improve: enhance code-reviewer agent with actionable review practices #492

Merged
davila7 merged 1 commit into main from review/code-reviewer-2026-04-01 on Apr 2, 2026

Conversation

@davila7 davila7 commented Apr 1, 2026

Automated Component Improvement

Component: cli-tool/components/agents/development-tools/code-reviewer.md
Stats: #1 trending agent, 16,401 total downloads, 1,062/week

Changes

  • Remove fake JSON communication protocol — deleted the Communication Protocol section containing non-functional request_type and status JSON blocks; replaced with Review Setup using concrete git diff --name-only HEAD~1 commands
  • Add Automated Pre-Checks section — run npm audit / pip-audit / cargo audit for CVEs, grep changed files for hardcoded secrets, git log --oneline -5 for context; gracefully skips unavailable tools
  • Add Diff-First Reading Strategy — full read under 20 files, diff-first with high-risk focus for 20-100 files, ask user to narrow scope over 100 files
  • Convert noun-list checklists to behavioral instructions — Security, Error Handling, Tests, Dependencies, Performance now describe what to look for and how
  • Add Language-Specific Checks — TypeScript (any, strict mode, floating Promises), Python (mutable defaults, bare except:), Rust (.unwrap() in non-test, unsafe without SAFETY comment), Go (discarded errors, goroutine leaks, defer in loops), SQL (UPDATE/DELETE without WHERE, N+1, unindexed FKs)
  • Add Output Format section — four-level severity (CRITICAL / HIGH / MEDIUM / LOW) with file:line, Risk, and Fix per finding
  • Add Review Summary template — closes every review with [N] placeholders for real counts plus merge recommendation (BLOCK / APPROVE WITH SUGGESTIONS / APPROVE)
  • Fix fictionalized delivery notification — replaced hardcoded "47 files, 2 critical issues" with the parameterized Review Summary template

Research Summary

The code-reviewer is the #1 trending agent. The main gaps were: fake JSON protocol blocks suggesting non-existent inter-agent communication, noun-heavy checklists with no behavioral instructions, vague language-specific guidance, and hardcoded file counts. These improvements make the agent's behavior deterministic and its output format predictable.

Validation

  • component-reviewer: PASSED
  • Valid YAML frontmatter with all required fields (name, description, tools)
  • Name code-reviewer is kebab-case, matches filename
  • No hardcoded secrets or API keys
  • No absolute paths
  • Correct category: development-tools
  • All new sections confirmed present via grep

Automated review cycle by Component Improvement Loop


Summary by cubic

Enhanced the code-reviewer agent with a practical review workflow and standardized output to produce clear, actionable feedback. Removes the fake JSON protocol and scales the process for large diffs.

  • Changes
    • Concrete review setup (git diff --name-only HEAD~1); removed fake JSON protocol.
    • Automated pre-checks (npm audit, pip-audit, cargo audit, secrets grep) with graceful fallback.
    • Diff-first reading strategy by file-count thresholds; behavioral guidance replaces noun lists.
    • Language-specific checks for TypeScript, Python, Rust, Go, and SQL.
    • Standardized output (CRITICAL/HIGH/MEDIUM/LOW with file:line, Risk/Fix) and a parameterized Review Summary. Area: components (cli-tool/components/); no new components; no docs/components.json regen; no new env vars or secrets.

Written for commit b658762. Summary will update on new commits.

- Remove fake JSON communication protocol blocks (request_type/status JSON)
- Add Review Setup section with concrete diff-scope commands
- Add Automated Pre-Checks section (npm audit, pip-audit, cargo audit, secret grep)
- Add Diff-First Reading Strategy with thresholds (<20, 20-100, >100 files)
- Replace noun-list checklist with imperative behavioral instructions per category
- Add Language-Specific Checks with concrete anti-patterns for TypeScript, Python, Rust, Go, SQL
- Add Output Format section with four-level severity classification (CRITICAL/HIGH/MEDIUM/LOW)
- Add Review Summary template with [N] placeholders and merge recommendation
- Replace hardcoded "47 files, 2 critical issues" delivery text with template

Automated review cycle | Co-Authored-By: Claude Code <noreply@anthropic.com>
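
The Review Setup, Automated Pre-Checks and Diff-First thresholds described above, as an added shell example that is not part of the PR or of the agent prompt it changes: it feeds the `git diff --name-only` file list into the secrets grep (so the scan really is limited to changed files) and maps the file count onto the 20/100 thresholds. Function names are assumptions, and the regex uses `[[:space:]]` in place of the PR's `\s` so it behaves the same under GNU and BSD grep.

```shell
#!/bin/sh
# Added example, not the PR's agent prompt: the Review Setup / Automated
# Pre-Checks flow the PR describes, with the secrets grep fed the changed-file
# list (the scoping fix the cubic review asks for) instead of recursing over
# the repo. Function names are hypothetical; the regex uses [[:space:]] in
# place of \s so it behaves the same under GNU and BSD grep.
SECRET_RE="(api_key|secret|password|token)[[:space:]]*=[[:space:]]*['\"][^'\"]{8,}"

# Review Setup: files touched since the base revision (the PR's default is
# HEAD~1), limited to the extensions the PR's --include flags name.
changed_files() {
    git diff --name-only "${1:-HEAD~1}" -- | grep -E '\.(py|ts|js)$'
}

# Diff-First Reading Strategy thresholds from the PR: under 20 files read
# everything, 20-100 read diffs with a high-risk focus, over 100 ask to narrow.
reading_strategy() {
    if [ "$1" -lt 20 ]; then echo "full-read"
    elif [ "$1" -le 100 ]; then echo "diff-first"
    else echo "ask-to-narrow"
    fi
}

# Secrets pre-check over exactly the paths read from stdin, one per line.
# Prints path:line:text for every hit; exit status 0 means nothing was found.
scan_secrets() {
    hits=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue   # deleted files are in the diff but not the tree
        if grep -nHE "$SECRET_RE" "$path"; then hits=$((hits + 1)); fi
    done
    [ "$hits" -eq 0 ]
}

# Driver for a real checkout: scope, pick the strategy, then scan the scope.
review_precheck() {
    files=$(changed_files "${1:-HEAD~1}")
    count=$(printf '%s\n' "$files" | grep -c . || true)
    echo "changed files: $count -> strategy: $(reading_strategy "$count")"
    printf '%s\n' "$files" | scan_secrets
}

# Stand-alone demo on constructed files (no git checkout needed); exits 0.
demo_dir=$(mktemp -d)
printf 'api_key = "constructed-placeholder-value"\n' > "$demo_dir/settings.py"
printf 'token = token_from_env()\n' > "$demo_dir/clean.py"   # not a literal, no hit
if printf '%s\n' "$demo_dir/settings.py" "$demo_dir/clean.py" | scan_secrets; then
    echo "pre-check: no hardcoded secrets"; else echo "pre-check: secrets found"; fi
rm -rf "$demo_dir"
```

In a checkout, `review_precheck origin/main` runs the whole flow against a PR range instead of the single-commit `HEAD~1` default.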

vercel Bot commented Apr 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| claude-code-templates | Ready | Preview | Apr 1, 2026 1:18pm |



github-actions Bot commented Apr 1, 2026

⚠️ Security Audit Report

Status: ❌ FAILED

| Metric | Count |
| --- | --- |
| Total Components | 759 |
| ✅ Passed | 360 |
| ❌ Failed | 399 |
| ⚠️ Warnings | 1000 |

❌ Failed Components (Top 5)

| Component | Errors | Warnings | Score |
| --- | --- | --- | --- |
| vercel-edge-function | 3 | 4 | 81/100 |
| prompt-engineer | 2 | 0 | 90/100 |
| neon-expert | 2 | 2 | 88/100 |
| agent-overview | 2 | 1 | 89/100 |
| unused-code-cleaner | 2 | 1 | 89/100 |

...and 394 more failed component(s)


📊 View Full Report for detailed error messages and all components


@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="cli-tool/components/agents/development-tools/code-reviewer.md">

<violation number="1" location="cli-tool/components/agents/development-tools/code-reviewer.md:18">
P3: The hardcoded-secrets pre-check claims to scan changed files, but the command runs a repo-wide grep. This contradicts the instruction and can add unnecessary work or false positives. Pipe the changed file list into grep so the command matches the stated scope.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Before reading code, run available tooling to surface quick wins:

- Dependency CVEs: run `npm audit`, `pip-audit`, or `cargo audit` depending on the project
- Hardcoded secrets: run `grep -rE "(api_key|secret|password|token)\s*=\s*['\"][^'\"]{8,}" --include="*.py" --include="*.ts" --include="*.js"` on changed files

@cubic-dev-ai cubic-dev-ai Bot Apr 1, 2026


P3: The hardcoded-secrets pre-check claims to scan changed files, but the command runs a repo-wide grep. This contradicts the instruction and can add unnecessary work or false positives. Pipe the changed file list into grep so the command matches the stated scope.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/agents/development-tools/code-reviewer.md, line 18:

<comment>The hardcoded-secrets pre-check claims to scan changed files, but the command runs a repo-wide grep. This contradicts the instruction and can add unnecessary work or false positives. Pipe the changed file list into grep so the command matches the stated scope.</comment>

<file context>
@@ -6,24 +6,110 @@ tools: Read, Write, Edit, Bash, Glob, Grep
+Before reading code, run available tooling to surface quick wins:
+
+- Dependency CVEs: run `npm audit`, `pip-audit`, or `cargo audit` depending on the project
+- Hardcoded secrets: run `grep -rE "(api_key|secret|password|token)\s*=\s*['\"][^'\"]{8,}" --include="*.py" --include="*.ts" --include="*.js"` on changed files
+- Recent commit context: run `git log --oneline -5` to understand what changed and why
+
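Review bot: the `+- Hardcoded secrets:` line instructs the agent to run the grep "on changed files", but `grep -rE ... --include="*.py" --include="*.ts" --include="*.js"` with no path argument recurses over the whole working tree, so the stated scope and the command's scope disagree and files outside the change can generate findings. Build the list with the `git diff --name-only HEAD~1` command this PR introduces in Review Setup and pass it to grep, e.g. `git diff --name-only HEAD~1 | xargs grep -nE '<pattern>'`, which also makes `-r` and the `--include` filters unnecessary; and since the PR description says unavailable tools are "gracefully skipped", the `+- Dependency CVEs:` line should say what the agent does when none of `npm audit`, `pip-audit` or `cargo audit` is installed, because the hunk text currently leaves that to the model.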
</file context>

@davila7 davila7 merged commit b68787a into main Apr 2, 2026
6 checks passed
@davila7 davila7 deleted the review/code-reviewer-2026-04-01 branch April 19, 2026 00:21