Scenario 09: Code Review
Automated code review for pull requests, patches, and local changes.
Quick Start
# Select Code Review Scenario
/select 09
Review Sources
GitHub Pull Request
/review github 123
GitLab Merge Request
/review gitlab 456
Local Git Changes
/review git
Patch File
/review file path/to/changes.patch
Understanding Review Output
╭─────────────── Review Results ────────────────────────────╮
│ │
│ Score: 72/100 Recommendation: REQUEST_CHANGES │
│ │
│ Findings: │
│ │
│ 🔴 CRITICAL SQL Injection Risk │
│ Location: src/api/user_query.c:45 │
│ Pattern: User input concatenated in query │
│ Fix: Use parameterized queries │
│ │
│ 🟡 MEDIUM Cyclomatic Complexity │
│ Location: src/parser/gram.y:1234 │
│ Value: 47 (threshold: 10) │
│ Fix: Extract helper functions │
│ │
│ 🟢 LOW Missing NULL check │
│ Location: src/utils/string.c:89 │
│ Fix: Add NULL pointer validation │
│ │
╰───────────────────────────────────────────────────────────╯
Review with Inline Comments
/review git --format md --inline
╭─────────────── Inline Comments ───────────────────────────╮
│ │
│ src/api/user_query.c │
│ │
│ Line 45: │
│ sprintf(query, "SELECT * FROM users WHERE id=%s", id); │
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^│
│ 🔴 SQL Injection: Use snprintf with proper escaping │
│ │
│ Line 67: │
│ char *result = malloc(len); │
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^ │
│ 🟡 Memory: Check malloc return value for NULL │
│ │
╰───────────────────────────────────────────────────────────╯
Output Formats
| Format | Description | Use Case |
|---|---|---|
| --format md | Markdown | Documentation, GitHub |
| --format json | JSON | CI/CD integration |
| --format yaml | YAML | Configuration |
Review Options
# Basic review
/review git
# With format
/review git --format json
# With inline comments
/review git --inline
# Combined
/review github 123 --format md --inline
CPG-Powered Code Review
The code review scenario leverages the CPG (Code Property Graph) for automated analysis:
Change Risk Assessment
Each changed method receives a risk score (0.0–1.0) based on 4 factors:
| Factor | Description |
|---|---|
| Caller count | More callers means wider impact |
| Signature complexity | Parameter count |
| Core module location | Domain plugins and base services |
| Interface layer | +0.15 if method is in CLI/API/TUI/MCP/ACP |
Levels: critical (≥0.8), high (≥0.6), medium (≥0.4), low (<0.4).
Interface Impact Detection
When files in interface layers are changed, the code review identifies which interfaces are affected:
Interface Layers:
CLI → src/cli/
REST API → src/api/routers/
TUI → src/tui/commands/
MCP → src/mcp/tools/, src/mcp/
ACP → src/acp/server/, src/acp/
Real Git Diff Analysis
The PRImpactHandler extracts changed files via git diff --name-only {base_ref} HEAD for accurate blast radius analysis. Supported extensions: .py, .go, .ts, .js, .c, .h, .java, .kt, .cs, .php.
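The risk scoring, interface-layer mapping and diff filtering described in the three sections above, as one added worked example in Python (this is not the project's PRImpactHandler code). The four factors, the +0.15 interface bonus, the level thresholds, the layer path prefixes and the extension list are taken from this page; the per-factor weights, the core-module prefixes and the sample `git diff --name-only` output are assumptions made for the illustration.

```python
"""Change-risk scoring and interface-impact detection over a git diff.

Added example, not the project's own implementation. Factors, thresholds,
interface prefixes and extensions follow the documentation; the weights
and CORE_MODULE_PREFIXES are assumptions.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Supported source extensions, as listed for the PRImpactHandler.
SUPPORTED_EXTENSIONS = {".py", ".go", ".ts", ".js", ".c", ".h",
                        ".java", ".kt", ".cs", ".php"}

# Interface layer -> path prefixes, as listed in the documentation.
INTERFACE_LAYERS = {
    "CLI": ("src/cli/",),
    "REST API": ("src/api/routers/",),
    "TUI": ("src/tui/commands/",),
    "MCP": ("src/mcp/tools/", "src/mcp/"),
    "ACP": ("src/acp/server/", "src/acp/"),
}

# Assumed: directories that count as "core module location".
CORE_MODULE_PREFIXES = ("src/plugins/", "src/services/")

INTERFACE_BONUS = 0.15  # stated in the documentation

# Constructed sample of `git diff --name-only {base_ref} HEAD` output.
SAMPLE_DIFF_OUTPUT = """\
src/cli/review.py
src/api/routers/users.py
src/services/auth.py
docs/scenarios/09-code-review.md
src/mcp/tools/search.py
"""


def filter_changed_files(diff_name_only: str) -> list[str]:
    """Keep only supported source files from `git diff --name-only` output."""
    files = []
    for line in diff_name_only.splitlines():
        path = line.strip()
        if path and PurePosixPath(path).suffix in SUPPORTED_EXTENSIONS:
            files.append(path)
    return files


def affected_interfaces(changed_files) -> list[str]:
    """Return the sorted interface layers touched by the changed files."""
    hit = set()
    for path in changed_files:
        for layer, prefixes in INTERFACE_LAYERS.items():
            if path.startswith(prefixes):
                hit.add(layer)
    return sorted(hit)


@dataclass
class ChangedMethod:
    path: str
    name: str
    caller_count: int
    parameter_count: int


def risk_score(m: ChangedMethod) -> float:
    """Combine the four factors into a 0.0-1.0 score (weights are assumptions)."""
    score = 0.0
    # Caller count: saturates at 20 callers, worth up to 0.40.
    score += 0.40 * min(m.caller_count, 20) / 20
    # Signature complexity: saturates at 8 parameters, worth up to 0.20.
    score += 0.20 * min(m.parameter_count, 8) / 8
    # Core module location: flat 0.25.
    if m.path.startswith(CORE_MODULE_PREFIXES):
        score += 0.25
    # Interface layer: +0.15, as documented.
    if affected_interfaces([m.path]):
        score += INTERFACE_BONUS
    return round(min(score, 1.0), 2)


def risk_level(score: float) -> str:
    """Map a score to the documented levels."""
    if score >= 0.8:
        return "critical"
    if score >= 0.6:
        return "high"
    if score >= 0.4:
        return "medium"
    return "low"


if __name__ == "__main__":
    changed = filter_changed_files(SAMPLE_DIFF_OUTPUT)
    print("changed source files:", changed)
    print("affected interfaces:", affected_interfaces(changed))
    for m in (ChangedMethod("src/services/auth.py", "verify_token", 20, 4),
              ChangedMethod("src/cli/review.py", "main", 2, 2)):
        s = risk_score(m)
        print(f"{m.path}:{m.name} score={s} level={risk_level(s)}")
```

The two factors with a real spread (caller count, parameter count) are saturated rather than unbounded so that one very popular helper cannot push every change to "critical"; the two location factors are flat bonuses, matching the documented +0.15 for interface layers.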
Transitive Caller Analysis
CallerAnalysis performs 2-hop transitive search: finds not only direct callers of changed methods, but callers of callers – to assess the full blast radius.
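The 2-hop transitive search, as an added Python example (not the project's CallerAnalysis class): the call graph below is a constructed dictionary of reverse call edges standing in for the CPG, and the method names in it are hypothetical.

```python
"""Two-hop transitive caller search over a reverse call graph.

Added example, not the project's CallerAnalysis implementation. The graph
is a constructed stand-in for the CPG's call edges.
"""
from collections import deque

# Constructed call graph: callee -> set of its direct callers.
SAMPLE_CALLERS = {
    "db.run_query": {"api.get_user", "api.list_users", "jobs.nightly_export"},
    "api.get_user": {"cli.show_user", "tui.user_panel"},
    "api.list_users": {"cli.list_users"},
    "cli.show_user": {"cli.main"},        # 3 hops from db.run_query
    "jobs.nightly_export": {"scheduler.tick"},
    "scheduler.tick": {"scheduler.loop"},  # 3 hops from db.run_query
}


def transitive_callers(graph, changed: str, max_hops: int = 2) -> dict[int, set[str]]:
    """Breadth-first walk up the reverse call graph, grouped by hop distance.

    Hop 1 holds the direct callers of `changed`; hop 2 holds callers of
    those callers. Nodes already seen (including cycles back to `changed`)
    are not revisited, so each caller is reported once at its shortest distance.
    """
    seen = {changed}
    by_hop: dict[int, set[str]] = {}
    frontier = deque([(changed, 0)])
    while frontier:
        node, hops = frontier.popleft()
        if hops == max_hops:
            continue  # do not expand beyond the configured depth
        for caller in graph.get(node, set()):
            if caller in seen:
                continue
            seen.add(caller)
            by_hop.setdefault(hops + 1, set()).add(caller)
            frontier.append((caller, hops + 1))
    return by_hop


def blast_radius(graph, changed_methods, max_hops: int = 2) -> set[str]:
    """Union of every caller within max_hops of any changed method."""
    radius: set[str] = set()
    for method in changed_methods:
        for callers in transitive_callers(graph, method, max_hops).values():
            radius |= callers
    return radius - set(changed_methods)


if __name__ == "__main__":
    for hop, callers in sorted(transitive_callers(SAMPLE_CALLERS, "db.run_query").items()):
        print(f"hop {hop}: {sorted(callers)}")
    print("blast radius:", sorted(blast_radius(SAMPLE_CALLERS, ["db.run_query"])))
```

Bounding the walk at two hops keeps the result actionable: the direct callers are the code that must be re-tested, the second hop shows which entry points (CLI, TUI, scheduler) reach the change, and anything deeper is usually noise for a per-PR review.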
Related Scenarios
- Security Audit - Deeper security analysis
- Test Coverage - Coverage analysis
- Refactoring - Code quality
- Composite Workflows - Scenario orchestration
- Claude Code & Git Integration - Code review hooks