Turn intercepted. One blocking finding returned to the coding agent.
Nothingpassesunseen.
Reviewgate sits between “code written” and “turn complete.” It captures the actual change, runs independent reviewers and keeps non-PASS outcomes visible.
npm i -g reviewgate
Case file / Incident 012
Built to distrust
the happy path.
The easy product is “send a diff to a model.” Reviewgate is the hard part around it: catch the final tree, distinguish outage from PASS, demand decisions and preserve the evidence. Its strongest guards are scars from reviewing its own code.
Inspect the source ↗Cached ownership
check is skipped.
Fallback path trusts the record before validating that the current actor owns the resource.
Turn 07F3A / Lifecycle trace
The stop
becomes a loop.
Blocking findings send the coding agent back into the same turn. Bounded deferral and escalation prevent both silent failure and infinite churn.
Change captured
PostToolUse hooks plus final HEAD and working-tree fingerprints capture committed and uncommitted work.
Risk classified
Deterministic checks, diff facts and sensitivity tags choose the necessary review depth.
Panel deployed
Independent providers inspect the diff with project research, evidence checks and optional critic.
Critical signal verified
The turn is blocked. Findings and source evidence return through plain local files.
Agent patches
The authoring agent fixes the path and records an explicit disposition for the finding.
Re-review pass
The content-true tree fingerprint is recorded and the turn may finish with an audit trail.
Witness roster / Heterogeneous by design
One author.
Six perspectives.
Start with one working reviewer. Add different providers because their blind spots do not overlap perfectly. OAuth-first CLIs can use existing eligible subscription quota.
Codex
Recommended default reviewer
Gemini
Independent CLI perspective
Claude
Additional reasoning path
OpenCode
Configurable local CLI models
OpenRouter
Hosted models by provider slug
Ollama
Local or cloud OpenAI-compatible API
“$0” means no additional per-review Reviewgate charge when an official OAuth CLI uses an existing eligible subscription quota. Provider limits still apply. OpenRouter and some Ollama configurations use API billing.
System map / More than an LLM call
Every quiet failure
gets a sensor.
Reviewgate combines deterministic evidence, model disagreement and persistent local state. A model is one component—not the control plane.
Deterministic checks
Run typecheck, lint, build or tests before inference. A non-zero exit becomes a non-rejectable CRITICAL.
phases.checksResearch context
Diff facts, conventions, symbol relationships and referenced documents ground the review.
tree-sitter + rgCritic & consensus
A demote-only critic, evidence checks, severity vetoes and consensus reduce noise without inventing a pass.
precision layerQuota & deadline control
Budget-aware fallbacks, cooldowns and bounded deferral keep outages visible and loops finite.
fail-closedDecision protocol
Every blocking finding needs a fixed, verified-not-applicable or reasoned human disposition.
JSONL ledgerTamper-evident audit
Every run appends SHA-256 hash-chained JSONL events that can be verified locally later.
audit verifyPolicy control plane
Config changes run under the last-known-good policy. Weakening or non-monotonic changes require human approval.
separate fingerprintBenchmark harness
Measure precision, recall, repeated runs, provider rosters and suppression-layer ablations.
bench run · matrixCold storage / Four trust boundaries
Memory with
named owners.
Reviewgate does not hide every kind of knowledge in one opaque blob. Project intent, validated facts, agent mistakes and reviewer noise each have a separate author and consumer.
Read the memory model ↗Lore
Maintainer-approved why-knowledge, anchored to files and checked for staleness.
draft → canonBrain & Curator
Curated repository facts proposed, validated, recalled and explicitly revocable.
opt-inAgent Lessons
Accepted-and-fixed mistakes become bounded guidance at the next session start.
agent-facingFP Ledger
Substantive human rejections calibrate reviewer patterns and reputation over time.
demote onlyDeployment order / Complete first run
One init.
The whole setup.
No hosted service. The guided flow configures policy, reviewers, hosts, hooks, last-known-good state and health checks inside the repository.
# Install the prebuilt binary for this machine
$ npm i -g reviewgate
✓ reviewgate installed
The npm package selects the matching native binary for your operating system and CPU architecture.
Codex activation / User controlled
Installed is not active yet.
reviewgate init writes the project hooks. Codex then asks you to inspect and trust their exact current hash through /hooks. Until that happens, Codex skips the new commands.
Can Reviewgate approve itself? No—and that is the security feature. A repository installer or coding agent silently approving its own commands would make the checkpoint meaningless.
Read the Codex activation guide ↗- 01Installedhooks.json + shims exist
- 02ReviewedOpen
/hooksin Codex - 03TrustedThe exact hash may execute
Threat model / Stated plainly
Strong controls.
Honest limits.
Reviewgate is a local enforcement layer inside the agent loop—not a cryptographic boundary against a malicious machine owner.
Read the full threat model ↗Denylist read model
Strict and permissive sandboxes mask known secret paths and isolate writes. Other non-denied host files may remain readable.
Network remains open
Reviewer subprocess network egress is not isolated. Gemini and OpenCode are agentic CLIs, so strict sandboxing matters especially for them.
Worktrees are separate
Every git worktree needs its own reviewgate init. Hooks and state do not propagate from the main checkout.
Pre-push is a warning
The installed Git hook warns when a commit lacks clean PASS evidence. It deliberately does not provide a CI hard gate.
Debrief / Short answers
Before you
arm the gate.
What exactly does Reviewgate enforce?+
It installs native repository hooks for Claude Code, Codex or both. When the agent tries to stop after a change, Reviewgate captures the batch, runs the configured review pipeline and blocks unresolved blocking findings. Defer and escalation remain explicitly non-PASS.
Do I need all six providers?+
No. One working reviewer is enough to start. A heterogeneous panel adds independence because provider blind spots differ.
Does Codex need an extra activation step?+
Yes. After init, open /hooks inside Codex, inspect SessionStart, PostToolUse and Stop, then trust their exact current hash. Reviewgate cannot perform that human checkpoint for you.
What happens during quota or infrastructure failure?+
An unsuccessful reviewer never becomes a clean pass. Reviewgate can use configured fallbacks, bounded deferral, cooldowns or a visible human escalation.
Does Reviewgate write or commit my code?+
No. Reviewgate reports and enforces. The authoring agent makes fixes; you still inspect and commit the final change.
Can it review plans before implementation?+
Yes. reviewgate review-plan <file…> runs the adversarial reviewer system against Markdown plans or specifications without entering the code Stop-hook loop.
Where does the state live?+
Findings, decisions, state, audit events, memory and escalations are plain files under .reviewgate/. There is no Reviewgate SaaS database.
Is it production-ready?+
Reviewgate is actively dogfooded and released as alpha software. Read the threat model, initialize each checkout, run Doctor and perform the documented smoke test before relying on it.
Deployment order / One command
Arm the
blacksite.
npm i -g reviewgate