A distributed collaborative code review platform combining real-time synchronization, secure isolated code execution, automated analysis, and modern backend infrastructure.
Modern software teams rarely review code alone.
A complete review workflow involves:
- discussing changes collaboratively
- reviewing code in real time
- executing untrusted code safely
- monitoring application health
- enforcing security boundaries
- maintaining scalable backend services
Most portfolio projects demonstrate only CRUD operations or basic authentication.
CodeQuorum explores a broader engineering problem:
How can multiple developers collaborate on code simultaneously while maintaining synchronization, security, observability, and execution isolation?
Instead of focusing on one feature, the project integrates several backend engineering disciplines into a single platform.
CodeQuorum was designed around five engineering objectives.
Allow multiple users to participate in the same review session with synchronized state.
Provide an isolated environment capable of executing user code without exposing the host machine.
Support threaded discussions, annotations, and structured review workflows rather than simple file uploads.
Expose metrics and health information suitable for monitoring distributed applications.
Organize the backend into independent modules that can evolve without tightly coupling unrelated functionality.
Traditional review platforms primarily revolve around pull requests.
Those workflows are excellent for asynchronous development but less effective for live collaboration.
CodeQuorum explores a complementary model where developers can:
- collaborate in real time
- review together
- execute code safely
- inspect diagnostics
- discuss improvements immediately
The project combines ideas commonly found across:
- collaborative editors
- pull request systems
- online IDEs
- static analysis tools
- backend infrastructure platforms
into a unified engineering system.
The architecture follows several guiding principles.
Each subsystem owns a clearly defined responsibility.
Examples include:
- authentication
- sandbox management
- WebSocket messaging
- AI integration
- metrics
- background jobs
This reduces coupling between unrelated components.
REST endpoints remain stateless wherever practical.
Authentication relies on JWT rather than server-side sessions, making horizontal scaling significantly easier.
Real-time updates are propagated through message broadcasting rather than repeated client polling.
This minimizes unnecessary HTTP traffic while improving synchronization latency.
Security is approached using multiple independent layers instead of relying on a single mechanism.
Examples include:
- JWT verification
- Spring Security filters
- input validation
- isolated execution environments
- rate limiting
- role-based authorization
Applications become difficult to operate without visibility.
The project therefore includes infrastructure for:
- metrics
- health endpoints
- monitoring
- dashboards
instead of treating these as afterthoughts.
┌─────────────────────────────┐
│ React Frontend │
│ Vite • TypeScript • UI │
└──────────────┬──────────────┘
│
REST APIs + WebSocket (STOMP)
│
▼
┌─────────────────────────────┐
│ Spring Boot Core │
│ Authentication • Reviews │
│ Rooms • Analysis • AI │
└───────┬──────────┬──────────┘
│ │
JPA │ │Redis Pub/Sub
│ │
▼ ▼
PostgreSQL Redis
│
▼
Docker Execution Sandbox
│
▼
Prometheus + Grafana Monitoring
A typical review session follows this sequence.
Developer Login
│
▼
JWT Authentication
│
▼
Open Review Workspace
│
▼
WebSocket Connection Established
│
▼
Real-Time Synchronization
│
▼
Code Analysis Request
│
▼
Sandbox Execution
│
▼
Analysis Results
│
▼
Review Comments Broadcast
│
▼
Metrics Published
Every stage has a clearly defined responsibility rather than combining business logic into a single service.
The repository is organized into independent backend and frontend applications alongside infrastructure configuration.
codequorum/
│
├── backend/
│ ├── src/main/java/com/codequorum/
│ ├── ai/
│ ├── analysis/
│ ├── config/
│ ├── controller/
│ ├── dto/
│ ├── entity/
│ ├── exception/
│ ├── health/
│ ├── jobs/
│ ├── metrics/
│ ├── ratelimit/
│ ├── repository/
│ ├── sandbox/
│ ├── security/
│ ├── service/
│ └── websocket/
│
├── frontend/
│ ├── src/
│ │ ├── api/
│ │ ├── components/
│ │ ├── hooks/
│ │ ├── pages/
│ │ ├── styles/
│ │ └── types/
├── docker-compose.yml
└── README.md
| Module | Responsibility |
|---|---|
| Authentication | JWT login, authorization, identity management |
| WebSocket | Live collaboration and event synchronization |
| Sandbox | Secure isolated execution of submitted code |
| Analysis | Static diagnostics and review processing |
| AI | Future AI-assisted review capabilities |
| Metrics | Prometheus metrics exposure |
| Health | Application readiness and liveness endpoints |
| Jobs | Background task scheduling |
| Rate Limiting | Protection against abusive traffic |
| Security | Spring Security configuration and filters |
| Persistence | PostgreSQL entities and repositories |
The project is under active development.
