Review Code
Comprehensive code review using specialized agents AND multi-LLM review. Catches bugs, security issues, and pattern violations.
Works on:
- •Local changes (uncommitted work) - default
- •GitHub PRs (with
--prflag)
Taxonomy:
- •
/create-plan→/create-code→/review-code- •This is the final quality gate before committing
Run /lint after - This skill finds semantic issues; lint afterward to clean up formatting.
Related:
- •
/review-plan- Review plans (different agents, different LLM models) - •
/create-code- Implement code from plan - •
/lint- Linting and formatting (run first)
Two-Phase Review
This skill combines:
- •Specialized Code Agents - Claude agents for pattern-specific checks
- •Multi-LLM Review - External models for diverse perspectives
| Phase | Models/Agents | Strength |
|---|---|---|
| Phase 1: Agents | Claude agents (race-condition-finder, etc.) | Pattern detection, domain-specific |
| Phase 2: Multi-LLM | Codex, Gemini, seq-server (see multi-llm-review.md) | Code quality, diverse perspectives |
Usage
/review-code # Local uncommitted changes (default) /review-code <file-or-directory> # Review specific path /review-code --pr 123 # Review GitHub PR #123 /review-code --pr 123 --quick # Quick PR review (Tier 1 only) /review-code --quick # Tier 1 agents only (no multi-LLM) /review-code --security # Security-focused review /review-code --full # All tiers + multi-LLM (most thorough) /review-code --agents-only # Skip multi-LLM review /review-code --llm-only # Skip agents, multi-LLM only
Multi-LLM Models (Code Review)
See .claude/docs/multi-llm-review.md for model selection, CLI commands, quota limits, and fallback logic. All three tools (Codex, Gemini, seq-server) MUST be used.
What It Does
/review-code [--pr <number>]
│
▼
┌─────────────────────────────────────────┐
│ Step 1: IDENTIFY CHANGES │
│ - Local: git diff (uncommitted) │
│ - PR mode: gh pr diff <number> │
│ - Detect languages (Go, TS, etc.) │
│ - Identify domains (API, store, UI) │
└─────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────┐
│ Step 2: RUN CODE AGENTS (Claude) │
│ │
│ Tier 1 (always): │
│ - race-condition-finder │
│ - simplicity-reviewer │
│ - pattern-reviewer │
│ - error-handling-reviewer │
│ │
│ Tier 2 (security): │
│ - xss-reviewer │
│ - validation-reviewer │
│ - permission-auditor │
│ │
│ Tier 3+ (domain-specific): │
│ - Based on files changed │
└─────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────┐
│ Step 3: MULTI-LLM REVIEW (in parallel) │
│ │
│ All models from multi-llm-review.md │
│ (Codex + Gemini + seq-server) │
│ │
│ Focus: Code quality, edge cases, │
│ security, performance │
└─────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────┐
│ Step 4: SYNTHESIZE FINDINGS │
│ - Merge agent + LLM findings │
│ - Prioritize by severity │
│ - Apply 80/20 filter │
│ - Only 2+ model agreement = MUST FIX │
└─────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────┐
│ OUTPUT: Review Report │
│ - MUST FIX (blockers) │
│ - SHOULD FIX (quality) │
│ - Passed checks │
└─────────────────────────────────────────┘
Multi-LLM Review Commands
Run all models from .claude/docs/multi-llm-review.md in parallel (single message, multiple tool calls). This includes Codex, Gemini, AND seq-server — do NOT skip any.
Code Review Prompt Template
Review this code for bugs, security issues, and quality. ## Code Changes <code> [paste git diff or file contents] </code> ## CRITICAL: Apply 80/20 Thinking **A MUST FIX blocker is ONLY:** - Bug that will cause runtime failure - Security vulnerability (injection, auth bypass, XSS) - Data integrity risk (corruption, loss) - Race condition / concurrency bug - Missing error handling that crashes **NOT a blocker (SHOULD FIX or SKIP):** - Style issues, naming preferences - Minor optimizations - Missing comments/docs - "Best practices" that don't affect correctness ## Evaluate 1. **Correctness**: Will this code work as intended? 2. **Security**: Any vulnerabilities? 3. **Edge Cases**: Null checks, error handling, boundary conditions? 4. **Performance**: Any obvious inefficiencies? 5. **Patterns**: Does it follow established codebase patterns? ## Output 1. **MUST FIX** (0-3 max): What breaks? File:line? Fix? 2. **SHOULD FIX** (0-5): Quality improvements 3. **VERDICT**: APPROVED / NEEDS WORK
Agent Tiers
Tier 1: Core (Always Run)
| Agent | Catches |
|---|---|
race-condition-finder | Concurrency bugs, TOCTOU, data races |
simplicity-reviewer | Over-engineering, YAGNI violations |
error-handling-reviewer | Missing error checks, swallowed errors |
Tier 2: Security
| Agent | Catches |
|---|---|
xss-reviewer | XSS vulnerabilities in frontend |
validation-reviewer | Missing input validation |
hardcoded-values-reviewer | Secrets, magic numbers, config in code |
Tier 3: Backend (Go files)
| Agent | Catches |
|---|---|
go-pro | Go patterns, error handling, concurrency |
concurrent-go-reviewer | Go concurrency safety |
postgres-expert | Database query optimization |
Tier 4: Frontend (TS/TSX files)
| Agent | Catches |
|---|---|
react-pro | React patterns, hooks, performance |
typescript-pro | TypeScript patterns, type safety |
Tier 5: Testing
| Agent | Catches |
|---|---|
test-coverage-reviewer | Missing test coverage for new code |
test-unit-expert | Test quality, assertions, mocking |
playwright-patterns-reviewer | E2E test patterns, flaky tests |
production-validator | Mock/stub code that should be real implementations |
Tier 6: Advanced/Expert (Optional)
| Agent | When |
|---|---|
websocket-expert | WebSocket patterns |
owasp-security | OWASP vulnerability checks |
accessibility-guardian | Accessibility compliance |
Tier 7: Quality/Maintenance (Optional)
| Agent | When |
|---|---|
duplication-reviewer | Code duplication detection |
comment-analyzer | Comment quality analysis |
DO NOT Use for Code Review
These are PLAN agents - use them in /create-plan and /review-plan:
- •
design-flaw-finder- Reviews design, not implementation - •
api-contract-reviewer- Reviews API design, not handler code - •
database-architecture-reviewer- Reviews schema design, not queries - •
ux-design-reviewer- Reviews UX design, not components - •
system-design-reviewer- Reviews architecture, not code
Full Agent Reference
For complete agent listing (~140 agents), see .claude/agents/AGENT_REGISTRY.md.
