PSPDFKit-labs
diff --git a/‎.claude/commands/code-review.md‎ ‎.claude/commands/review.md‎.claude/commands/code-review.md renamed to .claude/commands/review.md
Lines changed: 17 additions & 14 deletions b/‎.claude/commands/code-review.md‎ ‎.claude/commands/review.md‎.claude/commands/code-review.md renamed to .claude/commands/review.md
Lines changed: 17 additions & 14 deletions
diff --git a/‎.claude/commands/security-review.md‎
Lines changed: 0 additions & 106 deletions b/‎.claude/commands/security-review.md‎
Lines changed: 0 additions & 106 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 9 deletions b/‎README.md‎
Lines changed: 7 additions & 9 deletions
@@ -1,9 +1,9 @@
 ---
 allowed-tools: Bash(gh issue view:*), Bash(gh search:*), Bash(gh issue list:*), Bash(gh pr comment:*), Bash(gh pr diff:*), Bash(gh pr view:*), Bash(gh pr list:*), Bash(gh api:*), mcp__github_inline_comment__create_inline_comment
-description: Code review a pull request
+description: Unified code and security review for a pull request
 ---
 
-Provide a code review for the given pull request.
+Provide a comprehensive code review for the given pull request, covering both code quality and security.
 
 Create a todo list before starting.
 
@@ -16,7 +16,7 @@ To do this, follow these steps precisely:
 1. Launch a haiku agent to check if any of the following are true:
    - The pull request is closed
    - The pull request is a draft
-   - The pull request does not need code review (e.g. automated PR, trivial change that is obviously correct)
+   - The pull request does not need review (e.g. automated PR, trivial change that is obviously correct)
    - Claude has already commented on this PR (check `gh pr view <PR> --comments` for comments left by claude)
 
    If any condition is true, stop and do not proceed.
@@ -29,39 +29,42 @@ To do this, follow these steps precisely:
 
 3. Launch a sonnet agent to view the pull request and return a summary of the changes.
 
-4. Launch 4 agents in parallel to independently review the changes. Each agent should return the list of issues, where each issue includes a description and the reason it was flagged (e.g. "CLAUDE.md adherence", "bug"). The agents should do the following:
+4. Launch 4 agents in parallel to independently review the changes. Each agent should return the list of issues, where each issue includes a description and the reason it was flagged. The agents should do the following:
 
    Agents 1 + 2: CLAUDE.md compliance sonnet agents
-   Audit changes for CLAUDE.md compliance in parallel. Note: When evaluating CLAUDE.md compliance for a file, you should only consider CLAUDE.md files that share a file path with the file or parents.
+   Audit changes for CLAUDE.md compliance in parallel, including both general and security-specific rules. Note: When evaluating CLAUDE.md compliance for a file, you should only consider CLAUDE.md files that share a file path with the file or parents.
 
-   Agent 3: Opus bug agent (parallel subagent with agent 4)
-   Scan for obvious bugs. Focus only on the diff itself without reading extra context. Flag only significant bugs; ignore nitpicks and likely false positives. Do not flag issues that you cannot validate without looking at context outside of the git diff.
+   Agent 3: Opus code quality agent
+   Scan for obvious bugs and code quality issues. Focus only on the diff itself without reading extra context. Flag only significant bugs; ignore nitpicks and likely false positives. Do not flag issues that you cannot validate without looking at context outside of the git diff.
 
-   Agent 4: Opus bug agent (parallel subagent with agent 3)
-   Look for problems that exist in the introduced code. This could be security issues, incorrect logic, etc. Only look for issues that fall within the changed code.
+   Agent 4: Opus security agent
+   Look for security vulnerabilities in the introduced code. This includes injection, auth bypass, data exposure, unsafe deserialization, or other exploitable issues. Only look for issues that fall within the changed code.
 
    **CRITICAL: We only want HIGH SIGNAL issues.** Flag issues where:
    - The code will fail to compile or parse (syntax errors, type errors, missing imports, unresolved references)
    - The code will definitely produce wrong results regardless of inputs (clear logic errors)
+   - There is a clear, exploitable security vulnerability (e.g., injection, auth bypass, RCE, sensitive data exposure)
    - Clear, unambiguous CLAUDE.md violations where you can quote the exact rule being broken
 
    Do NOT flag:
-   - Code style or quality concerns
+   - Code style or quality concerns that don't affect correctness
    - Potential issues that depend on specific inputs or state
    - Subjective suggestions or improvements
+   - Security issues that depend on speculative inputs or unverified assumptions
+   - Denial of Service (DoS) or rate limiting issues without concrete exploitability
 
    If you are not certain an issue is real, do not flag it. False positives erode trust and waste reviewer time.
 
    In addition to the above, each subagent should be told the PR title and description. This will help provide context regarding the author's intent.
 
-5. For each issue found in the previous step by agents 3 and 4, launch parallel subagents to validate the issue. These subagents should get the PR title and description along with a description of the issue. The agent's job is to review the issue to validate that the stated issue is truly an issue with high confidence. For example, if an issue such as "variable is not defined" was flagged, the subagent's job would be to validate that is actually true in the code. Another example would be CLAUDE.md issues. The agent should validate that the CLAUDE.md rule that was violated is scoped for this file and is actually violated. Use Opus subagents for bugs and logic issues, and sonnet agents for CLAUDE.md violations.
+5. For each issue found in the previous step by agents 3 and 4, launch parallel subagents to validate the issue. These subagents should get the PR title and description along with a description of the issue. The agent's job is to review the issue to validate that the stated issue is truly an issue with high confidence. Use Opus subagents for bugs and security issues, and sonnet agents for CLAUDE.md violations.
 
