Skip to content

feat(multi-agent-review): spin sub-agents to review specific aspects #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Cali93 wants to merge 7 commits into
base: master
Choose a base branch
from
Open

feat(multi-agent-review): spin sub-agents to review specific aspects #64

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
cd79a8f
feat(multi-agent-review): spin sub-agents to review specific aspects
Cali93 Jan 16, 2026
c5ced01
chore(agents): reference agents in action.yml
Cali93 Jan 20, 2026
aff2352
Merge origin/master into chore/auto-review-multi-agent
Cali93 Jan 20, 2026
2311ae2
fix(auto-review): remove duplicative ID prefix specs from action.yml
bkrem Jan 23, 2026
f5e581b
chore(agents): align issue format with main action.yml spec
bkrem Jan 23, 2026
95e8d3a
feat(auto-review): add selective subagent spawning heuristic
bkrem Jan 23, 2026
21f0a9e
feat(agents): expand agent scope to include best practice recommendat…
bkrem Feb 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
156 changes: 130 additions & 26 deletions claude/auto-review/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,57 @@ inputs:
description: "Post inline PR comments generated from findings.json"
required: false
default: "true"
force_all_agents:
description: "Force all review agents regardless of heuristic (overrides selective spawning)"
required: false
default: "false"

runs:
using: "composite"
steps:
- name: Determine agents to spawn
shell: bash
env:
GH_TOKEN: ${{ github.token }}
FORCE_ALL_AGENTS: ${{ inputs.force_all_agents }}
run: |
SCRIPT_PATH="${{ github.action_path }}/scripts/determine-agents.js"

if [[ ! -f "$SCRIPT_PATH" ]]; then
echo "::warning::Determine agents script not found, spawning all agents"
echo "AGENTS_TO_RUN=bug,security,patterns" >> $GITHUB_ENV
echo "AGENT_REASON=Script not found (fallback)" >> $GITHUB_ENV
exit 0
fi

RESULT=$(node "$SCRIPT_PATH")

AGENTS=$(echo "$RESULT" | jq -r '.agents | join(",")')
REASON=$(echo "$RESULT" | jq -r '.reason')
SKIPPED=$(echo "$RESULT" | jq -r '.skipped | join(",")')

echo "AGENTS_TO_RUN=$AGENTS" >> $GITHUB_ENV
echo "AGENT_REASON=$REASON" >> $GITHUB_ENV
echo "AGENTS_SKIPPED=$SKIPPED" >> $GITHUB_ENV

# Set skip flag if no agents to spawn
if [[ -z "$AGENTS" ]]; then
echo "SKIP_REVIEW=true" >> $GITHUB_ENV
else
echo "SKIP_REVIEW=false" >> $GITHUB_ENV
fi

echo "::group::Agent Selection"
echo "Agents to spawn: ${AGENTS:-none}"
echo "Reason: $REASON"
if [[ -n "$SKIPPED" ]]; then
echo "Skipped agents: $SKIPPED"
fi
if [[ -z "$AGENTS" ]]; then
echo "Review will be skipped"
fi
echo "::endgroup::"

- name: Set up review prompt
shell: bash
run: |
Expand Down Expand Up @@ -83,33 +130,74 @@ runs:

---

## AUTOMATED CHECKS
Copy link
Member

@bkrem bkrem Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see this was moved into review-patterns, but let's ensure these checks are preserved in the main prompt if agents only trigger on heuristics like PR size? 🙏 We need them to happen for sure on every PR.

## MULTI-AGENT REVIEW"

# Check if we have any agents to spawn
if [[ -z "$AGENTS_TO_RUN" ]]; then
# No agents to spawn - skip review
PROMPT="$PROMPT

**Review skipped:** $AGENT_REASON

Respond with: \\\"✅ No code review needed - $AGENT_REASON\\\""
else
# Build agent list dynamically
AGENT_COUNT=0
AGENT_LIST=""

if [[ "$AGENTS_TO_RUN" == *"bug"* ]]; then
AGENT_COUNT=$((AGENT_COUNT + 1))
AGENT_LIST="$AGENT_LIST
$AGENT_COUNT. **Bug Agent** - Spec: ${{ github.action_path }}/agents/review-bugs.md"
fi

if [[ "$AGENTS_TO_RUN" == *"security"* ]]; then
AGENT_COUNT=$((AGENT_COUNT + 1))
AGENT_LIST="$AGENT_LIST
$AGENT_COUNT. **Security Agent** - Spec: ${{ github.action_path }}/agents/review-security.md"
fi

if [[ "$AGENTS_TO_RUN" == *"patterns"* ]]; then
AGENT_COUNT=$((AGENT_COUNT + 1))
AGENT_LIST="$AGENT_LIST
$AGENT_COUNT. **Patterns Agent** - Spec: ${{ github.action_path }}/agents/review-patterns.md"
fi

if [[ $AGENT_COUNT -eq 1 ]]; then
AGENT_WORD="subagent"
else
AGENT_WORD="subagents"
fi

PROMPT="$PROMPT

Based on PR analysis: $AGENT_REASON

Conduct review using $AGENT_COUNT specialized $AGENT_WORD IN PARALLEL.

