Your first PR
Once you've installed the GitHub App and approved a repo, the next PR opened (or pushed to) gets analyzed end-to-end. Here's what you'll actually see, minute by minute.
No config required to start
.veriva/policy.yml later when you want to override.
T+0 — PR opens
A pending check-run appears on the PR within ~5 seconds, labelled Veriva · pipeline. The webhook delivery is signed + deduplicated against a 24-hour Redis set before it gets enqueued, so retries never double-fire.
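As an added example, not Veriva's own code, here is the shape of that ingest step in Python: verify GitHub's X-Hub-Signature-256 HMAC over the raw body with a constant-time compare, then deduplicate on the X-GitHub-Delivery id against a set whose entries expire after 24 hours, so a retried delivery is dropped instead of enqueued twice. The in-memory SeenDeliveries class stands in for the Redis set, and the secret and body are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Optional

DEDUP_TTL_SECONDS = 24 * 60 * 60  # the 24-hour window the page describes

# Constructed sample values, not a real secret or a real delivery.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","number":42}'


def sign(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub sends in X-Hub-Signature-256 for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Verify the header against the raw body with a constant-time compare."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


class SeenDeliveries:
    """In-memory stand-in for the Redis set: delivery id -> expiry time."""

    def __init__(self, ttl: int = DEDUP_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._seen: Dict[str, float] = {}

    def first_time(self, delivery_id: str, now: float) -> bool:
        """True only the first time an id is seen inside the TTL window."""
        expiry = self._seen.get(delivery_id)
        if expiry is not None and expiry > now:
            return False
        self._seen[delivery_id] = now + self.ttl
        return True


def should_enqueue(secret: bytes, body: bytes, headers: Dict[str, str],
                   seen: SeenDeliveries, now: float) -> str:
    """Gate one delivery: bad MAC -> rejected, replay -> duplicate, else enqueued."""
    if not signature_valid(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected"
    delivery_id = headers.get("X-GitHub-Delivery")
    if not delivery_id:
        return "rejected"  # cannot deduplicate an unidentified delivery
    return "enqueued" if seen.first_time(delivery_id, now) else "duplicate"
```

The signature check runs before the dedup lookup on purpose: an unauthenticated request must not be able to poison the seen-set and suppress a legitimate delivery.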
T+5s — Sanitize + Static
The first three stages run synchronously: prompt-injection sanitization, pre-ingest hygiene (PR description present, no committed secrets, tests touched if src/ changed), and deterministic static analysis. Any HIGH or CRITICAL finding here flows straight to the AI review with full context.
T+15s — AI review
The right model tier reads your diff with the full enrichment bundle (repo profile, author profile, similar PRs, dep graph, agent identity). Each finding is then cross-checked by a second, cheaper model; where the two disagree, the finding is demoted to Discovery and re-audited by the deep tier.
T+30s — Merge gate
Findings are reduced to a check-run conclusion based on your merge policy: success, failure, or neutral. The PR comment thread gets a single review-style summary comment plus any inline notes on specific lines (Team and above).
First 1-2 PRs — baseline warm-up
For your very first PRs, the trust score calibration leans on the public corpus baseline. As your repo accumulates post-merge outcomes (reverts, incident-linked commits), the per-repo calibration takes over. Expect grade variability to tighten after ~10-15 PRs.
The baseline-complete email
Customizing from here
- Set a merge policy tier per org or per repo.
- Add .veriva.yml to version your policy alongside code.
- Layer Shell or Webhook hooks to plug your own checks into the pipeline.
- Add agent identities so per-agent trust scores get tracked from PR one.