Open Code Review A AI-based CLI tool for code verification

The Open Source CI Code Review Agent. Open Code Review is an AI-based CLI tool for code verification. It was created as an internal official AI code review assistant of the Alibaba Group – in the last two years it has served tens of thousands of developers and identified millions of code errors. After a thorough and comprehensive validation, we developed an open source project for the community. Just configure a model endpoint to start. It reads Git dials, sends modified files to a configurable via an agent with tool usage functions LLM and generates structured review comments with precision at line level. The agent can read the entire file content, search the code base, check other modified files for context and create detailed checks – not only diffuse feedback on the surface. If you have all-purpose agents like Claude Code with Skills used for code verification, you are likely to have encountered these vulnerabilities:

- Complete coverage – For larger volumes of change, agents tend to make smears by selectively checking only a few files and overlooking others. - Position deviation – Reported problems often do not match the actual code position, as line numbers or file references differ from the target. - Instable quality skills based on natural language are difficult to debugging and the quality of the review fluctuates significantly in case of minor deviations in the prompts. The main cause: A purely language-controlled architecture lacks strict restrictions on the review process. The core philosophy of Open Code Review is to combine deterministic engineering with an agent that takes care of what he can best do. Deterministic Engineering – Hard limitations

The technical logic – not the language model – guarantees correctness in checking steps that cannot go wrong:

- Precise file selection – Defines exactly which files need to be checked and which are to be filtered to ensure that no important changes are overlooked. - Intelligent file bundling – Groups related files in a single check unit (e.g. message en.properties

andmessage zh.properties

are bundled). Each bundle is executed as a subagent with an isolated context – a dividend and conversation strategy that remains stable even with very large volumes of change and naturally supports simultaneous reviews. - Fine-grained rule matching – Adjusts check rules to the features of each file, keeping the attention of the model sharply focused and eliminating information noise at the source. Compared to the purely speech-controlled control, the control adjustment on template engine basis is more stable and predictable. - External positioning and reflection modules – Independent comment positioning and comment reflection modules systematically improve the location accuracy as well as the content accuracy of the AI feedback. Agent – Dynamic decision-making

The strengths of the agent are where they are most important – dynamic decisions and dynamic context retrieval:

- Command Prompts tailored to the scenario – Command Prompt Templates that are comprehensively optimized for code verification, thereby improving effectiveness and reducing token consumption at the same time. - Toolset – Distilled from a comprehensive analysis of tool-call traces in large production data – including call frequency distributions, repetition rates per tool and the impact of new tools on the entire call chain – resulting in a specially developed toolkit that is more stable and predictable for code verification than a generic agent toolkit. About NPM (recommended)

npm install -g @alibaba-group/open-code-review

After installation, the

The command is available globally. From GitHub-Version

Download the latest binary file from GitHub Releases:

♪ macOS (Apple Silicone

curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-darwin-arm64

chmod +x ocr && sudo mv ocr /usr/local/bin/ocr

# macOS (Intel)

curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-darwin-amd64

chmod +x ocr && sudo mv ocr /usr/local/bin/ocr

♪ Linux (x86 64)

curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-linux-amd64

chmod +x ocr && sudo mv ocr /usr/local/bin/ocr

# Linux (ARM64)

curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-linux-arm64

chmod +x ocr && sudo mv ocr /usr/local/bin/ocr

♪ Windows (x86 64) – move ocr.exe to a directory in your PATH

curl -Lo ocr.exe https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-windows-amd64.exe

# Windows (ARM64) – Move ocr.exe to a directory in your PATH

curl -Lo ocr.exe https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-windows-arm64.exe