**Agent specs:** ${{ github.action_path }}/agents/

### Step 1: Spawn Agents Simultaneously

**Only report if violations found. Skip check if none detected.**
Use Task tool to launch agents in a SINGLE message. Use subagent_type=\\\"general-purpose\\\".

### External Domain URLs
Flag URLs to domains other than reown.com, walletconnect.com, walletconnect.org:
🔒 **External Domain URL** (Non-blocking) **URL:** [url] **File:** [path:line] - Verify intentional, review security implications.
**For EACH agent prompt include:**
1. \\\"Read your spec file at [path] and follow its instructions.\\\"
2. PR number, repository, list of changed files

### Static Resource Cache-Control
Flag static files (.woff, .woff2, .ttf, .jpg, .png, .css, .js, .mp4, etc.) with max-age < 31536000 or missing explicit Cache-Control:
⚠️ **Cache-Control Issue** **Resource:** [url] **File:** [path:line] **Current:** [value] **Recommendation:** \"Cache-Control: public, max-age=31536000, immutable\"
**Agents:**$AGENT_LIST

### GitHub Actions Workflow Security
Scan .github/workflows/*.y*ml for:
- **CRITICAL:** pull_request_target + PR head checkout (github.event.pull_request.head.*) = arbitrary code execution
- **HIGH:** pull_request_target + script execution
- **MEDIUM:** Any pull_request_target usage (runs with secrets)
Format: 🚨 **GitHub Actions Security Risk** **Severity:** [level] **File:** [path:line] **Pattern:** [issue] **Recommendation:** [fix]
### Step 2: Consolidate Findings

### WalletConnect Pay Architecture
Flag anti-patterns in payment/wallet/transaction code:
1. **CRITICAL:** Cross-service DB access (imports, queries, connections) → 🚨 Services must use APIs
2. **HIGH:** Missing idempotency keys in POST/PUT/PATCH/DELETE → ⚠️ Extract key, check store, return cached response
3. **HIGH:** External calls without timeout/retry → ⚠️ Add timeout, retry+backoff, circuit breaker
4. **HIGH:** Event consumers (SQS/SNS/Kafka) without message deduplication → ⚠️ Check message ID before mutations
5. **MEDIUM:** Multi-step workflows without saga compensation → ⚠️ Add rollback/compensating events
6. **MEDIUM:** State transitions without trace context → ⚠️ Add structured logging with traceId/correlationId"
After agents complete:
1. Collect all issues
2. **Deduplicate** (same file + same/adjacent line + similar description): keep higher severity, merge context, prefer sec- > bug- > pat-
3. Sort by severity: CRITICAL > HIGH > MEDIUM > LOW

### Step 3: Output

Produce SINGLE consolidated summary in collapsed \\\`<details>\\\` format. No separate agent sections."
fi


# Add project context
Expand Down Expand Up @@ -195,17 +283,33 @@ runs:
echo "::warning::The 'timeout_minutes' input is deprecated and has no effect in claude-code-action@v1. Please use job-level 'timeout-minutes' instead. See: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes"
fi

- name: Skip review notification
if: env.SKIP_REVIEW == 'true'
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
echo "::notice::Skipping review: $AGENT_REASON"

# Post a comment to the PR
gh pr comment "${{ github.event.pull_request.number }}" \
--repo "${{ github.repository }}" \
--body "✅ **Auto Review Skipped**: $AGENT_REASON

_No code review needed for this PR. Add the \`full-review\` label to force a full review._"

- name: Automatic PR Review
if: env.SKIP_REVIEW != 'true'
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ inputs.anthropic_api_key }}
prompt: ${{ env.REVIEW_PROMPT }}
track_progress: true
claude_args: --model ${{ inputs.model }}
claude_args: --model ${{ inputs.model }} --allowedTools "Read,Glob,Grep,Task,WebFetch"
allowed_bots: devin-ai-integration[bot]

- name: Extract findings from Claude's comment
if: inputs.comment_pr_findings == 'true'
if: inputs.comment_pr_findings == 'true' && env.SKIP_REVIEW != 'true'
shell: bash
env:
GH_TOKEN: ${{ github.token }}
Expand All @@ -225,7 +329,7 @@ runs:
node "$SCRIPT_PATH"

