AI Workloads

Review, fix, and ship

Kabori reviews your code before it reaches humans, fixes broken pipelines automatically, and writes the commit messages and MR descriptions that give reviewers everything they need — so merges happen faster and with more confidence.

01 · Perform a Code Review

Code review that never gets tired

Kabori performs thorough code reviews with full codebase context — catching bugs, security issues, and architectural inconsistencies before they reach your main branch.

MR !42 · feature/rate-limiting · AI Review
● Critical

src/auth/session.ts:42 — Session token stored in localStorage; use sessionStorage to reduce XSS exposure

● Critical

src/api/auth.ts:28 — JWT secret read from process.env without validation; app will silently accept an empty secret

● Medium

src/api/users.ts:87 — Missing input validation on userId; could accept non-UUID values

● Medium

src/services/payment.ts:103 — Promise chain without catch handler; unhandled rejections will crash the process

○ Info

src/middleware/rateLimiter.ts — Consider extracting SlidingWindowStore to a shared utility for reuse

✓ Passed

Error handling (6/8 files), test coverage (92%), naming conventions, TypeScript strictness

2 critical · 2 medium · 1 info · 4 passed

Requires changes before merge

Bug and correctness checks

The AI identifies logic errors, off-by-one mistakes, null-pointer risks, and incorrect API usage — issues that often slip through manual review.

Security analysis

OWASP Top 10 patterns, injection vulnerabilities, insecure deserialization, and exposure of sensitive data are flagged before code is merged.

Architectural consistency

Reviews consider your existing patterns and conventions — flagging deviations from the codebase's established architecture, not just the diff in isolation.

Actionable feedback

Every finding comes with a specific suggestion — not just a description of what's wrong, but a concrete recommendation for how to fix it.

02 · Fixing Failed CI/CD Pipelines

Fix broken pipelines in minutes

Kabori reads your CI/CD logs, identifies the root cause of the failure, and generates a targeted fix — so your pipeline is green again before the next standup.

pipeline #1842 · feature/rate-limiting · failed

Scanning 4,821 log lines across 3 stages...

  ✓ stage:lint — passed (12s)

  ✓ stage:build — passed (48s)

  ✗ stage:test — failed (2m 14s)

FAIL src/services/payment.test.ts

  TypeError: Cannot read property 'stripe' of undefined

  at PaymentService.charge (src/services/payment.ts:42)

  at Object.<anonymous> (src/services/payment.test.ts:18)

Root cause:

  Mock for PaymentService not initialised before test suite

  paymentService.stripe is undefined at test runtime

Fix:

+ beforeEach(() => {

+ paymentService = new MockPaymentService();

+ paymentService.stripe = createStripeMock();

+ });
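
Review bot: the `beforeEach` assigns `new MockPaymentService()` to `paymentService`, but the trace above fails inside `PaymentService.charge` (src/services/payment.ts:42), so if payment.test.ts is meant to exercise the real `charge`, replacing the whole service with a mock stops testing it. Consider constructing the real `PaymentService` and injecting only `createStripeMock()`. Also note that "Cannot read property 'stripe' of undefined" means the object `.stripe` is read from is undefined, not `stripe` itself, so confirm what is undefined at line 42 before relying on `paymentService.stripe = createStripeMock();` as the fix.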

Fix ready · estimated pipeline time: 2m 30s

Analysis completed in 4s

Intelligent log analysis

The AI parses pipeline logs to isolate the root cause — filtering noise from test runners, linters, and build tools to surface what actually broke.

Root cause in seconds

Stop scrolling through thousands of log lines. Kabori identifies the failing step, the failing assertion, and the code responsible — instantly.

Targeted patch generation

Rather than rewriting surrounding code, Kabori produces a minimal, surgical fix — reducing the review surface and the risk of regressions.

Pipeline-config aware

Kabori reads your CI/CD configuration alongside your source code — so fixes respect your environment variables, stages, and runner constraints.

03 · Write Commit Messages

Commit messages that tell the story

Kabori writes commit messages that explain the why, match your project's conventions, and make your git history a useful artefact — not an afterthought.

Before
wip

Changed files:

  src/auth/oauth.ts

  src/auth/session.ts

  src/auth/oauth.test.ts

  +219 / -87 lines

After — AI-generated
feat(auth): add PKCE flow to OAuth2 authorization

Replace the implicit grant with PKCE to comply
with RFC 9700. Code verifier stored in
sessionStorage to reduce XSS exposure.

The implicit flow was deprecated in RFC 9700 due
to token leakage in the redirect URI fragment;
PKCE binds the token request to the initiating
client instance via a one-time challenge.

Test coverage: full round-trip integration test
plus unit tests for verifier/challenge generation.

Closes #412

Diff-aware messages

The AI reads the full diff — not just the filenames — to understand what actually changed and why, producing messages that explain the intent, not just the mechanics.

Convention-aware formatting

Kabori learns your project's commit style — Conventional Commits, gitmoji, custom prefixes — and formats messages to match without any configuration.

Task context included

When a task spec is available, commit messages reference the relevant requirement or ticket — giving future git blame readers the full picture.

History that tells a story

Good commit messages make git log useful. Kabori ensures every commit is a clear, searchable entry in your project's history.

04 · Write MR Descriptions

MR descriptions that tell the full story

Kabori writes merge request descriptions that give reviewers everything they need — context, testing evidence, and linked references — so approvals happen faster and with more confidence.

MR !43 · feat/rate-limiting → main · AI-generated description
## Summary
Replace implicit OAuth2 grant with PKCE (RFC 9700)
across all authentication flows to prevent token
leakage via redirect URI fragments.

## Changes
- Added PKCE code verifier/challenge generation util
- Updated AuthService.startFlow() to attach challenge
- Updated callback handler to verify code verifier
- Migrated session token storage to sessionStorage
- Removed legacy implicit grant code paths

## Testing
- [x] Unit tests for PKCE generator (100% branch coverage)
- [x] Integration test: full OAuth round-trip with PKCE
- [x] Regression: existing sessions unaffected after upgrade
- [x] Manual: tested with GitHub and Google OAuth providers
- [ ] Load test: token exchange under concurrent sessions

## Security Notes
Addresses OWASP A07 (Identification & Authentication Failures).
The implicit flow is no longer recommended per RFC 9700 §2.1.2.

## Related
- Closes #412 (Security: OAuth2 PKCE compliance)
- Part of Q2 security hardening milestone

Comprehensive change summary

Kabori reads all commits in the branch and synthesises a coherent summary — what changed, why, and what was deliberately excluded.

Linked context

Task specs, related issues, and documentation references are woven in automatically — giving reviewers everything they need without hunting for links.

Testing and validation section

A testing checklist derived from the task's acceptance criteria and test plan — so reviewers know exactly what was validated before the MR was opened.

Your template, respected

If your project has an MR description template, Kabori fills it in — populating every section correctly rather than generating a free-form description.

Merge with confidence

Join the private beta and let Kabori review your code, fix your pipelines, and write your commit messages — so every merge is something to be proud of.