From the source

Git-Klon https://github.com/alibaba/open-code-review.git

CD Open Code Review

building

sudo cp dist/opencodereview /usr/local/bin/ocr

1. Configuring LLM

You need to configure an LLM before checking the code. # Option A: Interactive configuration

ocr config set llm.url https://api.anthropic.com/v1/messages

ocr config set llm.auth token your-api-key-here

OCR Configuration Set llm.model claude-opus-4-6

ocr config set llm.use anthropic true

# Option B: environment variables (maximum priority)

Export OCR LLM URL=https://api.anthropic.com/v1/messages

export OCR LLM TOKEN=your-api-key-here

export OCR LLM MODEL=claude-opus-4-6

export OCR USE ANTHROPIC=true

The configuration is stored in ~/.opencodereview/config.json

. It is also compatible with Claude Code environment variables (ANTHROPIC BASE URL)

ANTHROPIC AUTH TOK

ANTHROPIC MODEL

) and analyses ~/.zshrc

/ ~/.bashrc

for these exports. Note for CC switch users: If you use CC switch with activated routing service, you can show

llm.url

to the CC-Switch-Proxy address without additional configuration:

- For Claude providers: discontinued

llm.url

tohttp://127.0.0.1:15721

- For CodeX providers: set

llm.url

tohttp://127.0.0.1:15721/v1

- Ready

llm.model

according to the settings of your providersllm.auth token

can be any valueextra body

The settings continue to apply

Two. Test Connectivity

OCR-LM test

3. Review

cd your project

# Workspace mode – check all provided, unprovided and unsuccessful changes

OCR review

# Branch area – Compare two references

OCR review – from the main branch to the feature branch

# Single Commit

ocr review --commit abc123

As a Slash command, OCR can be seamlessly integrated into AI encoding agents and enables the code check directly in your agent workflow. Use npx

How to install the OCR capability in your project:

Npx-Skills add alibaba/open-code-review --skill open-code-review

This will install the open code review

Skill from the Skills registration that teaches your programming agent how he calls OCR

Classify problems by priority for the code check and apply optional corrections. Install the command plugin for Claude Code using the following command in Claude Code:

/plugin marketplace alibaba/open-code-review add

/plugin install open-code-review@open-code-review

This will register /open-code-review:review

Slash command that performs OCR and automatically filters and fixes problems. For a quick setup without package manager, simply copy the command file to use /open code review

Slash command in Claude Code. Project level (shared by Git with the team):

mkdir -p .claude/commands

curl -o .claude/commands/open-code-review.md \

https://raw.githubusercontent.com/alibaba/open-code-review/main/plugins/open-code-review/commands/review.md

User level (personal global use across all projects):

mkdir -p ~/.claude/commands

curl -o ~/.claude/commands/open-code-review.md \

https://raw.githubusercontent.com/alibaba/open-code-review/main/plugins/open-code-review/commands/review.md

Prerequisite: All integration methods require

okr

CLI must be installed and an LLM must be configured. See “Install and configure LLM” above. OCR can CI/CD-Pipelines are integrated to automate the code check for Merge Requests/Pull Requests. The core command for CI integration:

OCR review \

--from "origin/main" \

--to "origin/feature-branch" \

--format json

--format json

Flag outputs machine-readable results that are suitable for parsing in CI scripts. See examples/

List of examples of integration:

github actions/

– GitHub Actions-Integrationsmustergitlab ci/

– GitLab CI-integration example

| Command | Alias | Description |

|-----------

OCR Review |

ocr r

Start a code check |

Check OCR Rules |

— | Preview which check rule applies to a file path |

ocr config set |

— | Set configuration values |

OCR-LM test |

— test LLM connectivity |

OCR viewer |

ocr v |

Start the WebUI Session Viewer on localhost:5483 |

OCR version |

— | View version info |

| Flag | Brief | Standard | Description |

|-------------

--repo

— | current directory | root directory of the Git repository |

--of |

— | — Source reference (e.g. main ) |

--to |

— | — target reference (e.g. feature-branch ) |

--commit

-c |

— | Single Commit to review |

--preview |

-p |

wrong |

Preview the files that are checked without running the LLM |

--format |

-f |

Text |

Output format: text or JSON |

--concurrency

— | 8 |

Max. simultaneous file checks |

--timeout

— 10 |

Overtime with simultaneous task in minutes |

--audience

— human being

Human (show progress) or agent (only summary) |

--rule |

— | — | path to custom JSON- Checking rules |

--max-tools

— | built-in | Max. Tool call rounds per file; only becomes effective if greater than the default template value |