- name: Ensure GitHub CLI and jq for inline comments
if: inputs.comment_pr_findings == 'true'
if: inputs.comment_pr_findings == 'true' && env.SKIP_REVIEW != 'true'
shell: bash
run: |
# Install GitHub CLI if needed
Expand Down Expand Up @@ -259,7 +363,7 @@ runs:
fi

- name: Post inline findings comments
if: inputs.comment_pr_findings == 'true'
if: inputs.comment_pr_findings == 'true' && env.SKIP_REVIEW != 'true'
shell: bash
env:
GH_TOKEN: ${{ github.token }}
Expand Down
106 changes: 106 additions & 0 deletions claude/auto-review/agents/review-bugs.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
# Bug Review Agent

You are a code reviewer. Provide actionable feedback on code changes.

**Diffs alone are not enough.** Read the full file(s) being modified to understand context. Code that looks wrong in isolation may be correct given surrounding logic.
Copy link
Member

@bkrem bkrem Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have this in the main prompt now based on your prior advice: https://github.com/WalletConnect/actions/pull/64/changes#diff-742c4c628098679724a584600295de6d9bba6d01b7d7b5c0cb60f03ce427288fR61


Your specialization: finding bugs and functional issues.

**Scope:** Your review is not limited strictly to the focus areas below. Within the bug/correctness domain, also proactively recommend missing best practices - even when no explicit bug exists.

## Your Focus Areas

Analyze the PR changes for:

1. **Logic Errors**
- Incorrect conditionals or boolean logic
- Off-by-one errors in loops or array access
- Wrong comparison operators (< vs <=, == vs ===)
- Inverted conditions or negation mistakes

2. **Null/Undefined Handling**
- Missing null checks before dereferencing
- Optional chaining gaps
- Unhandled undefined returns from functions
- Incorrect default values

3. **Race Conditions & Concurrency**
- Shared state modifications without synchronization
- Missing await on async operations
- Promise handling issues (unhandled rejections)
- State updates that could be overwritten

4. **Error Handling**
- Missing try-catch blocks around fallible operations
- Swallowed errors (empty catch blocks)
- Incorrect error propagation
- Resource cleanup in error paths

5. **Resource Leaks**
- Unclosed file handles, connections, or streams
- Missing cleanup in finally blocks
- Event listeners not removed
- Timers/intervals not cleared

6. **Type Mismatches**
- Implicit type coercion issues
- Incorrect type assertions
- Function signature mismatches
- Incompatible type assignments

## Best Practices to Recommend

Beyond finding bugs, suggest improvements when you notice:
- Missing defensive coding patterns (guard clauses, assertions)
- Opportunities for better error handling structure
- Input validation that could prevent future bugs
- Null safety improvements (optional chaining, nullish coalescing)
- Missing type narrowing or runtime checks

Use **LOW** severity for best practice recommendations (vs actual bugs).

## Review Process

1. Read the full file content for each changed file to understand context
2. Focus on the changed lines but consider how they interact with surrounding code
3. Look for edge cases the code doesn't handle
4. Verify error paths are properly handled

## Before Flagging Anything

- **Be certain** - Don't flag something as a bug if you're unsure. Investigate first.
- **Don't invent hypothetical problems** - If an edge case matters, explain the realistic scenario where it occurs.
- **Only review the changes** - Don't flag pre-existing code that wasn't modified in this PR.
- **Communicate severity honestly** - Don't overstate. A minor issue is not HIGH severity.

## Severity Levels

- **CRITICAL**: Will cause crashes, data corruption, or major functionality breakage
- **HIGH**: Likely to cause bugs in production under normal usage
- **MEDIUM**: Could cause issues in edge cases or specific conditions
- **LOW**: Minor issues that are unlikely to cause problems

## Output Format

Report each issue using this exact format:

```
#### Issue N: Brief description
**ID:** bug-{filename}-{2-4-key-terms}-{hash}
**File:** path/to/file.ext:lineNumber
**Severity:** CRITICAL/HIGH/MEDIUM/LOW
**Category:** bug

**Context:**
- **Pattern:** What the problematic code pattern is
- **Risk:** Why it's a problem technically
- **Impact:** Potential consequences (crash, data corruption, etc.)
- **Trigger:** Under what conditions this bug manifests

**Recommendation:** Fix with minimal code snippet (1-10 lines).
```

**ID Generation:** bug-{filename}-{2-4-key-terms}-{SHA256(path+desc).substr(0,4)}
Example: bug-cache-race-condition-a1b2

If no bugs found: "No bug issues found."
Loading