n    steps:\n      - uses: actions/checkout@v3\n        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n```\n\nThat's a classic `pull_request_target`\n\nvulnerability.\n\nStatic analysis detects it instantly.\n\nI benchmarked several popular LLMs.\n\nTwo missed it completely.\n\nOne detected it but couldn't explain why it was dangerous.\n\nPattern matching wins here.\n\nAnother example:\n\n```\nenv:\n  API_KEY: \"sk_live_xxxxxxxxx\"\n```\n\nDetected immediately.\n\nNo reasoning required.\n\nAnother:\n\n```\nuses: some-org/action@main\n```\n\nUnpinned GitHub Actions.\n\nAgain, deterministic.\n\nNot AI.\n\nThe scanner currently includes detectors for:\n\n`pull_request_target`\n\n...and several more.\n\nSometimes boring software beats AI.\n\nAnother decision I made early:\n\nLGTM never owns your API usage.\n\nYou connect your own:\n\nEvery review runs against your account.\n\nNot mine.\n\nThat means:\n\nMost AI products bundle token costs into subscriptions.\n\nEventually someone pays for that.\n\nUsually the customer.\n\nI preferred making pricing explicit.\n\nThe downside is obvious.\n\nUsers now have two bills.\n\nFor solo developers that's usually cheaper.\n\nFor larger organizations wanting one invoice, it's friction.\n\nI'm considering managed API keys in the future.\n\nNot today.\n\n| Plan | Price |\n|---|---|\n| Free | ₹0/month |\n| Hobby | ₹399/month |\n| Pro | ₹999/month |\n| Enterprise | Custom |\n\nTop-ups are available separately for additional reviews and CI scans.\n\nPayments are handled through **Dodo Payments**.\n\nCLI:\n\n```\nnpm install -g @tarin/lgtm-cli\n```\n\nI'm the only person building this.\n\nThe part I'm watching most closely isn't whether the AI finds bugs.\n\nIt's whether the synthesizer makes the same prioritization decisions that experienced engineers would.\n\nIf it disagrees with your judgment, I want to know why.\n\nThat's the failure mode I'm most interested in fixing.\n\n🌐 Website\n\n[https://looksgoodtomeow.in](https://looksgoodtomeow.in)\n\n🚀 Dashboard\n\n[https://app.looksgoodtomeow.in](https://app.looksgoodtomeow.in)\n\n📚 Documentation\n\n[https://docs.looksgoodtomeow.in](https://docs.looksgoodtomeow.in)\n\n🏆 Product Hunt\n\n[https://www.producthunt.com/products/lgtm-looks-good-to-meow?utm_source=other&utm_medium=social](https://www.producthunt.com/products/lgtm-looks-good-to-meow?utm_source=other&utm_medium=social)\n\n🐛 Feedback & Issues\n\n[https://github.com/tarinagarwal/lgtm-feedback](https://github.com/tarinagarwal/lgtm-feedback)\n\nThanks for reading.\n\nIf you're building AI developer tools, I'd genuinely love to hear how you're approaching review quality, ranking, or synthesis. I think that's where the next generation of AI coding tools will differentiate themselves.", "url": "https://wpnews.pro/news/i-built-an-ai-code-reviewer-with-6-parallel-agents-heres-the-architecture-warts", "canonical_source": "https://dev.to/looksgoodtomeow/i-built-an-ai-code-reviewer-with-6-parallel-agents-heres-the-architecture-warts-and-all-dfc", "published_at": "2026-07-11 12:22:49+00:00", "updated_at": "2026-07-11 12:57:45.614566+00:00", "lang": "en", "topics": ["ai-agents", "developer-tools", "large-language-models", "ai-products", "ai-tools"], "entities": ["LGTM", "Looks Good To Meow"], "alternates": {"html": "https://wpnews.pro/news/i-built-an-ai-code-reviewer-with-6-parallel-agents-heres-the-architecture-warts", "markdown": "https://wpnews.pro/news/i-built-an-ai-code-reviewer-with-6-parallel-agents-heres-the-architecture-warts.md", "text": "https://wpnews.pro/news/i-built-an-ai-code-reviewer-with-6-parallel-agents-heres-the-architecture-warts.txt", "jsonld": "https://wpnews.pro/news/i-built-an-ai-code-reviewer-with-6-parallel-agents-heres-the-architecture-warts.jsonld"}}