🎮 The Next Input — Issue #055

The AI That Patches Your Code


⚡ The Briefing — 60 sec

🛠️ The Playbook — Autonomous Code Review & Patch Factory (GPT-5 Codex + Agent-3)

Mission: Stand up a guard-railed, end-to-end pipeline where GPT-5 Codex proposes patches, Replit Agent-3 executes structured refactors, and human reviewers ship with confidence.
Difficulty: Advanced | Build time: 2–3 hours (pilot)
ROI: Teams save ≈ 12–18 h/week on maintenance, repetitive refactors, and “nits”—while improving defect catch-rate.

0) Why now

With GPT-5 Codex reasoning over repos and Agent-3 executing repeatable editor flows, we can reliably automate the 80% of changes that are boring but error-prone: log hardening, null checks, unsafe API migrations, dependency bumps, and test scaffolding. Success = automation does the grind, humans handle design.

1) Reference Architecture

| Layer | Tooling | Purpose |
|---|---|---|
| Trigger | GitHub Actions / Cron | Nightly or on-PR label auto-review |
| Static Checks | Semgrep / CodeQL / SonarQube | Produce concrete findings w/ locations |
| Planner (LLM) | GPT-5 Codex | Turn findings → stepwise patch plan per file |
| Executor | Replit Agent-3 | Apply edits via reproducible “flows” (safe transforms) |
| Tests | Pytest/Jest/Vitest + Coverage | Run focused suites; capture failures |
| Gate | PR bot + Policy Rules | Require ✅ on tests + style + risk score |
| Human Checkpoint | CODEOWNERS | Final sign-off on medium/high-risk diffs |

2) End-to-End Workflow

  1. Trigger:

    • Label a PR auto-review or run nightly on main.

  2. Harvest Signals:

    • Run Semgrep/CodeQL; export findings JSON (rule_id, path, line, message).

  3. Plan (GPT-5 Codex):

    • Prompt converts findings → Patch Plan with scoped edits: file, region, rationale, tests to add/modify.

  4. Execute (Agent-3):

    • For each step, Agent-3 runs an editor flow (structured commands): insert guard, rename API call, add unit test skeleton, update import.

  5. Test & Lint:

    • Run impacted tests; compute diff coverage; auto-fix lint/format.

  6. Risk Score & PR:

    • Score = change size + file criticality + test pass + rule severity.

    • If Score ≤ threshold → open PR with checklist & artifacts; else mark Needs Human with a summary.

  7. Human Review (required):

    • CODEOWNERS must approve; bot blocks merge on failing checks.

  8. Learn:

    • If reviewer edits, feed delta back into a small “patterns” file to improve future plans.
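Step 2 in working form, as an added example that is not code from the newsletter or from Semgrep: it converts Semgrep's `--json` output (`results[].check_id/path/start/end/extra`) into the findings schema the Planner prompt consumes and cuts the +/- 30-line excerpt the planner is given per finding. The scan output and the severity mapping are constructed for illustration.

```python
import json

# Constructed sample of Semgrep `--json` output with two findings; not a real scan.
SEMGREP_OUTPUT = json.dumps({
    "results": [
        {"check_id": "js.express.security.pii-logging",
         "path": "src/api/user.ts",
         "start": {"line": 45, "col": 5}, "end": {"line": 45, "col": 40},
         "extra": {"message": "Possible PII written to log", "severity": "WARNING"}},
        {"check_id": "js.lang.security.insecure-random",
         "path": "src/util/token.ts",
         "start": {"line": 12, "col": 9}, "end": {"line": 12, "col": 30},
         "extra": {"message": "Math.random() is not cryptographically secure",
                   "severity": "ERROR"}},
    ]
})

# Assumed mapping from Semgrep severities to the planner's low/medium/high scale.
SEVERITY_MAP = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}


def harvest_findings(semgrep_json: str) -> list[dict]:
    """Normalise Semgrep results into the planner's findings schema:
    [{rule_id, path, start_line, end_line, message, severity}]."""
    findings = []
    for r in json.loads(semgrep_json).get("results", []):
        findings.append({
            "rule_id": r["check_id"],
            "path": r["path"],
            "start_line": r["start"]["line"],
            "end_line": r["end"]["line"],
            "message": r["extra"]["message"],
            "severity": SEVERITY_MAP.get(r["extra"].get("severity", "INFO"), "low"),
        })
    return findings


def excerpt(source: str, start_line: int, end_line: int, context: int = 30) -> str:
    """Return the finding's lines plus `context` lines either side, numbered,
    clipped to the file boundaries (the planner prompt asks for +/- 30)."""
    lines = source.splitlines()
    lo = max(1, start_line - context)
    hi = min(len(lines), end_line + context)
    return "\n".join(f"{n}: {lines[n - 1]}" for n in range(lo, hi + 1))


if __name__ == "__main__":
    print(json.dumps(harvest_findings(SEMGREP_OUTPUT), indent=2))
```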

3) Prompts (drop-in)

A) Planner Prompt — GPT-5 Codex

SYSTEM: You are a senior software engineer generating SAFE patch plans.
INPUTS:
- Findings (JSON array): [{rule_id, path, start_line, end_line, message, severity}]
- Code excerpts (for each finding, +/- 30 lines)
- Repo guidelines: language, style, test framework, logging policy

TASK:
For each finding, propose a MINIMAL patch plan:
[
  {
    "path": "src/api/user.ts",
    "intent": "Add null guard on user.id before logging",
    "edits": [
      {"type":"insert_before","line":42,"code":"if (!user?.id) { return next(new BadRequest('missing id')); }"}
    ],
    "tests": [
      {"path":"tests/api/user.spec.ts","intent":"Add case for missing id -> 400"}
    ],
    "risk": "low",
    "rationale": "Semgrep rule X123 (PII logging) fired at L45; guard prevents unsafe log."
  }
]
RULES:
- No wide refactors; prefer surgical edits.
- Always propose at least one test change when logic shifts.
- Never change public API signatures without 'high' risk tag.

B) Executor Prompt — Replit Agent-3

SYSTEM: You are Agent-3 applying a structured plan.
For each plan.edits[]:
- open(path)
- apply exact change at indicated lines
- run formatter ("npm run fmt" or "black")
- if tests specified, scaffold file if missing with minimal passing stub.

On failure: revert file and emit "needs_human" with reason.

C) PR Body Template

## Auto Patch Summary
- Findings addressed: {n}
- Risk score: {score} (low/med/high)
- Tests: {added}/{modified}; Coverage Δ: {delta}%
- Rules: {rule_ids}

### Reviewer Checklist
- [ ] Logic change verified
- [ ] Tests sufficiently cover fix
- [ ] Naming & style conform

4) Guardrails & Policy

  • Scope Control: deny edits outside src/ unless rule explicitly targets config/migrations.

  • Data Safety: block any addition of secrets/PII to logs; enforce logger.safe() wrapper.

  • Risk Thresholds:

    • Low: auto-PR.

    • Medium: PR + second reviewer.

    • High: require team lead + run full test matrix.

  • Kill-Switch: label no-bots on a PR or path to skip agents entirely.
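The risk score and gate from steps 6–7 of the workflow, combined with the guardrails above (scope control, logger.safe() enforcement, risk thresholds, no-bots kill-switch), as an added example that is not code from the newsletter or from any tool it names. The sample plan follows the Planner prompt's JSON shape; the weights, thresholds, critical-path prefixes and raw-logger call names are assumptions to tune per repo.

```python
# Constructed sample: one planner output (Planner prompt schema) and its finding.
PLAN = {"path": "src/api/user.ts", "risk": "low",
        "edits": [{"type": "insert_before", "line": 42,
                   "code": "if (!user?.id) { return next(new BadRequest('missing id')); }"}],
        "tests": [{"path": "tests/api/user.spec.ts", "intent": "missing id -> 400"}]}
FINDING = {"rule_id": "pii-logging", "path": "src/api/user.ts", "severity": "medium"}

# Assumed weights and thresholds; adjust to the repo's own risk appetite.
CRITICAL_PREFIXES = ("src/auth/", "src/payments/", "migrations/")
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6}
MEDIUM_AT, HIGH_AT = 5, 10
RAW_LOG_CALLS = ("console.log(", "logger.info(", "print(")


def gate(plan: dict, finding: dict, pr_labels: set[str], tests_passed: bool) -> dict:
    """Decide what happens to one patch-plan entry: {"level", "action", "reasons"}."""
    # Kill-switch: the no-bots label skips the agents entirely.
    if "no-bots" in pr_labels:
        return {"level": "high", "action": "skipped", "reasons": ["no-bots label"]}
    path = plan["path"]
    # Scope control: deny edits outside src/ unless the rule targets config/migrations.
    rule_targets_config = any(k in finding["rule_id"] for k in ("config", "migration"))
    if not path.startswith("src/") and not rule_targets_config:
        return {"level": "high", "action": "needs_human", "reasons": [f"outside src/: {path}"]}
    # Data safety: inserted code may not call a raw logger; require the logger.safe() wrapper.
    for edit in plan["edits"]:
        code = edit.get("code", "")
        if any(c in code for c in RAW_LOG_CALLS) and "logger.safe(" not in code:
            return {"level": "high", "action": "needs_human", "reasons": ["raw log call"]}
    # Risk score = change size + file criticality + test pass + rule severity.
    reasons = []
    score = sum(len(e.get("code", "").splitlines()) for e in plan["edits"])
    if path.startswith(CRITICAL_PREFIXES):
        score += 4
        reasons.append("critical path")
    if not tests_passed:
        score += 5
        reasons.append("tests failing")
    score += SEVERITY_WEIGHT.get(finding["severity"], 6)
    if not plan.get("tests"):
        score += 2
        reasons.append("no test change proposed")
    reasons.append(f"score={score}")
    # Thresholds: low -> auto-PR, medium -> second reviewer, high -> human + full matrix.
    if score >= HIGH_AT or plan.get("risk") == "high":
        return {"level": "high", "action": "needs_human", "reasons": reasons}
    if score >= MEDIUM_AT:
        return {"level": "medium", "action": "pr_second_reviewer", "reasons": reasons}
    return {"level": "low", "action": "auto_pr", "reasons": reasons}
```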

5) Pilot: 90-Minute Rollout

  1. Pick one repo + 3 Semgrep rules (e.g., PII logging, insecure random, missing awaits).

  2. Wire GitHub Action → harvest findings JSON → call Planner (GPT-5 Codex) → Agent-3 execution on a branch.

  3. Run impacted tests; open first PR; capture baseline metrics (review time, diff size).

  4. Iterate thresholds based on reviewer feedback; add 1–2 rules per week.

6) Metrics that Matter

  • MTTR for “nit” fixes (hours → minutes).

  • % Findings auto-remediated (target > 50% of low-risk rules).

  • Diff coverage (not just repo-wide).

  • Rework rate (how often humans rewrite bot patches).

  • Lead time to merge for bot PRs vs human-only PRs.

Pro tip: Start with harmless refactors (format, dead code, null guards). Earn trust, then expand to migrations and security hardening.

🎯 The Arsenal — Tools & Prompts

| Asset | What it does | Link / Prompt |
|---|---|---|
| Semgrep | Fast static analysis with CI JSON output | https://semgrep.dev |
| CodeQL | Vulnerability queries at scale | https://codeql.github.com |
| Replit Agent-3 | Autonomous editor-flow executor | https://blog.replit.com/introducing-agent-3-our-most-autonomous-agent-yet |
| GitHub Actions | Wire triggers & artifacts | https://github.com/features/actions |
| Prompt · “Patch Plan → PR” | Convert plan to reviewer-friendly PR text | Summarise the patch plan into a PR body with: files changed, rationale per finding, risk score, tests added, and a reviewer checklist. |

💡 Free Office Hours

Need help piloting a patch factory or tuning guardrails?
Book a free 15-minute Office Hours slot—no sales pitch, just workflows solved.

Top Publishers Hand-Selecting Amazon Brands to Promote this Holiday Season

This holiday season, top publishers are actively sourcing brands to include in their gift guides, newsletters, listicles, reviews, and more to drive high-intent shoppers straight to Amazon storefronts.

Here’s why it matters:

  • Amazon brands are seeing a 5:1 conversion rate compared to their DTC site

  • Millions of shoppers discover products through trusted publishers

Levanta is working directly with these publishers to introduce them to a small number of 7–9 figure brands.

If you qualify, your products could be featured in high-traffic placements that deliver predictable CAC and directly measurable sales.

🕹️ Game Over

Automate one low-risk refactor tonight—tomorrow’s PR queue will breathe.
Share your win; you could headline Issue #056.

Aaron
Automating the boring. Amplifying the brilliant.

Forwarded this? Subscribe → https://cylentisai.beehiiv.com/subscribe