| Area | Status |
|---|---|
| Authentication | ✅ Implemented |
| PostgreSQL Persistence | ✅ Implemented |
| React Frontend | ✅ Implemented |
| Docker Infrastructure | ✅ Implemented |
| Redis Integration | ✅ Implemented |
| WebSocket Foundation | ✅ Implemented |
| Monitoring Infrastructure | ✅ Implemented |
| Sandbox Execution | 🚧 In Progress |
| AI Review Assistant | 🚧 In Progress |
| Advanced Static Analysis | 🚧 In Progress |
CodeQuorum follows a layered backend architecture that separates responsibilities into independent modules instead of concentrating business logic inside controllers.
Client Request
│
▼
Spring Security Filter
│
▼
Authentication Layer
│
▼
REST Controllers
│
▼
Business Services
↙ ↓ ↘
Analysis Sandbox AI Engine
│ │ │
└────────┼─────────┘
▼
Repository Layer
│
▼
PostgreSQL Database
Each layer owns a single responsibility:
| Layer | Responsibility |
|---|---|
| Security | Authentication, authorization, JWT verification |
| Controller | Request validation and routing |
| Service | Business logic |
| Repository | Data persistence |
| Analysis | Static diagnostics |
| Sandbox | Secure execution |
| AI | Future intelligent review assistance |
This separation reduces coupling and simplifies future feature expansion. :contentReference[oaicite:0]{index=0}
Security is implemented using multiple independent protection layers rather than relying on a single authentication mechanism.
The platform uses stateless JSON Web Tokens.
User Login
│
▼
Credentials Verified
│
▼
JWT Generated
│
▼
Authorization Header
│
▼
Spring Security Filter
│
▼
Protected Resources
Advantages include:
- Stateless authentication
- Horizontal scalability
- Reduced server memory usage
- Clear authorization boundaries
Protected endpoints are validated before controller execution.
Examples include:
- Repository access
- Review creation
- Comment editing
- Workspace administration
- Sandbox execution
Authorization logic remains isolated inside Spring Security instead of scattered throughout controllers.
Incoming payloads are validated before entering business services.
Validation includes:
- DTO constraints
- malformed payload rejection
- required field enforcement
- type validation
This reduces invalid persistence operations.
Authentication endpoints are isolated behind a dedicated rate limiting layer.
Goals:
- reduce brute-force attacks
- protect authentication resources
- prevent abuse
The implementation is intentionally independent from business logic.
Instead of trusting one security mechanism, CodeQuorum combines multiple protections.
Client
│
▼
HTTPS
│
▼
JWT Verification
│
▼
Role Validation
│
▼
DTO Validation
│
▼
Business Rules
│
▼
Database
Every layer assumes previous layers may fail.
Traditional web applications depend heavily on repeated HTTP polling.
Polling creates unnecessary traffic and increases latency.
CodeQuorum instead maintains persistent WebSocket connections.
Developer A
│
▼
WebSocket
│
▼
Spring Message Broker
│
▼
Redis Pub/Sub
│
▼
Spring Message Broker
│
▼
Developer B
Only incremental events are transmitted.
Examples include:
- new comments
- typing indicators
- review updates
- room notifications
- workspace synchronization
This dramatically reduces unnecessary client polling.
Persistent connections are established using:
- WebSocket
- SockJS fallback
- STOMP messaging
The messaging layer is responsible only for synchronization.
Business logic continues to execute inside service modules.
Benefits include:
- reduced latency
- persistent communication
- efficient broadcasting
- event-driven synchronization
Redis is used for two independent purposes.
User A
│
Publish Event
│
▼
Redis Pub/Sub
│
▼
WebSocket Nodes
│
▼
Users B,C,D...
Instead of directly communicating with every connected client, application nodes publish events into Redis.
Every WebSocket instance receives identical updates.
