REVIEWGATE / RG-01
Enforcement online GitHub ↗
POINTER 0000:0000 / SIGNAL LOCKED

Blacksite protocol / Independent code verification

Claude Code + Codex / Native stop enforcement

Nothingpassesunseen.

Signal 01Critical
Gate closed

Turn intercepted. One blocking finding returned to the coding agent.

Reviewgate sits between “code written” and “turn complete.” It captures the actual change, runs independent reviewers and keeps non-PASS outcomes visible.

npm i -g reviewgate
Arm the repo
Fail closed Native hooks Six provider paths Local state Hash-chained audit Fail closed Native hooks Six provider paths Local state Hash-chained audit

Built to distrust
the happy path.

The easy product is “send a diff to a model.” Reviewgate is the hard part around it: catch the final tree, distinguish outage from PASS, demand decisions and preserve the evidence. Its strongest guards are scars from reviewing its own code.

Inspect the source ↗
Reviewer / Independent panelFrame 0118
[Critical] authorization bypass

Cached ownership
check is skipped.

Fallback path trusts the record before validating that the current actor owns the resource.

src/api/delete.ts:117 / Evidence verified / Confidence .96

The stop
becomes a loop.

Blocking findings send the coding agent back into the same turn. Bounded deferral and escalation prevent both silent failure and infinite churn.

14:02:11

Change captured

PostToolUse hooks plus final HEAD and working-tree fingerprints capture committed and uncommitted work.

Edit
14:02:12

Risk classified

Deterministic checks, diff facts and sensitivity tags choose the necessary review depth.

Triage
14:02:13

Panel deployed

Independent providers inspect the diff with project research, evidence checks and optional critic.

Review
14:04:03

Critical signal verified

The turn is blocked. Findings and source evidence return through plain local files.

Gate closed
14:06:18

Agent patches

The authoring agent fixes the path and records an explicit disposition for the finding.

Continue
14:07:41

Re-review pass

The content-true tree fingerprint is recorded and the turn may finish with an audit trail.

Gate open

One author.
Six perspectives.

Start with one working reviewer. Add different providers because their blind spots do not overlap perfectly. OAuth-first CLIs can use existing eligible subscription quota.

01 / PrimaryOAuth

Codex

Recommended default reviewer

02 / PanelOAuth

Gemini

Independent CLI perspective

03 / PanelOAuth

Claude

Additional reasoning path

04 / FlexibleCLI auth

OpenCode

Configurable local CLI models

05 / HostedAPI key

OpenRouter

Hosted models by provider slug

06 / LocalEndpoint

Ollama

Local or cloud OpenAI-compatible API

“$0” means no additional per-review Reviewgate charge when an official OAuth CLI uses an existing eligible subscription quota. Provider limits still apply. OpenRouter and some Ollama configurations use API billing.

8 / 8
bugs found.

Inspect the benchmark ↗
.90 → .40Clean-code false-positive rate after critic
0 recall lostOn the 18-case labelled smoke corpus
MIT / LOCALOpen source, plain-file control plane
Small-N benchmark, published with its real limits: 18 hand-labelled smoke cases. Inspect every case and matcher in the repository.

Every quiet failure
gets a sensor.

Reviewgate combines deterministic evidence, model disagreement and persistent local state. A model is one component—not the control plane.

PRE / 01

Deterministic checks

Run typecheck, lint, build or tests before inference. A non-zero exit becomes a non-rejectable CRITICAL.

phases.checks
CTX / 02

Research context

Diff facts, conventions, symbol relationships and referenced documents ground the review.

tree-sitter + rg
RUN / 03

Critic & consensus

A demote-only critic, evidence checks, severity vetoes and consensus reduce noise without inventing a pass.

precision layer
OPS / 04

Quota & deadline control

Budget-aware fallbacks, cooldowns and bounded deferral keep outages visible and loops finite.

fail-closed
CTL / 05

Decision protocol

Every blocking finding needs a fixed, verified-not-applicable or reasoned human disposition.

