Skip to content

ashhuxt/CodeQuorum

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

🚀 CodeQuorum

Real-Time Collaborative Code Review Platform

Built with Java 21 • Spring Boot • PostgreSQL • Redis • React • Docker • WebSockets


Java Spring Boot React Redis PostgreSQL Docker WebSocket Prometheus Grafana


A distributed collaborative code review platform combining real-time synchronization, secure isolated code execution, automated analysis, and modern backend infrastructure.


🧠 Engineering Context

Modern software teams rarely review code alone.

A complete review workflow involves:

  • discussing changes collaboratively
  • reviewing code in real time
  • executing untrusted code safely
  • monitoring application health
  • enforcing security boundaries
  • maintaining scalable backend services

Most portfolio projects demonstrate only CRUD operations or basic authentication.

CodeQuorum explores a broader engineering problem:

How can multiple developers collaborate on code simultaneously while maintaining synchronization, security, observability, and execution isolation?

Instead of focusing on one feature, the project integrates several backend engineering disciplines into a single platform.


🎯 Project Goals

CodeQuorum was designed around five engineering objectives.

① Real-Time Collaboration

Allow multiple users to participate in the same review session with synchronized state.


② Secure Execution

Provide an isolated environment capable of executing user code without exposing the host machine.


③ Collaborative Review

Support threaded discussions, annotations, and structured review workflows rather than simple file uploads.


④ Operational Visibility

Expose metrics and health information suitable for monitoring distributed applications.


⑤ Extensible Architecture

Organize the backend into independent modules that can evolve without tightly coupling unrelated functionality.


💡 Why CodeQuorum?

Traditional review platforms primarily revolve around pull requests.

Those workflows are excellent for asynchronous development but less effective for live collaboration.

CodeQuorum explores a complementary model where developers can:

  • collaborate in real time
  • review together
  • execute code safely
  • inspect diagnostics
  • discuss improvements immediately

The project combines ideas commonly found across:

  • collaborative editors
  • pull request systems
  • online IDEs
  • static analysis tools
  • backend infrastructure platforms

into a unified engineering system.


⚙️ Design Principles

The architecture follows several guiding principles.

Modular Responsibilities

Each subsystem owns a clearly defined responsibility.

Examples include:

  • authentication
  • sandbox management
  • WebSocket messaging
  • AI integration
  • metrics
  • background jobs

This reduces coupling between unrelated components.


Stateless APIs

REST endpoints remain stateless wherever practical.

Authentication relies on JWT rather than server-side sessions, making horizontal scaling significantly easier.


Event-Driven Communication

Real-time updates are propagated through message broadcasting rather than repeated client polling.

This minimizes unnecessary HTTP traffic while improving synchronization latency.


Defense in Depth

Security is approached using multiple independent layers instead of relying on a single mechanism.

Examples include:

  • JWT verification
  • Spring Security filters
  • input validation
  • isolated execution environments
  • rate limiting
  • role-based authorization

Operational Observability

Applications become difficult to operate without visibility.

The project therefore includes infrastructure for:

  • metrics
  • health endpoints
  • monitoring
  • dashboards

instead of treating these as afterthoughts.


🚀 High-Level Architecture

                    ┌─────────────────────────────┐
                    │        React Frontend       │
                    │   Vite • TypeScript • UI    │
                    └──────────────┬──────────────┘
                                   │
                     REST APIs + WebSocket (STOMP)
                                   │
                                   ▼
                    ┌─────────────────────────────┐
                    │      Spring Boot Core       │
                    │ Authentication • Reviews    │
                    │ Rooms • Analysis • AI       │
                    └───────┬──────────┬──────────┘
                            │          │
                JPA         │          │Redis Pub/Sub
                            │          │
                            ▼          ▼
                    PostgreSQL      Redis

                            │
                            ▼

                  Docker Execution Sandbox

                            │
                            ▼

                 Prometheus + Grafana Monitoring

🔄 Request Lifecycle

A typical review session follows this sequence.

