CodeLens

Universal AI Code Review System (v0.2)

154 patterns, security taint tracking, PR risk scoring, and code explanation. Typical reviews finish in under a second, entirely on your machine.

TypeScript · Regex Parsers · Persistent JSON Index · GitHub Actions · Claude Code Adapter · npm

The Problem

Commercial code review tools are slow, cloud-dependent, expensive, and do either pattern matching or AI reasoning. Never both. Teams need fast, private, accurate reviews that also catch security vulnerabilities, missing test coverage, and risky PRs without sending code to third-party servers.

The Solution

A hybrid review engine combining 154 deterministic patterns with AI reasoning in a multi-pass pipeline. v0.2 added security taint tracking (source-to-sink analysis with CWE/OWASP mapping), PR risk scoring (weighted 1-10 across 8 factors), a code explanation command powered by the codebase index, test coverage gap detection, and dependency vulnerability scanning against 42+ known vulns. It builds a persistent codebase index on first run, then updates it incrementally in about 60ms.

  • 154 patterns across 4 stacks with OWASP Top 10 and CWE mapping
  • Security taint tracking: traces user input through API to DB to output, flags unsanitized paths
  • PR Risk Score: weighted 1-10 rating across 8 factors (auth changes, schema mods, missing tests, etc.)
  • Code explanation: codelens explain <file> shows callers, callees, data flow, and risk analysis using the index
  • Test coverage gap detection: flags code changes with no corresponding test updates
  • Dependency vulnerability scanning against 42+ known CVEs
  • Persistent codebase index with 62K+ edges in the call graph
  • Self-learning noise filter using TF-IDF similarity, zero external dependencies
  • Dual mode: Terminal for instant checks, AI Agent mode for deep reasoning
  • Adapters for Claude Code, Codex CLI, Gemini, and Cursor
  • npm-publish ready: npx codelens review

System Architecture

(System architecture diagram)

Key Technical Decisions

Zero runtime dependencies

Regex-only parsers instead of heavy AST frameworks. No Java runtime (as SonarQube needs) and no Python runtime required; it runs anywhere Node runs. The trade-off is that regex parsers build no real scope or type model, so findings are heuristic: a taint path through an aliased variable or a dynamically built call can be missed or over-reported, which is why the noise filter and the AI pass exist.

Persistent codebase index

Call graph, schema graph, and column registry stored in .code-review/ for instant incremental reviews instead of re-parsing the entire repo.

Source-to-sink taint tracking

v0.2 added a 222-line taint tracker that traces data from user input sources through the codebase to dangerous sinks (SQL, exec, innerHTML). Detects sanitizer functions and maps findings to CWE/OWASP.
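The mechanics of a regex-driven source-to-sink pass, as an added example written for this page rather than CodeLens's own 222-line tracker. The source, sink and sanitizer tables, the CWE/OWASP labels attached to each sink, and the sample Express handler are assumptions chosen for the demo; the per-line assignment tracking is what a regex tracker can do without an AST, and string literals are blanked so an identifier inside a SQL string is not mistaken for a variable use.

```typescript
// Added example, not CodeLens's own tracker: a regex-driven source-to-sink taint pass
// over one file. The source, sink and sanitizer tables are assumptions for this demo.

interface Sink { name: string; re: RegExp; cwe: string; owasp: string }
interface Finding { line: number; sink: string; source: string; cwe: string; owasp: string }

// Where untrusted data enters (assumed Express / CLI / browser shapes).
const SOURCES: RegExp[] = [
  /\breq\.(?:query|body|params)(?:\.\w+)?/,
  /\bprocess\.argv\b/,
  /\blocation\.(?:search|hash)\b/,
];
// Calls treated as neutralising taint (assumed names).
const SANITIZERS: RegExp[] = [/\bescapeHtml\(/, /\bparseInt\(/, /\bsqlEscape\(/];
// Dangerous sinks with their CWE / OWASP mapping.
const SINKS: Sink[] = [
  { name: "sql",       re: /\b(?:db|pool|conn)\.query\(/,           cwe: "CWE-89", owasp: "A03:2021 Injection" },
  { name: "exec",      re: /\b(?:child_process\.)?exec(?:Sync)?\(/, cwe: "CWE-78", owasp: "A03:2021 Injection" },
  { name: "innerHTML", re: /\.innerHTML\s*=/,                       cwe: "CWE-79", owasp: "A03:2021 Injection" },
];
// `const x = rhs`, `let x = rhs`, or a bare `x = rhs` (but not `==`).
const ASSIGN = /^\s*(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/;

// Blank out string literals so the `id` in "WHERE id = " is not read as a variable use.
function stripStrings(s: string): string {
  return s.replace(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g, '""');
}

// Return the originating source if `expr` reads a source directly or a tainted variable.
function taintOrigin(expr: string, tainted: Record<string, string>): string | null {
  const code = stripStrings(expr);
  for (const re of SOURCES) {
    const m = re.exec(code);
    if (m) return m[0];
  }
  for (const name of Object.keys(tainted)) {
    if (new RegExp("\\b" + name.replace(/\$/g, "\\$") + "\\b").test(code)) return tainted[name];
  }
  return null;
}

function trackTaint(source: string): Finding[] {
  const findings: Finding[] = [];
  const tainted: Record<string, string> = {};   // variable name -> source it was derived from
  const lines = source.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    // 1. Sinks: flag any argument that carries taint and is not wrapped in a sanitizer.
    for (const sink of SINKS) {
      const m = sink.re.exec(line);
      if (!m) continue;
      const arg = line.slice(m.index + m[0].length);
      if (SANITIZERS.some(s => s.test(arg))) continue;   // sanitized at the sink
      const origin = taintOrigin(arg, tainted);
      if (origin) findings.push({ line: i + 1, sink: sink.name, source: origin, cwe: sink.cwe, owasp: sink.owasp });
    }
    // 2. Assignments: propagate taint through variables, or clear it after a sanitizer call.
    const a = ASSIGN.exec(line);
    if (a) {
      const name = a[1], rhs = a[2];
      if (SANITIZERS.some(s => s.test(rhs))) { delete tainted[name]; continue; }
      const origin = taintOrigin(rhs, tainted);
      if (origin) tainted[name] = origin; else delete tainted[name];
    }
  }
  return findings;
}

// Constructed sample handler (not real project code): three unsanitized flows, two clean ones.
const SAMPLE = `
app.get('/user', (req, res) => {
  const id = req.query.id;
  const safeId = parseInt(id, 10);
  const bio = req.body.bio;
  db.query("SELECT * FROM users WHERE id = " + id);
  db.query("SELECT * FROM users WHERE id = " + safeId);
  el.innerHTML = escapeHtml(bio);
  el.innerHTML = bio;
  exec("ls " + req.params.dir);
});
`;

console.log(trackTaint(SAMPLE));
```

Running it reports the SQL, innerHTML and exec sinks on lines 6, 9 and 10 of the sample with the source each one traces back to, and stays silent on the `parseInt` and `escapeHtml` paths. Sanitizer detection here is name-based, so a wrapper that forwards data unchanged would still count as clean; that is the kind of false negative a regex tracker accepts in exchange for sub-second runs.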

Weighted PR risk scoring

8-factor scoring: auth logic changes, DB schema mods, missing tests, dependency changes, config file edits, error handling removal, API surface changes, and file count. Gives teams a 1-10 risk score per PR.
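One way to turn those eight factors into a 1-10 score, as an added example and not CodeLens's own scorer. The weights, the path heuristics for each factor, and the two sample PRs are assumptions; each factor yields a signal in [0, 1], the weighted sum is normalised against the maximum possible, and the result is clamped to the 1-10 range.

```typescript
// Added example (not CodeLens's own code) of weighted 8-factor PR risk scoring.
// Weights, path heuristics and the two sample PRs are assumptions for this demo.

interface ChangedFile { path: string; added: string[]; removed: string[] }
interface RiskReport { score: number; factors: Record<string, number> }

const WEIGHTS: Record<string, number> = {
  authChanges: 2.0, schemaChanges: 2.0, missingTests: 1.5, dependencyChanges: 1.0,
  configEdits: 1.0, errorHandlingRemoved: 1.5, apiSurfaceChanges: 1.5, fileCount: 1.0,
};
const MAX_RAW = Object.keys(WEIGHTS).reduce((s, k) => s + WEIGHTS[k], 0);

const isTest = (p: string) => /(\.test\.|\.spec\.|(^|\/)tests?\/|_test\.(go|py)$)/.test(p);
const isSource = (p: string) => /\.(ts|tsx|js|jsx|py|go|rs|java)$/.test(p) && !isTest(p);
const countErrorHandling = (lines: string[]) =>
  lines.filter(l => /\b(try|catch|finally|except|rescue)\b/.test(l)).length;

function scorePullRequest(files: ChangedFile[]): RiskReport {
  const paths = files.map(f => f.path);
  const anyPath = (re: RegExp) => (paths.some(p => re.test(p)) ? 1 : 0);
  const removedEH = files.reduce((s, f) => s + countErrorHandling(f.removed), 0);
  const addedEH = files.reduce((s, f) => s + countErrorHandling(f.added), 0);
  const exportsRemoved = files.some(f => f.removed.some(l => /^\s*export\b/.test(l))) ? 1 : 0;

  const factors: Record<string, number> = {
    authChanges: anyPath(/auth|login|session|password|token|permission/i),
    schemaChanges: anyPath(/(^|\/)migrations?\/|schema|\.sql$/i),
    // Source files changed but no test file touched in the same PR.
    missingTests: paths.some(isSource) && !paths.some(isTest) ? 1 : 0,
    dependencyChanges: anyPath(/(^|\/)(package(-lock)?\.json|yarn\.lock|pnpm-lock\.yaml|requirements.*\.txt|go\.(mod|sum)|Cargo\.(toml|lock))$/),
    configEdits: anyPath(/(^|\/)(\.env.*|config\/.*|.*\.ya?ml|.*\.toml|Dockerfile)$/i),
    // Net removal of try/catch-style handling, saturating at two removed blocks.
    errorHandlingRemoved: Math.min(Math.max(removedEH - addedEH, 0) / 2, 1),
    apiSurfaceChanges: Math.max(anyPath(/(^|\/)(routes?|api|controllers?|handlers?)\//), exportsRemoved),
    // Grows linearly up to 25 files, then saturates.
    fileCount: Math.min(files.length / 25, 1),
  };

  const raw = Object.keys(factors).reduce((s, k) => s + WEIGHTS[k] * factors[k], 0);
  const score = Math.max(1, Math.min(10, Math.round(1 + 9 * raw / MAX_RAW)));
  return { score, factors };
}

// Constructed sample PRs (not real project history).
const RISKY_PR: ChangedFile[] = [
  { path: "src/auth/login.ts",
    added: ["  const user = await findUser(req.body.email);", "  return issueToken(user);"],
    removed: ["  try {", "    const user = await findUser(req.body.email);", "  } catch (e) {",
              "    return res.status(500).end();", "  }"] },
  { path: "migrations/0007_add_roles.sql", added: ["ALTER TABLE users ADD COLUMN role TEXT;"], removed: [] },
  { path: "package.json", added: ['    "jsonwebtoken": "^9.0.0",'], removed: [] },
];
const DOCS_PR: ChangedFile[] = [{ path: "README.md", added: ["## Installation"], removed: [] }];

console.log(scorePullRequest(RISKY_PR));   // auth + schema + deps + dropped try/catch, no tests
console.log(scorePullRequest(DOCS_PR));    // a one-file docs change
```

With these weights the first PR scores 7 (auth logic, a migration, a new dependency, a removed try/catch and no test changes) and the docs-only PR scores 1. Keeping the per-factor breakdown in the report matters more than the number itself: a reviewer can see which factor drove the score and argue with it.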

Self-learning noise filter

Tracks which findings developers fix vs ignore. Uses TF-IDF similarity to auto-suppress false positives. No cloud ML, fully local.
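How a local TF-IDF filter can decide to suppress a finding, as an added example that is not the project's own implementation. The feedback history, the candidate findings, the 0.6 similarity threshold and the rule that a finding is only suppressed when its nearest ignored neighbour is closer than its nearest fixed one are all assumptions; the IDF is the smoothed form log((1+N)/(1+df))+1, fitted on the stored feedback only.

```typescript
// Added example (not the project's own filter): TF-IDF cosine similarity used to
// auto-suppress findings that resemble ones developers have already ignored.
// The feedback history and candidate findings below are constructed for the demo.

type Outcome = "fixed" | "ignored";
interface Feedback { text: string; outcome: Outcome }
type Vec = Record<string, number>;
interface Model { n: number; idf: Vec; docs: { vec: Vec; outcome: Outcome }[] }
interface Verdict { suppress: boolean; ignoredSim: number; fixedSim: number }

function tokenize(text: string): string[] {
  return text.toLowerCase().split(/[^a-z0-9]+/).filter(t => t.length > 0);
}

// Smoothed IDF; a term never seen in the history gets the df = 0 value.
function idfFor(n: number, df: number): number {
  return Math.log((1 + n) / (1 + df)) + 1;
}

function vectorize(model: Model, tokens: string[]): Vec {
  const vec: Vec = {};
  for (const t of tokens) vec[t] = (vec[t] || 0) + 1;          // raw term frequency
  for (const t of Object.keys(vec)) {
    vec[t] *= model.idf[t] !== undefined ? model.idf[t] : idfFor(model.n, 0);
  }
  return vec;
}

function cosine(a: Vec, b: Vec): number {
  let dot = 0, na = 0, nb = 0;
  for (const t of Object.keys(a)) { na += a[t] * a[t]; if (b[t] !== undefined) dot += a[t] * b[t]; }
  for (const t of Object.keys(b)) nb += b[t] * b[t];
  return na === 0 || nb === 0 ? 0 : dot / Math.sqrt(na * nb);
}

// Fit document frequencies on the developer feedback stored locally.
function learn(history: Feedback[]): Model {
  const df: Vec = {};
  const tokenized = history.map(h => tokenize(h.text));
  for (const toks of tokenized) {
    const seen: Record<string, boolean> = {};
    for (const t of toks) if (!seen[t]) { seen[t] = true; df[t] = (df[t] || 0) + 1; }
  }
  const model: Model = { n: history.length, idf: {}, docs: [] };
  for (const t of Object.keys(df)) model.idf[t] = idfFor(model.n, df[t]);
  model.docs = tokenized.map((toks, i) => ({ vec: vectorize(model, toks), outcome: history[i].outcome }));
  return model;
}

// Suppress when the nearest ignored finding is close enough and closer than any fixed one,
// so a pattern the team does act on is never silenced by a look-alike they ignored.
function judge(model: Model, text: string, threshold = 0.6): Verdict {
  const v = vectorize(model, tokenize(text));
  let ignoredSim = 0, fixedSim = 0;
  for (const d of model.docs) {
    const s = cosine(v, d.vec);
    if (d.outcome === "ignored") ignoredSim = Math.max(ignoredSim, s); else fixedSim = Math.max(fixedSim, s);
  }
  return { suppress: ignoredSim >= threshold && ignoredSim > fixedSim, ignoredSim, fixedSim };
}

// Constructed feedback history: what developers fixed vs. ignored.
const HISTORY: Feedback[] = [
  { text: "no-console: console.log statement left in src/debug/logger.ts", outcome: "ignored" },
  { text: "no-console: console.log statement left in src/debug/trace.ts", outcome: "ignored" },
  { text: "sql-injection: unsanitized request parameter reaches db.query in src/api/users.ts", outcome: "fixed" },
];
const MODEL = learn(HISTORY);

const CANDIDATES = [
  "no-console: console.log statement left in src/debug/metrics.ts",
  "sql-injection: unsanitized request parameter reaches db.query in src/api/orders.ts",
  "hardcoded-secret: AWS key literal in src/config/aws.ts",
];
for (const c of CANDIDATES) console.log(c, judge(MODEL, c));
```

The third console.log finding lands at roughly 0.81 similarity to the ignored ones and is suppressed; the new SQL injection finding sits near 0.87 to a finding the team fixed and is kept; the hardcoded secret resembles nothing in the history and is kept by default. The fixed-beats-ignored rule is the important safety property: similarity to ignored noise alone must never be enough to hide a class of finding the team has shown it cares about.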

Results

154 patterns (up from 113 in v0.1)
First index: 4.0s on a 1,622-file production codebase
Incremental update: 60ms
7-file review: 780ms
Full PR (456 files): 12s
Multi-repo benchmarks: TypeScript, Next.js, Django
MIT licensed, 100% local, zero cloud dependencies