Back to Details

when-reviewing-pull-request-orchestrate-comprehensive-code-revie

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Code Review Orchestration Workflow

代码审查编排工作流

Comprehensive code review workflow orchestrating 12-15 specialized reviewers across automated checks, parallel expert reviews, integration analysis, and final approval recommendation. Designed for thorough quality validation across security, performance, architecture, testing, and documentation dimensions in a systematic 4-hour process.
这是一套全面的代码审查工作流,通过自动化检查、并行专家评审、集成分析以及最终批准建议等环节,编排12-15名专业评审人员开展工作。旨在通过系统化的4小时流程,从安全、性能、架构、测试和文档等维度进行全面的质量验证。

LIBRARY-FIRST PROTOCOL (MANDATORY)

库优先协议(强制要求)

Before writing ANY code, you MUST check:
在编写任何代码之前,您必须检查以下内容:

Step 1: Library Catalog

步骤1:库目录

  • Location: 
    .claude/library/catalog.json
  • If match >70%: REUSE or ADAPT
  • 位置:
    .claude/library/catalog.json
  • 匹配度>70%:复用或适配现有代码

Step 2: Patterns Guide

步骤2:模式指南

  • Location: 
    .claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.md
  • If pattern exists: FOLLOW documented approach
  • 位置:
    .claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.md
  • 若存在对应模式:遵循文档中记录的实现方式

Step 3: Existing Projects

步骤3:现有项目

  • Location: 
    D:\Projects\*
  • If found: EXTRACT and adapt
  • 位置:
    D:\Projects\*
  • 若找到类似实现:提取并适配

Decision Matrix

决策矩阵

MatchAction
Library >90%REUSE directly
Library 70-90%ADAPT minimally
Pattern existsFOLLOW pattern
In projectEXTRACT
No matchBUILD (add to library after)
匹配度操作
库匹配>90%直接复用
库匹配70-90%最小程度适配
存在对应模式遵循模式实现
现有项目中有实现提取适配
无匹配项重新构建(完成后添加到库中)

Overview

概述

This SOP implements a multi-dimensional code review process using star topology coordination where a central PR manager orchestrates specialized reviewers operating in parallel. The workflow emphasizes both thoroughness and efficiency by running automated checks first (gate 1), then parallelizing specialized human-centric reviews, followed by integration impact analysis, and finally synthesizing all findings into actionable recommendations.
The star pattern enables each specialist to focus deeply on their domain while the coordinator ensures comprehensive coverage and prevents conflicting feedback. Memory coordination allows reviewers to reference findings from other specialists, creating a holistic review experience.
本标准操作流程(SOP)采用星型拓扑协调机制实现多维度代码审查流程,由中央PR管理器编排多个专业评审人员并行开展工作。工作流先运行自动化检查(第一关),再并行开展以人为中心的专项评审,接着进行集成影响分析,最后综合所有发现形成可执行建议,兼顾审查的全面性与效率。
星型模式让每位专家能够专注于各自领域,同时协调者确保审查覆盖所有维度,避免出现冲突反馈。内存协调机制允许评审人员参考其他专家的发现,形成全面的审查结论。

Trigger Conditions

触发条件

Use this workflow when:
  • Reviewing pull requests requiring comprehensive quality validation
  • Changes span multiple quality dimensions (code, security, performance, architecture)
  • Need systematic review from multiple specialist perspectives
  • PR introduces significant functionality or architectural changes
  • Merge decision requires evidence-based go/no-go recommendation
  • Team wants consistent, repeatable review process
  • Code review SLA is within 4 hours (business hours)
在以下场景中使用本工作流:
  • 对拉取请求(Pull Request)进行全面质量验证时
  • 变更涉及多个质量维度(代码、安全、性能、架构)时
  • 需要从多个专业视角进行系统化评审时
  • PR引入重大功能或架构变更时
  • 合并决策需要基于证据的批准/拒绝建议时
  • 团队需要一致、可重复的审查流程时
  • 代码审查服务水平协议(SLA)要求在4小时内完成(工作时间内)

Orchestrated Agents (15 Total)

编排的Agent(共15个)

Coordination Agent

协调Agent

  • pr-manager
     - PR coordination, review orchestration, findings aggregation, author notification
  • pr-manager
     - PR协调、审查编排、发现结果汇总、通知提交者

Automated Check Agents (Phase 1)

自动化检查Agent(第一阶段)

  • code-analyzer
     - Linting, static analysis, code complexity metrics
  • tester
     - Test execution, test suite validation
  • qa-engineer
     - Coverage analysis, test quality assessment
  • code-analyzer
     - 代码风格检查、静态分析、代码复杂度指标
  • tester
     - 测试执行、测试套件验证
  • qa-engineer
     - 覆盖率分析、测试质量评估

Specialized Review Agents (Phase 2)

专项评审Agent(第二阶段)