Developer Login
        │
        ▼
JWT Authentication
        │
        ▼
Open Review Workspace
        │
        ▼
WebSocket Connection Established
        │
        ▼
Real-Time Synchronization
        │
        ▼
Code Analysis Request
        │
        ▼
Sandbox Execution
        │
        ▼
Analysis Results
        │
        ▼
Review Comments Broadcast
        │
        ▼
Metrics Published

Every stage has a clearly defined responsibility rather than combining business logic into a single service.


🧩 Repository Overview

The repository is organized into independent backend and frontend applications alongside infrastructure configuration.

codequorum/
│
├── backend/
│   ├── src/main/java/com/codequorum/
│   ├── ai/
│   ├── analysis/
│   ├── config/
│   ├── controller/
│   ├── dto/
│   ├── entity/
│   ├── exception/
│   ├── health/
│   ├── jobs/
│   ├── metrics/
│   ├── ratelimit/
│   ├── repository/
│   ├── sandbox/
│   ├── security/
│   ├── service/
│   └── websocket/
│
├── frontend/
│   ├── src/
│   │   ├── api/
│   │   ├── components/
│   │   ├── hooks/
│   │   ├── pages/
│   │   ├── styles/
│   │   └── types/
├── docker-compose.yml
└── README.md

📦 Core Modules

Module Responsibility
Authentication JWT login, authorization, identity management
WebSocket Live collaboration and event synchronization
Sandbox Secure isolated execution of submitted code
Analysis Static diagnostics and review processing
AI Future AI-assisted review capabilities
Metrics Prometheus metrics exposure
Health Application readiness and liveness endpoints
Jobs Background task scheduling
Rate Limiting Protection against abusive traffic
Security Spring Security configuration and filters
Persistence PostgreSQL entities and repositories

🎯 Current Development Status

The project is under active development.

Area Status
Authentication ✅ Implemented
PostgreSQL Persistence ✅ Implemented
React Frontend ✅ Implemented
Docker Infrastructure ✅ Implemented
Redis Integration ✅ Implemented
WebSocket Foundation ✅ Implemented
Monitoring Infrastructure ✅ Implemented
Sandbox Execution 🚧 In Progress
AI Review Assistant 🚧 In Progress
Advanced Static Analysis 🚧 In Progress

Next: Part 2 covers the complete backend architecture, security model, Redis Pub/Sub topology, WebSocket synchronization, Docker sandbox design, and observability stack.

⚙️ Backend Architecture

CodeQuorum follows a layered backend architecture that separates responsibilities into independent modules instead of concentrating business logic inside controllers.

                 Client Request
                       │
                       ▼
              Spring Security Filter
                       │
                       ▼
                Authentication Layer
                       │
                       ▼
                 REST Controllers
                       │
                       ▼
                 Business Services
               ↙        ↓        ↘
          Analysis   Sandbox   AI Engine
               │        │         │
               └────────┼─────────┘
                        ▼
                 Repository Layer
                        │
                        ▼
                  PostgreSQL Database

Each layer owns a single responsibility:

Layer Responsibility
Security Authentication, authorization, JWT verification
Controller Request validation and routing
Service Business logic
Repository Data persistence
Analysis Static diagnostics
Sandbox Secure execution
AI Future intelligent review assistance

This separation reduces coupling and simplifies future feature expansion. :contentReference[oaicite:0]{index=0}


🔐 Security Architecture

Security is implemented using multiple independent protection layers rather than relying on a single authentication mechanism.

Authentication

The platform uses stateless JSON Web Tokens.

User Login
      │
      ▼
Credentials Verified
      │
      ▼
JWT Generated
      │
      ▼
Authorization Header
      │
      ▼
Spring Security Filter
      │
      ▼
Protected Resources

Advantages include:

  • Stateless authentication
  • Horizontal scalability
  • Reduced server memory usage
  • Clear authorization boundaries

Authorization

Protected endpoints are validated before controller execution.

Examples include:

  • Repository access
  • Review creation
  • Comment editing
  • Workspace administration
  • Sandbox execution

Authorization logic remains isolated inside Spring Security instead of scattered throughout controllers.


Request Validation

Incoming payloads are validated before entering business services.

Validation includes:

  • DTO constraints
  • malformed payload rejection
  • required field enforcement
  • type validation

This reduces invalid persistence operations.


Rate Limiting

Authentication endpoints are isolated behind a dedicated rate limiting layer.

