[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-cloudflare-ai-code-review-at-scale-en":3,"tags-cloudflare-ai-code-review-at-scale-en":30,"related-lang-cloudflare-ai-code-review-at-scale-en":41,"related-posts-cloudflare-ai-code-review-at-scale-en":45,"series-industry-b75f695d-d4b4-4c9f-868f-22b9131944b8":82},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":18,"translated_content":10,"views":19,"is_premium":20,"created_at":21,"updated_at":21,"cover_image":11,"published_at":22,"rewrite_status":23,"rewrite_error":10,"rewritten_from_id":24,"slug":25,"category":26,"related_article_id":27,"status":28,"google_indexed_at":29,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":10,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":20},"b75f695d-d4b4-4c9f-868f-22b9131944b8","How Cloudflare runs AI code review at scale","\u003Cp data-speakable=\"summary\">\u003Ca href=\"\u002Ftag\u002Fcloudflare\">Cloudflare\u003C\u002Fa> built a CI-native AI review system that scans merge requests with up to seven specialist \u003Ca href=\"\u002Ftag\u002Fagents\">agents\u003C\u002Fa>.\u003C\u002Fp>\u003Cp>Cloudflare says its internal review system now processes tens of thousands of merge requests and replaces the usual single-model prompt with a coordinator plus specialist agents. 
The company built it because first-review waits were often measured in hours, and generic AI comments were too noisy to trust.\u003C\u002Fp>\u003Ctable>\u003Cthead>\u003Ctr>\u003Cth>Metric\u003C\u002Fth>\u003Cth>Value\u003C\u002Fth>\u003Cth>Why it matters\u003C\u002Fth>\u003C\u002Ftr>\u003C\u002Fthead>\u003Ctbody>\u003Ctr>\u003Ctd>Specialist reviewers\u003C\u002Ftd>\u003Ctd>Up to 7\u003C\u002Ftd>\u003Ctd>Splits security, quality, docs, release, and policy checks\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Internal pull requests upstream\u003C\u002Ftd>\u003Ctd>45+\u003C\u002Ftd>\u003Ctd>Shows Cloudflare is actively shaping \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fopencode-ai\u002Fopencode\" target=\"_blank\" rel=\"noopener\">OpenCode\u003C\u002Fa>\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Buffering interval\u003C\u002Ftd>\u003Ctd>100 lines or 50 ms\u003C\u002Ftd>\u003Ctd>Limits disk churn in the streaming pipeline\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Heartbeat interval\u003C\u002Ftd>\u003Ctd>30 seconds\u003C\u002Ftd>\u003Ctd>Prevents users from thinking the job froze\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Heap cap\u003C\u002Ftd>\u003Ctd>2.5 GB\u003C\u002Ftd>\u003Ctd>Protects the coordinator process from runaway memory use\u003C\u002Ftd>\u003C\u002Ftr>\u003C\u002Ftbody>\u003C\u002Ftable>\u003Ch2>Why Cloudflare rejected the one-big-prompt approach\u003C\u002Fh2>\u003Cp>The first version of AI review looked like what most teams try: feed the diff to a model and ask for bugs. 
Cloudflare found the output was noisy, repetitive, and full of false alarms, including hallucinated syntax errors and generic advice about error handling that already existed in the code.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1777872650319-i27f.png\" alt=\"How Cloudflare runs AI code review at scale\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>That failure matters because code review is already a bottleneck. A merge request waits, a human reviewer switches context, and the author ends up in a back-and-forth over small issues before anyone gets to the real risk. If an AI reviewer adds more noise than signal, it slows the queue instead of clearing it.\u003C\u002Fp>\u003Cp>Cloudflare’s answer was to stop treating review as a single prompt problem and treat it as an orchestration problem. The system now runs inside CI, uses \u003Ca href=\"https:\u002F\u002Fblog.cloudflare.com\u002Fai-gateway\u002F\" target=\"_blank\" rel=\"noopener\">Cloudflare AI Gateway\u003C\u002Fa> for model routing, and relies on \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fopencode-ai\u002Fopencode\" target=\"_blank\" rel=\"noopener\">OpenCode\u003C\u002Fa> as the core \u003Ca href=\"\u002Fnews\u002Fcoding-agent-skills-form-factor-shift-en\">coding agent\u003C\u002Fa> rather than building a custom monolith.\u003C\u002Fp>\u003Cul>\u003Cli>The system supports GitLab today, with room for other VCS providers later.\u003C\u002Fli>\u003Cli>It isolates provider-specific logic so the GitLab plugin does not care about AI routing.\u003C\u002Fli>\u003Cli>It keeps internal policy checks separate from model selection.\u003C\u002Fli>\u003Cli>It posts one structured review comment after deduplication and severity scoring.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>The plugin model is the real design choice\u003C\u002Fh2>\u003Cp>The 
smartest part of the setup is the plugin boundary. Each plugin owns one job: GitLab integration, AI provider configuration, internal compliance checks, observability, AGENTS.md validation, remote model overrides, and telemetry. That separation keeps the system from turning into a pile of cross-dependencies that only one engineer understands.\u003C\u002Fp>\u003Cp>Cloudflare also made the lifecycle explicit. Bootstrap hooks run concurrently and can fail without killing the review. Configure hooks run sequentially and are fatal when a required dependency breaks. Post-configure hooks handle async work such as pulling remote overrides. That is a very practical way to keep a CI system predictable when dozens of repositories depend on it.\u003C\u002Fp>\u003Cblockquote>\u003Cp>\"The architecture: plugins all the way to the moon\" — Ryan Skidmore, Cloudflare\u003C\u002Fp>\u003C\u002Fblockquote>\u003Cp>The Cloudflare plugin model also keeps the final config assembly controlled. Plugins contribute through a context API, and the core system merges those contributions into the \u003Ccode>opencode.json\u003C\u002Fcode> file that OpenCode reads. No plugin gets direct access to the final object, which lowers the odds of one extension breaking another in subtle ways.\u003C\u002Fp>\u003Ch2>What the coordinator actually does\u003C\u002Fh2>\u003Cp>Cloudflare runs \u003Ca href=\"https:\u002F\u002Fbun.sh\" target=\"_blank\" rel=\"noopener\">Bun\u003C\u002Fa> as the process wrapper and starts the coordinator as a child process. It sends the prompt through stdin rather than as a command-line argument, which avoids the Linux \u003Ccode>ARG_MAX\u003C\u002Fcode> limit when merge requests get huge. 
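\u003C\u002Fp>\u003Cp>The stdin-plus-JSONL flow can be sketched in a few lines of Bun-style TypeScript. This is an illustrative sketch under the article’s description, not Cloudflare’s actual code: the \u003Ccode>opencode run\u003C\u002Fcode> invocation and the \u003Ccode>handleEvent\u003C\u002Fcode> helper are assumptions.\u003C\u002Fp>\u003Cpre>\u003Ccode>\u002F\u002F Illustrative sketch: spawn the coordinator, feed the prompt\n\u002F\u002F via stdin (avoids the Linux ARG_MAX limit on huge diffs),\n\u002F\u002F then consume stdout as JSONL, one event per line.\nfunction handleEvent(event: unknown) { console.log(event); }\n\nconst prompt = await Bun.file(\"review-prompt.txt\").text();\nconst proc = Bun.spawn([\"opencode\", \"run\"], { stdin: \"pipe\", stdout: \"pipe\" });\nproc.stdin.write(prompt);\nproc.stdin.end();\n\nlet carry = \"\";\nconst decoder = new TextDecoder();\nfor await (const chunk of proc.stdout) {\n  carry += decoder.decode(chunk, { stream: true });\n  const lines = carry.split(\"\\n\");\n  carry = lines.pop() ?? \"\";  \u002F\u002F keep any partial line for the next chunk\n  for (const line of lines) {\n    if (line.trim()) handleEvent(JSON.parse(line));\n  }\n}\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>Because each event is a complete line, a crash mid-review leaves every already-flushed line parseable, which is the failure-mode advantage the article describes.\u003C\u002Fp>\u003Cp>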
Output comes back as JSONL, so the system can read and act on each event as it arrives.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1777872658521-05ko.png\" alt=\"How Cloudflare runs AI code review at scale\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>That choice sounds boring until you think about failure modes. A normal JSON blob needs to close cleanly, which is a pain if a process crashes or gets killed mid-review. JSONL lets the pipeline keep moving line by line, which is much easier to debug and much safer for long-running jobs in CI.\u003C\u002Fp>\u003Cp>The coordinator watches for step events, token usage, errors, and truncation. If a model hits its token limit and returns with \u003Ccode>reason: \"length\"\u003C\u002Fcode>, the system retries. If there has been no output for a while, it prints a heartbeat line every 30 seconds so engineers do not assume the job is stuck.\u003C\u002Fp>\u003Cul>\u003Cli>Review output is buffered and flushed every 100 lines or 50 ms.\u003C\u002Fli>\u003Cli>Token usage is tracked from step finish events.\u003C\u002Fli>\u003Cli>Retries kick in when output is truncated.\u003C\u002Fli>\u003Cli>Heartbeat logs keep users from cancelling jobs that are still running.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>Why specialist reviewers beat one generalist\u003C\u002Fh2>\u003Cp>Cloudflare’s agents are narrow on purpose. The security reviewer only flags issues that are exploitable or concretely dangerous. The performance reviewer looks for real regressions. The documentation reviewer checks whether the change leaves future maintainers confused. The compliance reviewer checks against internal Engineering Codex rules. 
That kind of scoping is what keeps the system from producing the usual AI-review mush.\u003C\u002Fp>\u003Cp>This is also where the scale story becomes interesting. The company says the system now runs across tens of thousands of merge requests, approves clean code, catches serious bugs, and blocks merges when it sees security issues that matter. That is a much higher bar than “summarize the diff” or “leave some helpful comments.” It is closer to a gatekeeper than a note-taker.\u003C\u002Fp>\u003Cp>Cloudflare’s own numbers suggest the team is serious about keeping the stack maintainable too. Engineers have already landed more than 45 upstream pull requests in OpenCode, which means the review system is not a one-off internal hack. It is tied to an open-source project that Cloudflare can inspect, extend, and repair when the workflow changes.\u003C\u002Fp>\u003Ch2>What this means for teams building their own review bots\u003C\u002Fh2>\u003Cp>The lesson here is simple: AI code review works better when the product is an orchestration layer, not a giant prompt. Teams that want this to work at scale need clear plugin boundaries, structured output, good observability, and a way to separate policy from model behavior. Without those pieces, the reviewer becomes another source of friction.\u003C\u002Fp>\u003Cp>Cloudflare’s setup also shows that the hard part is operational, not just linguistic. You need retry logic, memory caps, streaming logs, provider abstraction, and a way to keep engineers informed while a model thinks. That is a very different job from asking an \u003Ca href=\"\u002Ftag\u002Fllm\">LLM\u003C\u002Fa> to summarize a diff and hoping for the best.\u003C\u002Fp>\u003Cp>The most useful takeaway is that AI review can earn a place in CI only if it behaves like infrastructure. 
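\u003C\u002Fp>\u003Cp>The truncation handling described earlier is a good example of that infrastructure mindset. A minimal sketch of the retry idea, with illustrative names rather than Cloudflare’s actual code:\u003C\u002Fp>\u003Cpre>\u003Ccode>\u002F\u002F Illustrative sketch: rerun a review step when the model stops\n\u002F\u002F with finish reason \"length\", i.e. the output came back truncated.\nasync function runWithRetry(step, maxRetries = 2) {\n  for (let attempt = 0; ; attempt++) {\n    const result = await step();  \u002F\u002F { reason, text } parsed from a JSONL event\n    if (result.reason !== \"length\") return result;\n    if (attempt >= maxRetries) throw new Error(\"review output still truncated\");\n  }\n}\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>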
If your team is considering a similar system, the question is not whether a model can read code. The question is whether your pipeline can turn model output into dependable decisions without flooding engineers with noise.\u003C\u002Fp>\u003Ch2>Conclusion: the winning pattern is orchestration, not magic\u003C\u002Fh2>\u003Cp>Cloudflare’s system is a strong signal for where AI-assisted review is heading in large engineering orgs: more specialization, more structured control, and less trust in a single general-purpose prompt. The next step for teams is to ask a practical question, not a hype question: which parts of review should be automated, and which ones still need a human in the loop?\u003C\u002Fp>\u003Cp>If you want to compare this with other AI workflow patterns, OraCore’s coverage of agentic tooling and developer automation is a good place to start, including \u003Ca href=\"\u002Fnews\u002Fclaude-code-at-scale\" target=\"_blank\" rel=\"noopener\">Claude Code at scale\u003C\u002Fa> and \u003Ca href=\"\u002Fnews\u002Fai-agents-in-ci\" target=\"_blank\" rel=\"noopener\">AI agents in CI\u003C\u002Fa>.\u003C\u002Fp>","Cloudflare built a CI-native AI review system that scans merge requests with up to seven specialist agents.","blog.cloudflare.com","https:\u002F\u002Fblog.cloudflare.com\u002Fai-code-review\u002F",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1777872650319-i27f.png",[13,14,15,16,17],"AI code 
review","Cloudflare","OpenCode","GitLab","CI\u002FCD","en",3,false,"2026-05-04T05:30:35.138288+00:00","2026-05-04T05:30:35.122+00:00","done","eaced51d-af7e-454b-b8c3-619fd365e955","cloudflare-ai-code-review-at-scale-en","industry","2bbd2c8d-6682-4105-8596-0400a04d6499","published","2026-05-04T09:00:13.805+00:00",[31,33,35,37,39],{"name":16,"slug":32},"gitlab",{"name":14,"slug":34},"cloudflare",{"name":13,"slug":36},"ai-code-review",{"name":15,"slug":38},"opencode",{"name":17,"slug":40},"cicd",{"id":27,"slug":42,"title":43,"language":44},"cloudflare-ai-code-review-at-scale-zh","Cloudflare 如何做 AI 程式碼審查","zh",[46,52,58,64,70,76],{"id":47,"slug":48,"title":49,"cover_image":50,"image_url":50,"created_at":51,"category":26},"6ff3920d-c8ea-4cf3-8543-9cf9efc3fe36","circles-agent-stack-targets-machine-speed-payments-en","Circle’s Agent Stack targets machine-speed payments","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871659638-hur1.png","2026-05-15T19:00:44.756112+00:00",{"id":53,"slug":54,"title":55,"cover_image":56,"image_url":56,"created_at":57,"category":26},"1270e2f4-6f3b-4772-9075-87c54b07a8d1","iren-signs-nvidia-ai-infrastructure-pact-en","IREN signs Nvidia AI infrastructure pact","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871059665-3vhi.png","2026-05-15T18:50:38.162691+00:00",{"id":59,"slug":60,"title":61,"cover_image":62,"image_url":62,"created_at":63,"category":26},"b308c85e-ee9c-4de6-b702-dfad6d8da36f","circle-agent-stack-ai-payments-en","Circle launches Agent Stack for AI 
payments","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778870450891-zv1j.png","2026-05-15T18:40:31.462625+00:00",{"id":65,"slug":66,"title":67,"cover_image":68,"image_url":68,"created_at":69,"category":26},"f7028083-46ba-493b-a3db-dd6616a8c21f","why-nebius-ai-pivot-is-more-real-than-hype-en","Why Nebius’s AI Pivot Is More Real Than Hype","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778823055711-tbfv.png","2026-05-15T05:30:26.829489+00:00",{"id":71,"slug":72,"title":73,"cover_image":74,"image_url":74,"created_at":75,"category":26},"b63692ed-db6a-4dbd-b771-e1babdc94af7","nvidia-backs-corning-factories-with-billions-en","Nvidia backs Corning factories with billions","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778822444685-tvx6.png","2026-05-15T05:20:28.914908+00:00",{"id":77,"slug":78,"title":79,"cover_image":80,"image_url":80,"created_at":81,"category":26},"26ab4480-2476-4ec7-b43a-5d46def6487e","why-anthropic-gates-foundation-ai-public-goods-en","Why Anthropic and the Gates Foundation should fund AI public goods","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778796645685-wbw0.png","2026-05-14T22:10:22.60302+00:00",[83,88,93,98,103,108,113,118,123,128],{"id":84,"slug":85,"title":86,"created_at":87},"d35a1bd9-e709-412e-a2df-392df1dc572a","ai-impact-2026-developments-market-en","AI's Impact in 2026: Key Developments and Market Shifts","2026-03-25T16:20:33.205823+00:00",{"id":89,"slug":90,"title":91,"created_at":92},"5ed27921-5fd6-492e-8c59-78393bf37710","trumps-ai-legislative-framework-en","Trump's AI Legislative Framework: What's 
Inside?","2026-03-25T16:22:20.005325+00:00",{"id":94,"slug":95,"title":96,"created_at":97},"e454a642-f03c-4794-b185-5f651aebbaca","nvidia-gtc-2026-key-highlights-innovations-en","NVIDIA GTC 2026: Key Highlights and Innovations","2026-03-25T16:22:47.882615+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"0ebb5b16-774a-4922-945d-5f2ce1df5a6d","claude-usage-diversifies-learning-curves-en","Claude Usage Diversifies, Learning Curves Emerge","2026-03-25T16:25:50.770376+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"69934e86-2fc5-4280-8223-7b917a48ace8","openclaw-ai-commoditization-concerns-en","OpenClaw's Rise Raises Concerns of AI Model Commoditization","2026-03-25T16:26:30.582047+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"b4b2575b-2ac8-46b2-b90e-ab1d7c060797","google-gemini-ai-rollout-2026-en","Google's Gemini AI Rollout Extended to 2026","2026-03-25T16:28:14.808842+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"6e18bc65-42ae-4ad0-b564-67d7f66b979e","meta-llama4-fabricated-results-scandal-en","Meta's Llama 4 Scandal: Fabricated AI Test Results Unveiled","2026-03-25T16:29:15.482836+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"bf888e9d-08be-4f47-996c-7b24b5ab3500","accenture-mistral-ai-deployment-en","Accenture and Mistral AI Team Up for AI Deployment","2026-03-25T16:31:01.894655+00:00",{"id":124,"slug":125,"title":126,"created_at":127},"5382b536-fad2-49c6-ac85-9eb2bae49f35","mistral-ai-high-stakes-2026-en","Mistral AI: Facing High Stakes in 2026","2026-03-25T16:31:39.941974+00:00",{"id":129,"slug":130,"title":131,"created_at":132},"9da3d2d6-b669-4971-ba1d-17fdb3548ed5","cursors-meteoric-rise-pressures-en","Cursor's Meteoric Rise Faces Industry Pressures","2026-03-25T16:32:21.899217+00:00"]