  • code-analyzer
     - Code quality, readability, maintainability, DRY, SOLID principles
  • security-manager
     - Security vulnerabilities, OWASP compliance, secrets scanning, auth/auth
  • performance-analyzer
     - Performance regressions, algorithmic efficiency, resource optimization
  • system-architect
     - Architectural consistency, design patterns, scalability, integration fit
  • api-documentation-specialist
     - Code documentation, API docs, comments, examples
  • style-auditor
     - Code style consistency, formatting standards
  • dependency-analyzer
     - Dependency audit, outdated packages, security vulnerabilities
  • test-coverage-reviewer
     - Coverage metrics, uncovered code paths, edge case testing
  • documentation-reviewer
     - README updates, changelog, migration guides
  • code-analyzer
     - 代码质量、可读性、可维护性、DRY原则、SOLID原则
  • security-manager
     - 安全漏洞、OWASP合规性、密钥扫描、身份认证与授权
  • performance-analyzer
     - 性能退化、算法效率、资源优化
  • system-architect
     - 架构一致性、设计模式、可扩展性、集成适配性
  • api-documentation-specialist
     - 代码文档、API文档、注释、示例
  • style-auditor
     - 代码风格一致性、格式标准合规性
  • dependency-analyzer
     - 依赖审计、过时包检查、依赖安全漏洞
  • test-coverage-reviewer
     - 覆盖率指标、未覆盖代码路径、边缘情况测试
  • documentation-reviewer
     - README更新、变更日志、迁移指南

Integration Analysis Agents (Phase 3)

集成分析Agent(第三阶段)

  • system-integrator
     - Integration impact, breaking changes, backward compatibility
  • devops-engineer
     - Deployment impact, infrastructure changes, rollback planning
  • code-reviewer
     - Risk assessment, blast radius analysis
  • system-integrator
     - 集成影响、破坏性变更、向后兼容性
  • devops-engineer
     - 部署影响、基础设施变更、回滚计划
  • code-reviewer
     - 风险评估、影响范围分析

Workflow Phases

工作流阶段

Phase 1: Automated Checks (30 Minutes, Parallel Gate)

第一阶段:自动化检查(30分钟,并行关卡)

Duration: 30 minutes Execution Mode: Parallel automated validation (fast fail-fast gate) Agents: 
code-analyzer
, 
tester
, 
qa-engineer
, 
pr-manager
Process:
  1. Initialize Review Swarm
    bash
    PR_ID="$1"  # e.g., "repo-name/pulls/123"
PR_NUMBER=$(echo $PR_ID | cut -d'/' -f3)

npx claude-flow hooks pre-task --description "Code review: PR #${PR_NUMBER}"
npx claude-flow swarm init --topology star --max-agents 15 --strategy specialized
npx claude-flow agent spawn --type pr-manager
    PR Manager retrieves PR metadata:
    • Changed files and line counts
    • Commit history and messages
    • Branch comparison (base vs head)
    • PR description and labels
    • Author and reviewers assigned
    Memory Storage:
    bash
    npx claude-flow memory store --key "code-review/${PR_ID}/metadata" \
  --value '{"pr_number": "'"${PR_NUMBER}"'", "files_changed": 15, "lines_added": 342, "lines_deleted": 78}'
  2. Run Automated Checks in Parallel
    bash
    npx claude-flow task orchestrate --strategy parallel --max-agents 4
    Spawn all automated check agents concurrently:
    Linting Check (Code Analyzer):
    bash
    npx claude-flow agent spawn --type code-analyzer --focus "linting"

# Run linting
npm run lint  # ESLint for JS/TS
# or
pylint src/  # Python
# or
rubocop  # Ruby
    Checks:
    • Code style violations (max line length, indentation)
    • Unused variables and imports
    • Type errors (TypeScript)
    • Deprecated API usage
    • Code complexity warnings
    Memory Pattern: 
    code-review/${PR_ID}/phase-1/code-analyzer/lint-results
    Test Execution (Tester):
    bash
    npx claude-flow agent spawn --type tester --focus "test-execution"

# Run test suite
npm test  # Jest/Mocha
# or
pytest  # Python
# or
rspec  # Ruby
    Validates:
    • All unit tests passing
    • All integration tests passing
    • All E2E tests passing (if applicable)
    • No flaky test failures
    • Test execution time within limits
    Memory Pattern: 
    code-review/${PR_ID}/phase-1/tester/test-results
    Coverage Analysis (QA Engineer):
    bash
    npx claude-flow agent spawn --type tester --focus "coverage"

# Generate coverage report
npm run test:coverage
    Checks:
    • Overall coverage > 80%
    • New code coverage > 90%
    • No critical paths uncovered
    • Coverage delta (did coverage decrease?)
    • Untested branches and conditions
    Memory Pattern: 
    code-review/${PR_ID}/phase-1/qa-engineer/coverage-report
    Build Validation (Code Analyzer):
    bash
    # Clean build validation
npm run build
# or
python setup.py build
    Validates:
    • Clean build (no errors, no warnings)
    • Type checking passes (TypeScript, mypy)
    • No broken dependencies
    • Bundle size within limits (for frontend)
    • No circular dependencies
    Memory Pattern: 
    code-review/${PR_ID}/phase-1/code-analyzer/build-status
  3. Evaluate Gate 1 Results
    bash
    npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-1/*/results"
    PR Manager aggregates automated results:
    • Lint: PASS/FAIL (violations count)
    • Tests: PASS/FAIL (passed/failed/skipped)
    • Coverage: PASS/FAIL (percentage, delta)
    • Build: PASS/FAIL (errors/warnings)
    Decision Logic:
    javascript
    if (lintFailed || testsFailed || buildFailed) {
  // Request fixes from author
  await notifyAuthor({
    status: 'CHANGES_REQUESTED',
    message: 'Automated checks failed. Please fix before review continues.',
    details: summarizeFailures()
  });

  // Store feedback and stop review
  await memory_store(`code-review/${PR_ID}/phase-1/automated-feedback`);
  return; // Stop review until fixed
}

