Code Reviewer
Goal: Produce a code review report (best practices, security, style, complexity) with file:line findings and a clear Approval Status for pipeline or human use.
Description
Automated code review checking for best practices, security vulnerabilities, code smells, and style violations.
Usage
- •"Review PR #123"
- •"Check [file] for issues"
- •"Review the code in [directory]"
- •"What's wrong with this code: [code snippet]"
When run by pipeline with --files or --json, also end with a one-line Approval Status: APPROVED, APPROVED WITH COMMENTS, or NOT APPROVED.
Pipeline Contract (sdlc-full.lobster and sdlc-tdd-full.lobster)
Inputs (when used in pipeline; bin wrapper passes --files or PR context):
- •
files(array of paths) orpr_number(number). If PR: fetch diff viagh pr diff <pr_number>. - •
security_report(JSON, optional): Security scan results from security-scanner - •
quality_report(JSON, optional): Quality gate results from quality-gate-checker - •
stories(JSON array, optional): User stories for acceptance criteria verification - •
strict_mode(boolean, optional): If true, fail recommendation on warnings.
Output: JSON with structure:
json
{
"approval_status": "APPROVED",
"code_review": {
"critical_issues": 0,
"warnings": 2,
"suggestions": 5
},
"security_summary": {
"status": "PASS",
"vulnerabilities": 0
},
"quality_summary": {
"coverage_percent": 82,
"complexity_max": 8,
"linting_errors": 0
},
"acceptance_criteria_met": true
}
Implementation
Execute in order. Do not run the Lobster tool or any pipeline. Prefer workspace-relative paths. Use bash for gh/linters.
Step 0: Review Quality and Security Reports (NEW)
- •If
security_reportprovided: Check for vulnerabilities, failed OWASP checks - •If
quality_reportprovided: Check coverage, complexity, linting status - •If
security_report.status = "FAIL"ORquality_report.status = "FAIL":- •Set
approval_status = "NOT APPROVED" - •List blocking issues in review findings
- •Include specific security vulnerabilities or quality failures
- •Set
Step 1: Obtain Code to Review
- •If input is a PR number: run
gh pr diff <number>and capture output; optionallygh pr view <number>for title/body. - •If input is a list of files: read_file each path (workspace-relative).
- •If input is a directory: list_dir then read_file key files (prioritize source over tests). Prefer diff when available (e.g.
git diff main -- <files>).
Step 2: Run Static Analysis (by language)
- •Python: Run
bandit -r <path> -f txt(security);flake8 <path>orruff check <path>(style);radon cc <path> -a(complexity). If a linter is not installed, say so and continue with manual review. - •JavaScript/TypeScript: Run
eslint <path>ornpx eslint <path>. If missing, say so and continue with manual review. - •Go: Run
golangci-lint run <path>. If missing, say so and continue with manual review. - •Generic: Grep for dangerous patterns (e.g.
eval(,innerHTML =, raw SQL with string concat) and cite line numbers.
Step 3: Check Project Conventions
- •Read
.editorconfig,.eslintrc*,pyproject.toml, orpackage.jsonfor lint/format config if present; note any violations. - •Look for existing test files for the same module; note coverage or missing tests.
Step 4: Verify Acceptance Criteria (if stories provided)
- •If
storiesprovided, check that implementation matches acceptance criteria - •For each story's Given-When-Then scenarios, verify corresponding tests exist and pass
- •Flag any acceptance criteria not covered by implementation
- •Set
acceptance_criteria_met: trueif all scenarios implemented
Step 5: Generate Review Report
- •Use the Output Format below. Include file:line for every finding. Group by Critical / Warning / Info.
- •Include Quality Gate Summary if quality_report provided (coverage, complexity, linting)
- •Include Security Report if security_report provided (vulnerabilities, OWASP checks)
- •End with exactly one line:
Approval Status: NOT APPROVEDif any critical issues;Approval Status: APPROVED WITH COMMENTSif only warnings;Approval Status: APPROVEDif clean. This line allows the pipeline to parse the result. - •If pipeline passed
strict_mode: true, set NOT APPROVED if there are any warnings. - •Output JSON block at end with approval_status, code_review, security_summary, quality_summary, acceptance_criteria_met
Output Format
markdown
# Code Review for [Feature/PR]
## Quality Gate Summary
✅ Coverage: 82% (target: 70%)
✅ Complexity: Max 8 (limit: 10)
✅ Linting: 0 errors, 2 warnings
## Security Report
✅ No SQL injection vulnerabilities
✅ No XSS vulnerabilities
✅ No hardcoded secrets
✅ Dependencies: 0 high, 3 medium, 5 low
## Review Findings
✅ **Passed (8 checks)**
⚠️ **Suggestions (2)**
❌ **Issues (0)**
### Passed Checks
- No security vulnerabilities detected
- Style conventions followed
- No code duplication
- Test coverage adequate (82%)
- Documentation present
- All acceptance criteria implemented
- SOLID principles followed
- Git commits well-structured
### Suggestions (Non-Blocking)
- Function `calculateMetrics()` has complexity 8 (close to limit)
→ api/metrics.py:42 - Consider simplifying for future maintainability
- Missing error handling in API call
→ api/client.py:105 - Add try-catch block for network errors
## Acceptance Criteria Verification
✅ STORY-001: All scenarios covered by tests
✅ STORY-002: Implementation matches Given-When-Then
✅ STORY-003: Edge cases handled
## Recommendations
1. Consider adding error handling to API client (non-blocking)
2. Keep monitoring complexity of calculateMetrics() function
## Approval Status
**APPROVED** ✅
```json
{
"approval_status": "APPROVED",
"code_review": {
"critical_issues": 0,
"warnings": 0,
"suggestions": 2
},
"security_summary": {
"status": "PASS",
"vulnerabilities": 0
},
"quality_summary": {
"coverage_percent": 82,
"complexity_max": 8,
"linting_errors": 0
},
"acceptance_criteria_met": true,
"quality_score": 9.0,
"security_score": 10.0
}
code