Code Review as a Service
You don't actually know what's in that codebase.
A new hire's first PR, a pre-acquisition target, a contractor's deliverable, a repo you haven't opened in 12 months. The quiet dread of "I don't know what I'm inheriting" is expensive. Get a grounded, written answer: architecture shape, top-10 findings by severity, and a risk rating, in 48–120 hours. Async. No consulting calendar dance.
How it works
Three steps. No live meetings required for Starter.
Submit
Pick a tier, fill the intake form with your repo URL, access method, and main concerns. Payment confirms your slot; Standard+ includes a free 15-min qualification call first.
Review
I run the 7-phase checklist: a Claude agent swarm (Opus orchestrator + Sonnet workers) does the heavy lifting; I verify access, review every output, calibrate findings, and record a Loom walkthrough for Standard+ tiers.
Debrief
You receive a Markdown report + PDF export with architecture diagrams, top-10 findings table, risk rating, and recommended actions. Standard+ includes a 30–60 min Q&A call.
The 7-phase checklist
The checklist is the product. Nothing is skipped because the repo looked fine. Every engagement runs all seven phases.
- 1. Repo Setup & Orientation (30–60 min): Get the repo running locally and understand its top-level shape before reading any code.
- 2. Architecture Scan (60–90 min): Build a mental model of the system's layers, data flow, and key integration points.
- 3. Dependency Audit (30–45 min): Know what you're inheriting; outdated, vulnerable, or abandoned dependencies are risk.
- 4. Test Coverage Check (30–45 min): Know what's tested, what's not, and whether the tests protect real business logic.
- 5. CI/CD Review (20–30 min): Understand the automated quality gates before your first push.
- 6. Security Surface Review (30–45 min): Identify the most exposed attack surfaces before writing any code that touches them.
- 7. Synthesis & Handoff (20–30 min): Produce a crisp written output so findings don't stay in your head.
Total runtime: ~4–5 hours of focused human + agent work per repo. The agent swarm (Opus 4.7 orchestrator + 6 Sonnet 4.6 workers) runs the checklist phases in parallel; I review, calibrate, and narrate before delivery.
What's in the report
Every engagement ships one Markdown report + one PDF export. Standard+ tiers also include a Loom walkthrough video.
Executive summary
Risk rating (Low / Medium / High / Critical) + top 3 risks in plain English + recommended next step. One page, non-technical.
Architecture summary
Pattern + layer map (Mermaid graph), end-to-end data flow (Mermaid sequence diagram), external integrations table.
Top 10 findings
Ranked table: severity, category, file location, one-line finding, recommended action.
Dependency audit output
npm audit / cargo audit / Gradle results with HIGH and CRITICAL CVEs flagged.
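As an added illustration of what "HIGH and CRITICAL CVEs flagged" means in practice (example code written for this page, not the service's own tooling): a Node script that takes `npm audit --json` output (report version 2, npm 7+), keeps only the high and critical entries, turns npm's `fixAvailable` field into a recommended action, cross-checks the count against npm's own metadata, and renders the result in the findings-table shape. The audit object, package names and advisory URLs below are constructed placeholders, not real advisories.

```javascript
// Added example, not the service's own tooling: reduce `npm audit --json`
// (auditReportVersion 2, npm 7+) to HIGH and CRITICAL entries as findings rows.

// Constructed sample of `npm audit --json`. Package names, advisory ids and
// URLs are placeholders, not real advisories.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser", severity: "critical", isDirect: true,
      via: [{ source: 1001, name: "example-parser", title: "Prototype pollution (constructed)",
              url: "https://github.com/advisories/GHSA-PLACEHOLDER-0001", severity: "critical", range: "<2.0.0" }],
      effects: ["example-http"], range: "<2.0.0", nodes: ["node_modules/example-parser"],
      // an object here means npm's fix is a semver-major bump
      fixAvailable: { name: "example-parser", version: "2.0.1", isSemVerMajor: true },
    },
    "example-http": {
      name: "example-http", severity: "high", isDirect: false,
      // transitive: `via` holds the name of the vulnerable dependency, not an advisory object
      via: ["example-parser"],
      effects: [], range: "*", nodes: ["node_modules/example-http"], fixAvailable: false,
    },
    "example-util": {
      name: "example-util", severity: "moderate", isDirect: true,
      via: [{ source: 1002, name: "example-util", title: "ReDoS (constructed)",
              url: "https://github.com/advisories/GHSA-PLACEHOLDER-0002", severity: "moderate", range: "<1.5.0" }],
      effects: [], range: "<1.5.0", nodes: ["node_modules/example-util"], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 } },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// npm's `fixAvailable` is true | false | { name, version, isSemVerMajor }.
function recommendedAction(fix) {
  if (fix === true) return "npm audit fix";
  if (fix && typeof fix === "object") {
    const major = fix.isSemVerMajor ? " (semver-major: review breaking changes)" : "";
    return `upgrade ${fix.name} to ${fix.version}${major}`;
  }
  return "no automatic fix: patch, pin a safe version, or replace the package";
}

// Keep HIGH/CRITICAL only; most severe first, direct dependencies before transitive ones.
function flagHighAndCritical(audit) {
  if (audit.auditReportVersion !== 2) throw new Error("expected npm audit report version 2 (npm 7+)");
  const rows = [];
  for (const v of Object.values(audit.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[v.severity];
    if (rank === undefined || rank < SEVERITY_RANK.high) continue;
    rows.push({
      severity: v.severity.toUpperCase(),
      package: v.name,
      direct: v.isDirect,
      range: v.range,
      location: v.nodes.join(", "),
      advisories: v.via.filter((x) => typeof x === "object").map((a) => a.url),
      via: v.via.filter((x) => typeof x === "string"),
      action: recommendedAction(v.fixAvailable),
    });
  }
  rows.sort((a, b) =>
    SEVERITY_RANK[b.severity.toLowerCase()] - SEVERITY_RANK[a.severity.toLowerCase()] ||
    Number(b.direct) - Number(a.direct) ||
    a.package.localeCompare(b.package));
  return rows;
}

// Cross-check against npm's own counts so a truncated or hand-edited report is noticed.
function matchesMetadata(audit, rows) {
  const m = audit.metadata.vulnerabilities;
  return rows.length === m.high + m.critical;
}

// Render rows as a Markdown table, the format the report is delivered in.
function toMarkdownTable(rows) {
  const header = "| Severity | Package | Direct | Location | Advisory / via | Recommended action |\n|---|---|---|---|---|---|";
  const lines = rows.map((r) =>
    `| ${r.severity} | ${r.package} ${r.range} | ${r.direct ? "yes" : "no"} | ${r.location} | ` +
    `${[...r.advisories, ...r.via.map((p) => `via ${p}`)].join("; ")} | ${r.action} |`);
  return [header, ...lines].join("\n");
}

const flagged = flagHighAndCritical(SAMPLE_AUDIT);
if (!matchesMetadata(SAMPLE_AUDIT, flagged)) console.warn("row count disagrees with npm metadata");
console.log(toMarkdownTable(flagged));
```

On a real repo, pipe `npm audit --json > audit.json` and pass the parsed file to `flagHighAndCritical`; the moderate entry is dropped, the transitive `example-http` is reported through `example-parser`, and the semver-major fix is called out rather than silently recommended as `npm audit fix`.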
Test coverage snapshot
Pass rate, coverage %, zero-test modules, brittle-test flags.
CI/CD map
Workflows, merge gates, secret hygiene, deploy pipeline, silent-failure traps.
Security surface review
Auth validation, hardcoded credentials scan, input validation, SQLi/XSS risk, CORS/rate-limit policy.
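As an added illustration of the hardcoded-credentials part of phase 6 (example code written for this page, not the service's own scanner): a Node script that runs a handful of credential indicators over file contents, skips lines that read secrets from the environment, and redacts every match so the finding itself does not reproduce the secret. The repository below is constructed; the AWS key is AWS's documented example key and the other values are placeholders.

```javascript
// Added example, not the service's own tooling: a hardcoded-credentials scan
// of the kind phase 6 reports on, with env-read lines skipped and matches redacted.

// Constructed sample repository: { path: content }. The AWS key is AWS's
// documented example key; everything else is a placeholder.
const SAMPLE_FILES = {
  "src/config.js": [
    "const dbPassword = process.env.DB_PASSWORD; // read from env: not a finding",
    'const adminPassword = "hunter2-constructed";',
    'const awsKeyId = "AKIAIOSFODNN7EXAMPLE";',
  ].join("\n"),
  ".env.example": [
    'DB_PASSWORD="changeme-constructed"',
    "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789",
  ].join("\n"),
  "deploy/key.pem": [
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIIEconstructedbody",
    "-----END RSA PRIVATE KEY-----",
  ].join("\n"),
};

// Indicators, most specific first. A line can hit more than one.
const PATTERNS = [
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "github-token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { kind: "private-key-block", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
  { kind: "password-literal", re: /(?:password|passwd|secret)\w*\s*[:=]\s*["'][^"']{6,}["']/i },
];

// Reading a credential from the environment is the desired pattern, not a finding.
const ENV_READ = /process\.env\.|System\.getenv\(|std::env::var\(|os\.environ/;

// Keep a short prefix so the finding is recognisable without reproducing the value.
function redact(match) {
  return match.slice(0, 4) + "*".repeat(Math.max(0, match.length - 4));
}

// Return one finding per (line, pattern) hit: { file, line, kind, redacted }.
function scanForSecrets(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    content.split("\n").forEach((text, i) => {
      if (ENV_READ.test(text)) return;
      for (const { kind, re } of PATTERNS) {
        const m = re.exec(text);
        if (m) findings.push({ file: path, line: i + 1, kind, redacted: redact(m[0]) });
      }
    });
  }
  return findings;
}

// Counts per indicator kind, for the report summary.
function countByKind(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.kind]: (acc[f.kind] || 0) + 1 }), {});
}

for (const f of scanForSecrets(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} ${f.kind} ${f.redacted}`);
}
```

The env-read skip is what keeps the scan from flagging the correct pattern (`process.env.DB_PASSWORD`) alongside the bad one; on a real repo, feed it file contents from `git ls-files` and treat anything in `deploy/` or a committed `.env*` file as the first items in the findings table.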
Missing documents list
Things that had to be discovered manually that should have been documented, with recommendations.
Stacks covered in v1
Pricing
Flat rate in EUR. All tiers include the full 7-phase checklist. VAT reverse-charged for EU B2B clients.
Starter
€750
1 repo · <10k LOC · 5 business days
- All 7 phases of the checklist
- Full Markdown report + PDF export
- Top-10 findings ranked by severity
- Dependency audit + security surface review
- Risk rating: Low / Medium / High / Critical
- Email delivery, no call required
Standard
€1,800
1 repo · any size · 72 hours
- Everything in Starter
- No LOC ceiling
- Loom walkthrough video (narrated by me)
- 30-min Q&A call included
- Free 15-min qualification call before booking
Deep Dive
€4,500
Mono-repo or up to 3 services · <50k LOC · 48 hours
- Everything in Standard
- Multi-service: per-service sub-reports
- <50k LOC combined ceiling
- 60-min architecture Q&A call
- 2 weeks async Slack follow-up
- Free 15-min qualification call
SLA clocks start when payment is confirmed and repo access is verified. Weekends excluded. Miss-the-SLA → 25% automatic refund. Rush available at +50% (Standard) or +100% (Deep Dive).
100% money-back guarantee, all three tiers
If the report doesn't surface at least one actionable finding you didn't already know about, I'll refund you in full. No questions asked. The 7-phase checklist, run by an agent swarm and calibrated by a 12-year senior engineer, is thorough enough that I'm confident taking that risk off your plate.
What this is not
Deliberate exclusions that keep turnaround promises deliverable.
Fix implementation
I report; I don't apply fixes. Post-review implementation is available via a Fractional CTO Builder retainer.
Live pairing sessions
The service is async-first. If you need live pairing, book a Fractional CTO Advisor retainer.
Penetration testing
Phase 6 is a surface-level security review, not a pen test. For adversarial testing, I refer to NCC Group or Trail of Bits.
Compliance certification
HIPAA, GDPR, SOC 2 attestations require accredited auditors. I flag gaps but cannot certify.
Ongoing monitoring
One-shot review per purchase. Recurring quarterly review is roadmap, not v1.
Style / formatter opinions
The report ignores tabs-vs-spaces. Only findings that affect correctness, security, performance, or maintainability.
- 12+ years engineering
- 37+ projects delivered
- 4 production stacks covered
- 150M+ users impacted
See also
Reviews often surface a "rewrite, don't refactor" or "leave Lovable Cloud" recommendation as Finding #1. The services below pick up where the audit ends.
Scalable MVP Sprint →
Fixed-price 4-week productized rebuild that ships a maintainable production MVP, for when the audit verdict is "rewrite, don't refactor."
Lovable Rescue →
Productized rebuild off Lovable onto a stack you own, plus optional ongoing dev partnership. Three tiers: Rebuild, Maintain, or Build with me.
Fractional CTO →
Ongoing engineering leadership for founders who want a senior voice in the room without a full-time hire.
Questions about the service
What stacks do you cover?
Android (Jetpack Compose + Kotlin), Next.js / Node.js / NestJS, Astro, and Rust (including JNI bridges to Android). These are the four stacks I use daily in paid client work; the checklist annotations are real, not theoretical. Repos outside these four stacks are out of scope for v1.
How do I share my repo with you?
The intake form (/code-review-intake) collects your preferred access method: GitHub collaborator invite (read-only), GitLab guest role, or a zip upload for private repos with no external collaborator policy. I verify access within one business hour of payment; the SLA clock doesn't start until access is confirmed.
What exactly is in the report?
A one-page executive summary (risk rating + top 3 risks in plain English), an architecture summary with Mermaid diagrams, Top 10 findings ranked by severity, a full dependency audit (npm audit / cargo audit output), test coverage snapshot, CI/CD pipeline map, security surface review, and a "missing documents" list. Delivered as Markdown + PDF.
Do you fix the issues, or just report them?
Report only, by design. Scope creep from "just one fix" is the #1 way audits turn into 40-hour projects. If you want the findings addressed, post-review implementation is available via a Fractional CTO retainer (Builder plan recommended for fix-implementation work, see /services/fractional-cto). The report will include recommended actions for every finding so the work is well-scoped.
What is the money-back guarantee?
If the report doesn't surface at least one actionable finding you didn't already know about, I'll refund you in full. No questions asked. I'm confident enough in the 7-phase checklist + human calibration pass to take that risk.
What happens if you miss the turnaround SLA?
You get a 25% automatic refund, no need to ask. The only exception is client-side delays (e.g. repo access not provisioned in time). My on-time rate target is ≥95%.
Can I get a rush turnaround?
Yes, for Standard and Deep Dive: +50% for 24-hour Standard, +100% for 24-hour Deep Dive. Rush must be booked at least 24 hours in advance and repo access must be pre-provisioned. Starter does not offer 24-hour rush.
Is VAT included in the prices?
Prices are in EUR, ex-VAT. For EU B2B clients, VAT is reverse-charged to you under standard EU rules. An invoice is issued for every engagement.
Not sure which tier is right?
Book a free 15-minute call. I'll tell you honestly which tier fits your situation, and whether there's a fit at all.
Book a free call