feat(web): GitLab MR Review Agent

Adds support for the AI Review Agent to review GitLab Merge Requests, mirroring the existing GitHub PR review functionality. Also fixes several bugs discovered during implementation and improves the shared review pipeline.

---

 ## New files

 ### `packages/web/src/features/agents/review-agent/nodes/gitlabMrParser.ts`
Parses a GitLab MR webhook payload into the shared `sourcebot_pr_payload` format. Calls `MergeRequests.show()` and `MergeRequests.allDiffs()` in parallel — the API response is used for `title`, `description`, `sha`, and `diff_refs` (which can be absent in webhook payloads for `update` action events), while per-file diffs are parsed using the existing `parse-diff` library.

 ### `packages/web/src/features/agents/review-agent/nodes/gitlabPushMrReviews.ts`
Posts review comments back to GitLab using `MergeRequestDiscussions.create()` with a position object carrying `base_sha`, `head_sha`, and `start_sha`. Falls back to `MergeRequestNotes.create()` (a general MR note) if the inline comment is rejected by the API (e.g. the line is not within the diff), ensuring reviews are always surfaced even when precise positioning fails.

 ### Test files (4 new files, 34 tests total)
- `githubPrParser.test.ts` — diff parsing and metadata mapping for the GitHub parser
- `githubPushPrReviews.test.ts` — single-line vs multi-line comment parameters, error resilience
- `gitlabMrParser.test.ts` — API call arguments, metadata mapping, diff parsing, edge cases (empty diffs, nested groups, null description, API failures)
- `gitlabPushMrReviews.test.ts` — inline comment posting, fallback behaviour, missing `diff_refs` guard, multi-file iteration

---

 ## Modified files

 ### `packages/web/src/features/agents/review-agent/types.ts`
- Added `sourcebot_diff_refs` schema/type (`base_sha`, `head_sha`, `start_sha`) and an optional `diff_refs` field on `sourcebot_pr_payload`
- Added `GitLabMergeRequestPayload` and `GitLabNotePayload` interfaces for webhook event typing

 ### `packages/web/src/features/agents/review-agent/app.ts`
- Added `processGitLabMergeRequest()` function mirroring `processGitHubPullRequest()`: sets up logging, runs the GitLab parser, generates reviews via the shared LLM pipeline, and pushes results
- Removed stale `OPENAI_API_KEY` guards (model availability is now enforced inside `invokeDiffReviewLlm`)

 ### `packages/web/src/features/agents/review-agent/nodes/invokeDiffReviewLlm.ts`
**Replaces the hardcoded OpenAI client** with the Vercel AI SDK's `generateText` and the shared `getAISDKLanguageModelAndOptions` / `getConfiguredLanguageModels` utilities from `chat/utils.server.ts`. The review agent now uses whichever language model is configured in `config.json`, supporting all providers (Anthropic, Bedrock, Azure, etc.).

- `REVIEW_AGENT_MODEL` env var (matched against `displayName`) selects a specific model when multiple are configured; falls back to `models[0]` with a warning if the name is not found
- Prompt is passed via the `system` parameter with a `"Review the code changes."` user turn, satisfying providers (e.g. Bedrock/Anthropic) that require conversations to begin with a user message

 ### `packages/web/src/features/agents/review-agent/nodes/fetchFileContent.ts`
**Fixes "Not authenticated" error** when the review agent calls `getFileSource`. The original implementation used `withOptionalAuth`, which reads a session cookie — absent in webhook handlers. Now calls `getFileSourceForRepo` directly with `__unsafePrisma` and the single-tenant org, bypassing the session-based auth layer. The webhook handler has already authenticated the request via its own mechanism (GitHub App signature / GitLab token).