Goals:

  • reduce brute-force attacks
  • protect authentication resources
  • prevent abuse

The implementation is intentionally independent from business logic.


Defense in Depth

Instead of trusting one security mechanism, CodeQuorum combines multiple protections.

Client
   │
   ▼
HTTPS
   │
   ▼
JWT Verification
   │
   ▼
Role Validation
   │
   ▼
DTO Validation
   │
   ▼
Business Rules
   │
   ▼
Database

Every layer assumes previous layers may fail.


📡 Real-Time Collaboration

Traditional web applications depend heavily on repeated HTTP polling.

Polling creates unnecessary traffic and increases latency.

CodeQuorum instead maintains persistent WebSocket connections.

Developer A
      │
      ▼
WebSocket
      │
      ▼
Spring Message Broker
      │
      ▼
Redis Pub/Sub
      │
      ▼
Spring Message Broker
      │
      ▼
Developer B

Only incremental events are transmitted.

Examples include:

  • new comments
  • typing indicators
  • review updates
  • room notifications
  • workspace synchronization

This dramatically reduces unnecessary client polling.


🌐 WebSocket Synchronization

Persistent connections are established using:

  • WebSocket
  • SockJS fallback
  • STOMP messaging

The messaging layer is responsible only for synchronization.

Business logic continues to execute inside service modules.

Benefits include:

  • reduced latency
  • persistent communication
  • efficient broadcasting
  • event-driven synchronization

🔴 Redis Event Fabric

Redis is used for two independent purposes.

Distributed Event Broadcasting

User A
   │
Publish Event
   │
   ▼
Redis Pub/Sub
   │
   ▼
WebSocket Nodes
   │
   ▼
Users B,C,D...

Instead of directly communicating with every connected client, application nodes publish events into Redis.

Every WebSocket instance receives identical updates.

This allows future horizontal scaling without redesigning the messaging layer.


Caching

Redis also serves as a high-speed in-memory cache.

Frequently accessed information can be retrieved without repeated database queries.

Examples:

  • workspace metadata
  • active sessions
  • review summaries
  • frequently requested resources

🐘 Persistence Layer

Persistent application data is stored inside PostgreSQL.

The relational model provides:

  • ACID transactions
  • referential integrity
  • indexing
  • reliable consistency

Entity persistence is managed through Spring Data JPA.

Typical persisted resources include:

  • users
  • review sessions
  • repositories
  • comments
  • review history

🗄️ Database Design Philosophy

Rather than optimizing prematurely, the persistence layer prioritizes:

  • normalized schemas
  • explicit entity relationships
  • transaction consistency
  • maintainability

Indexes are introduced where query patterns justify them.


🐳 Docker Sandbox

Executing arbitrary source code directly on the application server creates severe security risks.

Instead, CodeQuorum isolates execution inside dedicated Docker containers.

User Source Code
        │
        ▼
Execution Request
        │
        ▼
Sandbox Manager
        │
        ▼
Docker Engine API
        │
        ▼
Ephemeral Container
        │
        ▼
Compiler / Runtime
        │
        ▼
Execution Logs
        │
        ▼
Client

This architecture separates untrusted code from the application process.

Potential benefits include:

  • process isolation
  • filesystem isolation
  • resource constraints
  • safer execution environment

📊 Observability

Modern backend systems require visibility into runtime behavior.

CodeQuorum therefore includes an observability layer rather than treating monitoring as an afterthought.

Current infrastructure includes:

  • Prometheus
  • Grafana
  • health endpoints
  • application metrics

Prometheus Metrics

Metrics are exposed through dedicated endpoints.

Typical categories include:

  • request counts
  • response latency
  • JVM memory usage
  • CPU utilization
  • active WebSocket sessions
  • database connections

These metrics provide operational visibility during development and deployment.


Grafana Dashboards

Collected metrics can be visualized using Grafana dashboards.

Dashboards may include:

  • request throughput
  • error rates
  • JVM memory
  • response time
  • active sessions
  • system health

Visual dashboards simplify identifying performance regressions and operational issues.


❤️ Health Monitoring

Health endpoints provide quick visibility into service availability.

Typical subsystem checks include:

  • PostgreSQL connectivity
  • Redis availability
  • application readiness
  • application liveness

These endpoints simplify orchestration and deployment diagnostics.


