A review gate for agent-speed development
Trust the merge, not the speed.
AI code review that blocks bad merges. Postil reviews every pull request, comments only when it can affect the merge, and stays completely silent on clean PRs. We say less. What we say is right.
Apache-2.0 CLI · free on public repos · self-hosted forever
01 — The noise problem
AI review tools have a trust problem before they have a quality problem.
36% of comments in an independent 28-PR audit of the category leader were noise or nitpicking — 15% rated useless, another 21% pure style nits.
30% of a leading reviewer's comments were addressed by developers before it retuned its defaults — by its own published numbers. Most AI review comments change nothing.
571 agent-driven pull requests one developer publicly documented pushing in 30 days. At that volume, every unnecessary comment is multiplied by hundreds.
Postil inverts the default. A finding ships only when it cites a diff location, clears a confidence threshold, and could change the merge decision. Everything else is silence — and silence is measured, not assumed.
Figures as of June 2026. Sources: the 28-PR audit is LycheeOrg's public review of CodeRabbit; the 30% comments-addressed figure is from Greptile's v4 release notes; the 571-PR month is publicly documented. See the sourced breakdown on Why Postil.
02 — The gate
Two check-runs. One blocks, one advises. Never conflated.
postil/gate
Fails only on gate-level findings (default: severity error). Require it in branch protection and nothing below the threshold can block a merge. Fails closed on operational errors by default — an unreviewed head is not a passing head. Repos can opt into gate.onError: advisory to fail open on provider outages only.
postil/review
Advisory findings as inline comments in a single batched review: warnings, escalations to accountable humans, guardrail candidates. Informative, never required.
clean PR
Both checks complete green. No comment, no summary poem, no "LGTM" filler. The check-run is the entire conversation.
A grey, neutral check that "reads as didn't fail" is how a critical finding gets merged on a Friday. Postil's gate is a real CI check with real semantics: it fails on what matters and passes on what doesn't, separately from advisory commentary.
No other mainstream reviewer ships this separation. Teams currently rebuild it by hand out of raw check statuses — or merge past advisory comments they have learned to ignore.
03 — On the pull request
What the two checks look like on a failing PR.
Add refund webhook handler
feat/refund-webhook → main · 4 files, +212 −18
Some checks were not successful
postil/gate · Failing · 1 gate-level finding (severity error)
postil/review · Neutral · 2 advisory comments
84 + await issueRefund(charge.id, { idempotencyKey })
The refund path does not pass an idempotency key. A retried webhook delivery will issue a second refund and double-credit the customer. Pass the event id as the idempotency key before calling the provider.
On GitHub, Postil shows up as exactly two check-runs plus, when warranted, batched inline comments. The gate fails on a finding it can stand behind — here a missing idempotency key on a refund path — while advisory commentary stays out of the blocking lane.
- Every finding cites a file and line, and carries a confidence score you can threshold on.
- Require postil/gate in branch protection to make the verdict binding.
- A clean PR shows two green checks and no comments at all.
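
The failure the sample finding above describes, as an added JavaScript example that is not Postil's code or output: the same webhook event is delivered three times, once through a handler that passes no idempotency key and once through a handler that uses the event id as the key. FakeProvider, both handlers, and all ids are hypothetical names constructed for illustration.

```javascript
// Constructed in-memory stand-in for a payment provider (hypothetical API).
// It replays the first result when it sees an idempotency key again.
// A real provider call would be asynchronous and awaited.
class FakeProvider {
  constructor() {
    this.refunds = [];      // every refund that actually moved money
    this.byKey = new Map(); // idempotencyKey -> first refund result
  }
  issueRefund(chargeId, { idempotencyKey } = {}) {
    if (idempotencyKey !== undefined && this.byKey.has(idempotencyKey)) {
      return this.byKey.get(idempotencyKey); // retry: nothing new is issued
    }
    const refund = { id: `re_${this.refunds.length + 1}`, chargeId };
    this.refunds.push(refund);
    if (idempotencyKey !== undefined) this.byKey.set(idempotencyKey, refund);
    return refund;
  }
}

// Flagged shape: no key reaches the provider, so each delivery is a new refund.
function handleRefundUnsafe(provider, event) {
  return provider.issueRefund(event.chargeId, {});
}

// Fixed shape: the webhook event id is the idempotency key.
function handleRefundSafe(provider, event) {
  if (typeof event.id !== "string" || event.id === "") {
    // Refuse rather than issue a refund that cannot be deduplicated.
    throw new Error("refusing refund: event has no id to use as idempotency key");
  }
  return provider.issueRefund(event.chargeId, { idempotencyKey: event.id });
}

// Deliver one constructed event `deliveries` times; return refunds executed.
function refundsAfterRetries(handler, deliveries) {
  const provider = new FakeProvider();
  const event = { id: "evt_constructed_001", chargeId: "ch_constructed_42" };
  for (let i = 0; i < deliveries; i++) handler(provider, event);
  return provider.refunds.length;
}

console.log("refunds without key:", refundsAfterRetries(handleRefundUnsafe, 3));
console.log("refunds with event id as key:", refundsAfterRetries(handleRefundSafe, 3));
```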
04 — One engine everywhere
The same binary runs locally, in CI, and behind the hosted app.
$ postil review --staged
reviewing 4 files, 212 added lines
(model: deepseek/deepseek-v4-pro)
error src/billing/invoice.ts:84
Refund path skips idempotency key;
a retried webhook double-credits the
customer. (confidence 0.91, kind: risk)
warn src/api/export.ts:31
Unbounded query feeds the CSV stream;
the new endpoint has no pagination or
row cap. (confidence 0.78, kind: risk)
2 findings
5 suppressed below confidence 0.6
gate: failing (fail-on: error)
exit 1

postil review works on your staged changes, against any base ref, on a saved diff, or on a remote PR. The GitHub Action and the hosted worker shell out to the same pinned binary — there is no second review engine to drift.
- Exit codes carry the verdict: 0 clean, 1 gate-failing, 2 operational error.
- --output-json emits the full envelope for tooling.
- Fails closed: ungrounded model output becomes a synthetic error finding, never a silent pass.
05 — Provable restraint
Silence is a metric, not a hope.
[Chart: silence rate, n = 126; confidence of the findings it did ship]
Every Postil dashboard leads with the silence rate: the share of pull requests where we had nothing merge-relevant to say and said nothing. Next to it, the confidence distribution of every finding we did ship.
If the bot is drifting noisy, you see it in a chart before your engineers feel it in their notifications. No incumbent surfaces this number; most would rather you didn't ask.
06 — Pricing without meter anxiety
Flat $10 per developer. Inference on your own key, zero markup.
Free
Public repos and the local CLI, forever. Apache-2.0.
$10 / dev / mo
Flat orchestration. Bring your own OpenRouter, Anthropic, Azure, or Bedrock key — we pass inference through at provider rates. Hosted beta is currently free.
Self-hosted
Free forever. Docker Compose that works on the first run, including with Ollama.
Your worst-case monthly bill is your seat count times ten dollars. Your LLM spend is visible in your provider's dashboard, not hidden in ours. No per-review surcharges, no credits, no billing shock at 10x PR volume.
Review by default. Trust by evidence.
Install the GitHub App or run the CLI on your next diff. If we have nothing to say, you will hear nothing.
