---
title: CodeReviewEnv
emoji: π
colorFrom: blue
colorTo: purple
sdk: docker
app_port: 7860
tags:
- openenv
---
# π CodeReviewEnv
### A Self-Improving AI Code Review Agent via GRPO + OpenEnv
[](https://python.org)
[](https://fastapi.tiangolo.com)
[](https://docker.com)
[](https://github.com/meta-pytorch/OpenEnv)
[](https://opensource.org/licenses/MIT)
*Train AI agents to review and fix real-world code bugs across **6 languages** using reinforcement learning.*
**π Meta Γ HuggingFace Γ PyTorch OpenEnv Grand Finale β Bangalore 2026**
---
## π Quick Links
| Resource | Link |
|----------|------|
| π **Live Demo** | https://lucifer0077-code-review-env.hf.space |
| π€ **Trained Model** | https://huggingface.co/lucifer0077/code-review-agent-grpo |
| π **Training Notebook** | https://huggingface.co/spaces/lucifer0077/code-review-training |
| π **Blog Post** | https://huggingface.co/spaces/lucifer0077/code-review-env/blob/main/BLOG.md |
| π» **GitHub** | https://github.com/Lucifer-cyber007/meta-hackathon-open-env |
---
## π― The Problem
Code review costs the software industry **$50 billion annually**. Every production bug was approved by at least one human reviewer. Existing AI tools can suggest code β but none of them *learn* from feedback to get better over time.
**CodeReviewEnv** is an OpenEnv-compliant RL environment where AI agents learn to:
1. **Find bugs** β structured comments with line numbers and severity
2. **Fix bugs** β suggest correct code for each issue found
3. **Issue verdicts** β approve or request changes with reasoning
4. **Improve over time** β via GRPO training with curriculum learning
---
## π Key Result
> **A 7B parameter model, after GRPO training on CodeReviewEnv, outperformed a 70B parameter baseline by 46% on average.**
| Task | Groq llama-3.3-70B | Qwen2.5-Coder-7B (GRPO) | Change |
|------|-------------------|--------------------------|--------|
| easy | 0.95 | 1.13 | β +0.18 |
| medium | 0.90 | 1.28 | β +0.38 |
| hard | 0.15 | 0.48 | β **+0.33 (3x!)** |
| api_security | 0.90 | 1.20 | β +0.30 |
| auth_system | 0.00 | 1.13 | β **+1.13 (from zero!)** |
| **AVERAGE** | **0.58** | **1.04** | **β +0.46** |
---
## π Training Results
### Learning Curve β GRPO Training on A100

*Reward increases from ~0.60 to ~1.15 over 250 training steps.
Red line = smoothed reward (window=25). Yellow dashed = Groq-70B baseline (0.58).*
### Before vs After Comparison

*Qwen2.5-Coder-7B after GRPO training vs Groq llama-3.3-70B baseline across 5 tasks.*
---
## π Environment β 13 Tasks, 6 Languages
| Language | Tasks | Bug Types |
|----------|-------|-----------|
| **Python** | easy, medium, hard, api_security, auth_system, orm_bugs, data_pipeline | ZeroDivisionError, SQL injection, race conditions, JWT bypass, N+1 queries |
| **JavaScript** | js_async, js-async, node-race | Missing await, callback hell, memory leaks, race conditions |
| **SQL** | sql-injection | ORDER BY injection, LIMIT injection, template literals |
| **React/JSX** | react-security | XSS via dangerouslySetInnerHTML, token leaks in URL |
| **Django** | django-auth | Timing attacks, plaintext comparison, DoesNotExist crash |
| **Node.js** | node-race | Inventory oversell via stale state, atomicity bugs |
---
## π Reward Function
Dense, shaped rewards over the full trajectory β not just binary end-of-episode:
| Signal | Reward | Why |
|--------|--------|-----|
| β
Critical bug found | **+0.20** | High-value find |
| β
Major bug found | **+0.12** | Important but less critical |
| β
Minor bug found | **+0.05** | Still valuable |
| β False positive | **β0.08** | Precision matters |
| β
Correct verdict | **+0.10** | Approve vs request_changes |
| β Wrong verdict | **β0.15** | Costly mistake |
| β
Correct fix (critical) | **+0.40** | Agent fixed what it found |
| β
Correct fix (major) | **+0.35** | Good fix |
| β Wrong fix | **β0.10** | Penalty for bad fixes |
| β±οΈ Step penalty | **β0.02/step** | Efficiency incentive |
**Range:** `[-1.0, 1.0]`
### Anti-Reward Hacking
Four server-side checks prevent gaming:
- **Spam detection** β >12 comments triggers proportional penalty
- **Duplicate detection** β copy-pasted comments penalized -0.20
- **Quality check** β descriptions <15 chars are penalized
- **Verdict gaming** β `request_changes` with zero comments caught
---
## π Curriculum Learning
The environment adapts to agent skill level automatically:
```
Episode 1-20: easy tasks β agent masters basic Python bugs
β
avg 0.75+ β promoted to medium!
Episode 20-60: medium tasks β agent learns security patterns
β
avg 0.70+ β promoted to hard!
Episode 60+: hard tasks β race conditions, JWT bypass
π scores climb from 0.30 β 0.65+
```
No human decides when to increase difficulty β the `/curriculum/update` endpoint tracks recent scores and promotes automatically after 3 consecutive episodes above threshold.