// All automated checks passed, proceed to Phase 2
await notifyAuthor({
  status: 'IN_REVIEW',
  message: 'Automated checks passed. Proceeding with specialized reviews.'
});
Outputs:
  • Automated check results (pass/fail for each)
  • Test execution report
  • Coverage report with delta
  • Build status
Success Criteria:
  • All linting checks passing
  • All tests passing (100% of test suite)
  • Code coverage meets thresholds
  • Build successful with no errors
时长:30分钟 执行模式:并行自动化验证(快速失败关卡) 涉及Agent
code-analyzer
, 
tester
, 
qa-engineer
, 
pr-manager
流程
  1. 初始化评审集群
    bash
    PR_ID="$1"  # 示例:"repo-name/pulls/123"
PR_NUMBER=$(echo $PR_ID | cut -d'/' -f3)

npx claude-flow hooks pre-task --description "Code review: PR #${PR_NUMBER}"
npx claude-flow swarm init --topology star --max-agents 15 --strategy specialized
npx claude-flow agent spawn --type pr-manager
    PR管理器获取PR元数据:
    • 变更文件和行数
    • 提交历史和消息
    • 分支对比(基准分支 vs 目标分支)
    • PR描述和标签
    • 分配的提交者和评审人员
    内存存储
    bash
    npx claude-flow memory store --key "code-review/${PR_ID}/metadata" \
  --value '{"pr_number": "'"${PR_NUMBER}"'", "files_changed": 15, "lines_added": 342, "lines_deleted": 78}'
  2. 并行运行自动化检查
    bash
    npx claude-flow task orchestrate --strategy parallel --max-agents 4
    同时启动所有自动化检查Agent:
    代码风格检查(Code Analyzer):
    bash
    npx claude-flow agent spawn --type code-analyzer --focus "linting"

# 运行代码风格检查
npm run lint  # JS/TS使用ESLint
# 或
pylint src/  # Python使用pylint
# 或
rubocop  # Ruby使用rubocop
    检查内容:
    • 代码风格违规(最大行长度、缩进)
    • 未使用的变量和导入
    • 类型错误(TypeScript)
    • 已废弃API的使用
    • 代码复杂度警告
    内存存储路径
    code-review/${PR_ID}/phase-1/code-analyzer/lint-results
    测试执行(Tester):
    bash
    npx claude-flow agent spawn --type tester --focus "test-execution"

# 运行测试套件
npm test  # 使用Jest/Mocha
# 或
pytest  # Python使用pytest
# 或
rspec  # Ruby使用rspec
    验证内容:
    • 所有单元测试通过
    • 所有集成测试通过
    • 所有端到端(E2E)测试通过(若适用)
    • 无不稳定测试失败
    • 测试执行时间在限制范围内
    内存存储路径
    code-review/${PR_ID}/phase-1/tester/test-results
    覆盖率分析(QA Engineer):
    bash
    npx claude-flow agent spawn --type tester --focus "coverage"

# 生成覆盖率报告
npm run test:coverage
    检查内容:
    • 整体覆盖率>80%
    • 新代码覆盖率>90%
    • 无关键路径未覆盖
    • 覆盖率变化(覆盖率是否下降)
    • 未测试的分支和条件
    内存存储路径
    code-review/${PR_ID}/phase-1/qa-engineer/coverage-report
    构建验证(Code Analyzer):
    bash
    # 清理构建验证
npm run build
# 或
python setup.py build
    验证内容:
    • 构建无错误、无警告
    • 类型检查通过(TypeScript、mypy)
    • 无损坏的依赖
    • 包大小在限制范围内(前端项目)
    • 无循环依赖
    内存存储路径
    code-review/${PR_ID}/phase-1/code-analyzer/build-status
  3. 评估第一关结果
    bash
    npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-1/*/results"
    PR管理器汇总自动化检查结果:
    • 代码风格检查:通过/失败(违规数量)
    • 测试:通过/失败(通过/失败/跳过数量)
    • 覆盖率:通过/失败(百分比、变化量)
    • 构建:通过/失败(错误/警告数量)
    决策逻辑
    javascript
    if (lintFailed || testsFailed || buildFailed) {
  // 请求提交者修复问题
  await notifyAuthor({
    status: 'CHANGES_REQUESTED',
    message: '自动化检查失败。请修复后再继续审查。',
    details: summarizeFailures()
  });

  // 存储反馈并终止审查
  await memory_store(`code-review/${PR_ID}/phase-1/automated-feedback`);
  return; // 终止审查,直到问题修复
}

// 所有自动化检查通过,进入第二阶段
await notifyAuthor({
  status: 'IN_REVIEW',
  message: '自动化检查通过。开始专项评审。'
});
输出
  • 自动化检查结果(每项检查的通过/失败状态)
  • 测试执行报告
  • 包含变化量的覆盖率报告
  • 构建状态
成功标准
  • 所有代码风格检查通过
  • 所有测试通过(测试套件100%通过)
  • 代码覆盖率达到阈值要求
  • 构建成功且无错误

Phase 2: Specialized Reviews (2 Hours, Parallel Expert Analysis)

第二阶段:专项评审(2小时,并行专家分析)

