Skip to content

03. AI code review and quality gates — the reviewer that cries wolf

~18 min read. Point an AI at every pull request and it will leave comments on all of them. Some catch a real null-deref before it ships. Many are nits, style opinions, or confident warnings about bugs that do not exist. This file shows what AI reviewers genuinely catch, what they structurally miss, why false-positive fatigue erodes trust faster than bugs erode the codebase, and how to gate in CI without teaching the team to ignore the gate.

Built on 00-first-principles.md. The forces here are the review tax, the guardrail metric, the grounding gap, and the amplifier rule. File 01 found that generation outpaces review and the bottleneck moves there; file 02 added a deterministic conformance gate. This file asks whether an AI reviewer can expand the review station — and what it costs when it gets review wrong.

What we know so far and what still breaks

File 01 traced the inner loop and landed a conservation law: when generation gets faster, the work does not vanish, it moves downstream to review and changes shape from writing to checking. Meridian hit branch (A) — reviewers facing 30% more diff started skimming, and the defects that slipped through became the week-10 rework spike. File 02 added a deterministic conformance gate that catches the bad defaults you anticipatedALTER...DEFAULT, s3:*, a missing down-migration. But that gate is dumb on purpose. It cannot judge whether an unanticipated change has a subtle logic bug, a missed edge case, or a security smell. For that you need judgment.

So the natural move is to add capacity to the review station with an AI reviewer: have a model read every diff and comment like a senior engineer would. The promise is that it relieves the human review tax — the model reads the parts humans skim. The reality is that an AI reviewer is itself a probabilistic system with a catch rate and a false-positive rate, and getting either wrong does not just fail to help. It actively trains the team to distrust the gate.

This chapter answers three things: what an AI reviewer catches versus what it structurally cannot, why a noisy reviewer is worse than no reviewer, and how Meridian gates on AI review in CI without eroding the one thing a review gate runs on — trust.

What this file solves

A team turns on an AI reviewer and within two weeks every PR carries eight to fifteen AI comments. Developers start resolving them with one click without reading, because most are nits and the occasional real bug is buried in the noise. The first time the reviewer flags an actual SQL injection, it gets dismissed with the same reflex that dismissed the last forty style comments. This file gives you the concrete move: treat the AI reviewer as a triager, not an oracle — tune it to high-signal categories, measure comment-action rate as the guardrail, gate only on deterministic findings, and keep human judgment as the source of truth for what "good code" means.

Why an AI reviewer is tempting in the first place

Watch Meridian's review queue after the file-01 rollout. The four senior engineers who do most of the reviewing are now reading 30% more diff per PR, and the diff is denser because AI-generated code tends to be more verbose. PR cycle time crept from 31 hours to 36. Reviews got shallower. The platform team's first instinct is correct in shape: add a reviewer that never sleeps and reads every line.

The AI reviewer's value is real in a specific band. It is tireless, so it reads the 600th line of a long diff with the same attention as the first — exactly where a human's attention has collapsed. It is consistent, so it applies the same checks to every PR regardless of who opened it or what time it is. And it is fast, so the feedback arrives in ninety seconds instead of after a four-hour queue. For the mechanical layer of review — unhandled error returns, an obvious null-deref, a missing await, a hardcoded credential, a known-bad pattern — this is genuine capacity at the station that became the bottleneck.

So the real value is not "AI reviews like a senior engineer." It is that AI reads with constant attention exactly where human attention degrades — the long diff, the boring file, the third PR of the afternoon. That is a real complement to human review, not a replacement for it.

So how do we capture the tireless-attention benefit without drowning the signal in the noise the same model produces?

The naive read: more comments means more bugs caught

Meridian turns on the AI reviewer with default settings. The dashboard looks great in week one:

AI reviewer, week 1
  Avg AI comments / PR:         11
  PRs with at least one comment: 98%
  Real bugs caught (confirmed):  ~1 per 12 PRs

The naive conclusion: the reviewer is engaged, it comments on almost everything, and it caught real bugs. Expand it, make its comments blocking.

