# xreview
Agent-native code review engine for Claude Code and Codex CLI, powered by Codex.
xreview delegates code review to Codex (a separate AI model) so your coding agent gets an independent second opinion. It orchestrates a three-party review loop: Codex reviews, your agent verifies, you decide.
Chinese README (中文版 README)
Curious why this exists? I wrote a post about the motivation and how it works: Why I built xreview
## How It Works
When you ask your coding agent to review your code, the xreview skill takes over:
- Codex reviews your code and reports findings (bugs, security issues, logic errors)
- Your agent verifies each finding independently — reads the actual source code, confirms or challenges false positives by discussing with Codex
- Your agent presents a Fix Plan with only verified findings — trigger, impact, cascade, and fix options
- You decide — approve all recommended fixes, pick by severity, or adjust per finding
- Your agent fixes strictly per your approved plan
- Codex verifies the fixes in a follow-up round, and may find new issues or reopen dismissed ones
- Repeat until all parties agree (or 5 rounds max)
- Summary — your agent produces a detailed verbal summary of all findings, decisions, and fixes
This isn't your agent reviewing its own work. It's a genuinely independent review from a different model, with your agent acting as a verification layer that filters out false positives before presenting to you.
## Installation

### Claude Code

Register the marketplace and install:

```text
/plugin marketplace add davidleitw/xreview
/plugin install xreview@xreview-marketplace
```
### Codex CLI

Paste this into your Codex CLI session:

```text
Fetch and follow instructions from https://raw.githubusercontent.com/davidleitw/xreview/master/.codex/INSTALL.md
```

Or install manually:

```bash
# Install binary
curl -fsSL https://raw.githubusercontent.com/davidleitw/xreview/master/scripts/install.sh | bash

# Install skill
mkdir -p ~/.agents/skills/xreview
curl -fsSL -o ~/.agents/skills/xreview/SKILL.md https://raw.githubusercontent.com/davidleitw/xreview/master/.agents/skills/xreview/SKILL.md
```
## Prerequisites

- Codex CLI installed and authenticated (`npm install -g @openai/codex`)
- OpenAI API key configured for Codex
## Usage

Just ask your coding agent to review:

```text
Use xreview to check my code for bugs and security issues
```

Or be specific about which files:

```text
Use xreview to review store/db.go and handler/exec.go for security vulnerabilities
```

The xreview skill triggers automatically. In Claude Code, you can also invoke it directly with `/xreview`.
## What It Catches

| Category | Examples |
|---|---|
| Security | SQL injection, command injection, hardcoded secrets, missing auth |
| Logic | Nil pointer dereference, race conditions, off-by-one errors |
| Error Handling | Ignored errors, resource leaks, unclosed connections |
| Performance | N+1 queries, unnecessary allocations |
## Language-Specific Review

xreview supports language-aware review via `--language`. When the skill detects that review targets are written in a supported language, it automatically adds language-specific guidelines to the Codex prompt.

| Language | Key | Guidelines |
|---|---|---|
| C++ | cpp | ISO C++ Core Guidelines — memory safety, UB, concurrency, exception safety, ownership, class design |
| Go | go | Effective Go + Go Code Review Comments — goroutine safety, data race, resource leak, error handling, concurrency patterns |
Unsupported languages fall back to general-purpose review (same behavior as without the flag).
## The Three-Party Loop

Each finding goes through a structured analysis:

```text
F-001: SQL Injection (security/high)
store/db.go:34 — FindUser()
Trigger: user sends malicious string via /user?name=' OR '1'='1
Root cause: fmt.Sprintf concatenates user input directly into SQL query
Impact: attacker can read, modify, or delete any data in the database
-> Fix: changed to parameterized query db.Query("...WHERE name = ?", name)
```
- All findings presented at once — you see the full picture before any code changes
- Multiple fix options per finding — your agent lists alternatives with effort levels; you pick
- Every finding includes "Don't fix" — you always have the final say
After all findings are addressed, Codex verifies the fixes. If it disagrees with a dismissal or finds an incomplete fix, the loop continues.
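Worked example of finding F-001, added here and not part of xreview's own code: the vulnerable `FindUser` pattern next to its parameterized fix, both run through a constructed recording driver (no real database) so you can see exactly what each variant hands to the database. The table name, column, placeholder and payload come from the finding above; the `recorder` driver, `FindUserVulnerable`, `FindUserSafe` and `RecordQueries` are names assumed for this example.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
	"sync"
)

// recorder is a constructed stand-in for a real database driver. It executes
// nothing; it records the SQL text and bound arguments that database/sql hands
// to it, which is precisely what a real database server would receive.
type recorder struct {
	mu      sync.Mutex
	queries []string
	args    [][]driver.Value
}

func (r *recorder) reset() { r.mu.Lock(); defer r.mu.Unlock(); r.queries, r.args = nil, nil }

func (r *recorder) Open(name string) (driver.Conn, error) { return &conn{r: r}, nil }

type conn struct{ r *recorder }

func (c *conn) Prepare(query string) (driver.Stmt, error) { return &stmt{r: c.r, q: query}, nil }
func (c *conn) Close() error                              { return nil }
func (c *conn) Begin() (driver.Tx, error)                 { return nil, errors.New("not supported") }

type stmt struct {
	r *recorder
	q string
}

func (s *stmt) Close() error  { return nil }
func (s *stmt) NumInput() int { return -1 } // -1: do not validate the placeholder count
func (s *stmt) Exec(args []driver.Value) (driver.Result, error) {
	return nil, errors.New("not supported")
}
func (s *stmt) Query(args []driver.Value) (driver.Rows, error) {
	s.r.mu.Lock()
	defer s.r.mu.Unlock()
	s.r.queries = append(s.r.queries, s.q)
	s.r.args = append(s.r.args, append([]driver.Value(nil), args...))
	return &emptyRows{}, nil
}

// emptyRows is a result set with no rows, enough for database/sql to be happy.
type emptyRows struct{}

func (*emptyRows) Columns() []string              { return []string{"name"} }
func (*emptyRows) Close() error                   { return nil }
func (*emptyRows) Next(dest []driver.Value) error { return io.EOF }

var rec = &recorder{}

func init() { sql.Register("recorder", rec) }

// FindUserVulnerable mirrors the pattern in finding F-001: the caller-controlled
// name is spliced into the SQL text with fmt.Sprintf, so a payload such as
// ' OR '1'='1 rewrites the WHERE clause into a tautology.
func FindUserVulnerable(db *sql.DB, name string) error {
	q := fmt.Sprintf("SELECT name FROM users WHERE name = '%s'", name)
	rows, err := db.Query(q)
	if err != nil {
		return err
	}
	defer rows.Close()
	return rows.Err()
}

// FindUserSafe is the parameterized form from the Fix line: the SQL text is a
// constant with a placeholder and the value travels separately as a bound
// argument, so it cannot change the structure of the statement.
func FindUserSafe(db *sql.DB, name string) error {
	rows, err := db.Query("SELECT name FROM users WHERE name = ?", name)
	if err != nil {
		return err
	}
	defer rows.Close()
	return rows.Err()
}

// RecordQueries runs both variants with the same input and returns what each
// one actually sent to the driver: the vulnerable SQL text, the parameterized
// SQL text, and the arguments bound to the parameterized statement.
func RecordQueries(input string) (vulnerableSQL, safeSQL string, safeArgs []driver.Value, err error) {
	db, err := sql.Open("recorder", "")
	if err != nil {
		return "", "", nil, err
	}
	defer db.Close()
	rec.reset()
	if err := FindUserVulnerable(db, input); err != nil {
		return "", "", nil, err
	}
	if err := FindUserSafe(db, input); err != nil {
		return "", "", nil, err
	}
	rec.mu.Lock()
	defer rec.mu.Unlock()
	return rec.queries[0], rec.queries[1], rec.args[1], nil
}

func main() {
	vulnerable, safe, args, err := RecordQueries("' OR '1'='1") // payload from F-001
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable sends:   ", vulnerable)
	fmt.Println("parameterized sends:", safe, "with args", args)
}
```

Run it with `go run .` and compare the two lines: the vulnerable variant sends `WHERE name = '' OR '1'='1'`, a different statement from the one the developer wrote, while the parameterized variant always sends `WHERE name = ?` and the payload arrives as plain data. That structural difference is what the Fix line in F-001 relies on, and it is why a verifying agent can confirm the finding by reading the query construction rather than trusting the reviewer's word.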
## Auto-Update
xreview keeps itself up to date automatically. During preflight (the first step of every review), it checks GitHub Releases for a newer version. The check is cached locally for 24 hours to avoid slowing things down.