Duration: 2 hours Execution Mode: Parallel specialized reviews coordinated by PR manager Agents: 10 specialist reviewers
Process:
  1. Initialize Specialist Review Swarm
    bash
    npx claude-flow task orchestrate --strategy parallel --max-agents 10 --priority high
  2. Spawn All Specialist Reviewers Concurrently
    Each specialist reviews the PR from their domain expertise:
    Code Quality Review (Code Analyzer):
    bash
    npx claude-flow agent spawn --type code-analyzer --focus "code-quality"
    Reviews:
    • Readability: Clear names, appropriate function length, logical organization, cognitive complexity
    • Maintainability: DRY principle, SOLID principles, separation of concerns, error handling
    • Best Practices: Language idioms, design patterns, appropriate comments, no code smells
    Rating: 1-5 stars
    Findings Format:
    json
    {
  "category": "code_quality",
  "findings": [
    {
      "severity": "MEDIUM",
      "file": "src/utils/parser.ts",
      "line": 45,
      "issue": "Function 'parseData' has cognitive complexity of 15 (max 10)",
      "suggestion": "Extract nested conditionals into separate validation functions"
    }
  ],
  "rating": 4,
  "overall_assessment": "Good code quality with minor improvements needed"
}
    Memory Pattern: 
    code-review/${PR_ID}/phase-2/code-analyzer/quality-review
    Security Review (Security Manager):
    bash
    npx claude-flow agent spawn --type security-manager --focus "security-comprehensive"
    Reviews:
    • Authentication & Authorization: Proper auth checks, no privilege escalation, secure sessions
    • Data Security: Input validation (injection prevention), output encoding (XSS prevention), sensitive data encryption, no hardcoded secrets
    • OWASP Top 10: SQL Injection, XSS, CSRF, insecure dependencies, security misconfigurations
    Severity: CRITICAL/HIGH/MEDIUM/LOW
    Findings Format:
    json
    {
  "category": "security",
  "findings": [
    {
      "severity": "HIGH",
      "file": "src/api/users.ts",
      "line": 78,
      "issue": "User input not sanitized before database query (SQL Injection risk)",
      "owasp_category": "A03:2021 – Injection",
      "suggestion": "Use parameterized queries or ORM with proper escaping"
    },
    {
      "severity": "MEDIUM",
      "file": "src/config/secrets.ts",
      "line": 12,
      "issue": "API key appears to be hardcoded (potential secret leak)",
      "suggestion": "Move to environment variables and add to .env.example"
    }
  ],
  "critical_count": 0,
  "high_count": 1,
  "medium_count": 1,
  "overall_assessment": "1 high-severity issue must be fixed before merge"
}
    Memory Pattern: 
    code-review/${PR_ID}/phase-2/security-manager/security-review
    Performance Review (Performance Analyzer):
    bash
    npx claude-flow agent spawn --type perf-analyzer --focus "performance-optimization"
    Reviews:
    • Algorithmic Efficiency: Time complexity (no unnecessary O(n²)), efficient data structures, no redundant iterations
    • Resource Usage: No memory leaks, proper cleanup (connections, files, timers), efficient queries (avoid N+1)
    • Optimization Opportunities: Caching potential, parallelization, database indexes, API call reduction
    Impact: HIGH/MEDIUM/LOW
    Findings Format:
    json
    {
  "category": "performance",
  "findings": [
    {
      "impact": "HIGH",
      "file": "src/services/user-service.ts",
      "line": 125,
      "issue": "N+1 query problem: Loading user roles in loop (1 + N queries)",
      "performance_cost": "10x slower for 100 users",
      "suggestion": "Use eager loading with JOIN or batch query with IN clause"
    }
  ],
  "high_impact_count": 1,
  "estimated_improvement": "10x faster with suggested optimizations",
  "overall_assessment": "Significant performance regression without optimization"
}
    Memory Pattern: 
    code-review/${PR_ID}/phase-2/performance-analyzer/performance-review
    Architecture Review (System Architect):
    bash
    npx claude-flow agent spawn --type system-architect --focus "architecture-consistency"
    Reviews:
    • Design Patterns: Follows established patterns, appropriate abstraction, dependency injection, clean architecture
    • Integration: Fits with existing code, no unexpected side effects, backward compatibility, API contracts respected
