AI code review+ CI/CD security, before bad code merges.

No. Code is read on-demand via the GitHub API when a PR opens or a push lands on the default branch. We index symbol tables, definitions, and a file-level dependency graph in MongoDB to power PageRank-ranked context — that's structural metadata, not source. File contents are loaded into agent prompts at review time and not persisted after the review completes. Your source never leaves GitHub except as the slice of context an LLM call needs.

Your API key is encrypted at rest in MongoDB with a key only the LGTM server holds. At review time the server uses the key to call OpenAI on your behalf, then drops the in-memory reference. We do not proxy your inference through our infrastructure, we don't see your token billed against our account, and we don't subsidize your usage. You pay OpenAI directly for tokens; you pay LGTM ₹399/mo for the platform.

Both providers are wired into the AI service layer (SDK upgrades done, JSON-mode mapping done, system-instruction shape corrected) but they haven't been live-tested against the full 6-agent + synthesizer pipeline with real workloads. We're not going to ship them under "production" until they pass end-to-end verification on your dollar. Until then they show as Coming Soon in Settings.

It depends on diff size and how many files the agents need to pull in for context. A typical PR with ~10 changed files completes in 1-3 minutes wall-clock: six LLM specialists run concurrently with 150ms stagger, then a synthesizer pass. The deterministic ci-security agent only runs if you touched workflow YAML / Dockerfiles / lockfiles and adds milliseconds, not minutes. Cold indexing on a 5000-file backfill takes 5-30 minutes once, then incremental indexing on push completes in seconds.

Tree-sitter parsing covers TypeScript, JavaScript, Python, Go, Rust, Java, Kotlin, C, C++, C#, Ruby, and PHP. That gets you symbol-level indexing and the PageRank graph. The LLM specialists can read and reason about code in any language; you just lose the smarter context bundling outside the tree-sitter list. Most reviews of unindexed languages still surface real findings — they just see less of the surrounding codebase.

Three gates. Gate 1: inline PR review surfaces the finding on the offending line as a critical comment. Gate 2: a Check Run named "LGTM Security" posts with conclusion=failure on any rule whose configured action is block — if you add this check to your branch protection "required" list, the merge button is disabled until resolved. Gate 3: the LGTM Security Watchdog GitHub Action (lgtm-action) runs as the first step of your CI job, polls our pipeline-decision API, and exits non-zero before checkout, before tests, before deploys. Bad config can't reach production.

Secrets: hardcoded API keys, GitHub PATs, AWS access keys, private keys, JWTs. Workflow YAML: unpinned actions/checkout, unpinned third-party actions, permissions write-all, missing job permissions, untrusted-input shell injection, pull_request_target with head checkout, self-hosted runner on public repo, privileged container, external reusable workflow, weak workflow_dispatch triggers. Dockerfile: --privileged flag in RUN, USER root in final stage, ADD from HTTP URL. Dependencies: lockfile-only edits without a manifest change. Network: unallowlisted curl/wget in CI shell blocks (escalates if piped to bash). Each rule has a default action (block / warn) you can override per-repo.

Yes. Each detector ships with a default action — block, warn, or off — and you can override it per-repo in the policy editor or via CLI: lgtm security policy set <rule-id> <block|warn|off>. You can also maintain allowlists for trusted action sources (e.g. actions/*, your-org/*), permitted outbound domains, and approved self-hosted runner labels. The policy is versioned so audits show exactly what was active at the time of any finding.

The CLI talks to the LGTM API at api.looksgoodtomeow.in for review orchestration, BYOK validation, and context fetching. It can't run fully air-gapped today — agents run on the LGTM server, not your laptop. If you need on-prem or self-hosted, get in touch; it's something we'd consider for serious teams.

We're a single founder operating from India. Source code is read via GitHub API and not persisted as source. User account data is minimal (GitHub username, email from the GitHub /user endpoint, encrypted BYOK keys). We're working through the DPDP Act 2023 obligations — formal data fiduciary disclosures, retention policies, grievance officer details — and will publish a compliant Privacy Policy on docs.looksgoodtomeow.in before any India-specific enterprise launch.

Free is ₹0/month with a hard cap of 20 reviews per calendar month (resets on the 1st), full access to all 6 specialist agents, all 16 security detectors, the CLI, and the dashboard. Pro is ₹399/month and removes the cap (unlimited reviews) and turns on auto-review — every PR opened on a connected repo gets reviewed automatically, no manual click. Payments go through Dodo Payments; cancel anytime, no contracts.

"LGTM" — Looks Good To Me — is what reviewers type when they're done. We made it Looks Good To Meow because (a) it's memorable, (b) the brand permits being friendly about a dry topic, and (c) every senior engineer secretly wishes their reviews were one-line approvals. The tool exists so yours can be.