Enforces code reviews using Claude, OpenAI Codex CLI, or Google Gemini before commits and deploys. Invoke via /code-review with single or multi-engine options.
npx claudepluginhub joshuarweaver/cascade-code-languages-misc-2 --plugin alinaqi-claude-bootstrap
**Purpose:** Enforce automated code reviews as a mandatory guardrail before every commit and deployment. Choose between Claude, OpenAI Codex, Google Gemini, or multiple engines for comprehensive analysis.
When running /code-review, users can choose their preferred review engine:
```
CODE REVIEW - Choose Your Engine
------------------------------------------------------------

- Claude (default)
    Built-in, no extra setup, full conversation context

- OpenAI Codex CLI
    GPT-5.2-Codex specialized for code review, 88% detection
    Requires: npm install -g @openai/codex

- Google Gemini CLI
    Gemini 2.5 Pro with 1M token context, free tier available
    Requires: npm install -g @google/gemini-cli

- Dual Engine (any two)
    Run two engines, compare findings, catch more issues

- All Three (maximum coverage)
    Run Claude + Codex + Gemini for critical/security code
```

| Aspect | Claude | Codex | Gemini | Multi-Engine |
|---|---|---|---|---|
| Setup | None | npm + OpenAI API | npm + Google Account | All setups |
| Speed | Fast | Fast | Fast | 2-3x time |
| Context | Conversation | Fresh per review | 1M tokens | N/A |
| Detection | Good | 88% (best) | 63.8% SWE-Bench | Combined |
| Free Tier | N/A | Limited | 1,000/day | Varies |
| Best for | Quick reviews | High accuracy | Large codebases | Critical code |

```toml
# ~/.claude/settings.toml or project CLAUDE.md
[code-review]
default_engine = "claude"  # Options: claude, codex, gemini, dual, all
```

```bash
# Use default engine
/code-review

# Explicitly choose engine
/code-review --engine claude
/code-review --engine codex
/code-review --engine gemini

# Dual engine (pick any two)
/code-review --engine claude,codex
/code-review --engine claude,gemini
/code-review --engine codex,gemini

# All three engines
/code-review --engine all

# Quick shortcuts
/code-review            # Uses default
/code-review --codex    # Use Codex
/code-review --gemini   # Use Gemini
/code-review --all      # All three engines
```

When using multiple engines, findings are compared and deduplicated:
```
CODE REVIEW RESULTS - DUAL ENGINE (Claude + Codex)
------------------------------------------------------------

✅ AGREED (Found by both):
  🔴 SQL injection in auth.ts:45
  🟡 Missing error handling in api.ts:112

🔷 CLAUDE ONLY:
  🟠 Potential race condition in worker.ts:89
  🟢 Consider extracting helper function

🔶 CODEX ONLY:
  🟠 Memory leak - unclosed stream in upload.ts:34
  🟡 N+1 query pattern in orders.ts:156

------------------------------------------------------------
SUMMARY
  Agreed: 2 | Claude only: 2 | Codex only: 2
  Critical: 1 | High: 2 | Medium: 2 | Low: 1
  Status: BLOCKED - Fix critical/high issues
```

```
CODE REVIEW RESULTS - TRIPLE ENGINE
------------------------------------------------------------

✅ UNANIMOUS (All 3 found):
  🔴 SQL injection in auth.ts:45

✅ MAJORITY (2 of 3 found):
  🟠 Memory leak - unclosed stream in upload.ts:34 (Codex+Gemini)
  🟡 Missing error handling in api.ts:112 (Claude+Codex)

🔷 CLAUDE ONLY:
  🟠 Potential race condition in worker.ts:89

🔶 CODEX ONLY:
  🟡 N+1 query pattern in orders.ts:156

🟢 GEMINI ONLY:
  🟡 Consider using batch API for better performance
  🟢 Type could be more specific in types.ts:23

------------------------------------------------------------
SUMMARY
  Unanimous: 1 | Majority: 2 | Single: 5
  Critical: 1 | High: 2 | Medium: 3 | Low: 2
  Status: BLOCKED - Fix critical/high issues
```

| Mode | Use When |
|---|---|
| Single (Claude) | Quick in-flow reviews, exploration |
| Single (Codex) | CI/CD automation, high accuracy needed |
| Single (Gemini) | Large codebases (100+ files), free tier |
| Dual | Important PRs, pre-merge reviews |
| Triple (All) | Security-critical code, payment systems, auth |

```
CODE REVIEW IS NON-NEGOTIABLE
------------------------------------------------------------

Every commit must pass code review.
Every PR must be reviewed before merge.
Every deployment must include review sign-off.

AI catches what humans miss. Humans catch what AI misses.
Together: fewer bugs, cleaner code, better security.
------------------------------------------------------------
INVOKE: /code-review
PLUGIN: code-review@claude-plugins-official
```

| Trigger | Action | Command |
|---|---|---|
| Before commit | Review staged changes | /code-review |
| Before PR | Review all changes vs base | /code-review |
| Before merge | Final review of PR | /code-review |
| Before deploy | Review deployment diff | /code-review |
Run code review automatically before every commit:
```
COMMIT WORKFLOW
------------------------------------------------------------

1. Write code
2. Run tests (TDD - must pass)
3. Run /code-review   ← MANDATORY
4. Address critical/high issues
5. Commit
6. Push

Skip step 3? → NO COMMIT ALLOWED
```

```bash
# Review current changes
/code-review

# Review specific files
/code-review src/auth/*.ts

# Review a PR
/code-review --pr 123

# Review with specific focus
/code-review --focus security
/code-review --focus performance
/code-review --focus architecture
```

The code review plugin analyzes:
| Category | What It Checks |
|---|---|
| Security | Vulnerabilities, injection risks, auth issues, secrets |
| Performance | N+1 queries, memory leaks, inefficient algorithms |
| Architecture | Design patterns, SOLID principles, coupling |
| Code Quality | Readability, complexity, duplication |
| Best Practices | Language idioms, framework conventions |
| Testing | Coverage gaps, test quality, edge cases |
| Documentation | Missing docs, outdated comments |

| Level | Action Required | Can Commit? |
|---|---|---|
| 🔴 Critical | Must fix immediately | NO |
| 🟠 High | Should fix before commit | NO |
| 🟡 Medium | Fix soon, can commit | YES |
| 🟢 Low | Nice to have | YES |
| ℹ️ Info | Suggestions only | YES |

```bash
#!/bin/bash
# .git/hooks/pre-commit
echo "Running code review..."

# Collect staged source files (added, copied or modified)
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.(ts|tsx|js|jsx|py|go|rs)$')

if [ -n "$STAGED_FILES" ]; then
    # Write the result to a private temp file rather than a fixed path in /tmp
    RESULT_FILE=$(mktemp) || exit 1
    trap 'rm -f "$RESULT_FILE"' EXIT

    # Invoke code review (requires claude CLI); block the commit if the review itself fails
    if ! claude --print "/code-review $STAGED_FILES" > "$RESULT_FILE" 2>&1; then
        echo "Code review did not run successfully:"
        cat "$RESULT_FILE"
        exit 1
    fi

    # Check for critical/high issues
    if grep -q "🔴\|Critical\|🟠\|High" "$RESULT_FILE"; then
        echo "Code review found critical/high issues:"
        cat "$RESULT_FILE"
        echo ""
        echo "Fix these issues before committing."
        exit 1
    fi

    echo "✅ Code review passed"
fi

exit 0
```

```bash
chmod +x .git/hooks/pre-commit
```

If you want to use Codex or multi-engine modes, install the Codex CLI:

```bash
# Prerequisites: Node.js 22+
node --version  # Must be 22+

# Install Codex CLI
npm install -g @openai/codex

# Authenticate (choose one):
# Option 1: ChatGPT subscription (Plus, Pro, Team, Enterprise)
codex  # Follow prompts to sign in

# Option 2: API key
export OPENAI_API_KEY=sk-proj-...
```

```bash
# Check Codex is installed
codex --version

# Test review
codex
> /review
```

See codex-review.md skill for full Codex documentation.
If you want to use Gemini or multi-engine modes, install the Gemini CLI:

```bash
# Prerequisites: Node.js 20+
node --version  # Must be 20+

# Install Gemini CLI
npm install -g @google/gemini-cli

# Or via Homebrew (macOS)
brew install gemini-cli

# Install Code Review extension
gemini extensions install https://github.com/gemini-cli-extensions/code-review

# Option 1: Google Account (recommended, 1000 req/day free)
gemini  # Follow browser login prompts

# Option 2: API key (100 req/day free)
export GEMINI_API_KEY="your-key-from-aistudio.google.com"
```

```bash
# Check Gemini is installed
gemini --version

# List extensions
gemini extensions list

# Test review
gemini
> /code-review
```

See gemini-review.md skill for full Gemini documentation.

```yaml
# .github/workflows/code-review.yml
name: Code Review

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  code-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Get changed files
        id: changed-files
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          echo "files=$(git diff --name-only "origin/${BASE_REF}...HEAD" | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
      - name: Run Claude Code Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          # File names come from the pull request, so pass them through the
          # environment instead of expanding them into the script text.
          CHANGED_FILES: ${{ steps.changed-files.outputs.files }}
        run: |
          npx @anthropic-ai/claude-code --print "/code-review ${CHANGED_FILES}" > review.md
      - name: Post Review Comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('review.md', 'utf8');
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `## Claude Code Review\n\n${review}`
            });
      - name: Check for Critical Issues
        run: |
          if grep -q "Critical\|🔴" review.md; then
            echo "Critical issues found"
            exit 1
          fi
```

```yaml
# .github/workflows/codex-review.yml
name: Codex Code Review

on:
  pull_request:

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Codex Review
        # @main is a mutable ref; pin to a release tag or commit SHA for reproducible runs
        uses: openai/codex-action@main
        with:
          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
          model: gpt-5.2-codex
          safety_strategy: drop-sudo
```

```yaml
# .github/workflows/dual-review.yml
name: Dual Code Review

on:
  pull_request:

jobs:
  claude-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Claude Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          npx @anthropic-ai/claude-code --print "/code-review" > claude-review.md
      - uses: actions/upload-artifact@v4
        with:
          name: claude-review
          path: claude-review.md

  codex-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
      - name: Install Codex
        run: npm install -g @openai/codex
      - name: Codex Review
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          codex exec --full-auto --sandbox read-only \
            --output-last-message codex-review.md \
            "Review this code for bugs, security issues, and quality problems"
      - uses: actions/upload-artifact@v4
        with:
          name: codex-review
          path: codex-review.md

  combine-reviews:
    needs: [claude-review, codex-review]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
      - name: Combine Reviews
        run: |
          echo "## Dual Code Review Results" > combined-review.md
          echo "" >> combined-review.md
          echo "### Claude Findings" >> combined-review.md
          cat claude-review/claude-review.md >> combined-review.md
          echo "" >> combined-review.md
          echo "### Codex Findings" >> combined-review.md
          cat codex-review/codex-review.md >> combined-review.md
      - name: Post Combined Review
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('combined-review.md', 'utf8');
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: review
            });
```

```yaml
# .github/workflows/gemini-review.yml
name: Gemini Code Review

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install Gemini CLI
        run: npm install -g @google/gemini-cli
      - name: Run Review
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
        run: |
          # Get diff
          git diff origin/${{ github.base_ref }}...HEAD > diff.txt
          # Run Gemini review
          gemini -p "Review this pull request diff for bugs, security issues, and code quality problems. Be specific about file names and line numbers.
          $(cat diff.txt)" > review.md
      - name: Post Review Comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('review.md', 'utf8');
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `## 🤖 Gemini Code Review\n\n${review}`
            });
      - name: Check for Critical Issues
        run: |
          if grep -qi "critical\|security vulnerability\|injection" review.md; then
            echo "Critical issues found"
            exit 1
          fi
```

```yaml
# .github/workflows/triple-review.yml
name: Triple Engine Code Review

on:
  pull_request:

jobs:
  claude-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Claude Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          npx @anthropic-ai/claude-code --print "/code-review" > claude-review.md
      - uses: actions/upload-artifact@v4
        with:
          name: claude-review
          path: claude-review.md

  codex-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
      - name: Install Codex
        run: npm install -g @openai/codex
      - name: Codex Review
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          codex exec --full-auto --sandbox read-only \
            --output-last-message codex-review.md \
            "Review this code for bugs, security issues, and quality problems"
      - uses: actions/upload-artifact@v4
        with:
          name: codex-review
          path: codex-review.md

  gemini-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install Gemini CLI
        run: npm install -g @google/gemini-cli
      - name: Gemini Review
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
        run: |
          git diff origin/${{ github.base_ref }}...HEAD > diff.txt
          gemini -p "Review this code diff for bugs, security, and quality issues:
          $(cat diff.txt)" > gemini-review.md
      - uses: actions/upload-artifact@v4
        with:
          name: gemini-review
          path: gemini-review.md

  combine-reviews:
    needs: [claude-review, codex-review, gemini-review]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
      - name: Combine Reviews
        run: |
          echo "## Triple Engine Code Review Results" > combined-review.md
          echo "" >> combined-review.md
          echo "### 🟣 Claude Findings" >> combined-review.md
          cat claude-review/claude-review.md >> combined-review.md
          echo "" >> combined-review.md
          echo "---" >> combined-review.md
          echo "### 🟢 Codex Findings" >> combined-review.md
          cat codex-review/codex-review.md >> combined-review.md
          echo "" >> combined-review.md
          echo "---" >> combined-review.md
          echo "### 🔵 Gemini Findings" >> combined-review.md
          cat gemini-review/gemini-review.md >> combined-review.md
      - name: Post Combined Review
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('combined-review.md', 'utf8');
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: review
            });
      - name: Check Critical Issues
        run: |
          # Fail if any engine found critical issues
          if grep -qi "critical\|🔴" combined-review.md; then
            echo "Critical issues found by at least one engine"
            exit 1
          fi
```

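
The pre-commit hook and the workflow "Check for Critical Issues" steps decide pass/fail by grepping review text for words such as "Critical", which blocks on a sentence like "No critical problems found" and lets through any output that happens not to contain those words, such as an error message. The following added example (not part of the original skill) gates on the severity summary line instead and fails closed. It assumes each saved review ends with a `Critical: N | High: N | ...` line as in the sample results on this page; `severity_count`, `review_gate` and `demo_review_gate` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: fail-closed severity gate for saved review output.
# Assumption: each review contains a summary line shaped like
#   "Critical: 1 | High: 2 | Medium: 2 | Low: 1"

# severity_count FILE LABEL -> prints the count from the last "LABEL: N", or nothing
severity_count() {
  grep -Eio "$2:[[:space:]]*[0-9]+" "$1" 2>/dev/null | tail -n 1 | grep -Eo '[0-9]+$' || true
}

# review_gate FILE... -> 0 = may proceed, 1 = blocked by findings, 2 = review unusable
review_gate() {
  local file crit high status=0
  [ "$#" -gt 0 ] || { echo "review_gate: no review files given" >&2; return 2; }
  for file in "$@"; do
    # A missing or empty file means the engine never produced a review.
    if [ ! -s "$file" ]; then
      echo "BLOCKED: $file is missing or empty" >&2
      return 2
    fi
    crit=$(severity_count "$file" Critical)
    high=$(severity_count "$file" High)
    # No summary line: treat as a failed review, never as a pass.
    if [ -z "$crit" ] || [ -z "$high" ]; then
      echo "BLOCKED: $file has no parseable severity summary" >&2
      return 2
    fi
    if [ "$crit" -gt 0 ] || [ "$high" -gt 0 ]; then
      echo "BLOCKED: $file reports Critical=$crit High=$high" >&2
      status=1
    fi
  done
  return "$status"
}

# Constructed sample reviews: clean, blocked, and an engine error with no summary.
demo_review_gate() {
  local d a=0 b=0 c=0
  d=$(mktemp -d) || return 2
  printf 'No critical problems found.\nCritical: 0 | High: 0 | Medium: 1 | Low: 2\n' > "$d/clean.md"
  printf 'SQL injection in auth.ts:45\nCritical: 1 | High: 2 | Medium: 2 | Low: 1\n' > "$d/blocked.md"
  printf 'Error: authentication failed\n' > "$d/failed.md"
  review_gate "$d/clean.md" || a=$?                    # single engine, clean
  review_gate "$d/clean.md" "$d/blocked.md" || b=$?    # one of two engines blocks
  review_gate "$d/clean.md" "$d/failed.md" || c=$?     # one engine produced no review
  rm -rf "$d"
  echo "$a $b $c"
}

demo_review_gate
```

In a multi-engine workflow, pass each engine's file (for example `claude-review/claude-review.md` and `codex-review/codex-review.md`) to `review_gate` so that one engine failing silently cannot turn into a pass.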
/code-review on staged changes

| Issue | Example | Fix |
|---|---|---|
| SQL Injection | `query = f"SELECT * FROM users WHERE id = {id}"` | Use parameterized queries |
| XSS | `innerHTML = userInput` | Sanitize or use `textContent` |
| Secrets in code | `apiKey = "sk-xxx"` | Use environment variables |
| Missing auth | Unprotected endpoints | Add authentication middleware |
| Insecure crypto | MD5/SHA1 for passwords | Use bcrypt/argon2 |

| Issue | Example | Fix |
|---|---|---|
| N+1 queries | Loop with individual queries | Use batch/eager loading |
| Memory leak | Unclosed connections | Use connection pooling |
| Missing index | Slow queries | Add database indexes |
| Large payload | Fetching unused fields | Select only needed fields |
| No pagination | Loading all records | Implement pagination |

| Issue | Example | Fix |
|---|---|---|
| Long function | 100+ lines | Extract into smaller functions |
| Deep nesting | 5+ levels | Early returns, extract methods |
| Magic numbers | `if (status === 3)` | Use named constants |
| Duplicate code | Copy-pasted blocks | Extract shared function |
| Missing types | `any` everywhere | Add proper TypeScript types |

```
TDD + CODE REVIEW WORKFLOW
------------------------------------------------------------

1. RED: Write failing tests
2. GREEN: Write code to pass tests
3. REFACTOR: Clean up code
4. REVIEW: Run /code-review   ← NEW STEP
5. FIX: Address critical/high issues
6. VALIDATE: Lint + TypeCheck + Coverage
7. COMMIT: Only after review passes

Review catches what tests miss:
- Security vulnerabilities
- Performance issues
- Architecture problems
- Code maintainability
```

When code review finds issues, respond with:

```markdown
## Code Review Results

### 🔴 Critical Issues (Must Fix)
1. **SQL Injection in userController.ts:45**
   - Issue: User input directly interpolated into query
   - Fix: Use parameterized query
   - Code: `db.query('SELECT * FROM users WHERE id = $1', [userId])`

### 🟠 High Issues (Should Fix)
1. **Missing authentication on /api/admin endpoints**
   - Issue: Admin routes accessible without auth
   - Fix: Add auth middleware

### 🟡 Medium Issues (Fix Soon)
1. **N+1 query in getOrders function**
   - Consider eager loading or batch query

### 🟢 Low Issues (Nice to Have)
1. **Consider extracting validation logic to separate file**

### ✅ Strengths
- Good test coverage
- Clear function names
- Proper error handling

### Summary
- Critical: 1 | High: 1 | Medium: 1 | Low: 1
- **Status: BLOCKED** - Fix critical/high issues before commit
```

Claude should automatically suggest or run code review:
Prioritize review based on change type:
| Change Type | Focus Areas |
|---|---|
| Auth/Security code | Security, input validation, crypto |
| Database code | SQL injection, N+1, transactions |
| API endpoints | Auth, rate limiting, validation |
| Frontend code | XSS, state management, performance |
| Infrastructure | Secrets, permissions, logging |

```bash
# Basic review
/code-review

# Review specific files
/code-review src/auth.ts src/users.ts

# Review with focus
/code-review --focus security

# Review PR
/code-review --pr 123
```

```
🔴 Critical → STOP. Fix now. No commit.
🟠 High     → STOP. Fix now. No commit.
🟡 Medium   → Note it. Fix soon. Can commit.
🟢 Low      → Optional. Nice to have.
ℹ️ Info     → FYI only.
```

```
Code → Test → Review → Fix → Commit → Push → PR → Review → Merge → Deploy
                ↑                                   ↑                ↑
           /code-review                        /code-review     /code-review
```