    • Scalability: Supports future growth, no hardcoded limits, stateless design, horizontally scalable
    Concerns: BLOCKER/MAJOR/MINOR
    Findings Format:
    json
    {
  "category": "architecture",
  "findings": [
    {
      "concern": "MAJOR",
      "file": "src/services/payment-service.ts",
      "issue": "Payment service directly couples to Stripe SDK (violates adapter pattern)",
      "impact": "Difficult to switch payment providers in future",
      "suggestion": "Create PaymentProvider interface and StripeAdapter implementation"
    }
  ],
  "blocker_count": 0,
  "major_count": 1,
  "overall_assessment": "Architecture mostly consistent with 1 major design concern"
}
    Memory Pattern: 
    code-review/${PR_ID}/phase-2/system-architect/architecture-review
    Documentation Review (API Documentation Specialist):
    bash
    npx claude-flow agent spawn --type api-docs --focus "documentation-comprehensive"
    Reviews:
    • Code Documentation: Public APIs documented (JSDoc/docstring), complex logic explained, non-obvious behavior noted
    • External Documentation: README updated, API docs updated, migration guide (if breaking), changelog updated
    • Tests as Documentation: Descriptive test names, test coverage demonstrates usage, edge cases documented
    Completeness: 0-100%
    Findings Format:
    json
    {
  "category": "documentation",
  "findings": [
    {
      "severity": "MEDIUM",
      "file": "src/api/webhooks.ts",
      "issue": "New webhook endpoint /api/webhooks/stripe missing API documentation",
      "suggestion": "Add JSDoc with parameters, responses, and usage example"
    }
  ],
  "code_doc_coverage": 75,
  "external_doc_updated": false,
  "overall_assessment": "75% complete, missing API docs and changelog update"
}
    Memory Pattern: 
    code-review/${PR_ID}/phase-2/api-documentation-specialist/docs-review
    Additional Specialist Reviews (run in parallel):
    • Style Audit (Style Auditor): Code style consistency, formatting compliance
    • Dependency Audit (Dependency Analyzer): Outdated packages, security vulnerabilities in deps
    • Test Coverage (Test Coverage Reviewer): Coverage gaps, missing edge cases
    • Documentation Completeness (Documentation Reviewer): README, changelog, migration guides
    Each follows similar format with findings, severity, and recommendations.
  3. Aggregate Specialist Reviews
    bash
    npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-2/*/review"
npx claude-flow agent spawn --type pr-manager --focus "aggregation"
    PR Manager synthesizes all reviews:
    • Total findings: 15 issues (0 critical, 1 high, 8 medium, 6 low)
    • Quality rating: 4/5 stars
    • Security: 1 high-severity issue
    • Performance: 1 high-impact issue
    • Architecture: 1 major concern
    • Documentation: 75% complete
    Categorize issues:
    • Blocking Issues (must fix before merge): High-severity security issue, high-impact performance regression
    • High-Priority (should fix): Major architecture concern, medium security issues
    • Nice-to-Have (can fix later): Low-severity code quality improvements
    Memory Storage:
    bash
    npx claude-flow memory store --key "code-review/${PR_ID}/phase-2/aggregated-review" \
  --value "${AGGREGATED_FINDINGS_JSON}"
Outputs:
  • 10 specialized review reports
  • Aggregated findings with severity prioritization
  • Blocking issues list
  • Recommendations summary
Success Criteria:
  • All specialist reviews completed
  • Findings categorized by severity
  • Blocking issues clearly identified
  • Recommendations actionable and specific
时长:2小时 执行模式:由PR管理器协调的并行专项评审 涉及Agent:10名专业评审人员
流程
  1. 初始化专项评审集群
    bash
    npx claude-flow task orchestrate --strategy parallel --max-agents 10 --priority high
  2. 同时启动所有专项评审Agent
    每位专家从各自领域视角评审PR:
    代码质量评审(Code Analyzer):
    bash
    npx claude-flow agent spawn --type code-analyzer --focus "code-quality"
    评审内容:
    • 可读性:清晰的命名、合适的函数长度、逻辑组织、认知复杂度
    • 可维护性:DRY原则、SOLID原则、关注点分离、错误处理
    • 最佳实践:语言惯用写法、设计模式、恰当的注释、无代码异味
    评分:1-5星
    发现结果格式
    json
    {
  "category": "code_quality",
  "findings": [
    {
      "severity": "MEDIUM",
      "file": "src/utils/parser.ts",
      "line": 45,
      "issue": "函数'parseData'的认知复杂度为15(最大值为10)",
      "suggestion": "将嵌套条件提取为独立的验证函数"
    }
  ],