📦 Background Jobs

Long-running operations should not delay client responses.

Dedicated background jobs are used where asynchronous execution provides better responsiveness.

Potential responsibilities include:

  • cleanup operations
  • scheduled maintenance
  • notification processing
  • metrics aggregation

This keeps request-response latency predictable.


🧩 Engineering Decisions

Several architectural decisions intentionally favor maintainability over unnecessary complexity.

Decision Reason
Stateless JWT Easier horizontal scaling
Redis Pub/Sub Decoupled event broadcasting
PostgreSQL Strong consistency guarantees
Docker Sandbox Isolated execution of untrusted code
Layered Services Lower coupling between modules
WebSockets Low-latency collaboration
Prometheus Standardized metrics collection
Grafana Operational visualization

Each technology was selected because it addresses a specific engineering concern rather than simply adding another framework.


Next: Part 3 covers the Frontend Architecture, Static Analysis Engine, AI Review Pipeline, Repository Workflow, Performance Considerations, API Design, and Engineering Trade-offs.

🎨 Frontend Architecture

The frontend is designed as a reactive single-page application that prioritizes low-latency collaboration over frequent page refreshes.

Unlike traditional CRUD dashboards, CodeQuorum maintains persistent communication with the backend through REST APIs and WebSockets simultaneously.

                React Application
                       │
         ┌─────────────┴─────────────┐
         │                           │
         ▼                           ▼
 REST API Requests          WebSocket Events
         │                           │
         └─────────────┬─────────────┘
                       ▼
               State Synchronization
                       │
                       ▼
                Responsive UI Updates

The interface is organized into independent feature modules.

Module Responsibility
Authentication Login, registration, JWT persistence
Dashboard Active review sessions
Workspace Collaborative review interface
Review Panel Comments, suggestions, discussions
Sandbox Execution output and diagnostics
Metrics Runtime statistics
Settings User preferences

🖥️ Collaborative Review Workspace

The workspace acts as the central interaction point.

Each review session contains:

  • Source files
  • Inline discussions
  • Review threads
  • Code execution output
  • Static analysis reports
  • AI recommendations (planned)

Rather than reloading the page after every action, the interface reacts to server events.

This significantly improves the collaborative experience.


🔄 State Synchronization Strategy

Synchronization is event-driven.

Developer A
      │
Adds Comment
      │
      ▼
Spring Backend
      │
Publishes Event
      ▼
Redis Pub/Sub
      ▼
WebSocket Gateway
      ▼
Developer B
Developer C
Developer D

Only incremental changes are transmitted.

Examples include:

  • cursor movement
  • new comments
  • file updates
  • review completion
  • participant activity

This minimizes bandwidth while maintaining near real-time collaboration.


🔬 Static Analysis Engine

One objective of CodeQuorum is to move beyond simple syntax highlighting by incorporating automated review diagnostics.

The analysis module is designed around multiple independent processing stages.

Incoming Source Code
         │
         ▼
Lexical Validation
         │
         ▼
Structural Parsing
         │
         ▼
Complexity Analysis
         │
         ▼
Rule Evaluation
         │
         ▼
Review Report

Current and planned analysis capabilities include:

  • syntax validation
  • structural inspection
  • complexity estimation
  • coding standard enforcement
  • maintainability indicators

Future releases may integrate additional language-specific analyzers.


📊 Code Quality Metrics

Rather than presenting raw compiler output, the platform aims to summarize quality indicators useful during reviews.

Examples include:

Metric Purpose
Cyclomatic Complexity Estimates branching complexity
Function Length Identifies oversized methods
Nesting Depth Highlights readability concerns
Comment Density Measures documentation coverage
Warning Count Aggregated diagnostics
Execution Status Compile / Runtime outcome

These metrics are intended to support reviewers rather than replace human judgment.


🤖 AI Review Pipeline (Roadmap)

The AI module is intentionally isolated from the core review workflow.

Source Code
      │
Metadata Collection
      │
      ▼
Prompt Construction
      │
      ▼
LLM Interface
      │
      ▼
Review Suggestions
      │
      ▼
Reviewer Approval

Potential AI-assisted capabilities include:

  • readability improvements
  • refactoring suggestions
  • duplicate code detection
  • naming recommendations
  • documentation generation
  • potential bug identification

Importantly, AI suggestions are advisory and require reviewer approval before adoption.