 6. Filter out any issues that were not validated in step 5. This step will give us our list of high signal issues for our review.
 
 7. If issues were found, skip to step 8 to post inline comments directly.
 
    If NO issues were found, post a summary comment using `gh pr comment` (if `--comment` argument is provided):
-   "No issues found. Checked for bugs and CLAUDE.md compliance."
+   "No issues found. Checked for bugs, security vulnerabilities, and CLAUDE.md compliance."
 
 8. Create a list of all comments that you plan on leaving. This is only for you to make sure you are comfortable with the comments. Do not post this list anywhere.
 
@@ -79,7 +82,7 @@ Use this list when evaluating issues in Steps 4 and 5 (these are false positives
 - Something that appears to be a bug but is actually correct
 - Pedantic nitpicks that a senior engineer would not flag
 - Issues that a linter will catch (do not run the linter to verify)
-- General code quality concerns (e.g., lack of test coverage, general security issues) unless explicitly required in CLAUDE.md
+- General code quality concerns (e.g., lack of test coverage) unless explicitly required in CLAUDE.md
 - Issues mentioned in CLAUDE.md but explicitly silenced in the code (e.g., via a lint ignore comment)
 
 Notes:
@@ -92,7 +95,7 @@ Notes:
 
 ## Code review
 
-No issues found. Checked for bugs and CLAUDE.md compliance.
+No issues found. Checked for bugs, security vulnerabilities, and CLAUDE.md compliance.
 
 ---
 
 
@@ -1,6 +1,6 @@
 # Claude Code Reviewer
 
-An AI-powered code review GitHub Action using Claude to analyze code changes. Runs two focused passes: a code quality review (correctness, reliability, performance, maintainability, testing) and a dedicated security review. This action provides intelligent, context-aware review for pull requests using Anthropic's Claude Code tool for deep semantic analysis.
+An AI-powered code review GitHub Action using Claude to analyze code changes. Uses a unified multi-agent approach for both code quality (correctness, reliability, performance, maintainability, testing) and security in a single pass. This action provides intelligent, context-aware review for pull requests using Anthropic's Claude Code tool for deep semantic analysis.
 
 Based on the original work from [anthropics/claude-code-security-review](https://github.com/anthropics/claude-code-security-review).
 
@@ -12,7 +12,7 @@ Based on the original work from [anthropics/claude-code-security-review](https:/
 - **Contextual Understanding**: Goes beyond pattern matching to understand code semantics and intent
 - **Language Agnostic**: Works with any programming language
 - **False Positive Filtering**: Advanced filtering to reduce noise and focus on real issues
-- **Dual-Pass Review**: Runs focused code quality and security passes separately for better signal
+- **Unified Multi-Agent Review**: Combines code quality and security analysis in a single efficient pass
 
 ## Quick Start
 
@@ -63,8 +63,6 @@ This action is not hardened against prompt injection attacks and should only be
 | `false-positive-filtering-instructions` | Path to custom false positive filtering instructions text file | None | No |
 | `custom-review-instructions` | Path to custom code review instructions text file to append to the audit prompt | None | No |
 | `custom-security-scan-instructions` | Path to custom security scan instructions text file to append to the security section | None | No |
-| `run-general-review` | Whether to run the code quality review pass (correctness, reliability, performance, maintainability, testing) | `true` | No |
-| `run-security-review` | Whether to run the dedicated security review pass | `true` | No |
 
 ### Action Outputs
 
@@ -135,17 +133,17 @@ Follow the Quick Start guide above. The action handles all dependencies automati
 
 To run the reviewer locally against a specific PR, see the [evaluation framework documentation](claudecode/evals/README.md).
 
-<a id="security-review-slash-command"></a>
+<a id="review-slash-command"></a>
 
-## Claude Code Integration: /code-review Command
+## Claude Code Integration: /review Command
 
-This repository includes `/code-review` and `/security-review` [slash commands](https://docs.anthropic.com/en/docs/claude-code/slash-commands) that provide the same review capabilities as the GitHub Action workflow. Use `/code-review` for a broad review (correctness, reliability, performance, maintainability, testing, and security), and `/security-review` for a security-focused review.
+This repository includes a `/review` [slash command](https://docs.anthropic.com/en/docs/claude-code/slash-commands) that provides the same review capabilities as the GitHub Action workflow. The command performs a comprehensive review covering code quality (correctness, reliability, performance, maintainability, testing) and security using a multi-agent approach.
 
 ### Customizing the Command
 
-The default commands are designed to work well in most cases, but they can also be customized based on your specific requirements. To do so:
+The default command is designed to work well in most cases, but it can also be customized based on your specific requirements. To do so:
 
-1. Copy the [`code-review.md`](https://github.com/PSPDFKit-labs/claude-code-review/blob/main/.claude/commands/code-review.md?plain=1) or [`security-review.md`](https://github.com/PSPDFKit-labs/claude-code-review/blob/main/.claude/commands/security-review.md?plain=1) file from this repository to your project's `.claude/commands/` folder.
+1. Copy the [`review.md`](https://github.com/PSPDFKit-labs/claude-code-review/blob/main/.claude/commands/review.md?plain=1) file from this repository to your project's `.claude/commands/` folder.
 2. Edit the copied file to customize the review instructions.
 
 ## Custom Scanning Configuration