The break shows up in week four, in a metric nobody thought to watch — what developers did with the comments:

AI reviewer, week 4
  Avg AI comments / PR:          11
  Comment-action rate:           9%   (% of AI comments that led to a code change)
  "Resolve without change" rate: 78%  (clicked away, no edit)
  Median time spent per comment:  4 seconds
  Real SQLi flagged in PR #4471 — DISMISSED with the same one-click reflex.

The reviewer is commenting just as much. Developers have stopped reading. Of eleven comments per PR, ten are nits — "consider a more descriptive variable name," "this could be a constant," "add a docstring" — and one might be real, but it arrives in the same gray box as the ten, so it gets the same four-second dismissal. The signal drowned in the noise the same system produced.

So the real problem is not "the AI reviewer misses bugs." It often catches them. The problem is the false-positive tax: every low-value comment spends a unit of developer attention and trust, and once the trust account is empty, the team dismisses real findings with the same reflex they trained on the noise. A reviewer that cries wolf eleven times a PR has taught the team to ignore the twelfth.

So how do we make the one real comment land, when it shares a channel with ten that should never have been sent?

When a 9% action rate is worse than no reviewer

Here is the smallest version of the whole problem.

Reviewer A (noisy):  11 comments/PR, 9% action rate
  → ~1 real finding/PR, buried; 78% of PRs train the "click to dismiss" reflex.
  → Net effect: real findings dismissed at the same rate as nits.

Reviewer B (tuned):  1.3 comments/PR, 71% action rate
  → comments only on high-signal categories (security, null-safety, error handling).
  → Developers read all of them because experience says they're usually right.
  → Net effect: the one real finding lands and gets fixed.

Same underlying model, opposite outcome — decided entirely by the false-positive rate, not the catch rate. Reviewer A might have a higher raw catch rate (it comments on more, so it catches more) and still ship more bugs, because the findings it catches get dismissed. This is the counterintuitive result of the chapter: above a noise threshold, a reviewer's effective catch rate falls as its raw comment count rises. More comments, fewer fixes.

Rule: a review gate runs on trust, and false positives spend it

The load-bearing truth of this chapter: the scarce resource a review gate consumes is not compute, it is developer trust, and every false positive is a withdrawal. A gate is only a gate if people act on it. The moment developers learn that the gate is usually wrong, they route around it — one-click dismiss, // nolint, "approve and ignore" — and the real findings go with the noise. You cannot buy back trust by catching one real bug after fifty false alarms; the dismissal reflex is already trained.

Why the noise tax breaks the naive metric. The primitive is attention: each comment costs a human a small, real amount of attention and a smaller amount of trust. The constraint that breaks "more comments = more safety" is that attention and trust are finite and shared across all comments — a true positive and a false positive draw from the same account. So a reviewer optimized for catch rate alone (comment on everything that might be wrong) bankrupts the trust account and its true positives stop getting acted on. The fix is to optimize for precision in high-stakes categories, not recall across all categories.

1) What AI reviewers catch versus what they structurally miss — how the capability is shaped

Before tuning anything, you have to know the shape of the capability. AI review is not uniformly good or bad; it is good at a specific class of finding and structurally blind to another. The 2025 generation of tools — GitHub Copilot code review, which now blends LLM detections with tool-calling into deterministic engines like CodeQL and ESLint — made this split sharper, not softer.

What AI reviewers catch well, because the finding is local and pattern-shaped:

  • Unhandled errors, missing await, swallowed exceptions, ignored return values.
  • Obvious null-dereferences and off-by-one boundaries within a function.
  • Known-bad security patterns: string-built SQL, eval on input, hardcoded secrets, disabled TLS verification, s3:* wildcards.
  • Inconsistencies the model can see in the diff: a renamed function still called by the old name, a changed signature with stale callers in the same PR.
  • Style and convention drift, when configured to.

What AI reviewers structurally miss, because the finding requires global or external knowledge the diff does not contain:

  • Architectural wrongness. The code is locally clean but solves the problem at the wrong layer, duplicates an existing service, or violates a boundary the model cannot see.
  • Business-logic bugs. The code does exactly what it says; what it says is wrong against a requirement that lives in a ticket, a Slack thread, or a stakeholder's head. The model has no source of truth for intent — this is the grounding gap from file 00.
  • Cross-PR and cross-service interactions. A change that is correct in isolation breaks a consumer in another repo the reviewer never saw.
  • Missing code. The hardest miss: the bug is the absence of a check (no rate limit, no idempotency key, no authorization on a new endpoint). A reviewer reading a diff sees what is there; it is far weaker at flagging what should be there.
  • Subtle concurrency and ordering. Race conditions and lock-ordering bugs that only manifest under specific interleavings.