📂 Review Lifecycle

A complete review session typically follows the sequence below.

Repository Created
        │
        ▼
Reviewer Invited
        │
        ▼
Workspace Opened
        │
        ▼
Live Collaboration
        │
        ▼
Static Analysis
        │
        ▼
Sandbox Execution
        │
        ▼
Review Discussion
        │
        ▼
Approval / Requested Changes
        │
        ▼
Review Archived

This lifecycle mirrors common collaborative development practices while enabling real-time interaction.


📡 REST API Design

The backend follows resource-oriented REST conventions.

Representative endpoint groups include:

Authentication

POST   /api/auth/register
POST   /api/auth/login
POST   /api/auth/refresh

Reviews

GET    /api/reviews
POST   /api/reviews
GET    /api/reviews/{id}
PUT    /api/reviews/{id}
DELETE /api/reviews/{id}

Comments

POST   /api/comments
PUT    /api/comments/{id}
DELETE /api/comments/{id}

Sandbox

POST /api/sandbox/run
GET  /api/sandbox/{executionId}

Metrics

GET /actuator/health
GET /actuator/prometheus

⚡ Performance Considerations

Several architectural decisions prioritize predictable performance.

Design Choice Engineering Benefit
Stateless JWT Eliminates session affinity
Redis Pub/Sub Efficient event distribution
WebSockets Low-latency communication
Docker Isolation Safe execution of untrusted code
PostgreSQL Transactional consistency
Layered Services Easier optimization and testing

These choices aim to improve maintainability while supporting future scaling.


⚖️ Engineering Trade-offs

Every engineering decision introduces trade-offs.

CodeQuorum intentionally favors maintainability and correctness over unnecessary optimization.

Decision Benefit Trade-off
Monolithic Spring Boot Simpler deployment Less service isolation
PostgreSQL Strong consistency Vertical scaling considerations
Docker Sandbox Improved security Additional startup overhead
Redis Pub/Sub Decoupled messaging Additional infrastructure dependency
WebSockets Real-time updates Persistent connection management

Documenting these trade-offs makes architectural intent explicit and supports future evolution.


📈 Scalability Strategy

The platform is structured to support incremental scaling.

                Load Balancer
                      │
        ┌─────────────┴─────────────┐
        ▼                           ▼
 Spring Boot Node A         Spring Boot Node B
        │                           │
        └─────────────┬─────────────┘
                      ▼
                 Redis Pub/Sub
                      │
                      ▼
                 PostgreSQL

Potential future improvements include:

  • read replicas
  • distributed caching
  • object storage
  • container orchestration
  • horizontal WebSocket scaling

The current modular architecture is intended to simplify these transitions.


Next: Part 4 completes the README with installation, Docker deployment, project structure, screenshots, testing, observability dashboards, limitations, research direction, roadmap, contribution guide, acknowledgements, and the premium closing section.

⚡ Performance & Scalability Considerations

CodeQuorum is designed around minimizing latency while keeping each subsystem independently scalable.

Component Design Strategy Benefit
REST APIs Stateless JWT Authentication Horizontal scaling
Collaboration Redis Pub/Sub Multi-instance synchronization
Database PostgreSQL Indexing Fast repository retrieval
WebSockets STOMP + SockJS Reliable real-time messaging
Code Execution Ephemeral Docker Containers Secure isolation
Database Schema Flyway Migrations Repeatable deployments

⚠️ Current Limitations

Like every production system, CodeQuorum intentionally documents its current engineering boundaries.

Current limitations include:

  • Monolithic backend deployment
  • Single-region Redis topology
  • No distributed object storage
  • Prometheus/Grafana infrastructure containerized, with application custom metrics collection actively being instrumented across services.
  • No Kubernetes orchestration
  • AI review suggestions remain optional and asynchronous
  • Sandboxed execution currently targets predefined runtime images

These limitations provide a clear roadmap for future architectural evolution rather than representing unfinished functionality.