This allows future horizontal scaling without redesigning the messaging layer.
Redis also serves as a high-speed in-memory cache.
Frequently accessed information can be retrieved without repeated database queries.
Examples:
- workspace metadata
- active sessions
- review summaries
- frequently requested resources
Persistent application data is stored inside PostgreSQL.
The relational model provides:
- ACID transactions
- referential integrity
- indexing
- reliable consistency
Entity persistence is managed through Spring Data JPA.
Typical persisted resources include:
- users
- review sessions
- repositories
- comments
- review history
Rather than optimizing prematurely, the persistence layer prioritizes:
- normalized schemas
- explicit entity relationships
- transaction consistency
- maintainability
Indexes are introduced where query patterns justify them.
Executing arbitrary source code directly on the application server creates severe security risks.
Instead, CodeQuorum isolates execution inside dedicated Docker containers.
User Source Code
│
▼
Execution Request
│
▼
Sandbox Manager
│
▼
Docker Engine API
│
▼
Ephemeral Container
│
▼
Compiler / Runtime
│
▼
Execution Logs
│
▼
Client
This architecture separates untrusted code from the application process.
Potential benefits include:
- process isolation
- filesystem isolation
- resource constraints
- safer execution environment
Modern backend systems require visibility into runtime behavior.
CodeQuorum therefore includes an observability layer rather than treating monitoring as an afterthought.
Current infrastructure includes:
- Prometheus
- Grafana
- health endpoints
- application metrics
Metrics are exposed through dedicated endpoints.
Typical categories include:
- request counts
- response latency
- JVM memory usage
- CPU utilization
- active WebSocket sessions
- database connections
These metrics provide operational visibility during development and deployment.
Collected metrics can be visualized using Grafana dashboards.
Dashboards may include:
- request throughput
- error rates
- JVM memory
- response time
- active sessions
- system health
Visual dashboards simplify identifying performance regressions and operational issues.
Health endpoints provide quick visibility into service availability.
Typical subsystem checks include:
- PostgreSQL connectivity
- Redis availability
- application readiness
- application liveness
These endpoints simplify orchestration and deployment diagnostics.
Long-running operations should not delay client responses.
Dedicated background jobs are used where asynchronous execution provides better responsiveness.
Potential responsibilities include:
- cleanup operations
- scheduled maintenance
- notification processing
- metrics aggregation
This keeps request-response latency predictable.
Several architectural decisions intentionally favor maintainability over unnecessary complexity.
| Decision | Reason |
|---|---|
| Stateless JWT | Easier horizontal scaling |
| Redis Pub/Sub | Decoupled event broadcasting |
| PostgreSQL | Strong consistency guarantees |
| Docker Sandbox | Isolated execution of untrusted code |
| Layered Services | Lower coupling between modules |
| WebSockets | Low-latency collaboration |
| Prometheus | Standardized metrics collection |
| Grafana | Operational visualization |
Each technology was selected because it addresses a specific engineering concern rather than simply adding another framework.
The frontend is designed as a reactive single-page application that prioritizes low-latency collaboration over frequent page refreshes.
Unlike traditional CRUD dashboards, CodeQuorum maintains persistent communication with the backend through REST APIs and WebSockets simultaneously.
React Application
│
┌─────────────┴─────────────┐
│ │
▼ ▼
REST API Requests WebSocket Events
│ │
└─────────────┬─────────────┘
▼
State Synchronization
│
▼
Responsive UI Updates
The interface is organized into independent feature modules.
| Module | Responsibility |
|---|---|
| Authentication | Login, registration, JWT persistence |
| Dashboard | Active review sessions |
| Workspace | Collaborative review interface |
| Review Panel | Comments, suggestions, discussions |
| Sandbox | Execution output and diagnostics |
| Metrics | Runtime statistics |
| Settings | User preferences |
The workspace acts as the central interaction point.
Each review session contains:
- Source files
- Inline discussions
- Review threads
- Code execution output
- Static analysis reports
- AI recommendations (planned)
Rather than reloading the page after every action, the interface reacts to server events.
This significantly improves the collaborative experience.
Synchronization is event-driven.
Developer A
│
Adds Comment
│
▼
Spring Backend
│
Publishes Event
▼
Redis Pub/Sub
▼
WebSocket Gateway
▼
Developer B
Developer C
Developer D
Only incremental changes are transmitted.
Examples include:
- cursor movement
- new comments
- file updates
- review completion
- participant activity
This minimizes bandwidth while maintaining near real-time collaboration.
One objective of CodeQuorum is to move beyond simple syntax highlighting by incorporating automated review diagnostics.
The analysis module is designed around multiple independent processing stages.
Incoming Source Code
│
▼
Lexical Validation
│
▼
Structural Parsing
│
▼
Complexity Analysis
│
▼
Rule Evaluation
│
▼
Review Report
Current and planned analysis capabilities include:
- syntax validation
- structural inspection
- complexity estimation
- coding standard enforcement
- maintainability indicators
Future releases may integrate additional language-specific analyzers.
Rather than presenting raw compiler output, the platform aims to summarize quality indicators useful during reviews.
Examples include:
| Metric | Purpose |
|---|---|
| Cyclomatic Complexity | Estimates branching complexity |
| Function Length | Identifies oversized methods |
| Nesting Depth | Highlights readability concerns |
| Comment Density | Measures documentation coverage |
| Warning Count | Aggregated diagnostics |
| Execution Status | Compile / Runtime outcome |
These metrics are intended to support reviewers rather than replace human judgment.
The AI module is intentionally isolated from the core review workflow.
Source Code
│
Metadata Collection
│
▼
Prompt Construction
│
▼
LLM Interface
│
▼
Review Suggestions
│
▼
Reviewer Approval
Potential AI-assisted capabilities include:
- readability improvements
- refactoring suggestions
- duplicate code detection
- naming recommendations
- documentation generation
- potential bug identification
Importantly, AI suggestions are advisory and require reviewer approval before adoption.
A complete review session typically follows the sequence below.
Repository Created
│
▼
Reviewer Invited
│
▼
Workspace Opened
│
▼
Live Collaboration
│
▼
Static Analysis
│
▼
Sandbox Execution
│
▼
Review Discussion
│
▼
Approval / Requested Changes
│
▼
Review Archived
This lifecycle mirrors common collaborative development practices while enabling real-time interaction.
The backend follows resource-oriented REST conventions.
Representative endpoint groups include:
POST /api/auth/register
POST /api/auth/login
POST /api/auth/refreshGET /api/reviews
POST /api/reviews
GET /api/reviews/{id}
PUT /api/reviews/{id}
DELETE /api/reviews/{id}POST /api/comments
PUT /api/comments/{id}
DELETE /api/comments/{id}POST /api/sandbox/run
GET /api/sandbox/{executionId}GET /actuator/health
GET /actuator/prometheusSeveral architectural decisions prioritize predictable performance.
| Design Choice | Engineering Benefit |
|---|---|
| Stateless JWT | Eliminates session affinity |
| Redis Pub/Sub | Efficient event distribution |
| WebSockets | Low-latency communication |
| Docker Isolation | Safe execution of untrusted code |
| PostgreSQL | Transactional consistency |
| Layered Services | Easier optimization and testing |
These choices aim to improve maintainability while supporting future scaling.
Every engineering decision introduces trade-offs.
CodeQuorum intentionally favors maintainability and correctness over unnecessary optimization.
| Decision | Benefit | Trade-off |
|---|---|---|
| Monolithic Spring Boot | Simpler deployment | Less service isolation |
| PostgreSQL | Strong consistency | Vertical scaling considerations |
| Docker Sandbox | Improved security | Additional startup overhead |
| Redis Pub/Sub | Decoupled messaging | Additional infrastructure dependency |
| WebSockets | Real-time updates | Persistent connection management |
Documenting these trade-offs makes architectural intent explicit and supports future evolution.
The platform is structured to support incremental scaling.
Load Balancer
│
┌─────────────┴─────────────┐
▼ ▼
Spring Boot Node A Spring Boot Node B
│ │
└─────────────┬─────────────┘
▼
Redis Pub/Sub
│
▼
PostgreSQL
Potential future improvements include:
- read replicas
- distributed caching
- object storage
- container orchestration
- horizontal WebSocket scaling
The current modular architecture is intended to simplify these transitions.