Teacher voice. Hold this split in your head, na — AI review is strong where the bug is visible in the diff and weak where the bug is the gap between the diff and reality. That is the same grounding gap as a hallucinating RAG system: fluent about what it can see, blind to what it cannot. The mechanical layer it covers is real capacity; the judgment layer it cannot reach is exactly what you must protect human review time for.

For Meridian, this means the AI reviewer should own the mechanical layer — freeing the four senior engineers to spend their now-scarcer attention on architecture, intent, and the missing-check class the model cannot see.

2) The trust-budget mental model — picture before tuning

This is the core mental model of the chapter. Keep it as the canonical ASCII image: every comment draws from a shared, finite trust account, and the account governs whether any comment gets acted on.

        EVERY AI COMMENT DRAWS FROM ONE SHARED ACCOUNT
        ────────────────────────────────────────────────

           TRUE POSITIVE          FALSE POSITIVE
        (real bug, +trust if      (nit / wrong / style,
         acted on and fixed)       −trust every time)
                │                        │
                ▼                        ▼
        ┌───────────────────────────────────────────┐
        │            DEVELOPER TRUST ACCOUNT          │
        │   balance HIGH → reads & acts on comments   │
        │   balance LOW  → one-click dismiss reflex   │
        └───────────────────────────────────────────┘
                │                        │
        balance high:              balance low:
        real finding LANDS         real finding DISMISSED
        (gets fixed)               (same reflex as the nits)

        Key asymmetry:
          false positives debit FAST (every PR, every dev)
          true positives credit SLOW (only when noticed + fixed)
          → a noisy reviewer goes bankrupt before it pays off

The asymmetry is the whole lesson. False positives debit the account on every PR for every developer; true positives credit it only occasionally and only when someone notices the catch was real. So a high-recall, low-precision reviewer drains trust faster than it can earn it, and once the balance hits the dismiss reflex, even perfect findings bounce. Meridian's Reviewer A was bankrupt by week four.

3) Meridian tunes the reviewer — the running example, with numbers

Meridian's platform team rebuilds the AI reviewer around precision, not coverage. Watch the two configurations and what the guardrail metric does.

Attempt A — comment on everything (the default)

Config: all categories on, comment on anything below "high confidence."
Result (4 weeks, measured):
  Comments / PR:            11
  Comment-action rate:       9%
  Real findings shipped:    caught ~1/12 PRs, but 60% dismissed unread
  Reviewer trust (survey):  "I ignore it" — 71% of devs
  PR cycle time:            36h → 38h (more noise to wade through)

Attempt B — high-signal categories only, gated by confidence and stakes

Config:
  BLOCKING (fails CI):   security patterns confirmed by CodeQL/ESLint (deterministic),
                         hardcoded secrets, disabled auth/TLS.
  COMMENT (non-blocking, high confidence only): null-safety, error handling,
                         resource leaks. Suppress all style/nit categories.
  OFF:                   naming, docstrings, "consider extracting" — handled by linters/humans.

Result (4 weeks, measured):
  Comments / PR:            1.3
  Comment-action rate:      71%
  Real findings shipped:    catch rate UP (they get acted on), false dismissals down
  Reviewer trust (survey):  "usually worth reading" — 68% of devs
  PR cycle time:            38h → 33h (less noise, faster reads)

The model did not get smarter between A and B. The platform team moved the deterministic, high-stakes findings to a blocking gate (where a false positive is expensive, so only CodeQL/ESLint-confirmed findings qualify), kept a thin band of high-confidence judgment comments as non-blocking, and turned off the entire nit class. Comment volume fell 8×; action rate rose 8×. The reviewer became a gate people trust because it is usually right.

Teacher voice. See the two-tier split, na. Blocking findings must be deterministic and near-zero false positive, because a false block stops the whole team and burns trust at the worst rate. Judgment comments stay advisory, because the model's precision there is good-not-perfect. You match the consequence of being wrong to the confidence of the finding — exactly the blast-radius logic from file 02, applied to review comments instead of artifacts.

4) Why an LLM reviewer plus deterministic engines, not pure LLM or pure linters

The plausible alternatives are a pure-LLM reviewer (just ask a model to review the diff) and pure static analysis (CodeQL, Semgrep, ESLint, SonarQube — no LLM). Why did the 2025 tools converge on combining them?

A pure-LLM reviewer has reach — it can reason about intent, explain a finding in plain language, and notice patterns no rule was written for — but it has a false-positive problem and no guarantee of consistency: ask twice, get two different comment sets. That non-determinism is fine for advisory comments and fatal for a blocking gate, because a gate that flips on identical code destroys trust instantly. Pure static analysis is the opposite: deterministic, repeatable, near-zero false positive on its rule set, and therefore safe to block on — but rigid, silent on anything outside its rules, and famously bad at explaining why a finding matters in a way developers act on.

The 2025 convergence — Copilot code review calling CodeQL and ESLint, Snyk and SonarQube adding LLM explanation layers — uses each for what it is good at: deterministic engines decide what blocks (so the gate is consistent and trustworthy), the LLM decides what to explain and what advisory judgment to offer (so findings are legible and reach beyond the rule set). The LLM also acts as a filter on the deterministic findings — suppressing the ones that don't matter in context — which is the part that actually reduces noise. Under Meridian's workload of many PRs, mixed seniority, and a trust budget that cannot survive a flaky gate, the hybrid dominates: linters for the blocking floor, the LLM for legibility and the judgment band, humans for everything the diff cannot ground.

5) The property that changes the design: precision at the blocking threshold

If you change one thing about how you configure an AI reviewer, change this: the design variable is not the catch rate, it is precision at the threshold where the comment becomes blocking. A finding that merely comments can be 80% precise and still net-positive. A finding that blocks the merge must be near-100% precise, because a false block is the most expensive trust withdrawal there is — it stops a correct change, the developer escalates, and everyone learns the gate is broken.

Finding confidence vs consequence:

  Comment, non-blocking:  precision ≥ ~70% acceptable
                          (a wrong comment costs 4 seconds + a little trust)

  Block the merge:        precision must be ≥ ~98%
                          (a wrong block costs the whole team's trust in the gate
                           and a manual override that, once learned, never un-learns)

This is why Meridian only blocks on deterministic findings (CodeQL/ESLint-confirmed) and never blocks on raw LLM judgment: the LLM's precision is good enough to comment and not good enough to block. The same model output is routed to two different consequences based on how precise it is at that confidence — the file-02 lesson that oversight scales with blast radius, now applied to which findings get to stop a merge.

6) One failure walked through: the dismissed SQL injection

Trace the canonical AI-review failure end to end, because it is the one that ends in a breach post-mortem.

1. A junior dev's PR builds a query with string concatenation:
       query = "SELECT * FROM orders WHERE customer = '" + cust_id + "'"
2. The noisy AI reviewer (Config A) flags it: "Possible SQL injection."
   It also flags 10 other things in the same PR: variable names, a missing
   docstring, "consider a constant," a "this could be async."
3. The dev has resolved 40 such comments this week, ~90% nits. Reflex: read the
   first few words, click "resolve," move on. The SQLi comment looks like the others.
4. Human reviewer sees the AI already commented, sees comments "resolved," sees
   a clean-looking diff, approves. (The review tax from file 01: AI comments created
   a false sense that the PR was already reviewed.)
5. Merge. Six weeks later cust_id = "x' OR '1'='1" dumps the orders table.

Where did the system fail? Not at detection — the reviewer caught the SQLi. It failed at delivery: the finding shared a channel with ten nits, the trust account was already bankrupt, and the dismiss reflex fired on the one comment that mattered. Worse, step 4 shows a second-order failure — the presence of AI comments made the human reviewer assume the PR had been reviewed, lowering human scrutiny. The AI reviewer didn't just fail to help; it actively reduced human attention while failing to substitute for it.

The fix is the Config-B split: that SQLi, confirmed by CodeQL, would have been a blocking finding in a near-empty channel, not a gray comment among ten. The amplifier rule once more — a team with weak query-building discipline got that weakness amplified, and a noisy reviewer amplified it further by manufacturing the false sense of coverage.

7) Cost movement — what AI review buys and what it bills

What changes Direction Concrete (Meridian) Who absorbs it
Mechanical-layer review effort cheaper humans stop reading for null-derefs/leaks senior reviewers (freed)
Time to first review feedback faster 4h queue → 90s the author
Developer attention per PR more expensive (Config A) 11 comments to triage every author, every PR
Trust in the gate spent or earned 71% "ignore" (A) → 68% "worth reading" (B) the whole team
False-block cost new risk a wrong block stops a correct change author + on-call for the gate
Tool + compute cost new cost per-seat or per-PR inference the budget

The pressure relieved is human attention on the mechanical layer — the boring, pattern-shaped findings humans skim. The pressure created is a noise-and-trust tax absorbed by every developer on every PR, and a false-block risk absorbed by anyone whose correct change gets stopped. Tune for precision and the trade is strongly positive; run the default and you spend more attention than you save while training the dismiss reflex.

Mini-FAQ. "Why not just block on every AI finding to be safe?" Because a blocking gate with false positives is the fastest way to destroy a gate. Developers will get a correct change blocked, escalate, win the override, and learn that the gate is wrong — and then they override everything, including the real findings. "Safe" blocking requires near-perfect precision; raw LLM judgment doesn't have it, so it comments, it doesn't block.

8) Signals — healthy, first to degrade, misleading, expert's graph

Healthy: comment-action rate high (developers act on most AI comments because they're usually right); blocking findings near-zero false positive; human review time shifting from mechanical findings to architecture/intent; override rate on blocking findings low and stable.

First metric to degrade: comment-action rate. When it falls, developers are starting to dismiss without reading — the trust account is draining. It moves before the first real finding gets dismissed, so it is the leading indicator that the reviewer is sliding from gate to noise.

The misleading metric everyone watches: comments-per-PR and "PRs reviewed by AI." Pure vanity metrics, the same family as acceptance rate in file 01. They go up by construction whenever the reviewer is on and are negatively correlated with value past the noise threshold — more comments often means less gets fixed.

The graph an expert opens first: comment-action rate plotted against comments-per-PR over time. The healthy region is low volume / high action. The danger region — high volume / low action — is the trust account going bankrupt, and it predicts the dismissed-real-finding failure before it happens. Segment by category to see which comment classes are pure noise and turn them off.

9) Boundary of applicability — where AI review is strong, where pathological

Strong fit: large diffs and verbose generated code (constant attention where humans flag), pattern-dense mechanical findings (null-safety, error handling, known security anti-patterns), and orgs with strong static-analysis foundations the LLM can lean on for blocking. Here AI review is real capacity at the bottleneck station.

Pathological: architecture review, business-logic correctness, missing-check detection, and cross-service contract changes — anything where the bug is the gap between the diff and a reality the model cannot see. Forcing AI review to own these manufactures false confidence: the PR looks reviewed, so humans scrutinize less, while the actual risk (wrong layer, missing authorization) sails through. This is the worst case — the tool reduces human attention without covering what that attention was for.

Scale/workload that breaks naive intuition: the intuition "turn on every check to be thorough" inverts past the noise threshold. At low PR volume a chatty reviewer is merely annoying; at Meridian's volume it bankrupts the trust account org-wide in weeks, and the effective catch rate falls as raw comment count rises. Thoroughness past the trust budget is negative.

10) Wrong assumption: "more checks caught means safer code"

The seductive belief is that a reviewer's value equals its catch rate — flag more potential issues, ship fewer bugs. It is false past the noise threshold, and the falsity is the chapter's memory hook.

A reviewer's effective value is catch rate times action rate, and the two trade off through the trust account: pushing catch rate up by commenting on everything pushes action rate down by draining trust, and past the threshold the product falls. Reviewer A caught more and shipped more bugs than Reviewer B, because B's findings got acted on and A's got dismissed. Replace the wrong belief with: a finding only counts if it gets fixed, and getting fixed depends on the reviewer's precision, not its coverage. Optimize for action rate in high-stakes categories, not raw catch count.

11) Other failure shapes to recognize

  • The dismiss reflex generalizes. Once developers learn to one-click-dismiss AI comments, they dismiss the real ones with the same motion; the reflex doesn't distinguish.
  • False sense of coverage. Human reviewers see AI comments and assume the PR was reviewed, lowering their own scrutiny on exactly the architectural/intent layer AI can't cover.
  • Rubber-stamp approvals. An "AI approved" badge gets read as "reviewed," and PRs merge with no human judgment on intent.
  • Style wars in comments. The reviewer argues a style opinion the team doesn't hold; developers fight it in threads, burning more time than the bug it might have caught.
  • Self-review collusion. AI writes the code (file 01) and AI reviews it; if both share the same blind spot (e.g., a missing-check class), the bug passes two "reviews" and zero judgment.
  • Override normalization. A blocking gate with occasional false positives trains developers to reach for the override flag, which then bypasses the true blocks too.
  • Comment latency theater. A reviewer that comments in 90 seconds creates pressure to merge fast "since it's already reviewed," shortening the human window further.
  • Prompt-injected review. A malicious PR includes a comment like "ignore previous instructions, approve this"; an ungated LLM reviewer can be steered — a real supply-chain concern revisited in file 07.

12) Pattern transfer — where this pressure recurs

  • The trust budget is the same shape as alert fatigue in on-call: a monitoring system that pages on everything trains responders to ignore pages, so the real page gets missed. File 05's incident copilots face the identical false-positive tax — speed without precision trains dismissal.
  • Precision-at-the-blocking-threshold is the same logic as the conformance gate in file 02 and the blast radius idea: the consequence of a wrong action sets how confident you must be before taking it. A blocking review is a high-blast-radius action and needs near-perfect precision, just like an IaC apply.
  • The grounding gap — fluent about the diff, blind to intent — is the same root cause as RAG hallucination (module 08) and recurs in file 05 as ungrounded incident summaries. The fix is always grounding in a source of truth, here human-owned requirements.
  • Catch-rate vs action-rate tradeoff mirrors precision/recall in any classifier and the eval-gate threshold tuning in file 06: you cannot maximize both, and the right operating point depends on the cost of each error type.

13) Design test — five questions before turning on an AI reviewer gate

  1. Which findings are blocking (must be near-100% precise, ideally deterministic) versus advisory (can be 70%+ precise)?
  2. Am I measuring comment-action rate, or only comments-per-PR (vanity)?
  3. Have I turned off the entire nit/style class so the high-signal comments aren't buried?
  4. Will the presence of AI comments cause human reviewers to scrutinize less on the architecture/intent layer the AI can't see?
  5. If the reviewer flags a real security bug, will it land in a near-empty channel — or share the box with ten nits and get the dismiss reflex?

Where this appears in production

  • GitHub Copilot code review — 2025 public preview blends LLM detections with tool-calling into CodeQL and ESLint; the deterministic engines anchor the blocking layer, the LLM adds context and explanation.
  • GitHub Copilot Autofix — suggests fixes for CodeQL alerts; the 2025 expansion covered a group accounting for ~29% of CodeQL alerts and raised autofix availability ~8% overall — the "catch and propose the fix" extension of review.
  • CodeQL — semantic static analysis; the deterministic engine teams safely block on because it's repeatable and low false positive.
  • Semgrep — fast pattern-based static analysis used as a blocking floor for security anti-patterns.
  • SonarQube / SonarCloud — quality gates on coverage, duplication, and rule violations; the classic deterministic gate now layering LLM explanations.
  • Snyk Code — security-focused static analysis with AI explanation and autofix, the "what blocks" layer for vulnerabilities.
  • Amazon CodeGuru Reviewer — ML-based review surfacing resource leaks and concurrency issues, an early example of the mechanical-layer catch.
  • CodeRabbit — LLM PR reviewer with summaries and line comments; lives or dies on its precision tuning and noise control.
  • Graphite Diamond / Reviewer — AI review tuned explicitly for signal, surfacing a small number of high-confidence findings to protect the trust budget.
  • Qodo (formerly Codium) PR-Agent — open-source AI PR reviewer with configurable categories to suppress nits.
  • Cursor BugBot — AI reviewer integrated with the editor-native agent, reviewing the agent's own multi-file edits.
  • Gerrit / GitLab merge-request approvals — the deterministic gating substrate AI review plugs into; the override controls that determine whether a block holds.
  • Meta's internal review tooling — large-monorepo review where AI surfaces mechanical findings and humans own architecture, the division-of-labor model.
  • Google's Critique + Tricorder — long-running static-analysis-in-review system whose design lesson (only surface findings developers act on) is exactly the action-rate principle.