JSONL ledger
AUD / 06

Tamper-evident audit

Every run appends SHA-256 hash-chained JSONL events that can be verified locally later.

audit verify
CFG / 07

Policy control plane

Config changes run under the last-known-good policy. Weakening or non-monotonic changes require human approval.

separate fingerprint
LAB / 08

Benchmark harness

Measure precision, recall, repeated runs, provider rosters and suppression-layer ablations.

bench run · matrix

Memory with
named owners.

Reviewgate does not hide every kind of knowledge in one opaque blob. Project intent, validated facts, agent mistakes and reviewer noise each have a separate author and consumer.

Read the memory model ↗
01 / Human → Reviewer

Lore

Maintainer-approved why-knowledge, anchored to files and checked for staleness.

draft → canon
02 / Repo → Reviewer

Brain & Curator

Curated repository facts proposed, validated, recalled and explicitly revocable.

opt-in
03 / Finding → Agent

Agent Lessons

Accepted-and-fixed mistakes become bounded guidance at the next session start.

agent-facing
04 / Decision → Calibration

FP Ledger

Substantive human rejections calibrate reviewer patterns and reputation over time.

demote only

One init.
The whole setup.

No hosted service. The guided flow configures policy, reviewers, hosts, hooks, last-known-good state and health checks inside the repository.

Terminal / 01 install
# Install the prebuilt binary for this machine
$ npm i -g reviewgate

✓ reviewgate installed

The npm package selects the matching native binary for your operating system and CPU architecture.

RequirementsmacOS or LinuxgitOne reviewer CLI or API providerWindows via WSL2

Installed is not active yet.

reviewgate init writes the project hooks. Codex then asks you to inspect and trust their exact current hash through /hooks. Until that happens, Codex skips the new commands.

Can Reviewgate approve itself? No—and that is the security feature. A repository installer or coding agent silently approving its own commands would make the checkpoint meaningless.

Read the Codex activation guide ↗
  1. 01
    Installedhooks.json + shims exist
  2. 02
    ReviewedOpen /hooks in Codex
  3. 03
    TrustedThe exact hash may execute

Strong controls.
Honest limits.

Reviewgate is a local enforcement layer inside the agent loop—not a cryptographic boundary against a malicious machine owner.

Read the full threat model ↗
01

Denylist read model

Strict and permissive sandboxes mask known secret paths and isolate writes. Other non-denied host files may remain readable.

02

Network remains open

Reviewer subprocess network egress is not isolated. Gemini and OpenCode are agentic CLIs, so strict sandboxing matters especially for them.

03

Worktrees are separate

Every git worktree needs its own reviewgate init. Hooks and state do not propagate from the main checkout.

04

Pre-push is a warning

The installed Git hook warns when a commit lacks clean PASS evidence. It deliberately does not provide a CI hard gate.

Before you
arm the gate.

What exactly does Reviewgate enforce?+

It installs native repository hooks for Claude Code, Codex or both. When the agent tries to stop after a change, Reviewgate captures the batch, runs the configured review pipeline and blocks unresolved blocking findings. Defer and escalation remain explicitly non-PASS.

Do I need all six providers?+

No. One working reviewer is enough to start. A heterogeneous panel adds independence because provider blind spots differ.

Does Codex need an extra activation step?+

Yes. After init, open /hooks inside Codex, inspect SessionStart, PostToolUse and Stop, then trust their exact current hash. Reviewgate cannot perform that human checkpoint for you.

What happens during quota or infrastructure failure?+

An unsuccessful reviewer never becomes a clean pass. Reviewgate can use configured fallbacks, bounded deferral, cooldowns or a visible human escalation.

Does Reviewgate write or commit my code?+

No. Reviewgate reports and enforces. The authoring agent makes fixes; you still inspect and commit the final change.

Can it review plans before implementation?+

Yes. reviewgate review-plan <file…> runs the adversarial reviewer system against Markdown plans or specifications without entering the code Stop-hook loop.

Where does the state live?+

Findings, decisions, state, audit events, memory and escalations are plain files under .reviewgate/. There is no Reviewgate SaaS database.

Is it production-ready?+

Reviewgate is actively dogfooded and released as alpha software. Read the threat model, initialize each checkout, run Doctor and perform the documented smoke test before relying on it.

Arm the
blacksite.

npm i -g reviewgate