CodeQuorum is designed around minimizing latency while keeping each subsystem independently scalable.
| Component | Design Strategy | Benefit |
|---|---|---|
| REST APIs | Stateless JWT Authentication | Horizontal scaling |
| Collaboration | Redis Pub/Sub | Multi-instance synchronization |
| Database | PostgreSQL Indexing | Fast repository retrieval |
| WebSockets | STOMP + SockJS | Reliable real-time messaging |
| Code Execution | Ephemeral Docker Containers | Secure isolation |
| Database Schema | Flyway Migrations | Repeatable deployments |
Like every production system, CodeQuorum intentionally documents its current engineering boundaries.
Current limitations include:
- Monolithic backend deployment
- Single-region Redis topology
- No distributed object storage
- Prometheus/Grafana infrastructure containerized, with application custom metrics collection actively being instrumented across services.
- No Kubernetes orchestration
- AI review suggestions remain optional and asynchronous
- Sandboxed execution currently targets predefined runtime images
These limitations provide a clear roadmap for future architectural evolution rather than representing unfinished functionality.
- CRDT-based document synchronization
- Operational Transformation conflict resolution
- Multi-region collaboration support
- Kubernetes deployment
- Horizontal Pod Autoscaling
- Service Mesh integration
- OpenTelemetry
- Prometheus metrics
- Grafana dashboards
- Distributed tracing
- Local LLM integration
- Automated review summaries
- Security vulnerability suggestions
- Refactoring recommendations
- Test generation
- Resource quotas
- Network-isolated containers
- Multi-language runtime images
- Automatic cleanup policies
codequorum/
├── backend/
│ ├── src/main/java/
│ ├── src/main/resources/
│ ├── Dockerfile
│ └── pom.xml
│
├── frontend/
│ ├── src/
│ ├── public/
│ ├── package.json
│ └── vite.config.js
│
├── docker-compose.yml
├── README.md
└── docs/
- Java 21
- Maven
- Node.js 20+
- PostgreSQL
- Redis
- Docker Desktop
git clone <repository-url>
cd codequorumcd backend
mvn spring-boot:runBackend starts at
http://localhost:8080
cd frontend
npm install
npm run devFrontend starts at
http://localhost:5173
docker compose up --buildPOSTGRES_DB=codequorum
POSTGRES_USER=postgres
POSTGRES_PASSWORD=password
REDIS_HOST=redis
JWT_SECRET=change-this-secret
DOCKER_HOST=unix:///var/run/docker.sockPOST /api/auth/register
POST /api/auth/login
POST /api/auth/refreshGET /api/repos
POST /api/repos
GET /api/repos/{id}
DELETE /api/repos/{id}POST /api/pullrequests
GET /api/pullrequests/{id}
POST /api/pullrequests/{id}/comments/ws
/topic/review
/topic/editor
/topic/commentsPOST /api/execute
POST /api/lint
POST /api/analyzeCodeQuorum is built around several engineering principles.
- Security before convenience
- Stateless backend services
- Event-driven communication
- Isolation of untrusted execution
- Independent infrastructure components
- Modular package organization
- Production-oriented development practices
Developing CodeQuorum required applying concepts from multiple areas of Computer Science:
- Distributed Systems
- Backend Engineering
- Concurrent Programming
- Network Communication
- Containerization
- Software Security
- Database Design
- Real-Time Collaboration
- Program Analysis
- Software Architecture
Unlike traditional portfolio projects, CodeQuorum combines several advanced engineering domains into one cohesive system.
It demonstrates:
- Real-time collaboration
- Distributed messaging
- Secure sandbox execution
- Modern backend architecture
- JWT authentication
- Redis event broadcasting
- Database migrations
- Docker orchestration
- Static code analysis
- AI-ready review pipeline
Rather than solving one isolated problem, CodeQuorum explores how multiple infrastructure components cooperate inside a modern collaborative developer platform.
Ashish Patel
Computer Science Engineering
Interested in:
- Distributed Systems
- Backend Engineering
- AI-assisted Developer Tools
- Software Architecture
- Scalable Infrastructure
CodeQuorum is a research-inspired, production-oriented collaborative code review platform that brings together real-time communication, secure execution, and intelligent code analysis into a unified engineering system.
It is designed not as a showcase of frameworks, but as an exploration of modern backend architecture, distributed collaboration, and secure developer tooling.
Build Together. Review Smarter. Execute Safely.