--max-git-procs |

— | built-in | Max. simultaneous Git subprocesses |

--tools

— | — | Path to custom JSON tool configuration |

# Preview the files to be checked (no LLM calls)

OCR Review – Preview

OCR review -c abc123 -p

# Check You workspace changes with default settings

OCR review

# Check the branch difference with higher parallelity

ocr review – from main – to my-feature – concurrency 4

# Check a specific commit with detailed JSON output

ocr review --commit abc123 --format json --audience agent

# Use custom review rules

OCR review --rule /path/to/my-rules.json

# Preview which rule applies to a file

OCR rules check src/main/java/com/example/Foo.java

OCR Control --rule custom.json src/main/resources/mapper/UserMapper.xml

# See the progress of the review session in the browser

OCR viewer

OCR Viewer --addr:3000

The viewer provides session JSONL content (LLM request messages and responses) via HTTP. It forces a host header registration list at each request: loopback names (localhost)

, 127.0.0/8

::1

) and the specific Bind host are always permitted. Placeholder bindings (-addr :3000

, --addr 0.0.0.0:3000

) and other non-loopback host names must be added via OCR VIEWER ALLOWED HOSTS

Environment variable (separated by comma):

OCR VIEWER ALLOWED HOSTS=review.internal,ocr.lan ocr viewer --addr :3000

This blocks DNS-release attacks against the local viewer. OCR resolves review rules using a four-stage priority chain. Each level uses “First Match Wins”: If a file path matches a pattern, this rule is used; otherwise it falls into the next layer. | Priority | Source | Path | Description |

|-------------

| 1 (highest) | --rule Flag |

Path specified by user | CLI-explizite overwriting |

| 2 | Project configuration | /.opencodereview/rule.json |

Project-specific rules, can be passed to git |

| 3 | Global configuration | ~/.opencodereview/rule.json |

User-wide personal preferences |

| 4 (lowest) | System standard | Embedded system rules.json |

Integrated rules for common languages and file types |

Layers 1–3 use the same JSON format:

♪

‘Rules’:

♪

‘path’ means ‘force-api/**/*.java’;

‘Rule’: ‘All new methods must validate necessary parameters to zero values’

},

♪

"path": "**/*mapper*.xml",

‘rule’: ‘Check SQL on injection risks, parameter errors and missing closing tags.’

}

]

}

Path

supported* *

recursive balance and {java,kt}

Clamp extension. – Within each level, the rules in the declaration sequence are evaluated – the first match is obtained. – If a rule file is not present, it will be tacitly skipped. Configuration file: ~/.opencodereview/config.json

| Key | Enter an example |

|-----------

llm.url |

string | https://api.openai.com/v1/chat/completions |

llm.auth token |

string | sk-xxxx |

llm.model |

string | claude-opus-4-6 |

llm.use anthropic |

boolean value | true | wrong |

Language |

string | English | Chinese (standard: Chinese) |

telemetry.activated |

boolean value | true | wrong |

telemetry.exporter |

string | Console | otlp |

telemetry.otlp endpoint |

string | OTLP collector address |

telemetry.content logging

Boolean value | Include command requests in telemetry |

Environment variables have priority over the configuration file. | Variable | Purpose

|--|--|

OCR LLM URL

LLMAPI- Endpoint URL

OCR LLM TOKEN

API key/authentication key |

OCR LLM MODEL

Model name |

OCR USE ANTHROPIC |

true = Anthropic, false = OpenAI |

OpenTelemetry integration for observability (spans, metrics). By default disabled. ocr config set telemetry.enabled true

ocr config set telemetry.exporter otlp

ocr config set telemetry.otlp endpoint localhost:4317

Set telemetry.content logging

to include LLM input requests and responses in exported data. CONTRIBUTING.md provides information on the development facility, coding policies and the transmission of pull requests. Apache-2.0 – Copyright 2026 Alibaba