## The problem
GitHub Copilot reviews ship your code to Microsoft. Same for Cursor's review feature. For consulting work under NDA, neither is permitted. Self-hosted code review keeps the diff on your hardware.
## Recommended setup
| Component | Choice |
| --- | --- |
| Agent | Nanobot or Hermes Agent |
| Hardware | Mac Mini M4 (24 GB); enough memory to run the local LLM on code-heavy tasks |
| LLM | Qwen 2.5 Coder 7B Q4 local (Ollama) for routine reviews, Claude Sonnet 4.5 for hard ones |
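The local/cloud split in the LLM row amounts to a routing rule. A minimal sketch, assuming a hypothetical `choose_model` helper; the 200-line threshold echoes the reality check below, and the sensitive-path list is purely illustrative:

```python
# Hypothetical sensitive paths that should always get the stronger model.
SENSITIVE_PATHS = ("auth/", "crypto/", "payments/")

def choose_model(diff_line_count: int, changed_files: list[str]) -> str:
    """Route routine reviews to the local Qwen model, hard ones to Claude."""
    touches_sensitive = any(
        f.startswith(SENSITIVE_PATHS) for f in changed_files
    )
    # Big diffs or security-sensitive paths go to the cloud model;
    # everything else stays on the local Ollama instance.
    if diff_line_count > 200 or touches_sensitive:
        return "claude-sonnet-4.5"      # illustrative model id
    return "qwen2.5-coder:7b"           # Ollama model tag
```

The point of the rule is cost and privacy control: the local model sees everything, and only diffs that clear the bar for "hard" leave the machine.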
## How it works
A pre-commit or pre-push git hook invokes the agent with the staged diff and an inventory of changed files. The agent runs through a security checklist (input validation, auth, SSRF, deserialisation), checks test coverage, and outputs structured suggestions. You review, accept or reject each one, then push.
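The hook flow above can be sketched as follows. This assumes the agent exposes a local HTTP endpoint; the URL, payload shape, and helper names are assumptions, not part of any named agent's API:

```python
import json
import subprocess
import urllib.request

# Checklist items from the workflow description above.
CHECKLIST = ["input validation", "auth", "SSRF", "deserialisation"]

def staged_diff() -> tuple[str, list[str]]:
    """Return the staged diff and the inventory of changed files."""
    diff = subprocess.run(["git", "diff", "--staged"],
                          capture_output=True, text=True).stdout
    files = subprocess.run(["git", "diff", "--staged", "--name-only"],
                           capture_output=True, text=True).stdout.split()
    return diff, files

def build_request(diff: str, files: list[str]) -> bytes:
    """Package the diff, file inventory, and checklist for the agent."""
    return json.dumps({"diff": diff, "files": files,
                       "checklist": CHECKLIST}).encode()

def review(url: str = "http://localhost:8080/review") -> dict:
    """Called from the git hook; returns structured suggestions."""
    diff, files = staged_diff()
    req = urllib.request.Request(
        url, data=build_request(diff, files),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # suggestions you accept or reject
```

Wiring it up is then a two-line `.git/hooks/pre-push` script that runs this module and exits non-zero if any suggestion is left unresolved.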
## Reality check
Catches roughly 60% of real bugs on PRs under 200 lines; on bigger PRs the hit rate drops, because the context window dilutes the signal. False positive rate is around 15%: the agent flags things that aren't actually issues. It doesn't replace human review, but it catches the obvious stuff before a human gets pulled in.
## What breaks
- Multi-file refactors with logic split across many files
- Domain-specific bugs the model has no context for
- Anything requiring runtime understanding (the model only sees the diff)
## Alternative setups
ZeroClaw + Llama 3 8B if you want to go fully cloud-free. Slower and slightly less accurate, but the diff never leaves the machine.