Opulent Review
A faster way to review and understand what a session produced, including complex PRs.
As autonomous agents produce more work, the bottleneck shifts from producing deliverables to reviewing them. Opulent Review is a review surface within the Opulent platform that organizes the output of a session and explains it. It reviews reports, analyses, workflow plans, generated artifacts, and QA evidence, and when repo work is in scope it turns large, complex PRs into intuitively organized diffs and precise explanations. It supports GitHub (including GitHub Enterprise Server and Enterprise Cloud) and GitLab (including Self-Managed GitLab).
Opulent Review is Partial today. Code and PR review over connected GitHub and GitLab repositories works as described below, including the Bug Catcher, security scanning, auto-review, and workflow actions. Broader review of non-code deliverables such as reports, analyses, workflow plans, generated artifacts, and QA evidence is being brought onto the same surface. Today you review those inside the session that produced them and in the Workbench. Treat the non-code review lanes as the direction of the product, not a finished separate feature.
Opulent Review is available for PRs on GitHub repositories (including GitHub Enterprise Server and Enterprise Cloud) and merge requests on GitLab repositories (including Self-Managed GitLab). Public PRs don't require an Opulent account. Private PRs can be viewed with an Opulent account or via the CLI.
Features
Groups changes logically, putting related edits together instead of alphabetical order.
Detects when code has been copied or moved and displays changes cleanly, instead of full deletes and inserts.
Checks for bugs and labels them by confidence level. Severe bugs require immediate attention.
Detects security vulnerabilities and suggests hardening improvements, with CWE classification and severity levels.
Leave comments, approve PRs, request changes, all within Opulent Review, synced to GitHub.
Ask questions about the PR or deliverable and get answers with relevant context from the rest of the codebase and workspace. You can also ask Opulent directly from any comment, bug, or flag in the diff view.
Merge, close, convert to draft, mark ready for review, and toggle auto-merge directly from Opulent Review without leaving the page.
Ask the chat agent to make code edits. Review the suggested changes, then apply them as a commit to the PR branch without leaving Opulent Review.
Getting Started
- Opulent platform: Head to platform.opulentia.ai/review to see your open PRs organized by category (assigned to you, authored by you, review requested). When Opulent makes PRs, you'll see an orange "Review" button in the session.
- URL shortcut: For any GitHub.com PR link, replace
github.comwithreview.opulentia.aiin the URL. For private PRs, sign in to Opulent first or use the CLI. - GitHub Enterprise: Paste the full PR URL into the Opulent Review page at platform.opulentia.ai/review. All GitHub offerings (GitHub.com, Enterprise Server, Enterprise Cloud) have the same capabilities.
- CLI: Run
npx opulent-review {pr-url}from within a local clone. See CLI below for details.
Supported Git Providers
| Capability | GitHub | GitLab | Bitbucket | Azure DevOps |
|---|---|---|---|---|
| View diffs and analysis | Yes | Yes | No | No |
| Bug catcher | Yes | Yes | No | No |
| Codebase-aware chat | Yes | Yes | No | No |
| Code changes from chat | Yes | Yes | No | No |
| Comments and reviews | Yes | Yes | No | No |
| Merge / close / draft actions | Yes | Partial | No | No |
| Auto-merge | Yes | Partial | No | No |
| Auto-review | Yes | Yes | No | No |
GitHub includes GitHub.com, GitHub Enterprise Server, and GitHub Enterprise Cloud. All have the same capabilities. Write features (comments, reviews, merge actions, code changes from chat) require a GitHub App connection installed on your GitHub organization. PAT-based connections are read-only and cannot post comments, submit reviews, or perform merge actions. To set up the GitHub App, see the GitHub integration guide.
GitLab includes GitLab.com and Self-Managed GitLab. Write features for Self-Managed GitLab (comments, reviews, merge actions, code changes from chat) require a GitLab App connection. To set up the GitLab App, see the GitLab Self-Managed integration guide.
Permissions
Opulent Review access is controlled by account-level permissions configured in the role editor under Opulent Review permissions. By default, all members and admins receive full auto-review access, and admins additionally receive Manage Opulent Review.
