
Build a Multi-Agent AI Code Review System with OpenCode

Learn how Cloudflare uses specialized AI agents and OpenCode to automate security, performance, and compliance reviews across thousands of repositories.

Cloudflare’s new AI code review system lets you automate initial review passes across thousands of repositories using a multi-agent orchestration approach. Built on the open-source OpenCode terminal agent, the architecture delegates distinct review domains to specialized models rather than relying on a single monolithic prompt. This guide covers how to set up the system, configure model routing, and execute sandboxed code refactoring safely.

Multi-Agent Orchestration Architecture

Instead of a single reviewer, the system uses an orchestrator LLM to manage a coordinated group of up to seven specialized AI agents. The orchestrator evaluates incoming pull requests, determines when a review is necessary, and invokes the spawn_reviewers tool via a custom runtime plugin. Setting up this pattern requires an understanding of multi-agent systems to manage parallel execution and aggregate the resulting feedback.

Each spawned agent handles a highly specific domain. The system separates concerns across six distinct reviewer profiles:

  • Security: Scans for vulnerabilities and insecure patterns.
  • Performance: Detects potential performance regressions and inefficient algorithms.
  • Code Quality: Evaluates general maintainability, readability, and style.
  • Documentation: Audits README files and inline comments for accuracy.
  • Compliance: Verifies adherence to internal standards, known as the Engineering Codex.
  • Release Management: Audits proper versioning and deployment flag configurations.

The Compliance agent evaluates code against organizational guidelines distilled directly from internal RFCs. It cites specific rules from the Engineering Codex to provide structured, actionable feedback. This approach reduces manual audit work into a repeatable automated process.

Local Setup and Execution

Developers can run the exact same review orchestration locally before pushing code. This ensures the CI pipeline rules match the local development environment identically. Integrating these checks early is a core part of modern vibe coding workflows where continuous, immediate feedback dictates development speed.

Install the @opencode-reviewer/local plugin to add these review capabilities to your OpenCode terminal user interface. The plugin connects to the same proxy and orchestrator logic used in the primary continuous integration pipeline.

Once the plugin is installed, trigger the multi-agent review process by running the /fullreview command directly within the OpenCode TUI. The local instance launches the spawn_reviewers routine, pulling down feedback from all seven specialized agents straight to your terminal.

Model Routing and Infrastructure

The orchestrator routes tasks to different models based on complexity and context requirements. All requests pass through an AI Gateway for rate limiting, caching, and strict observability. Managing these routing rules effectively requires proper LLM observability to track token consumption across different model providers.

Documentation tasks and basic compliance checks are routed to Workers AI. This tier handles approximately 15% of the total reviewer traffic, relying heavily on the Kimi K2.5 model. Kimi K2.5 features a 256k context window, making it highly effective for standardizing long-form documentation reviews. Use Kimi K2.5's native structured output so the resulting documentation feedback can be parsed reliably rather than scraped from free text.

Complex architectural analysis and deep security reviews require stronger reasoning capabilities. The orchestrator routes these specific tasks to frontier models like GPT-5.4 and Opus 4.6. This bifurcated routing strategy balances operational costs against the required reasoning depth for each specific domain.
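The orchestration and routing pattern described above, as an added TypeScript example (not OpenCode's or Cloudflare's code): an orchestrator gate, a per-domain model router with the Workers AI / frontier split, and a spawn_reviewers equivalent that fans out to every reviewer profile and merges the findings. The reviewer is a constructed stand-in for the LLM call so it runs offline; the model labels, the skip rule and the Engineering Codex rule ID are assumptions.

```typescript
// Added example, not OpenCode's or Cloudflare's code.
type Domain = "security" | "performance" | "codeQuality" | "documentation" | "compliance" | "releaseManagement";
type Route = { tier: "workers-ai" | "frontier"; model: string };
type Finding = { domain: Domain; severity: "high" | "low"; message: string; codexRule?: string };

const DOMAINS: Domain[] = ["security", "performance", "codeQuality", "documentation", "compliance", "releaseManagement"];

// Cheap, long-context tier for documentation and basic compliance; frontier tier for deep analysis.
// Model names are labels for the example, not real provider model IDs.
function routeModel(domain: Domain): Route {
  if (domain === "documentation" || domain === "compliance") {
    return { tier: "workers-ai", model: "kimi-k2.5" };
  }
  return { tier: "frontier", model: "gpt-5.4" };
}

// Orchestrator gate (assumed rule): spawn reviewers only if the PR touches something
// other than lock files and build output.
function needsReview(changedFiles: string[]): boolean {
  return changedFiles.some((f) => !/\.lock$/.test(f) && !f.startsWith("dist/"));
}

// A reviewer sees only its own domain, its routed model and the diff, and returns structured findings.
type Reviewer = (domain: Domain, route: Route, diff: string) => Finding[];

// Constructed stand-in for the LLM call: two fixed rules so the example is deterministic.
const stubReviewer: Reviewer = (domain, _route, diff) => {
  const out: Finding[] = [];
  if (domain === "security" && /\beval\(/.test(diff)) {
    out.push({ domain, severity: "high", message: "eval() on untrusted input" });
  }
  if (domain === "compliance" && /console\.log/.test(diff)) {
    // CODEX-LOG-1 is a made-up rule ID standing in for an Engineering Codex citation.
    out.push({ domain, severity: "low", message: "use the structured logger", codexRule: "CODEX-LOG-1" });
  }
  return out;
};

// spawn_reviewers equivalent: fan out across all domains, then merge into one report, high severity first.
function spawnReviewers(diff: string, reviewer: Reviewer = stubReviewer): Finding[] {
  const findings: Finding[] = [];
  for (const d of DOMAINS) {
    findings.push(...reviewer(d, routeModel(d), diff));
  }
  return findings.sort((a, b) => (a.severity === b.severity ? 0 : a.severity === "high" ? -1 : 1));
}
```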

Security and Sandboxing with Code Mode

Automated code modifications require strict security boundaries. The OpenCode system introduces Code Mode to handle agent-generated refactoring and execution safely.

Code Mode provides an isolated, sandboxed execution environment for the specialized agents. If an agent writes code to patch a vulnerability or fix a performance regression, that code executes entirely within the sandbox. This architectural boundary prevents malicious, untested, or malformed logic from running inside sensitive deployment environments.

All multi-agent LLM requests are proxied through a single dedicated Worker integrated with Cloudflare Access. This Zero Trust authentication layer enforces strict security policies on every single request. It ensures that only authenticated CI jobs and verified local users can trigger the orchestration pipeline.

Begin by installing the @opencode-reviewer/local plugin on a single repository. Route your initial local tests through the AI Gateway to establish baseline latency and token usage metrics before scaling the multi-agent orchestration across your broader CI pipeline.
