What’s new in Quorum

Shipped weekly. Subscribe to RSS or follow @quorumdev.

2026-05-07
v0.1.2
fix

Backoff for OpenRouter 429s

Rate-limit responses were failing the whole review run instead of retrying. Backoff is now exponential with jitter, capped at 30s per attempt, and honors Retry-After when present.

  • Fixed: 429 + Retry-After header is honored before falling back to exponential backoff
  • Fixed: Cancelled runs were still counted against the per-repo concurrency cap
  • Fixed: Settings page incorrectly cached the previous account when switching orgs
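
An added example (not Quorum's code) of choosing the wait before retrying a 429, as this entry describes. The 500 ms base delay, the full-jitter formula and applying the 30 s cap to Retry-After as well are assumptions; the entry states only the cap, the jitter and that Retry-After is honored.

```javascript
// Added example, not Quorum's code.
const CAP_MS = 30000; // per-attempt cap stated in the changelog entry
const BASE_MS = 500;  // assumed base delay; the page does not give one

// Retry-After is either delta-seconds or an HTTP-date (RFC 9110).
// Returns milliseconds to wait, or null when absent or unparseable.
function parseRetryAfter(header, nowMs) {
  if (header == null) return null;
  const value = String(header).trim();
  if (/^\d+$/.test(value)) return Number(value) * 1000;
  const when = Date.parse(value);
  if (Number.isNaN(when)) return null;
  return Math.max(0, when - nowMs);
}

// attempt is 0-based; rand is injectable so the jitter can be tested.
function retryDelayMs(attempt, retryAfterHeader, nowMs = Date.now(), rand = Math.random) {
  const hinted = parseRetryAfter(retryAfterHeader, nowMs);
  // The header is remote input: honor it, but never let it stall a worker
  // beyond the cap (assumption about how the cap and the header interact).
  if (hinted !== null) return Math.min(hinted, CAP_MS);
  const ceiling = Math.min(CAP_MS, BASE_MS * 2 ** attempt);
  return Math.floor(rand() * ceiling); // full jitter: uniform in [0, ceiling)
}
```
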
2026-05-05
v0.1.1
improvement

Inline comments render as GitHub suggestions

When a finding includes a suggestion field, the inline comment now uses a fenced ```suggestion block so maintainers can apply the fix in one click. Existing reviews are not regenerated.

  • Improved: ```suggestion block emitted only when suggestion is non-empty and matches the diff context
  • Improved: Severity colors in the summary footer now match the policy palette
  • Removed: Legacy diff-as-prose fallback that nobody used
2026-05-02
v0.1.0
feature

Three-reviewer panel ships

Correctness, Security, and Architecture run in parallel through OpenRouter on every PR. The aggregator dedupes findings and posts a single GitHub review.

  • New: Inngest function reviewPullRequest with concurrency 5/repo, 2 retries
  • New: Reviewer fan-out via Promise.all on OpenRouter chat-completions
  • New: Single POST /pulls/n/reviews with summary + inline comments
  • New: All findings persisted to review_findings; usage_events ledger written per call
2026-04-28
v0.0.10
fix

Webhook signature + GitHub auth resilience

Two fixes from self-hosters reporting silent webhook drops. Thanks to @arn1ka and @lucash for the repros.

  • Fixed: HMAC verification was rejecting valid webhooks when the body included certain unicode whitespace
  • Fixed: GitHub App JWT signing now retries on 502 instead of crashing the worker
  • Fixed: Repositories without a default branch (mirrors, archived) no longer poison the install sync
2026-04-26
v0.0.9
feature

Aggregator + diff-position mapping

Findings are filtered by min_confidence, deduped by (file, line, lowercased title), sorted by severity, and truncated at max_inline_comments. Inline comments are only posted on lines that map to a unified-diff position.

  • New: aggregateFindings with severity rank (critical=4 … low=1) + confidence tiebreak
  • New: mapPatchLineToPosition parser walks @@ hunks and +/context lines
  • New: verdictForFindings → clean | minor | needs_attention
  • Note: findings without a diff position stay in DB but drop from inline post
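
An added example (not Quorum's code) of the pipeline this entry describes: confidence filter, dedupe on (file, line, lowercased title), severity sort with confidence tiebreak, diff-position mapping, truncation. The function names come from the entry; the bodies, the "high" and "medium" rank names, and dropping unmapped findings before truncation are assumptions.

```javascript
// Added example, not Quorum's code. Function names come from the changelog;
// the bodies, and the "high"/"medium" rank names, are assumptions.
const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1 };

// Map a new-file line number to a GitHub review "position": the number of
// lines below the first @@ header in that file's patch. Returns null if the
// line is not part of the diff.
function mapPatchLineToPosition(patch, targetLine) {
  let position = 0, newLine = 0, seenHunk = false;
  for (const row of patch.replace(/\n$/, "").split("\n")) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(row);
    if (hunk) {
      if (seenHunk) position++; // later hunk headers also consume a position
      seenHunk = true;
      newLine = Number(hunk[1]) - 1;
      continue;
    }
    if (!seenHunk) continue;
    position++;
    if (row.startsWith("-") || row.startsWith("\\")) continue; // not in new file
    if (++newLine === targetLine) return position; // "+" or context line
  }
  return null;
}

// Order follows the entry: confidence filter, dedupe, sort, then truncate.
// Dropping unmapped findings before truncation is an assumption.
function aggregateFindings(findings, patches, minConfidence = 0.75, maxInline = 10) {
  const seen = new Set();
  return findings
    .filter((f) => f.confidence >= minConfidence)
    .filter((f) => {
      const key = JSON.stringify([f.file, f.line, f.title.toLowerCase()]);
      return !seen.has(key) && Boolean(seen.add(key));
    })
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]
      || b.confidence - a.confidence)
    .map((f) => ({ ...f, position: mapPatchLineToPosition(patches[f.file] || "", f.line) }))
    .filter((f) => f.position !== null)
    .slice(0, maxInline);
}

// Constructed sample patch (two hunks) for a hypothetical file a.js.
const SAMPLE_PATCH = [
  "@@ -1,3 +1,4 @@", " const a = 1;", "-const b = 2;", "+const b = 3;",
  "+const c = 4;", " export { a };",
  "@@ -10,2 +11,3 @@", " function f() {", "+  return a;", " }",
].join("\n");
```
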
2026-04-22
v0.0.8.1
improvement

Housekeeping

Dependency bumps and a small dead-code sweep. No behavioral changes for end users.

  • Changed: @inngest/sdk 3.18 → 3.21
  • Changed: zod 3.23 → 3.24 (no deprecation warnings)
  • Removed: Two unused peer deps from the migration scripts
2026-04-15
v0.0.8
feature

.ai-review.yml policy parsing

Repo-level policy parsed with Zod. Loaded from the PR head SHA when policy_source is "repository". Override per-reviewer model, raise min_confidence, or skip drafts.

  • New: parsePolicyYaml accepting trigger, skip.draft_prs, skip.labels, rules.*, reviewers[]
  • New: review_policies table with policy JSON per repo
  • New: defaults — min_confidence 0.75, max_inline_comments 10
  • New: skip.paths and skip.labels enforced before queueing when GitHub file listing is available
2026-04-09
v0.0.7.2
fix

Quota counter + BYOK attribution

Two billing/quota bugs reported by Pro and Team accounts. Numbers will look different after this deploy — the new numbers are the correct ones.

  • Fixed: 30-day quota chart was double-counting retried runs (some accounts showed >100% of quota; the post-fix number is the real one)
  • Fixed: BYOK runs were attributed to "platform" in usage_events; per-account BYOK runs are now correctly tagged
  • Fixed: Empty .ai-review.yml files were rejected with a confusing error; now treated as "use defaults"
2026-04-03
v0.0.7
feature

GitHub App webhook + signature verification

GitHub pull_request webhooks are HMAC-verified, then upsert accounts, github_installations, repositories, and review_policies before queuing the Inngest event.

  • New: HMAC verification with constant-time comparison
  • New: GitHub App JWT signing in lib/github/client.ts (no Octokit, fetch-only)
  • New: Auto-account-create on first install with plan_key=free
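
An added example (not Quorum's code) of HMAC verification with constant-time comparison over the raw request bytes, which also relates to the v0.0.10 fix for valid webhooks being rejected. The changelog gives no root cause for that bug; the re-serialization failure mode shown here is an assumption chosen because it rejects only payloads that carry escaped Unicode whitespace.

```javascript
// Added example, not Quorum's code: GitHub signs the raw request body with
// HMAC-SHA256 and sends "sha256=<hex>" in the X-Hub-Signature-256 header.
const { createHmac, timingSafeEqual } = require("node:crypto");

// rawBody must be the exact bytes received (a Buffer), before any parsing.
function verifyWebhook(rawBody, signatureHeader, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof signatureHeader !== "string") return false;
  const match = /^sha256=([0-9a-f]{64})$/.exec(signatureHeader);
  if (!match) return false; // reject missing, truncated or non-hex signatures
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(match[1], "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return timingSafeEqual(expected, received);
}

// Assumed failure mode (the changelog gives no root cause): hashing a
// parsed-and-re-serialized body instead of the received bytes.
function verifyReserialized(rawBody, signatureHeader, secret) {
  const rebuilt = JSON.stringify(JSON.parse(rawBody.toString("utf8")));
  return verifyWebhook(Buffer.from(rebuilt, "utf8"), signatureHeader, secret);
}

// Constructed inputs: in ESCAPED the sender wrote U+2028 as a JSON escape
// (six ASCII characters); re-serializing emits the raw character instead.
const SECRET = "constructed-webhook-secret";
const sign = (body) => "sha256=" + createHmac("sha256", SECRET).update(body).digest("hex");
const PLAIN = Buffer.from('{"action":"opened","title":"fix spacing"}', "utf8");
const ESCAPED = Buffer.from('{"action":"opened","title":"fix\\u2028spacing"}', "utf8");
```

With these inputs the re-serializing variant accepts PLAIN and rejects ESCAPED, while verifyWebhook over the received bytes accepts both.
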
2026-03-28
v0.0.6.1
security

undici CVE patch

Patched CVE-2026-12345 in undici (transitive through Octokit). Quorum-managed infrastructure was not exposed; self-hosters should pull this version.

  • Security: undici 6.19 → 6.21 via Octokit upstream
  • Security: Refreshed all GitHub App private keys on managed infra as a precaution
2026-03-22
v0.0.6
feature

Stripe billing + quota enforcement

Stripe customer.subscription.* webhooks update stripe_subscriptions. The Inngest pipeline enforces monthly_review_quota by counting review_runs in the calendar month and hard-stopping on overage.

  • New: Five plans wired — free (10), developer (100), pro (300), team (1000), scale (custom)
  • New: Stripe webhook upserts on subscription created/updated/deleted
  • New: Quota check inside reviewPullRequest before any reviewer call
2026-03-15
v0.0.5.2
improvement

Logs that are useful in support tickets

Small quality-of-life pass on the run detail page. Mostly motivated by the things support kept asking customers for.

  • Improved: Each reviewer call now shows the OpenRouter request id (paste it into a support ticket)
  • Improved: Stack traces in failed runs are collapsible and copyable
  • Improved: Aggregator decisions (kept / dropped / deduped) are listed in the run timeline
2026-03-08
v0.0.5
security

BYOK key storage (AES-256-GCM)

OpenRouter API keys are stored encrypted at rest in account_ai_settings.openrouter_key_encrypted using AES-256-GCM with a per-row IV.

  • New: lib/crypto/secrets.ts — encrypt / decrypt helpers
  • New: Settings UI to add, rotate, and revoke an OpenRouter key
  • New: per-account BYOK routing used at review runtime on Developer and above
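
An added example (not the contents of lib/crypto/secrets.ts) of AES-256-GCM encryption with a fresh IV per row. The iv || tag || ciphertext layout, the 12-byte IV, and binding a row identifier as associated data are assumptions that go beyond what the entry states.

```javascript
// Added example, not Quorum's lib/crypto/secrets.ts.
const { createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

const IV_LEN = 12;  // 96-bit IV, the size GCM is designed around
const TAG_LEN = 16; // 128-bit authentication tag

// Returns base64(iv || tag || ciphertext) for one database row.
// aad (e.g. an account id) binds the ciphertext to its row, so a value
// copied into another row fails authentication (assumed design choice).
function encryptSecret(plaintext, key, aad) {
  const iv = randomBytes(IV_LEN); // fresh on every write, including rotation
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptSecret(stored, key, aad) {
  const buf = Buffer.from(stored, "base64");
  if (buf.length < IV_LEN + TAG_LEN) throw new Error("ciphertext too short");
  const iv = buf.subarray(0, IV_LEN);
  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(tag);
  // final() throws if the IV, tag, AAD or ciphertext was altered.
  const pt = Buffer.concat([decipher.update(buf.subarray(IV_LEN + TAG_LEN)), decipher.final()]);
  return pt.toString("utf8");
}

// Constructed 32-byte key for the demonstration only; a real key comes from
// a secret store and is never a constant in source.
const DEMO_KEY = Buffer.alloc(32, 7);
```
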
2026-03-01
v0.0.4.1
fix

Cost rounding + CSV export

Two small cost-related bugs surfaced during month-end reconciliation.

  • Fixed: Tokens-per-call were rounded down before multiplying by the per-token rate, undercounting cost by ~3% on long PRs
  • Fixed: Daily cost CSV export had a stray UTF-8 BOM that broke Excel imports on Windows
2026-02-22
v0.0.4
improvement

Run + finding history

Every review writes a review_runs row with verdict, summary, cost, and duration. Per-finding rows hold the file, line, severity, confidence, body, and optional suggestion.

  • Improved: Cost estimation at $1.50 per 1M tokens (flat, model-agnostic for now)
  • Improved: Run dashboard shows status timeline + cost breakdown
  • Fixed: Status correctly transitions queued → running → completed | failed
2026-02-09
v0.0.3
fix

Advisory review mode

Reviews are posted with event 'COMMENT'. The summary footer reminds maintainers that the panel is advisory and humans decide merge.

  • Fixed: System prompt now explicitly forbids requesting changes
  • Fixed: Verdict shown as a label, never enforced as a status check