Enterprise admins can use Custom Roles to restrict access to a lower usage tier (manual-only or on-PR-creation only), remove access entirely, or grant admin capabilities. Self-enrollment for auto-review does not require Manage Opulent Review. Any user with a usage tier and a connected GitHub account can enroll themselves.
See Account-level roles for the full list of Opulent Review permission tiers and what each one grants.
Enterprise accounts: Only users in the primary organization with Manage Opulent Review can manage review settings. Users in non-primary organizations can self-enroll but cannot change admin settings.
Governance
Enterprise admins can control who uses Opulent Review, what level of automation they have, and how much it costs, all from the Opulent platform.
The features in this section require an Opulent Enterprise account. For details on enterprise plans, contact sales.
Cost control
Opulent Review consumes compute credits from your enterprise's credit pool, the same pool used by Opulent sessions and other Opulent products. Enterprise admins have several tools to monitor and control review costs.
Consumption dashboard
The enterprise consumption dashboard at Settings > Consumption breaks down credit usage by product, including a dedicated Review line in the daily consumption chart. Organization admins can view their org's review consumption from Settings > Consumption Analytics.
The dashboard includes:
- Per-user breakdown: See how many review credits each user consumed in the current and previous billing cycle.
- Per-repository breakdown: See review credit consumption, review count, and the number of bugs caught by repository for the current and previous billing cycle, helping identify which repos drive the most review cost and where reviews catch the most issues.
Opulent Review credits do not count against per-organization credit limits. Per-org credit limits configured in Settings > Organizations apply to Opulent sessions only. Review consumption is tracked at the enterprise level and is not capped by org limits. Reviews continue to run even after an organization reaches its session credit limit.
Review size indicator
Each PR in Opulent Review displays a consumption pill showing the review's t-shirt size based on total credit usage across all review jobs on that PR:
| Size | Credit range |
|---|---|
| XS | ≤ 2.25 credits |
| S | 2.25 – 4.5 credits |
| M | 4.5 – 9 credits |
| L | 9 – 18 credits |
| XL | > 18 credits |
Hover over the size pill to see the exact credit total, the number of review jobs run, and the cost of the currently viewed review. This helps reviewers understand the cost impact of re-running reviews or enabling auto-review on high-churn PRs.
Per-PR auto-review spend limit
Admins can cap how much Opulent Review spends on automatic reviews of a single PR from Settings > Review under the Auto-review limits section. The limit is measured in credits on Enterprise plans, or in dollars of on-demand spend for Individual and Teams plans. Leave the field empty for no limit (the default).
Once a PR's total review spend across all of its review jobs reaches the limit, auto-review is turned off for that PR and future auto-reviews are skipped. Reaching the limit is a soft block:
- Manual reviews still work: the limit only pauses automatic reviews. You can always trigger a review yourself from the PR review page.
- Re-enable per PR: Turning auto-review back on for the PR from the actions menu (three dots in the header) resumes auto-reviews and exempts that PR from the limit.
When a limit is configured, the consumption pill's hover card shows the limit alongside the PR's usage and indicates when the limit has been reached. If PR description updates are enabled, the Opulent Review status row in the PR description also notes when auto-review was paused by the spend limit, with a link to re-enable it.
PR Workflow Actions
Opulent Review lets you take action on PRs directly from the review page, without switching to GitHub.
- Merge: Merge the PR using the repository's configured merge strategy (merge commit, squash, or rebase). The merge button reflects the PR's current mergeability status and required checks.
- Close: Close the PR without merging. Available from the dropdown menu next to the merge button.
- Convert to draft: Convert an open PR to draft status. Available from the dropdown menu when the PR is open and not already a draft.
- Mark ready for review: Mark a draft PR as ready for review. A "Ready for review" button appears in the merge bar for draft PRs.
- Auto-merge: Enable or disable GitHub auto-merge from the merge button dropdown. When enabled, the PR will merge automatically once all required checks pass. The merge bar shows the current auto-merge status, including who enabled it.
All workflow actions require a GitHub App connection and are disabled when viewing in read-only mode (for example, public repos without a connected account, or PAT-based connections).
Auto-Review
Opulent can automatically review PRs without you having to manually trigger it. Configure auto-review in Settings > Review. On any PR review page, the actions menu (three dots in the header) lets you toggle auto-review for that specific PR and links to the review settings pages.