  "rating": 4,
  "overall_assessment": "代码质量良好,需要少量改进"
}
    内存存储路径
    code-review/${PR_ID}/phase-2/code-analyzer/quality-review
    安全评审(Security Manager):
    bash
    npx claude-flow agent spawn --type security-manager --focus "security-comprehensive"
    评审内容:
    • 身份认证与授权:正确的权限检查、无权限提升风险、安全会话管理
    • 数据安全:输入验证(防止注入攻击)、输出编码(防止XSS攻击)、敏感数据加密、无硬编码密钥
    • OWASP Top 10:SQL注入、XSS、CSRF、不安全依赖、安全配置错误
    严重程度:CRITICAL/HIGH/MEDIUM/LOW
    发现结果格式
    json
    {
  "category": "security",
  "findings": [
    {
      "severity": "HIGH",
      "file": "src/api/users.ts",
      "line": 78,
      "issue": "用户输入在数据库查询前未经过清理(存在SQL注入风险)",
      "owasp_category": "A03:2021 – 注入攻击",
      "suggestion": "使用参数化查询或带有正确转义的ORM"
    },
    {
      "severity": "MEDIUM",
      "file": "src/config/secrets.ts",
      "line": 12,
      "issue": "API密钥似乎是硬编码的(存在密钥泄露风险)",
      "suggestion": "将密钥移至环境变量,并添加到.env.example中"
    }
  ],
  "critical_count": 0,
  "high_count": 1,
  "medium_count": 1,
  "overall_assessment": "合并前必须修复1个高严重程度问题"
}
    内存存储路径
    code-review/${PR_ID}/phase-2/security-manager/security-review
    性能评审(Performance Analyzer):
    bash
    npx claude-flow agent spawn --type perf-analyzer --focus "performance-optimization"
    评审内容:
    • 算法效率:时间复杂度(无不必要的O(n²)操作)、高效的数据结构、无冗余迭代
    • 资源使用:无内存泄漏、正确的资源清理(连接、文件、定时器)、高效查询(避免N+1查询问题)
    • 优化机会:缓存潜力、并行化、数据库索引、减少API调用
    影响程度:HIGH/MEDIUM/LOW
    发现结果格式
    json
    {
  "category": "performance",
  "findings": [
    {
      "impact": "HIGH",
      "file": "src/services/user-service.ts",
      "line": 125,
      "issue": "N+1查询问题:在循环中加载用户角色(1 + N次查询)",
      "performance_cost": "对于100个用户,速度慢10倍",
      "suggestion": "使用JOIN预加载或IN子句批量查询"
    }
  ],
  "high_impact_count": 1,
  "estimated_improvement": "采用建议的优化方案后,速度提升10倍",
  "overall_assessment": "不进行优化会导致显著的性能退化"
}
    内存存储路径
    code-review/${PR_ID}/phase-2/performance-analyzer/performance-review
    架构评审(System Architect):
    bash
    npx claude-flow agent spawn --type system-architect --focus "architecture-consistency"
    评审内容:
    • 设计模式:遵循已确立的模式、恰当的抽象、依赖注入、整洁架构
    • 集成适配:与现有代码兼容、无意外副作用、向后兼容、遵循API契约
    • 可扩展性:支持未来增长、无硬编码限制、无状态设计、可水平扩展
    问题等级:BLOCKER/MAJOR/MINOR
    发现结果格式
    json
    {
  "category": "architecture",
  "findings": [
    {
      "concern": "MAJOR",
      "file": "src/services/payment-service.ts",
      "issue": "支付服务直接耦合到Stripe SDK(违反适配器模式)",
      "impact": "未来难以切换支付提供商",
      "suggestion": "创建PaymentProvider接口和StripeAdapter实现"
    }
  ],
  "blocker_count": 0,
  "major_count": 1,
  "overall_assessment": "架构整体一致,存在1个主要设计问题"
}
    内存存储路径
    code-review/${PR_ID}/phase-2/system-architect/architecture-review
    文档评审(API Documentation Specialist):
    bash
    npx claude-flow agent spawn --type api-docs --focus "documentation-comprehensive"
    评审内容:
    • 代码文档:公共API已文档化(JSDoc/docstring)、复杂逻辑已说明、非直观行为已标注
    • 外部文档:README已更新、API文档已更新、迁移指南(若有破坏性变更)、变更日志已更新
    • 测试作为文档:描述性的测试名称、测试覆盖率展示用法、边缘情况已文档化
    完整性:0-100%
    发现结果格式
    json
    {
  "category": "documentation",
  "findings": [
    {
      "severity": "MEDIUM",
      "file": "src/api/webhooks.ts",
      "issue": "新的Webhook端点/api/webhooks/stripe缺少API文档",
      "suggestion": "添加包含参数、响应和使用示例的JSDoc"
    }
  ],
  "code_doc_coverage": 75,
  "external_doc_updated": false,
  "overall_assessment": "完成度75%,缺少API文档和变更日志更新"
}
    内存存储路径
    code-review/${PR_ID}/phase-2/api-documentation-specialist/docs-review
    其他专项评审(并行运行):
    • 风格审计(Style Auditor):代码风格一致性、格式合规性
    • 依赖审计(Dependency Analyzer):过时包、依赖中的安全漏洞
    • 测试覆盖率(Test Coverage Reviewer):覆盖率缺口、缺失的边缘情况
    • 文档完整性(Documentation Reviewer):README、变更日志、迁移指南
    每个评审都遵循类似的格式,包含发现结果、严重程度和建议。
  3. 汇总专项评审结果
    bash
    npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-2/*/review"
npx claude-flow agent spawn --type pr-manager --focus "aggregation"
    PR管理器综合所有评审结果:
    • 总发现问题:15个(0个严重、1个高、8个中、6个低)
    • 质量评分:4/5星
    • 安全:1个高严重程度问题
    • 性能:1个高影响问题
    • 架构:1个主要问题
    • 文档:完成度75%
    问题分类:
    • 阻塞问题(合并前必须修复):高严重程度安全问题、高影响性能退化
    • 高优先级(应该修复):主要架构问题、中等严重程度安全问题
    • 建议改进(可后续修复):低严重程度代码质量改进
    内存存储
    bash
    npx claude-flow memory store --key "code-review/${PR_ID}/phase-2/aggregated-review" \
  --value "${AGGREGATED_FINDINGS_JSON}"
输出
  • 10份专项评审报告
  • 按严重程度优先级排序的汇总发现结果
  • 阻塞问题列表
  • 建议总结
成功标准
  • 所有专项评审完成
  • 发现结果按严重程度分类
  • 阻塞问题已明确识别
  • 建议可执行且具体