 ### `packages/web/src/features/git/getFileSourceApi.ts`
- Extracted the core repo-lookup + git + language-detection logic into a new exported `getFileSourceForRepo({ path, repo, ref }, { org, prisma })` function
- `getFileSource` now handles auth and audit logging then delegates to `getFileSourceForRepo` — all existing callers are unchanged

 ### `packages/web/src/app/api/(server)/webhook/route.ts`
- Added GitLab webhook handling alongside the existing GitHub branch
- Verifies `x-gitlab-token` against `GITLAB_REVIEW_AGENT_WEBHOOK_SECRET`
- Handles `Merge Request Hook` events (auto-review on `open`, `update`, `reopen`) and `Note Hook` events (manual `/review` command on MR comments)
- Initialises a `Gitlab` client at module load if `GITLAB_REVIEW_AGENT_TOKEN` is set

 ### `packages/web/src/app/(app)/agents/page.tsx`
- Split the single "Review Agent" card into two separate cards: **GitHub Review Agent** and **GitLab Review Agent**, each showing its own configuration status
- Removed `OPENAI_API_KEY` from the GitHub card's required env vars (no longer applicable)

 ### `packages/web/src/app/(app)/components/navigationMenu/navigationItems.tsx` & `index.tsx`
- Added an **Agents** nav item (with `BotIcon`) between Repositories and Settings
- Visible when the user is authenticated **and** at least one agent is configured (GitHub App triple or GitLab token pair), computed in the server component and passed down as `isAgentsVisible`

 ### `packages/shared/src/env.server.ts`
Added four new environment variables:
| Variable | Purpose |
|---|---|
| `GITLAB_REVIEW_AGENT_WEBHOOK_SECRET` | Verifies the `x-gitlab-token` header on incoming webhooks |
| `GITLAB_REVIEW_AGENT_TOKEN` | Personal or project access token used for GitLab API calls |
| `GITLAB_REVIEW_AGENT_HOST` | GitLab hostname (defaults to `gitlab.com`; set for self-hosted instances) |
| `REVIEW_AGENT_MODEL` | `displayName` of the configured language model to use for reviews; falls back to the first model if unset or not matched |

 ### `packages/web/package.json`
Added `@gitbeaker/rest` dependency (already used in `packages/backend`).

---

 ## Bug fixes

| Bug | Fix |
|---|---|
| `"Not authenticated"` when fetching file content from the review agent | `fetchFileContent` now calls `getFileSourceForRepo` directly instead of `getFileSource` (which gates on session auth) |
| `"diff_refs is missing"` when posting GitLab MR reviews | `gitlabMrParser` now fetches the full MR via `MergeRequests.show()` instead of relying on the webhook payload, which omits `diff_refs` on `update` events |
| Bedrock/Anthropic rejection: `"A conversation must start with a user message"` | `invokeDiffReviewLlm` now passes the prompt via `system` + a `prompt` user turn instead of a `system`-role entry inside `messages` |
| Review agent silently used `models[0]` with no way to specify a different model | New `REVIEW_AGENT_MODEL` env var selects by `displayName` |

Author: Gavin Williams

.gitignore

@@ -160,10 +160,11 @@ dist
 
 # End of https://www.toptal.com/developers/gitignore/api/yarn,node
 
+.claude
 .sourcebot
 /bin
 /config.json
 .DS_Store
 oss-licenses.json
 oss-license-summary.json
-license-audit-result.json
+license-audit-result.json

packages/shared/src/env.server.ts

@@ -195,6 +195,11 @@ const options = {
         GITHUB_REVIEW_AGENT_APP_ID: z.string().optional(),
         GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET: z.string().optional(),
         GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH: z.string().optional(),
+        // GitLab for review agent
+        GITLAB_REVIEW_AGENT_WEBHOOK_SECRET: z.string().optional(),
+        GITLAB_REVIEW_AGENT_TOKEN: z.string().optional(),
+        GITLAB_REVIEW_AGENT_HOST: z.string().default('gitlab.com'),
+        REVIEW_AGENT_MODEL: z.string().optional(),
         REVIEW_AGENT_API_KEY: z.string().optional(),
         REVIEW_AGENT_LOGGING_ENABLED: booleanSchema.default('true'),
         REVIEW_AGENT_AUTO_REVIEW_ENABLED: booleanSchema.default('false'),

packages/web/package.json

@@ -54,6 +54,7 @@
     "@codemirror/state": "^6.4.1",
     "@codemirror/view": "^6.33.0",
     "@floating-ui/react": "^0.27.2",
+    "@gitbeaker/rest": "^40.5.1",
     "@grpc/grpc-js": "^1.14.1",
     "@grpc/proto-loader": "^0.8.0",
     "@hookform/resolvers": "^3.9.0",

packages/web/src/app/(app)/agents/page.tsx

@@ -5,10 +5,17 @@ import { env } from "@sourcebot/shared";
 
 const agents = [
   {
-    id: "review-agent",
-    name: "Review Agent",
-    description: "An AI code review agent that reviews your PRs. Uses the code indexed on Sourcebot to provide codebase-wide context.",
-    requiredEnvVars: ["GITHUB_REVIEW_AGENT_APP_ID", "GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET", "GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH", "OPENAI_API_KEY"],
+    id: "github-review-agent",
+    name: "GitHub Review Agent",
+    description: "An AI code review agent that reviews your GitHub PRs. Uses the code indexed on Sourcebot to provide codebase-wide context.",
+    requiredEnvVars: ["GITHUB_REVIEW_AGENT_APP_ID", "GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET", "GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH"],
+    configureUrl: "https://docs.sourcebot.dev/docs/features/agents/review-agent"
+  },
+  {
+    id: "gitlab-review-agent",
+    name: "GitLab Review Agent",
+    description: "An AI code review agent that reviews your GitLab MRs. Uses the code indexed on Sourcebot to provide codebase-wide context.",
+    requiredEnvVars: ["GITLAB_REVIEW_AGENT_WEBHOOK_SECRET", "GITLAB_REVIEW_AGENT_TOKEN"],
     configureUrl: "https://docs.sourcebot.dev/docs/features/agents/review-agent"
   },
 ];

packages/web/src/app/(app)/components/navigationMenu/index.tsx

@@ -7,6 +7,7 @@ import { Separator } from "@/components/ui/separator";
 import { ServiceErrorException } from "@/lib/serviceError";
 import { isServiceError } from "@/lib/utils";
 import { OrgRole, RepoIndexingJobStatus, RepoIndexingJobType } from "@sourcebot/db";
+import { env } from "@sourcebot/shared";
 import Link from "next/link";
 import { MeControlDropdownMenu } from "../meControlDropdownMenu";
 import WhatsNewIndicator from "../whatsNewIndicator";
@@ -103,6 +104,10 @@ export const NavigationMenu = async () => {
                                 ) : false
                             }
                             isAuthenticated={isAuthenticated}
+                            isAgentsVisible={isAuthenticated && (
+                                !!(env.GITHUB_REVIEW_AGENT_APP_ID && env.GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET && env.GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH) ||
+                                !!(env.GITLAB_REVIEW_AGENT_WEBHOOK_SECRET && env.GITLAB_REVIEW_AGENT_TOKEN)
+                            )}
                         />
                     </NavigationMenuBase>
                 </div>

packages/web/src/app/(app)/components/navigationMenu/navigationItems.tsx

@@ -3,7 +3,7 @@
 import { NavigationMenuItem, NavigationMenuLink, NavigationMenuList, navigationMenuTriggerStyle } from "@/components/ui/navigation-menu";
 import { Badge } from "@/components/ui/badge";
 import { cn, getShortenedNumberDisplayString } from "@/lib/utils";
-import { SearchIcon, MessageCircleIcon, BookMarkedIcon, SettingsIcon } from "lucide-react";
+import { SearchIcon, MessageCircleIcon, BookMarkedIcon, SettingsIcon, BotIcon } from "lucide-react";
 import { usePathname } from "next/navigation";
 import { NotificationDot } from "../notificationDot";
 
@@ -12,13 +12,15 @@ interface NavigationItemsProps {
     isReposButtonNotificationDotVisible: boolean;
     isSettingsButtonNotificationDotVisible: boolean;
     isAuthenticated: boolean;
+    isAgentsVisible: boolean;
 }
 
 export const NavigationItems = ({
     numberOfRepos,
     isReposButtonNotificationDotVisible,
     isSettingsButtonNotificationDotVisible,
     isAuthenticated,
+    isAgentsVisible,
 }: NavigationItemsProps) => {
     const pathname = usePathname();
 
@@ -65,6 +67,18 @@ export const NavigationItems = ({
                 </NavigationMenuLink>
                 {isActive('/repos') && <ActiveIndicator />}
             </NavigationMenuItem>
+            {isAgentsVisible && (
+                <NavigationMenuItem className="relative">
+                    <NavigationMenuLink
+                        href="/agents"
+                        className={navigationMenuTriggerStyle()}
+                    >
+                        <BotIcon className="w-4 h-4 mr-1" />
+                        Agents
+                    </NavigationMenuLink>
+                    {isActive('/agents') && <ActiveIndicator />}
+                </NavigationMenuItem>
+            )}
             {isAuthenticated && (
                 <NavigationMenuItem className="relative">
                     <NavigationMenuLink

packages/web/src/app/api/(server)/webhook/route.ts

@@ -3,14 +3,15 @@
 import { NextRequest } from "next/server";
 import { App, Octokit } from "octokit";
 import { WebhookEventDefinition} from "@octokit/webhooks/types";
+import { Gitlab } from "@gitbeaker/rest";
 import { env } from "@sourcebot/shared";
-import { processGitHubPullRequest } from "@/features/agents/review-agent/app";
+import { processGitHubPullRequest, processGitLabMergeRequest } from "@/features/agents/review-agent/app";
 import { throttling, type ThrottlingOptions } from "@octokit/plugin-throttling";
 import fs from "fs";
-import { GitHubPullRequest } from "@/features/agents/review-agent/types";
+import { GitHubPullRequest, GitLabMergeRequestPayload, GitLabNotePayload } from "@/features/agents/review-agent/types";
 import { createLogger } from "@sourcebot/shared";
 
-const logger = createLogger('github-webhook');
+const logger = createLogger('webhook');
 
 const DEFAULT_GITHUB_API_BASE_URL = "https://api.github.com";
 type GitHubAppBaseOptions = Omit<ConstructorParameters<typeof App>[0], "Octokit"> & { throttle: ThrottlingOptions };
@@ -95,6 +96,40 @@ function isIssueCommentEvent(eventHeader: string, payload: unknown): payload is
     return eventHeader === "issue_comment" && typeof payload === "object" && payload !== null && "action" in payload && typeof payload.action === "string" && payload.action === "created";
 }
 
+function isGitLabMergeRequestEvent(eventHeader: string, payload: unknown): payload is GitLabMergeRequestPayload {
+    return (
+        eventHeader === "Merge Request Hook" &&
+        typeof payload === "object" &&
+        payload !== null &&
+        "object_attributes" in payload &&
+        typeof (payload as GitLabMergeRequestPayload).object_attributes?.action === "string" &&
+        ["open", "update", "reopen"].includes((payload as GitLabMergeRequestPayload).object_attributes.action)
+    );
+}
+
+function isGitLabNoteEvent(eventHeader: string, payload: unknown): payload is GitLabNotePayload {
+    return (
+        eventHeader === "Note Hook" &&
+        typeof payload === "object" &&
+        payload !== null &&
+        "object_attributes" in payload &&
+        (payload as GitLabNotePayload).object_attributes?.noteable_type === "MergeRequest"
+    );
+}
+
+let gitlabClient: InstanceType<typeof Gitlab> | undefined;
+
+if (env.GITLAB_REVIEW_AGENT_TOKEN) {
+    try {
+        gitlabClient = new Gitlab({
+            host: `https://${env.GITLAB_REVIEW_AGENT_HOST}`,
+            token: env.GITLAB_REVIEW_AGENT_TOKEN,
+        });
+    } catch (error) {
+        logger.error(`Error initializing GitLab client: ${error}`);
+    }
+}
+
 export const POST = async (request: NextRequest) => {
     const body = await request.json();
     const headers = Object.fromEntries(Array.from(request.headers.entries(), ([key, value]) => [key.toLowerCase(), value]));
@@ -161,5 +196,62 @@ export const POST = async (request: NextRequest) => {
         }
     }
 
+    const gitlabEvent = headers['x-gitlab-event'];
+    if (gitlabEvent) {
+        logger.info('GitLab event received:', gitlabEvent);
+
+        const token = headers['x-gitlab-token'];
+        if (!env.GITLAB_REVIEW_AGENT_WEBHOOK_SECRET || token !== env.GITLAB_REVIEW_AGENT_WEBHOOK_SECRET) {
+            logger.warn('GitLab webhook token is invalid or GITLAB_REVIEW_AGENT_WEBHOOK_SECRET is not set');
+            return Response.json({ status: 'ok' });
+        }
+
+        if (!gitlabClient) {
+            logger.warn('Received GitLab webhook event but GITLAB_REVIEW_AGENT_TOKEN is not set');
+            return Response.json({ status: 'ok' });
+        }
+
+        if (isGitLabMergeRequestEvent(gitlabEvent, body)) {
+            if (env.REVIEW_AGENT_AUTO_REVIEW_ENABLED === "false") {
+                logger.info('Review agent auto review (REVIEW_AGENT_AUTO_REVIEW_ENABLED) is disabled, skipping');
+                return Response.json({ status: 'ok' });
+            }
+
+            await processGitLabMergeRequest(
+                gitlabClient,
+                body.project.id,
+                body,
+                env.GITLAB_REVIEW_AGENT_HOST,
+            );
+        }
+
+        if (isGitLabNoteEvent(gitlabEvent, body)) {
+            const noteBody = body.object_attributes?.note;
+            if (noteBody === `/${env.REVIEW_AGENT_REVIEW_COMMAND}`) {
+                logger.info('Review agent review command received on GitLab MR, processing');
+
+                const mrPayload: GitLabMergeRequestPayload = {
+                    object_kind: "merge_request",
+                    object_attributes: {
+                        iid: body.merge_request.iid,
+                        title: body.merge_request.title,
+                        description: body.merge_request.description,
+                        action: "update",
+                        last_commit: body.merge_request.last_commit,
+                        diff_refs: body.merge_request.diff_refs,
+                    },
+                    project: body.project,
+                };
+
+                await processGitLabMergeRequest(
+                    gitlabClient,
+                    body.project.id,
+                    mrPayload,
+                    env.GITLAB_REVIEW_AGENT_HOST,
+                );
+            }
+        }
+    }
+
     return Response.json({ status: 'ok' });
 }

packages/web/src/features/agents/review-agent/app.ts

@@ -1,9 +1,12 @@
 import { Octokit } from "octokit";
+import { Gitlab } from "@gitbeaker/rest";
 import { generatePrReviews } from "@/features/agents/review-agent/nodes/generatePrReview";
 import { githubPushPrReviews } from "@/features/agents/review-agent/nodes/githubPushPrReviews";
 import { githubPrParser } from "@/features/agents/review-agent/nodes/githubPrParser";
+import { gitlabMrParser } from "@/features/agents/review-agent/nodes/gitlabMrParser";
+import { gitlabPushMrReviews } from "@/features/agents/review-agent/nodes/gitlabPushMrReviews";
+import { GitHubPullRequest, GitLabMergeRequestPayload } from "@/features/agents/review-agent/types";
 import { env } from "@sourcebot/shared";
-import { GitHubPullRequest } from "@/features/agents/review-agent/types";
 import path from "path";
 import fs from "fs";
 import { createLogger } from "@sourcebot/shared";
@@ -23,11 +26,6 @@ const logger = createLogger('review-agent');
 export async function processGitHubPullRequest(octokit: Octokit, pullRequest: GitHubPullRequest) {
     logger.info(`Received a pull request event for #${pullRequest.number}`);
 
-    if (!env.OPENAI_API_KEY) {
-        logger.error("OPENAI_API_KEY is not set, skipping review agent");
-        return;
-    }
-
     let reviewAgentLogPath: string | undefined;
     if (env.REVIEW_AGENT_LOGGING_ENABLED) {
         const reviewAgentLogDir = path.join(env.DATA_CACHE_DIR, "review-agent");
@@ -50,5 +48,38 @@ export async function processGitHubPullRequest(octokit: Octokit, pullRequest: Gi
 
     const prPayload = await githubPrParser(octokit, pullRequest);
     const fileDiffReviews = await generatePrReviews(reviewAgentLogPath, prPayload, rules);
-    await githubPushPrReviews(octokit, prPayload, fileDiffReviews); 
+    await githubPushPrReviews(octokit, prPayload, fileDiffReviews);
+}
+
+export async function processGitLabMergeRequest(
+    gitlabClient: InstanceType<typeof Gitlab>,
+    projectId: number,
+    mrPayload: GitLabMergeRequestPayload,
+    hostDomain: string,
+) {
+    logger.info(`Received a merge request event for !${mrPayload.object_attributes.iid}`);
+
+    let reviewAgentLogPath: string | undefined;
+    if (env.REVIEW_AGENT_LOGGING_ENABLED) {
+        const reviewAgentLogDir = path.join(env.DATA_CACHE_DIR, "review-agent");
+        if (!fs.existsSync(reviewAgentLogDir)) {
+            fs.mkdirSync(reviewAgentLogDir, { recursive: true });
+        }
+
+        const timestamp = new Date().toLocaleString('en-US', {
+            year: 'numeric',
+            month: '2-digit',
+            day: '2-digit',
+            hour: '2-digit',
+            minute: '2-digit',
+            second: '2-digit',
+            hour12: false
+        }).replace(/(\d+)\/(\d+)\/(\d+), (\d+):(\d+):(\d+)/, '$3_$1_$2_$4_$5_$6');
+        reviewAgentLogPath = path.join(reviewAgentLogDir, `review-agent-mr-${mrPayload.object_attributes.iid}-${timestamp}.log`);
+        logger.info(`Review agent logging to ${reviewAgentLogPath}`);
+    }
+
+    const prPayload = await gitlabMrParser(gitlabClient, mrPayload, hostDomain);
+    const fileDiffReviews = await generatePrReviews(reviewAgentLogPath, prPayload, rules);
+    await gitlabPushMrReviews(gitlabClient, projectId, prPayload, fileDiffReviews);
 }

packages/web/src/features/agents/review-agent/nodes/fetchFileContent.ts

@@ -1,21 +1,30 @@
 import { sourcebot_context, sourcebot_pr_payload } from "@/features/agents/review-agent/types";
-import { fileSourceResponseSchema, getFileSource } from '@/features/git';
+import { fileSourceResponseSchema, getFileSourceForRepo } from '@/features/git';
+import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
 import { isServiceError } from "@/lib/utils";
+import { __unsafePrisma } from "@/prisma";
 import { createLogger } from "@sourcebot/shared";
 
 const logger = createLogger('fetch-file-content');
 
 export const fetchFileContent = async (pr_payload: sourcebot_pr_payload, filename: string): Promise<sourcebot_context> => {
     logger.debug("Executing fetch_file_content");
 
+    const org = await __unsafePrisma.org.findUnique({
+        where: { id: SINGLE_TENANT_ORG_ID },
+    });
+    if (!org) {
+        throw new Error("Organization not found");
+    }
+
     const repoPath = pr_payload.hostDomain + "/" + pr_payload.owner + "/" + pr_payload.repo;
     const fileSourceRequest = {
         path: filename,
         repo: repoPath,
-    }
+    };
     logger.debug(JSON.stringify(fileSourceRequest, null, 2));
 
-    const response = await getFileSource(fileSourceRequest);
+    const response = await getFileSourceForRepo(fileSourceRequest, { org, prisma: __unsafePrisma });
     if (isServiceError(response)) {
         throw new Error(`Failed to fetch file content for ${filename} from ${repoPath}: ${response.message}`);
     }
@@ -27,8 +36,8 @@ export const fetchFileContent = async (pr_payload: sourcebot_pr_payload, filenam
         type: "file_content",
         description: `The content of the file ${filename}`,
         context: fileContent,
-    }
+    };
 
     logger.debug("Completed fetch_file_content");
     return fileContentContext;
-}
+};