Code Review as a Service
You don't actually know what's in that codebase.
A new hire's first PR, a pre-acquisition target, a contractor's deliverable, a repo you haven't opened in 12 months. The quiet dread of "I don't know what I'm inheriting" is expensive. Get a grounded, written answer — architecture shape, top-10 findings by severity, risk rating — in 48–120 hours. Async. No consulting calendar dance.
How it works
Three steps. No live meetings required for Starter.
1. Submit: Pick a tier, fill the intake form with your repo URL, access method, and main concerns. Payment confirms your slot; Standard+ includes a free 15-min qualification call first.
2. Review: I run the 7-phase checklist. A Claude agent swarm (Opus orchestrator + Sonnet workers) does the heavy lifting; I verify access, review every output, calibrate findings, and record a Loom walkthrough for Standard+ tiers.
3. Debrief: You receive a Markdown report + PDF export with architecture diagrams, top-10 findings table, risk rating, and recommended actions. Standard+ includes a 30–60 min Q&A call.
The 7-phase checklist
The checklist is the product. Nothing is skipped because "the repo looked fine." Every engagement runs all seven phases.
1. Repo Setup & Orientation: "Get the repo running locally and understand its top-level shape before reading any code."
2. Architecture Scan: "Build a mental model of the system's layers, data flow, and key integration points."
3. Dependency Audit: "Know what you're inheriting — outdated, vulnerable, or abandoned dependencies are risk."
4. Test Coverage Check: "Know what's tested, what's not, and whether the tests protect real business logic."
5. CI/CD Review: "Understand the automated quality gates before your first push."
6. Security Surface Review: "Identify the most exposed attack surfaces before writing any code that touches them."
7. Synthesis & Handoff: "Produce a crisp written output so findings don't stay in your head."
Total runtime: ~4–5 hours of focused human + agent work per repo. The agent swarm (Opus 4.7 orchestrator + 6 Sonnet 4.6 workers) runs the checklist phases in parallel; I review, calibrate, and narrate before delivery.
What's in the report
Every engagement ships one Markdown report + one PDF export. Standard+ tiers also include a Loom walkthrough video.
- Executive summary: Risk rating (Low / Medium / High / Critical) + top 3 risks in plain English + recommended next step. One page, non-technical.
- Architecture summary: Pattern + layer map (Mermaid graph), end-to-end data flow (Mermaid sequence diagram), external integrations table.
- Top 10 findings: Ranked table: severity, category, file location, one-line finding, recommended action.
- Dependency audit output: npm audit / cargo audit / Gradle results with HIGH and CRITICAL CVEs flagged.
- Test coverage snapshot: Pass rate, coverage %, zero-test modules, brittle-test flags.
- CI/CD map: Workflows, merge gates, secret hygiene, deploy pipeline, silent-failure traps.
- Security surface review: Auth validation, hardcoded credentials scan, input validation, SQLi/XSS risk, CORS/rate-limit policy.
- Missing documents list: Things that had to be discovered manually that should have been documented, with recommendations.
Stacks covered in v1: Android (Jetpack Compose + Kotlin), Next.js / Node.js / NestJS, Astro, and Rust (including JNI bridges to Android).
Pricing
Flat rate in EUR. All tiers include the full 7-phase checklist. VAT reverse-charged for EU B2B clients.
Starter
€750
1 repo · <10k LOC · 5 business days
- All 7 phases of the checklist
- Full Markdown report + PDF export
- Top-10 findings ranked by severity
- Dependency audit + security surface review
- Risk rating: Low / Medium / High / Critical
- Email delivery — no call required
Standard
€1,800
1 repo · any size · 72 hours
- Everything in Starter
- No LOC ceiling
- Loom walkthrough video (narrated by me)
- 30-min Q&A call included
- Free 15-min qualification call before booking
Deep Dive
€4,500
Mono-repo or up to 3 services · <50k LOC · 48 hours
- Everything in Standard
- Multi-service: per-service sub-reports
- <50k LOC combined ceiling
- 60-min architecture Q&A call
- 2 weeks async Slack follow-up
- Free 15-min qualification call
SLA clocks start when payment is confirmed and repo access is verified. Weekends excluded. Miss-the-SLA → 25% automatic refund. Rush available at +50% (Standard) or +100% (Deep Dive).
100% money-back guarantee — all three tiers
If the report doesn't surface at least one actionable finding you didn't already know about, I'll refund you in full. No questions asked. The 7-phase checklist, run by an agent swarm and calibrated by a 12-year senior engineer, is thorough enough that I'm confident taking that risk off your plate.
What this is not
Deliberate exclusions that keep turnaround promises deliverable.
- Fix implementation: I report; I don't apply fixes. Post-review implementation is available at standard hourly rates.
- Live pairing sessions: The service is async-first. If you need live pairing, book a Fractional CTO hourly engagement.
- Penetration testing: Phase 6 is a surface-level security review, not a pen test. For adversarial testing, I refer to NCC Group or Trail of Bits.
- Compliance certification: HIPAA, GDPR, SOC 2 attestations require accredited auditors. I flag gaps but cannot certify.
- Ongoing monitoring: One-shot review per purchase. Recurring quarterly review is roadmap, not v1.
- Style / formatter opinions: The report ignores tabs-vs-spaces. Only findings that affect correctness, security, performance, or maintainability are reported.
- 12+ years engineering
- 37+ projects delivered
- 4 production stacks covered
- 150M+ users impacted
Questions about the service
What stacks do you cover?
Android (Jetpack Compose + Kotlin), Next.js / Node.js / NestJS, Astro, and Rust (including JNI bridges to Android). These are the four stacks I use daily in paid client work — the checklist annotations are real, not theoretical. Repos outside these four stacks are out of scope for v1.
How do I share my repo with you?
The intake form (/code-review-intake) collects your preferred access method: GitHub collaborator invite (read-only), GitLab guest role, or a zip upload for private repos with no external collaborator policy. I verify access within one business hour of payment — the SLA clock doesn't start until access is confirmed.
What exactly is in the report?
A one-page executive summary (risk rating + top 3 risks in plain English), an architecture summary with Mermaid diagrams, Top 10 findings ranked by severity, a full dependency audit (npm audit / cargo audit output), test coverage snapshot, CI/CD pipeline map, security surface review, and a "missing documents" list. Delivered as Markdown + PDF.
Do you fix the issues, or just report them?
Report only — by design. Scope creep from "just one fix" is the #1 way audits turn into 40-hour projects. If you want the findings addressed, post-review implementation is available at my standard Fractional CTO hourly rate. The report will include recommended actions for every finding so the work is well-scoped.
What is the money-back guarantee?
If the report doesn't surface at least one actionable finding you didn't already know about, I'll refund you in full. No questions asked. I'm confident enough in the 7-phase checklist + human calibration pass to take that risk.
What happens if you miss the turnaround SLA?
You get a 25% automatic refund — no need to ask. The only exception is client-side delays (e.g. repo access not provisioned in time). My on-time rate target is ≥95%.
Can I get a rush turnaround?
Yes, for Standard and Deep Dive: +50% for 24-hour Standard, +100% for 24-hour Deep Dive. Rush must be booked at least 24 hours in advance and repo access must be pre-provisioned. Starter does not offer 24-hour rush.
Is VAT included in the prices?
Prices are in EUR, ex-VAT. For EU B2B clients, VAT is reverse-charged to you under standard EU rules. An invoice is issued for every engagement.
Not sure which tier is right?
Book a free 15-minute call. I'll tell you honestly which tier fits your situation — and whether there's a fit at all.
Book a free call