---
## π§ Bug Fixing Agent
Beyond finding bugs, the agent suggests fixes:
```
[COMMENT]
line: 25
severity: critical
type: bug
message: Race condition β queue.pop(0) not thread-safe, multiple workers
can pop the same task simultaneously
fix: Use collections.deque with a threading.Lock for thread-safe access
[/COMMENT]
[VERDICT]
decision: request_changes
[/VERDICT]
```
The `/fix` endpoint verifies fixes against known issues and awards bonus reward for correct fixes.
---
## π€ GRPO Training
### Setup
| Parameter | Value |
|-----------|-------|
| **Base Model** | Qwen2.5-Coder-7B-Instruct |
| **GPU** | A100 (40GB) |
| **Episodes** | 500 |
| **Framework** | Unsloth + TRL |
| **LoRA Rank** | 32 |
| **Learning Rate** | 3e-6 |
| **Training Time** | 2h 43min |
### Training Loop
```python
# Each episode:
obs = reset_env(task_id) # 1. Get buggy code diff
review = model.generate(obs) # 2. Generate review + fixes
reward = step_env(review) # 3. Submit review β reward
fix_reward = fix_env(review) # 4. Submit fixes β bonus reward
combined = review + (fix * 0.4) # 5. Combined reward signal
next_task = curriculum.update(reward) # 6. Curriculum promotes if ready
# GRPO updates model weights
```
### Trained Model
π€ **https://huggingface.co/lucifer0077/code-review-agent-grpo**
---
## π API Reference
| Method | Endpoint | Description |
|--------|----------|-------------|
| `GET` | `/health` | Status check |
| `POST` | `/reset` | Reset env, get code diff |
| `POST` | `/step` | Submit review, get reward |
| `POST` | `/fix` | Submit bug fixes, get fix reward |
| `GET` | `/state` | Current episode state |
| `GET` | `/tasks` | All 13 tasks |
| `POST` | `/grader` | Score completed episode |
| `POST` | `/baseline` | Run Groq baseline agent |
| `POST` | `/curriculum/update` | Update curriculum tracker |
| `GET` | `/curriculum/state` | View curriculum progress |
### Quick Test
```bash
# Run AI review on any task
curl -X POST https://lucifer0077-code-review-env.hf.space/baseline \
-H "Content-Type: application/json" \
-d '{"task_id": "hard"}'
# Submit your own review
curl -X POST https://lucifer0077-code-review-env.hf.space/step \
-H "Content-Type: application/json" \
-d '{
"comments": [{
"line_number": 25,
"issue_type": "bug",
"severity": "critical",
"description": "Race condition β queue.pop(0) not thread-safe"
}],
"verdict": "request_changes"
}'
```
---
## ποΈ Architecture
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β FastAPI Server (app.py) β
ββββββββββββ¬βββββββββββ¬βββββββββββ¬βββββββββββ¬ββββββββββββββββββ€
β /reset β /step β /fix β /curric β /baseline β
ββββββββββββ΄βββββββββββ΄βββββββββββ΄βββββββββββ΄ββββββββββββββββββ€
β CodeReviewEnv (environment.py) β
β reset() β observe β step() β reward β
βββββββββββββββββ¬βββββββββββββββ¬βββββββββββββββββββββββββββββββ€
β tasks.py β graders.py β fix_verifier.py β
β 13 tasks β Det. scoringβ Fix verification β
βββββββββββββββββ΄βββββββββββββββ΄βββββββββββββββββββββββββββββββ€
β curriculum.py β reward.py β
β Adaptive difficulty β Dense reward shaping β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
## π Project Structure
```
code-review-env/
βββ app.py β FastAPI server + all endpoints
βββ environment.py β Core env: reset() / step() / state()
βββ models.py β Pydantic models: Action, Observation, Reward
βββ tasks.py β 13 tasks with diffs + known issues
βββ graders.py β Deterministic grader 0.0-1.0
βββ reward.py β Dense reward shaping + anti-hacking
βββ fix_verifier.py β Bug fix verification logic
βββ curriculum.py β Adaptive curriculum learning
βββ inference.py β Groq baseline agent
βββ free_review.py β Free review on any code
βββ dashboard.html β Web UI
βββ BLOG.md β Full writeup / blog post
βββ openenv.yaml β OpenEnv spec metadata
βββ Dockerfile β HF Spaces container
βββ requirements.txt β Dependencies
```
---
## π Local Setup
```bash
git clone https://github.com/Lucifer-cyber007/meta-hackathon-open-env
cd meta-hackathon-open-env
pip install -r requirements.txt
export GROQ_API_KEY=your_key_here
uvicorn app:app --host 0.0.0.0 --port 7860 --reload
```
---
## π οΈ Tech Stack
| Component | Technology |
|-----------|------------|
| Web Framework | FastAPI + Uvicorn |
| Data Validation | Pydantic v2 |
| LLM Provider | Groq (llama-3.3-70b-versatile) |
| Training | Unsloth + TRL + GRPO |
| Base Model | Qwen2.5-Coder-7B-Instruct |
| Hosting | HuggingFace Spaces (Docker) |
| Grading | Deterministic β no LLM-as-judge |
---
**Built at Meta Γ HuggingFace Γ PyTorch OpenEnv Grand Finale β April 2026, Bangalore**
*Theme 4: Self-Improving Agent | Theme 3.1: Professional Tasks*
*CodeReviewEnv β teaching AI to review and fix code like a senior engineer* π