Every merge request is a small act of trust. Someone you may not know proposes a change, and your pipeline runs against it. Add an AI reviewer to that pipeline and the trust question gets sharper: you're now pointing a capable, instruction-following model at code that anyone can write, and giving it a job to do in your infrastructure.

This is the story of how I added an automated Claude review to the merge requests of an old, self-hosted GitLab instance, one with no native AI integration, running on hardware that predates half the assumptions modern tooling makes. The interesting part isn't that it works. It's the one design decision everything else hangs from: the AI never holds a token and reads untrusted input at the same time.

The problem: a legacy GitLab with nothing in the box

The hosted platforms have made this easy. GitLab Duo, GitHub's review bots, a dozen SaaS integrations. On a current platform it's a few clicks of setup. None of that was on the table. The instance I was working with is self-hosted, several major versions behind, and the runner it schedules jobs on is old enough that some modern binaries won't even start on it.

So the goal was deliberately modest: when someone opens a merge request against a protected branch, a reviewer should read the diff, leave inline comments where it finds real problems, and (this was the part the team actually wanted) block the merge when something serious shows up. All of it on infrastructure I couldn't replace, only build on.