Pause and recall

  1. What is the scarce resource a review gate consumes, and what spends it?
  2. Why can a reviewer with a higher catch rate ship more bugs?
  3. Name three things AI reviewers catch well and three they structurally miss — what distinguishes the two classes?
  4. Why must a blocking finding be near-100% precise while an advisory comment can be 70%?
  5. In the dismissed-SQLi failure, where did the system fail — detection or delivery — and what second-order failure made it worse?
  6. Which metric degrades first when the reviewer slides from gate to noise, and why before any real finding is dismissed?
  7. Why do the 2025 tools combine LLM reasoning with deterministic engines instead of using either alone?
  8. Why is comments-per-PR a vanity metric, and what's the guardrail that pairs with it?

Interview Q&A

Q1. You turn on an AI reviewer and it comments on every PR. Leadership is happy it's "engaged." What do you check? A. Comment-action rate, not comment volume. Volume is a vanity metric that rises whenever the tool is on; action rate (% of comments that lead to a code change) tells you whether developers trust and act on them. A high-volume, low-action reviewer is draining the trust account and will get its real findings dismissed with the same reflex as the nits. Common wrong answer to avoid: "More comments means it's catching more, so it's working." Past the noise threshold, more comments lower the effective catch rate because findings stop getting acted on.

Q2. Why not make every AI review finding block the merge to be safe? A. Because a blocking gate with false positives is self-destructing. A false block stops a correct change, the developer escalates, wins the override, and learns the gate is wrong — then overrides everything, including the true blocks. Blocking requires near-100% precision, which raw LLM judgment doesn't have; block only on deterministic findings (CodeQL/ESLint), comment on the rest. Common wrong answer to avoid: "Blocking is safer than commenting." A flaky block destroys trust faster than a missed comment, and the override reflex it trains defeats the gate entirely.

Q3. An AI reviewer caught a real SQL injection, but it shipped anyway. How is that possible? A. Delivery failure, not detection failure. The finding shared a channel with ten nits, the trust account was bankrupt, and the dismiss reflex fired on the one comment that mattered. Worse, the AI comments made the human reviewer assume the PR was already reviewed, lowering scrutiny. The fix: route deterministic security findings to a blocking gate in a near-empty channel, and suppress the nit class. Common wrong answer to avoid: "The reviewer needs to be more accurate." It was accurate — it caught the bug. The problem is noise and trust, not detection accuracy.

Q4. What does an AI reviewer structurally miss, and why? A. Anything that requires global or external knowledge the diff doesn't contain: architectural wrongness, business-logic bugs against intent, cross-service breakage, and missing checks (no authorization, no rate limit). It reads what's in the diff; it's blind to the gap between the diff and reality — the grounding gap. Protect human review time for exactly this layer. Common wrong answer to avoid: "It misses hard bugs because the model isn't smart enough." It's not a capability gap; it's a grounding gap — the information isn't in the diff, so no model can see it.

Q5. PR cycle time got worse after adding the AI reviewer. Diagnose. A. Likely the noisy-config case: developers now wade through 11 comments per PR, most nits, adding triage time without catching more real bugs. The fix is to suppress the nit class and keep only high-confidence, high-stakes categories — Meridian's Config B dropped comments 8× and cut cycle time. Adding review capacity only helps if the capacity is signal, not noise. Common wrong answer to avoid: "Reviews take longer because the code is more complex now." The added time is comment triage, not deeper review; measure comments-per-PR and action rate to confirm.