When Does Auto-Review Run?
Auto-review triggers when:
- A PR is opened (non-draft)
- New commits are pushed to a PR
- A draft PR is marked as ready for review
- An enrolled user is added as a reviewer or assignee
Draft PRs are skipped until marked ready.
Trigger Modes
Repositories and individual users can each be configured with a trigger mode that controls when auto-review runs:
- Auto review (default): Reviews trigger on all events: PR opened, new commits pushed, draft marked ready, and reviewer/assignee added.
- On PR creation: Reviews only trigger when a PR is first opened or a draft PR is marked as ready for review. Subsequent pushes to the PR do not trigger a new review.
- Manual: No reviews run automatically. You trigger a review yourself from the PR review page whenever you want one. This is the base tier for personal enrollment.
Repository trigger modes are limited to Auto review and On PR creation. Personal enrollment additionally supports Manual for users who only want to trigger reviews on demand.
When a PR matches both an enrolled repository and an enrolled user, the most permissive trigger mode applies.
Admins can set the trigger mode per repository from Settings > Review, and each user can set their personal trigger mode from Settings > Preferences.
Self-Enrollment (All Users)
Any user with a connected GitHub account can enroll themselves for auto-reviews. No admin permissions needed.
- Go to Settings > Preferences
- Under Opulent Review, set your Review trigger to On PR creation or Auto-review (leave it on Manual if you only want to trigger reviews yourself)
Once enrolled with Auto-review, Opulent will automatically review any PR you create, are added to as a reviewer, or are assigned to, on any repository. With On PR creation, Opulent reviews only when the PR is first opened or marked ready for review.
You can also turn auto-review on or off for a specific PR from the actions menu (three dots in the header) on its review page, which also links to your personal review settings.
Review Comment Language
You can choose the language Opulent Review uses for its comments and analysis from Settings > Preferences under the Opulent Review section.
- Use your display language (default): Review comments follow your display language setting.
- Specific language: Choose from English, Spanish, Portuguese, Japanese, Chinese, Korean, French, German, Russian, Arabic, Hebrew, or Indonesian.
Language instructions in your REVIEW.md take precedence over this setting. If your REVIEW.md specifies a language for review comments, Opulent will use that language regardless of your personal preference.
Admin Configuration
Admins have additional options in Settings > Review:
- Repositories: Add repositories to auto-review ALL PRs on that repo. Use the Add repo button to search and select from connected repositories, and set each repository's trigger mode from the list.
- Users: View all enrolled users across the organization along with each user's trigger mode. Users enroll themselves through self-enrollment. Admins cannot enroll other users directly.
- Add "Opulent Review" link in PR description: When enabled (default), Opulent adds a link to the review in the PR description.
Posting to GitHub
Admins can configure what Opulent Review posts back to GitHub from Settings > Review under the Post as PR comments section:
- Post GitHub CI checks: When enabled (default), Opulent creates a commit status check on the PR for each review. This lets you see review results directly in your PR's checks list.
- Bugs: Post bugs (likely errors or incorrect behavior) as PR comments.
- Security: Post security vulnerabilities and hardening suggestions as PR comments. Only visible when security scanning is enabled.
- Flags (investigate): Post investigate flags (potential issues worth a closer look) as PR comments.
- Flags (note): Post informational flags (observations that may not require action) as PR comments.
By default, bugs and "investigate" flags are posted as PR comments. Admins can toggle each finding type independently.
Enterprise accounts: Settings apply across all organizations in the enterprise. Only users in the primary organization with enterprise admin permissions can manage settings. Users in non-primary orgs can only self-enroll.
Auto-review is not available for public repos that aren't connected to your organization.
Bug Catcher
The Bug Catcher automatically analyzes your PR for potential issues and displays findings in the Analysis sidebar. Findings are organized into Bugs, Flags, and Security.
Bugs
Bugs are actionable errors that should be fixed in the code. These represent issues the Bug Catcher has high confidence are actual problems.
Bugs are displayed with two severity levels:
- Severe: High-confidence issues that require immediate attention
- Non-severe: Lower severity issues that should still be reviewed
When you see a bug, you should investigate and fix it in your code.
Flags
Flags are informational code annotations that may or may not require action. They come in two classes:
Investigate: Flags that warrant further investigation. You should review the flagged code yourself and verify whether there is an actual bug or issue.
Informational: The Bug Catcher has either concluded correctness or is explaining how something works. These help you understand the code changes without requiring action.
Security
Opulent Review scans for security vulnerabilities and displays them in a dedicated Security section of the Analysis sidebar, alongside Bugs and Flags. Security scanning is enabled by default and can be toggled from Settings > Review under the Security scan section.
The scanner checks for the following vulnerability categories:
- Injection (SQL, XSS, command, template)
- Auth flaws (missing/broken access control, privilege escalation, auth bypass)
- Secrets exposure (hardcoded keys, tokens in logs, credentials in source)
- SSRF and path traversal
- Insecure deserialization, prototype pollution
- Missing input validation on untrusted data
- Weak cryptography (algorithms, key management)
- Transport/cookie security (missing HTTPS enforcement, permissive CORS, insecure cookie flags)
- Insecure defaults or misconfigurations introduced by the PR
Findings are displayed with two severity levels:
- Critical: High-confidence vulnerabilities that should be fixed before merging
- Warning: Potential security weaknesses worth investigating
Each finding includes a description of the issue, a recommendation for how to fix it, and where applicable a CWE identifier classifying the vulnerability type.
The security scan also respects any security-related instructions in your instruction files. For example, you can add security policies, sensitive areas, or threat models to your REVIEW.md to guide what the scanner looks for.
Resolving Findings
You can mark bugs, flags, and security findings as resolved once you've addressed them or determined they don't require action. Resolved items are dimmed in the sidebar and sorted to the bottom of each section.
Review Actions
Starting a Review
When creating a new inline comment or replying to an existing thread, you can check the Start a review checkbox to batch your comments into a pending review instead of posting them individually. This mirrors the GitHub review workflow, letting you collect all your feedback before submitting. Once a review is in progress, subsequent comments are automatically added to it and the checkbox is hidden.
Resolving Comments
You can resolve review threads to indicate they've been addressed. When all threads in a bot-authored review are resolved, Opulent automatically minimizes that review on GitHub to keep the PR conversation clean. If a thread is later unresolved, the review is automatically unminimized.
In the diff view, you can expand or collapse individual comment threads using the caret toggle to focus on outstanding feedback.
Code Owner Indicators
When a code owner has been requested as a reviewer, Opulent Review displays a shield icon next to their name in the reviewer sidebar with a "Requested as code owner" tooltip. This makes it easy to identify which pending reviewers have code ownership over the changed files.
Auto-Fix
Opulent Review can automatically suggest and apply fixes for bugs it detects in your PRs. When Auto-Fix is enabled, Opulent will propose code changes directly alongside its bug findings.
How to Enable It
There are two ways to enable Auto-Fix:
- From the review sidebar: On any Opulent-authored PR, the Analysis sidebar shows an Auto-fix section with an Enable auto-fix button. Clicking it enables Auto-Fix for all Opulent PRs in your organization. This requires organization admin permissions.
- From global Customization settings: Go to Settings > Customization > Pull requests > Responding to bots, then either:
- Set the mode to Selected only and add
opulent-integration[bot]to the allowlist, or - Set the mode to All bots.
- Set the mode to Selected only and add
When Opulent Review finds bugs and Auto-Fix is enabled, it will generate suggested fixes that you can review and apply directly from the diff view.
Permissions & Constraints
- Only organization admins can change this setting.
- If the bot mode is set to All bots, Auto-Fix shows as enabled and cannot be changed from the review sidebar. Use Customization settings to modify the bot mode.
- Opulent Review's No Issues Found summary comments are always ignored. Only comments with actual findings trigger Auto-Fix.
If Opulent Review feedback is currently ignored in your repository, you'll see a prompt in the session timeline to enable it.
CLI
The Opulent Review CLI lets you run code reviews directly from your terminal. This is especially useful for private repositories or when you want a streamlined local workflow.
Installation & Usage
Run the CLI from within a local clone of the repository, no authentication required:
cd path/to/repo
npx opulent-review https://github.com/owner/repo/pull/123
You must run this command from within the repository being reviewed.
How it works:
- Git-based diff extraction: The CLI uses your local git access to fetch the PR branch and compute the diff. This means you need read access to the repository on your machine.
