Code Review

AI code review that enforces your rules on every pull request and inside every coding agent session. Catches bugs, security issues, and convention violations before they ship.

1.0 IN ACTION

Your agent reviews its own code after every turn.

claude
$ claude "add cleanup job for expired sessions"
Read 4 files
Update(src/jobs/cleanup.ts)
Ran stop hook
Saguaro review — fix valid issues, dismiss the rest.
[error] src/jobs/cleanup.ts:47 Two sequential DELETEs (session_tokens then sessions) without a transaction. If the first succeeds but the second fails, tokens are removed but expired sessions remain — leaving dangling references. Wrap in db.transaction().
Valid. Wrapping both deletes in a transaction.
Update(src/jobs/cleanup.ts)

sag init sets this up automatically. The background reviewer looks at every change like a staff engineer — catching bugs, security issues, and regressions without any configuration. The agent fixes findings while context is still hot.

For deterministic enforcement, Saguaro also supports rules — markdown files matched to changed files via globs:

Pipeline (diagram): the rule files in .saguaro/rules/ (no-raw-sql.md, require-error-boundary.md, use-server-functions.md) and the changed files from git diff main (M src/auth.ts, M src/api/users.ts, A src/components/Dashboard.tsx) go into Saguaro together with codebase context (imports, dependents, related files). Saguaro then (1) matches rules to files, (2) gathers context, and (3) runs an AI review per file. Example output:
src/api/users.ts:42 · no-raw-sql
Raw SQL string interpolation. Use parameterized queries.
2.0 RULES

Codify your standards in markdown.

Rules are markdown files in .saguaro/rules/. Saguaro matches them to changed files via globs and feeds them to the AI reviewer alongside your diff.

.saguaro/rules/no-raw-sql.md
---
id: no-raw-sql
title: Use parameterized queries for all database calls
severity: error
globs:
  - "src/api/**/*.ts"
  - "src/db/**/*.ts"
---

Do not use string interpolation or concatenation to build SQL queries.
Use parameterized queries or the ORM's query builder.

### Violations

```typescript
const user = await db.query(`SELECT * FROM users WHERE id = ${id}`)
```

### Compliant

```typescript
const user = await db.query('SELECT * FROM users WHERE id = ?', [id])
```

sag init generates rules from your codebase automatically, or write them by hand. sag rules generate adds more at any time.
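As an added example (not Saguaro's own code), here is how a rule file in the format above can be consumed: parse the YAML frontmatter of the no-raw-sql rule and match its globs against a changed-file list, mirroring the "match rules → files" step. The changed-file list is constructed, and the glob matcher is a simplified stand-in that supports only `**/` and `*`, which is all the rule's globs use.

```javascript
// Added example (not Saguaro's code): read a rule's YAML frontmatter and match
// its globs against changed files, i.e. the "match rules -> files" step.
const RULE_MD = `---
id: no-raw-sql
title: Use parameterized queries for all database calls
severity: error
globs:
  - "src/api/**/*.ts"
  - "src/db/**/*.ts"
---

Do not use string interpolation or concatenation to build SQL queries.
`;

// Constructed stand-in for the paths listed by `git diff main`.
const CHANGED_FILES = ["src/auth.ts", "src/api/users.ts",
  "src/db/migrations/001.ts", "src/components/Dashboard.tsx"];

// Minimal frontmatter reader: "key: value" scalars plus a "- item" list under globs.
function parseFrontmatter(md) {
  const m = /^---\n([\s\S]*?)\n---\n?([\s\S]*)$/.exec(md);
  if (!m) throw new Error("rule file has no YAML frontmatter");
  const meta = { globs: [] };
  let key = null;
  for (const line of m[1].split("\n")) {
    const item = /^\s*-\s*"?([^"]+)"?\s*$/.exec(line);
    if (item && key === "globs") { meta.globs.push(item[1]); continue; }
    const kv = /^(\w+):\s*(.*)$/.exec(line);
    if (kv) { key = kv[1]; if (kv[2]) meta[key] = kv[2]; }
  }
  return { ...meta, body: m[2].trim() };
}

// Glob -> anchored RegExp. "**/" spans any directories, "*" stays within one segment.
function globToRegExp(glob) {
  const DIRS = "\u0000"; // placeholder so the "*" pass leaves the "**/" expansion alone
  const re = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*\//g, DIRS)
    .replace(/\*/g, "[^/]*")
    .split(DIRS).join("(?:.*/)?");
  return new RegExp(`^${re}$`);
}

// The files this rule applies to; the reviewer would only see this rule for these.
function matchRule(rule, files) {
  const patterns = rule.globs.map(globToRegExp);
  return files.filter((f) => patterns.some((p) => p.test(f)));
}
```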

3.0 INTEGRATION

Works with every major coding agent.

sag init wires everything automatically. Here's what it creates:

Claude Code

.claude/settings.json
{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Edit|Write",
      "hooks": [{
        "type": "command",
        "command": "sag hook pre-tool",
        "timeout": 10
      }]
    }],
    "Stop": [{
      "hooks": [{
        "type": "command",
        "command": "sag hook run",
        "timeout": 120
      }]
    }]
  }
}

PreToolUse injects relevant rules before the agent writes code. Stop reviews changes after each turn and blocks on violations.

Manual Review

terminal
$ sag review
src/api/users.ts:42 · no-raw-sql [error]
Raw SQL string interpolation. Use parameterized queries.
| SELECT * FROM users WHERE id = ${id}
src/auth.ts:18 · no-hardcoded-secrets [error]
Hardcoded API key. Use environment variables.
| const API_KEY = "sk-live-abc123..."
src/tracing.ts:31 · otel-no-sensitive-params [warning]
Tracing credential object. Omit sensitive params from Tlm.trace.
| ['repoPath', 'credential']
3 violations: 2 errors, 1 warning
Files reviewed: 4 · Rules checked: 13 · Duration: 2.1s · Cost: $0.03

Run sag review on-demand to check your changes against all rules. JSON output available for CI.

Other Agents

Codex CLI: sag review — run manually or in CI
Gemini CLI: sag review — same CLI, same rules
Cursor: sag review --output json — deeplinks to violations
CI: sag review --output json — exit code 1 on errors

Background Daemon

For long sessions, sag daemon start reviews changes in parallel on localhost:7474 — findings surface as soft guidance, no blocking.

4.0 OUTER LOOP

Code review on every pull request.

The inner-loop CLI catches issues while your agent is coding. The outer-loop review agent runs on every pull request in your GitHub repository — reviewing changes against your rules, org conventions, and the full context of your codebase. It comments directly on your PRs like a senior engineer on your team.

Same Rules

Uses your .saguaro/rules/ directory. Write once, enforce everywhere — locally and on PRs.

Full Context

The review agent understands your codebase structure, not just the diff. It catches issues that span multiple files.

GitHub Native

Installs as a GitHub App. Comments inline on PRs with file and line references. No configuration beyond connecting your repo.

5.0 GET STARTED

Install in under a minute.

$ npm install -g @mesadev/saguaro && sag init

6.0 SPECIFICATIONS

Built for how you already work.

Execution: Fully local. Your code never leaves your machine.
AI Providers: Anthropic, OpenAI, Google — uses your agent CLI subscription, no API key needed
Agents: Claude Code, Codex CLI, Gemini CLI, Cursor
Review Modes: On-demand CLI, automatic stop hook, background daemon
Output: Console with file:line locations, JSON for CI, Cursor deeplinks
Rule Format: Markdown with YAML frontmatter, glob-based file matching
License: Apache-2.0 — fully open source