Phase 3: Integration Analysis (1 Hour, Sequential Impact Assessment)

第三阶段:集成分析(1小时,顺序影响评估)

Duration: 1 hour Execution Mode: Sequential end-to-end impact analysis Agents: 
tester
, 
devops-engineer
, 
product-manager
, 
code-reviewer
Process:
  1. Integration Testing
    bash
    npx claude-flow agent spawn --type tester --focus "integration-impact"
    QA Engineer tests:
    • Does this change break existing functionality?
    • Are all integration tests passing?
    • Does it integrate properly with related modules?
    • Any unexpected side effects or regressions?
    Run integration test suite:
    bash
    npm run test:integration
    Findings:
    • Integration tests: 45/45 passing
    • No regressions detected
    • New functionality integrates cleanly
    Memory Pattern: 
    code-review/${PR_ID}/phase-3/tester/integration-tests
  2. Deployment Impact Assessment
    bash
    npx claude-flow memory retrieve --key "code-review/${PR_ID}/metadata"
npx claude-flow agent spawn --type cicd-engineer --focus "deployment-impact"
    DevOps Engineer evaluates:
    • Infrastructure changes needed? (new services, scaling)
    • Database migrations required? (schema changes)
    • Configuration updates needed? (env vars, secrets)
    • Backward compatibility maintained? (can rollback safely)
    • Rollback plan clear and tested?
    Findings:
    json
    {
  "infrastructure_changes": ["Add Redis cache for session storage"],
  "database_migrations": ["Add index on users.email for faster lookups"],
  "config_updates": ["Add REDIS_URL environment variable"],
  "backward_compatible": true,
  "rollback_complexity": "LOW",
  "deployment_risk": "MEDIUM"
}
    Memory Pattern: 
    code-review/${PR_ID}/phase-3/devops-engineer/deployment-impact
  3. User Impact Assessment
    bash
    npx claude-flow agent spawn --type planner --focus "user-impact"
    Product Manager assesses:
    • Does this improve user experience?
    • Any user-facing changes? (UI/UX)
    • Consistent with design system?
    • Analytics/tracking updated?
    • Feature flags needed?
    Findings:
    json
    {
  "user_facing_changes": ["New export functionality in dashboard"],
  "ux_impact": "POSITIVE",
  "design_system_compliant": true,
  "analytics_updated": false,
  "feature_flag_recommended": true
}
    Memory Pattern: 
    code-review/${PR_ID}/phase-3/product-manager/user-impact
  4. Risk Assessment
    bash
    npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-3/*"
npx claude-flow agent spawn --type reviewer --focus "risk-analysis"
    Code Reviewer analyzes:
    • What's the blast radius of this change? (how many users/services affected)
    • Worst-case failure scenario? (data loss, downtime, security breach)
    • Do we have rollback procedures? (tested and documented)
    • Should this be feature-flagged? (gradual rollout)
    • Is monitoring and alerting adequate? (can detect issues quickly)
    Risk Matrix:
    json
    {
  "blast_radius": "MEDIUM (affects 30% of users)",
  "worst_case_scenario": "Temporary export failures (no data loss)",
  "rollback_available": true,
  "rollback_tested": false,
  "feature_flag_needed": true,
  "monitoring_adequate": true,
  "overall_risk": "MEDIUM",
  "recommendation": "CONDITIONAL_APPROVE (add feature flag + test rollback)"
}
    Memory Pattern: 
    code-review/${PR_ID}/phase-3/code-reviewer/risk-analysis
Outputs:
  • Integration test results
  • Deployment impact report
  • User impact assessment
  • Risk analysis with mitigation recommendations
Success Criteria:
  • Integration tests passing
  • Deployment plan documented
  • User impact understood
  • Risk assessment complete with mitigation
时长:1小时 执行模式:顺序端到端影响分析 涉及Agent
tester
, 
devops-engineer
, 
product-manager
, 
code-reviewer
流程
  1. 集成测试
    bash
    npx claude-flow agent spawn --type tester --focus "integration-impact"
    QA工程师测试内容:
    • 此变更是否破坏现有功能?
    • 所有集成测试是否通过?
    • 是否与相关模块正确集成?
    • 是否有意外副作用或退化?
    运行集成测试套件:
    bash
    npm run test:integration
    发现结果
    • 集成测试:45/45通过
    • 未检测到退化
    • 新功能集成顺畅
    内存存储路径
    code-review/${PR_ID}/phase-3/tester/integration-tests
  2. 部署影响评估
    bash
    npx claude-flow memory retrieve --key "code-review/${PR_ID}/metadata"
npx claude-flow agent spawn --type cicd-engineer --focus "deployment-impact"
    DevOps工程师评估内容:
    • 是否需要基础设施变更?(新服务、扩容)
    • 是否需要数据库迁移?( schema变更)
    • 是否需要配置更新?(环境变量、密钥)
    • 是否保持向后兼容?(能否安全回滚)
    • 回滚计划是否清晰且经过测试?
    发现结果
    json
    {
  "infrastructure_changes": ["为会话存储添加Redis缓存"],
  "database_migrations": ["为users.email添加索引以加快查询"],
  "config_updates": ["添加REDIS_URL环境变量"],
  "backward_compatible": true,
  "rollback_complexity": "LOW",
  "deployment_risk": "MEDIUM"
}
    内存存储路径
    code-review/${PR_ID}/phase-3/devops-engineer/deployment-impact
  3. 用户影响评估
    bash
    npx claude-flow agent spawn --type planner --focus "user-impact"
    产品经理评估内容:
    • 此变更是否提升用户体验?
    • 是否有面向用户的变更?(UI/UX)
    • 是否符合设计系统?
    • 分析/跟踪是否已更新?
    • 是否需要功能开关?
    发现结果
    json
    {
  "user_facing_changes": ["仪表板添加新的导出功能"],
  "ux_impact": "POSITIVE",
  "design_system_compliant": true,
  "analytics_updated": false,
  "feature_flag_recommended": true
}
    内存存储路径
    code-review/${PR_ID}/phase-3/product-manager/user-impact
  4. 风险评估
    bash
    npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-3/*"
npx claude-flow agent spawn --type reviewer --focus "risk-analysis"
    代码评审人员分析内容:
    • 此变更的影响范围有多大?(影响多少用户/服务)
    • 最坏故障场景是什么?(数据丢失、停机、安全漏洞)
    • 是否有回滚流程?(已测试且文档化)
    • 是否需要功能开关?(逐步发布)
    • 监控和告警是否足够?(能否快速检测问题)
    风险矩阵
    json
    {
  "blast_radius": "MEDIUM (影响30%的用户)",
  "worst_case_scenario": "临时导出失败(无数据丢失)",
  "rollback_available": true,
  "rollback_tested": false,
  "feature_flag_needed": true,
  "monitoring_adequate": true,
  "overall_risk": "MEDIUM",
  "recommendation": "CONDITIONAL_APPROVE (添加功能开关 + 测试回滚)"
}
    内存存储路径
    code-review/${PR_ID}/phase-3/code-reviewer/risk-analysis
输出
  • 集成测试结果
  • 部署影响报告
  • 用户影响评估
  • 包含缓解建议的风险分析
成功标准
  • 集成测试通过
  • 部署计划已文档化
  • 用户影响已明确
  • 风险评估完成且包含缓解措施