- Isolated worktree checkout: The CLI creates a git worktree in a cached directory to check out the PR branch. This keeps your working directory untouched, with no stashing and no branch switching. The worktree is automatically cleaned up after the review completes.
- Diff sent to Opulent servers: The computed diff and file contents are sent to Opulent's servers for analysis.
Privacy & Access Control
The CLI uses a localhost server to authenticate your review session:
- Local-only access by default: When you run
opulent-review, it starts a localhost server on your machine that serves a secure token. Only processes on your local machine can access this token, meaning only you can view the review page while logged out. - Transfer to your Opulent account: If you log in to an Opulent account that has access to the GitHub organization, the review session is transferred to your account. This lets you access the review from other devices and share it with teammates.
When you run the CLI, opulent-review can execute commands locally on your machine to gather additional context for finding bugs. This enables deeper analysis than diff-only review.
The Bug Catcher can execute a limited set of read-only operations scoped to the worktree directory:
- File reading: Read file contents within the repository
- Search: Grep for patterns and glob for file names
- Bash commands: Only read-only commands like
ls,cat,pwd,file,head,tail,wc,find,tree,stat, anddu
Commit & Comment Attribution
- Bug findings, flags, and automated annotations always appear as the Opulent bot.
- When a user writes a comment or review through Opulent Review, it appears under the user's GitHub identity.
- When a user asks the chat agent to make a code change, the resulting commit is made as the Opulent bot.
- GitHub Suggested Changes follow standard GitHub behavior: any reviewer (including Opulent) can leave a suggested edit in a review comment. When a user clicks "Apply suggestion," the commit is authored by that user, in the same way as GitHub.
- Opulent will never create commits or comments on behalf of a user without the user explicitly initiating the action.
AGENTS.md / Instruction Files
Opulent Review respects instruction files in your repository. If any of these files exist, they'll be used as context when analyzing your PR:
**/REVIEW.md**/AGENTS.md**/CLAUDE.md(case-insensitive)**/CONTRIBUTING.md(case-insensitive).cursorrules.windsurfrules.cursor/rules*.rules*.mdc.coderabbit.yaml/.coderabbit.ymlgreptile.json
Files inside agent-like subdirectories (.agents/, .opulentia/, .cursor/, .github/) are treated as belonging to the parent directory for scoping purposes. For example, src/.agents/REVIEW.md applies to files under src/.
These files can contain coding standards, project conventions, or other guidelines that help provide more relevant feedback.
Custom Review Rules
You can configure additional files to be ingested as review context from Settings > Review under the Review Rules section. This lets you add custom file glob patterns beyond the defaults listed above.
To add a custom rule:
- Go to Settings > Review
- Under Review Rules, type a file glob pattern (e.g.
docs/**/*.md) - Click Add
Custom rules appear in the list alongside the default **/REVIEW.md rule. You can remove any custom rule by clicking the trash icon next to it.
This is useful when your project has review-relevant documentation in non-standard locations, such as architecture decision records, style guides, or team-specific conventions stored in custom paths.
REVIEW.md
REVIEW.md is a dedicated instruction file for Opulent Review. Place it anywhere in your repository to customize how Opulent reviews PRs in your project. Opulent automatically picks up REVIEW.md files at any directory level (**/REVIEW.md), so you can scope review guidelines to specific subdirectories if needed.
Use REVIEW.md to define review-specific guidelines such as:
- Areas of the codebase that need extra scrutiny
- Common pitfalls or anti-patterns to watch for
- Project-specific conventions that reviewers should enforce
- Files or directories that can be safely ignored during review
- Security or performance considerations unique to your project
Example REVIEW.md:
# Review Guidelines
## Critical Areas
- All changes to `src/auth/` must be reviewed for security implications.
- Database migration files should be checked for backward compatibility.
## Conventions
- API endpoints must include input validation and proper error handling.
- All public functions require TypeScript return types. Do not use `any`.
- React components should use functional components with hooks, not class components.
## Ignore
- Auto-generated files in `src/generated/` do not need review.
- Lock files (package-lock.json, yarn.lock) can be skipped unless dependencies changed.
## Performance
- Flag any database queries inside loops.
- Watch for N+1 query patterns in API resolvers.