Agent Selection Logic
# Pseudo-logic for agent selection
agents = []
# Tier 1: Always run (MUST RUN)
agents.extend([
"race-condition-finder",
"simplicity-reviewer",
"error-handling-reviewer"
])
# Tier 2: Security (always for production code)
if not test_files_only:
agents.extend([
"hardcoded-values-reviewer",
"owasp-security"
])
# Tier 3: Backend (Go files)
if has_go_files:
agents.append("go-pro")
agents.append("concurrent-go-reviewer")
if has_db_changes:
agents.append("postgres-expert")
# Tier 4: Frontend (TS/TSX files)
if has_ts_files:
agents.append("react-pro")
agents.append("typescript-pro")
# Tier 5: Testing
if has_test_files:
if has_go_tests:
agents.append("test-unit-expert")
if has_e2e_tests:
agents.append("playwright-patterns-reviewer")
Output Format
## Code Review: [files reviewed] ### MUST FIX (Blockers) | Issue | File:Line | Agent | Fix | |-------|-----------|-------|-----| | Race condition in cache access | `cache.go:45` | race-condition-finder | Add mutex | | Missing permission check | `api.go:123` | permission-auditor | Add HasPermission call | ### SHOULD FIX (Quality) | Issue | File:Line | Agent | Recommendation | |-------|-----------|-------|----------------| | Overly complex function | `utils.go:89` | simplicity-reviewer | Extract helper | ### Passed Checks - ✅ No XSS vulnerabilities - ✅ Input validation present - ✅ Error handling complete - ✅ Tests cover new code ### Agent Summary | Agent | Verdict | Findings | |-------|---------|----------| | race-condition-finder | ⚠️ ISSUES | 1 race condition | | simplicity-reviewer | ✅ PASS | - | | xss-reviewer | ✅ PASS | - | | permission-auditor | ⚠️ ISSUES | 1 missing check | --- ### Verdict: NEEDS WORK / APPROVED Fix MUST FIX items before committing.
Flags
| Flag | Effect |
|---|---|
--pr <number> | Review GitHub PR instead of local changes |
--quick | Tier 1 agents only, no multi-LLM (fastest) |
--security | Focus on Tier 2 security agents + LLM security review |
--full | All tiers + multi-LLM (most thorough) |
--agents-only | Skip multi-LLM review (Claude agents only) |
--llm-only | Skip agents, run multi-LLM review only |
Examples
# Full review of local changes (agents + multi-LLM) - RECOMMENDED /review-code # Review specific file /review-code server/app/item_core.go # Review a GitHub PR /review-code --pr 123 # Quick PR review (Tier 1 agents only) /review-code --pr 123 --quick # Security-focused PR review /review-code --pr 123 --security # Quick review (Tier 1 agents only, no LLM) /review-code --quick # Security-focused review /review-code --security # Full review (all tiers + multi-LLM) /review-code --full # Agents only (skip external LLMs) /review-code --agents-only # Multi-LLM only (skip agents) /review-code --llm-only
CLI Reference
See .claude/docs/multi-llm-review.md for CLI commands and quota fallback logic.
When to Use
| Scenario | Command | Skip review |
|---|---|---|
After /create-code | /review-code | |
| Before committing | /review-code | |
| Reviewing a PR | /review-code --pr 123 | |
| Security-sensitive code | /review-code --security | |
| Quick PR check | /review-code --pr 123 --quick | |
| Tiny typo fix | ✅ | |
| Documentation only | ✅ |
Integration with Workflow
/create-plan "feature" # Create plan
│
▼
/create-code plan.md # Implement
│
▼
/review-code # Agent review ← THIS SKILL
│
▼
Fix MUST FIX items
│
▼
/lint # Final formatting
│
▼
Commit changes
Tips
- •Run before every commit - Catch issues early
- •Use
--quickfor WIP - Full review before PR - •Fix MUST FIX immediately - They're blockers for a reason
- •SHOULD FIX can wait - Address in follow-up if time-constrained
- •Trust multi-model consensus - 2+ models agreeing = real issue
- •Parallel execution - Run all LLM calls in single message
- •Use
--agents-onlyfor speed - When external LLMs are slow/unavailable - •Be skeptical of single-model findings - Could be false positive