Agent Code Review Findings
Summary
Agent code reviews store the canonical model output as XML in artifact storage. The pull request inbox and review history load only review status, aggregate finding counts, and the artifact URI. Detailed finding bodies are loaded lazily when a user opens a review row that has one or more findings.
The Vue app does not parse raw XML. It calls the backend findings endpoint for one review record, and the backend loads the artifact, validates the XML contract, and returns typed reviewer and finding DTOs.
Clean Reviews
If a review record has zero aggregate findings and no source telemetry, the app does not request the findings artifact. The review body shows a compact success alert indicating that the pull request was clean of findings.
A clean review that still consulted the knowledge base does request its findings response, because that response also carries the source telemetry used to render the "Sources consulted" panel. The backend returns the telemetry without opening the (empty) findings artifact, so a clean review still avoids the artifact read.
The clean success alert is shown only for completed reviews. Failed reviews show a warning alert, and non-completed zero-count reviews show an in-progress state instead of claiming the pull request is clean.
Clean reviews do not show severity tabs, XML messaging, or artifact placeholders. This keeps the common "no findings" state quick to scan.
Detailed Findings
Reviews with findings are displayed by severity:
- Critical
- Major
- Minor
- Suggestion
- Comment
Within each severity tab, findings are grouped by reviewer facet and reviewer agent. Reviewer facet bodies are collapsible; the first reviewer section in each severity tab opens by default, and additional reviewer sections start collapsed. Each reviewer section can copy reconstructed XML guidance to the clipboard. Each finding shows the severity, summary, repository-relative file location, optional line and diff side, and body text.
Data Flow
User opens review row
-> store checks aggregate finding count and hasSourceTelemetry
-> zero findings and no telemetry: render success alert and stop
-> otherwise: call generated CodeReviews.getCodeReviewFindings
-> backend checks organization membership and review partition key
-> backend reads FindingsStorageUri through ICodeReviewArtifactStore (only when findings exist)
-> backend validates XML with CodeReviewXmlOutputValidator
-> backend deserializes source telemetry from the review record
-> frontend renders typed reviewer/finding DTOs and the sources panel
The endpoint requires both the review id and createdAtUtc partition timestamp. This matches the rest of the code-review API and avoids cross-partition id scans.
Local MCP Reviews
Coding agents can request the same expert reviewer agents before a pull request is pushed by using the expert_code_review MCP tool. This path reviews a local unified git diff instead of a GitHub pull request snapshot.
The flow has three steps:
- Call
expert_code_reviewwithaction=create_upload_url. - Write a raw diff locally and upload it with the returned
curl --data-binarycommand. - Call
expert_code_reviewwithaction=run_review, the returnedjobId, the returneduploadToken,ownerQualifiedRepoName, and optional title and description context.
The MCP response returns the canonical <reviews> XML directly to the local agent. It also includes instructions telling the agent to evaluate each finding, plan concrete fixes, and provide context if it asks for a follow-up review.
Uploaded diffs are limited by CodeReview.DiffUploadMaxBytes, stored temporarily, and deleted after a review run attempt finishes. Re-uploading to the same upload URL before expiry overwrites the previous diff for that job.
If the repository is configured in Zeeq, repository file filters and configured reviewer agents apply. If the repository is not mapped, Zeeq still runs the built-in principal software engineer reviewer so local review remains available for ad hoc repositories.
Storage Rule
The durable source of detailed review output is the artifact referenced by FindingsStorageUri; the application only hydrates that artifact on demand.
The review record's SourceTelemetryPayload column holds the compact source telemetry snapshot — which knowledge-base documents and snippets the reviewers consulted — captured for both completed and failed runs. It is display and durable-capture data, not the finding bodies.
Local MCP reviews are intentionally not durable CodeReviewRecord rows. They return XML on the MCP call path and clean up the uploaded diff immediately after the run attempt.