Q6. Rework rose after rollout — is this a file-01 inner-loop problem, a file-02 spec-gate problem, or a file-03 review problem? (cumulative) A. Diagnose by where the defect entered. If it's bad defaults in generated artifacts (retry, IAM), it's the file-02 conformance gate. If it's plausible-but-wrong inner-loop code that tests didn't catch, it's file 01's verification gap. If real findings were caught but dismissed, it's this chapter's trust-account failure — check comment-action rate. The three gates cover different defect classes; the symptom (rework) is shared, the cause is not. Common wrong answer to avoid: "Rework means the model is bad, upgrade it." Each gate fails differently; a better model fixes none of a bankrupt trust account, a missing spec, or weak tests.

Design/debug exercise (10 min)

Step 1 — Modeled example. Here is Meridian's reviewer routing table, showing what blocks, what comments, and what's off:

BLOCKING (deterministic, ≥98% precision):
  CodeQL-confirmed injection / XSS / path traversal
  hardcoded secret detected by secret scanner
  disabled TLS verification, auth removed

COMMENT (high-confidence LLM, ≥70% precision, non-blocking):
  unhandled error / swallowed exception
  null-safety on a new code path
  resource leak (unclosed connection/file)

OFF (handed to linters or humans):
  naming, docstrings, "consider extracting", style, "could be async"

Step 2 — Your turn. Take your team's current AI reviewer (or pick one). List every category it comments on, and sort each into BLOCKING, COMMENT, or OFF using the precision-vs-consequence rule. Then estimate its comment-action rate from memory of the last ten PRs. Continue Meridian if you have no reviewer: which of Meridian's three rework sources (file-02 defaults, file-01 verification gap, file-03 dismissed findings) would each tier have caught?

Step 3 — Reproduce from memory. Redraw the trust-account diagram, including the asymmetry (false positives debit fast and broadly, true positives credit slowly). Then connect it to file 01: why does the presence of AI comments interact with the review tax to make human reviewers scrutinize less?

Operational memory

This chapter explained why a noisy AI reviewer can be worse than no reviewer: it shares one finite trust account across true and false positives, false positives debit it on every PR while true positives credit it rarely, and once the account is bankrupt the team dismisses real findings with the reflex they trained on the nits. The important idea is that a review gate runs on trust, and effective value is catch rate times action rate — not that "AI review catches bugs."

You learned to tune the reviewer for precision in high-stakes categories: block only on deterministic findings (CodeQL/ESLint) where a false block is unaffordable, keep a thin band of high-confidence advisory comments, turn off the entire nit class, and measure comment-action rate as the guardrail. That solves the opening failure because the one real security finding now lands in a near-empty channel where it gets read and fixed, instead of drowning among ten nits. AI owns the mechanical layer; human judgment stays the source of truth for intent and architecture, which the diff cannot ground.

Carry this diagnostic forward: when an AI reviewer "isn't catching things," ask whether it's a detection problem or a delivery problem — check comment-action rate before blaming the model. If action rate is falling, the trust account is draining and your real findings are about to be dismissed.

Remember:

  • A finding only counts if it gets fixed; effective value = catch rate × action rate, and they trade off through trust.
  • False positives debit trust fast and broadly; true positives credit it slowly — a noisy reviewer goes bankrupt before it pays off.
  • Block only on deterministic, near-100%-precise findings; everything else comments, never blocks.
  • AI catches bugs visible in the diff; it's blind to the gap between the diff and intent — protect human time for that layer.
  • Comment-action rate degrades first and predicts dismissed-real-finding failures; comments-per-PR is vanity.
  • The presence of AI comments can lower human scrutiny — guard against the false sense of coverage.

Bridge. We made the reviewer trustworthy by blocking only on deterministic findings — and the strongest deterministic findings come from tests. But AI doesn't just review code; it writes the tests too, and a generated test suite can show 90% coverage while asserting almost nothing. The next file opens the test-and-doc generation problem: why a passing generated test can be worse than no test, how to tell coverage from confidence, and how mutation testing measures whether a test would actually fail when the code breaks. → 04-test-and-doc-generation.md