🚀 Future Roadmap

Distributed Collaboration

  • CRDT-based document synchronization
  • Operational Transformation conflict resolution
  • Multi-region collaboration support

Cloud Native Infrastructure

  • Kubernetes deployment
  • Horizontal Pod Autoscaling
  • Service Mesh integration

Observability

  • OpenTelemetry
  • Prometheus metrics
  • Grafana dashboards
  • Distributed tracing

AI-Assisted Reviews

  • Local LLM integration
  • Automated review summaries
  • Security vulnerability suggestions
  • Refactoring recommendations
  • Test generation

Secure Execution

  • Resource quotas
  • Network-isolated containers
  • Multi-language runtime images
  • Automatic cleanup policies

📂 Project Structure

codequorum/
├── backend/
│   ├── src/main/java/
│   ├── src/main/resources/
│   ├── Dockerfile
│   └── pom.xml
│
├── frontend/
│   ├── src/
│   ├── public/
│   ├── package.json
│   └── vite.config.js
│
├── docker-compose.yml
├── README.md
└── docs/

🚀 Getting Started

Prerequisites

  • Java 21
  • Maven
  • Node.js 20+
  • PostgreSQL
  • Redis
  • Docker Desktop

Clone Repository

git clone <repository-url>

cd codequorum

Backend

cd backend

mvn spring-boot:run

Backend starts at

http://localhost:8080

Frontend

cd frontend

npm install

npm run dev

Frontend starts at

http://localhost:5173

Docker Deployment

docker compose up --build

🔐 Environment Variables

POSTGRES_DB=codequorum

POSTGRES_USER=postgres

POSTGRES_PASSWORD=password

REDIS_HOST=redis

JWT_SECRET=change-this-secret

DOCKER_HOST=unix:///var/run/docker.sock

📡 REST API Overview

Authentication

POST /api/auth/register

POST /api/auth/login

POST /api/auth/refresh

Repository

GET /api/repos

POST /api/repos

GET /api/repos/{id}

DELETE /api/repos/{id}

Pull Requests

POST /api/pullrequests

GET /api/pullrequests/{id}

POST /api/pullrequests/{id}/comments

Collaboration

/ws

/topic/review

/topic/editor

/topic/comments

Execution

POST /api/execute

POST /api/lint

POST /api/analyze

🧪 Engineering Philosophy

CodeQuorum is built around several engineering principles.

  • Security before convenience
  • Stateless backend services
  • Event-driven communication
  • Isolation of untrusted execution
  • Independent infrastructure components
  • Modular package organization
  • Production-oriented development practices

📚 Learning Outcomes

Developing CodeQuorum required applying concepts from multiple areas of Computer Science:

  • Distributed Systems
  • Backend Engineering
  • Concurrent Programming
  • Network Communication
  • Containerization
  • Software Security
  • Database Design
  • Real-Time Collaboration
  • Program Analysis
  • Software Architecture

🌟 Why This Project Stands Out

Unlike traditional portfolio projects, CodeQuorum combines several advanced engineering domains into one cohesive system.

It demonstrates:

  • Real-time collaboration
  • Distributed messaging
  • Secure sandbox execution
  • Modern backend architecture
  • JWT authentication
  • Redis event broadcasting
  • Database migrations
  • Docker orchestration
  • Static code analysis
  • AI-ready review pipeline

Rather than solving one isolated problem, CodeQuorum explores how multiple infrastructure components cooperate inside a modern collaborative developer platform.


👨‍💻 Developer

Ashish Patel

Computer Science Engineering

Interested in:

  • Distributed Systems
  • Backend Engineering
  • AI-assisted Developer Tools
  • Software Architecture
  • Scalable Infrastructure

⭐ Final Statement

CodeQuorum is a research-inspired, production-oriented collaborative code review platform that brings together real-time communication, secure execution, and intelligent code analysis into a unified engineering system.

It is designed not as a showcase of frameworks, but as an exploration of modern backend architecture, distributed collaboration, and secure developer tooling.

Build Together. Review Smarter. Execute Safely.

About

A real-time collaborative code review platform featuring a decoupled Spring Boot backend, React+TS frontend, Redis Pub/Sub room clustering, a secure isolated Docker sandbox for code execution, and automated static analysis pipelines.

Topics

Resources

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors