Reference
Architecture
4-pass pipeline, Drupal-specific RAG corpus 1968 chunks, AST-aware mechanical findings.
Pipeline (4 passes)
| Pass | Co robi | Czas | Output |
|---|---|---|---|
| Pass 0 · Mechanical | PHPCS + custom PHP-Parser logic analyzer (8 Drupal-idiom detectors) | ~2 sec | Deterministic findings (no LLM) |
| Pass 1 · Triage | LLM klasyfikuje risk level + wybiera files for deep review | ~5 sec | {risk: low|medium|high, files_for_deep_review: [...]} |
| Pass 2 · Deep review | RAG retrieval (5 best chunks per file) + LLM review per file | ~10-30 sec | Findings z TRACE methodology |
| Pass 2.5 · Propose-verify (optional) | SGCR-style alternative suggestions z RAG verification (anti-hallu) | +30-60 sec | Additional vetted findings |
| Pass 3 · Aggregate | Dedupe, severity ranking, format markdown/JSON | ~1 sec | Final review output |
RAG corpus (1968 chunks)
| Source | Chunks | Why |
|---|---|---|
| api.drupal.org core docs | ~800 | Hook signatures, service interfaces, deprecation guidance |
| Drupal coding standards | ~150 | PHP style, naming conventions, file headers |
| Top-200 contrib modules (sample) | ~400 | Real-world patterns (paragraphs, webform, pathauto, etc.) |
| OWASP cheatsheets | ~200 | Generic web security context (SQLi, XSS, CSRF) |
| Drupal core security commits | ~250 | Historical bugs + fixes (for pattern matching) |
| Hook + #[Hook] migration patterns | ~70 | D11.1+ OOP refactor guidance |
| Custom (user-ingested via UI) | opt-in | Your codebase, style guides, internal docs |
Drupal idiom detectors (Pass 0)
- Missing DI —
\Drupal::service('...')in controllers (should be constructor inject) - Missing cache contexts — render arrays without
#cache.contexts - Procedural hooks —
function my_module_node_view()instead of#[Hook('node_view')] - Missing static
create()— class implementsContainerInjectionInterfacebut no factory - Non-translatable messages — raw strings in user-facing messages
- Raw entity loads in loops — N+1 query patterns
- Deprecated API calls —
drupal_get_path(),db_query(), etc. - Direct DB access — bypassing Drupal abstraction layer
Benchmarks (honest)
| Test | Recall | Precision | Notes |
|---|---|---|---|
| Controlled benchmark (10 obvious bugs) | 100% | — | n=48 synthetic cases across 12 modules |
| Curated Drupal contrib MRs (n=30) | 18.7% | 14.5% | 115 inline maintainer comments as ground truth |
| Blind Drupal core MR (z propose-verify) | 17.6% | 30% | Verified by core maintainers |
Realistic ceiling 25-30% recall — 60-70% maintainer comments to subjective discussions niemożliwe do automatycznego matchowania. Model jest complementem maintainer review, nie replacementem. Bonus: znajduje rzeczy które maintainer przegapił (DI violations, deprecations, race conditions).
Stack
- Model: Qwen3-Coder-30B-A3B (MoE 3.3B active / 30B total, Apache 2.0, 256K ctx)
- Inference: Ollama (local) lub RunPod / vast.ai (cloud GPU on-demand)
- RAG: Qdrant + jina-embeddings-v2-base-code (ONNX)
- Static analysis: PHPCS + custom PHP-Parser logic analyzer
- Orchestrator: Python 3.12 + Typer CLI
- UI: FastAPI + HTMX (no React/Vue) + SSE streaming
- Token vault: Fernet (AES-128) + PBKDF2 480k iterations from UI_PASS
Full architecture: docs/ARCHITECTURE.md on GitHub