Phase 4: Final Approval (30 Minutes, Decision & Notification)

第四阶段:最终批准(30分钟,决策与通知)

Duration: 30 minutes Execution Mode: Sequential synthesis and decision Agents: 
pr-manager
Process:
  1. Generate Final Review Summary
    bash
    npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/**"
npx claude-flow agent spawn --type pr-manager --focus "final-summary"
    PR Manager synthesizes all phases:
    Summary Report:
    markdown
    # Code Review Summary: PR #${PR_NUMBER}

## Automated Checks ✅
- Linting: ✅ PASS (0 violations)
- Tests: ✅ PASS (142/142 passing)
- Coverage: ✅ PASS (93.5%, +2.3% delta)
- Build: ✅ PASS (clean build, no warnings)

## Specialized Reviews
- **Code Quality**: 4/5 stars (Good quality, minor improvements suggested)
- **Security**: ⚠️ 1 HIGH issue (SQL injection risk in user query)
- **Performance**: ⚠️ 1 HIGH impact (N+1 query problem)
- **Architecture**: ⚠️ 1 MAJOR concern (tight coupling to payment provider)
- **Documentation**: 75% complete (missing API docs + changelog)

## Integration Analysis
- **Integration Tests**: ✅ All passing (45/45)
- **Deployment Impact**: MEDIUM risk (requires Redis + DB migration)
- **User Impact**: POSITIVE (new export feature)
- **Risk Level**: MEDIUM (feature flag recommended)

## Blocking Issues (MUST FIX)
1. [HIGH/SECURITY] SQL injection risk in src/api/users.ts:78
2. [HIGH/PERFORMANCE] N+1 query in src/services/user-service.ts:125

## High-Priority Recommendations (SHOULD FIX)
3. [MAJOR/ARCHITECTURE] Decouple payment service from Stripe SDK
4. [MEDIUM/DOCUMENTATION] Add API documentation for webhook endpoint
5. [MEDIUM/DEPLOYMENT] Add feature flag for gradual rollout

## Overall Decision: ⏸️ REQUEST CHANGES

**Rationale**: Code is high quality overall, but 2 blocking issues (security + performance) must be addressed before merge. Once fixed, this PR will be ready for production.

**Next Steps**:
1. Author fixes blocking issues (estimated 2-4 hours)
2. Re-run automated checks + security/performance reviews
3. Once green, approve for merge with feature flag enabled
    Memory Storage:
    bash
    npx claude-flow memory store --key "code-review/${PR_ID}/phase-4/final-summary" \
  --value "${FINAL_SUMMARY_MARKDOWN}"
  2. Determine Decision
    Decision Logic:
    javascript
    function determineDecision(aggregatedReview) {
  const { blocking, highPriority, security, performance } = aggregatedReview;

  // REJECT: Fundamental architectural problems or severe quality issues
  if (blocking.length > 5 || security.critical > 0) {
    return {
      decision: 'REJECT',
      message: 'Too many critical issues or fundamental architectural problems. Consider alternative approach.'
    };
  }

  // REQUEST CHANGES: Blocking issues that must be fixed
  if (blocking.length > 0 || security.high > 0 || performance.high > 0) {
    return {
      decision: 'REQUEST_CHANGES',
      message: `${blocking.length} blocking issue(s) must be fixed before merge.`
    };
  }

  // CONDITIONAL APPROVE: High-priority items should be addressed
  if (highPriority.length > 0) {
    return {
      decision: 'CONDITIONAL_APPROVE',
      message: `Approved with ${highPriority.length} recommendations to address before or after merge.`
    };
  }

  // APPROVE: All quality gates passed
  return {
    decision: 'APPROVE',
    message: 'All quality checks passed. Ready to merge.'
  };
}
  3. Notify Author
    bash
    npx claude-flow agent spawn --type pr-manager --focus "author-notification"
    PR Manager sends notification:
    • GitHub PR comment with full review summary
    • Label PR appropriately ("changes-requested", "approved", "rejected")
    • Assign back to author (if changes needed)
    • Tag relevant reviewers for specific issues
    GitHub PR Comment (example for REQUEST_CHANGES):
    markdown
    ## 🔍 Comprehensive Code Review Complete

Thank you for your contribution! Our automated review system has completed a thorough analysis.

### ✅ What Went Well
- All automated checks passing (tests, coverage, linting)
- Clean code architecture overall
- Good test coverage (93.5%)

### ⚠️ Issues Requiring Attention

#### Blocking Issues (Must Fix Before Merge)

1. **[HIGH/SECURITY]** SQL Injection Risk
   - **File**: `src/api/users.ts:78`
   - **Issue**: User input not sanitized before database query
   - **Fix**: Use parameterized queries or ORM with proper escaping
   - **Priority**: CRITICAL

2. **[HIGH/PERFORMANCE]** N+1 Query Problem
   - **File**: `src/services/user-service.ts:125`
   - **Issue**: Loading user roles in loop (10x slower for 100 users)
   - **Fix**: Use eager loading with JOIN or batch query
   - **Priority**: HIGH

#### Recommendations (Should Address)

3. **[MAJOR/ARCHITECTURE]** Payment Service Coupling
   - Create PaymentProvider interface for future flexibility
   - See: [Architecture Best Practices](link)

4. **[MEDIUM/DOCUMENTATION]** Missing API Documentation
   - Add JSDoc for webhook endpoint
   - Update changelog with this new feature

### 🔄 Next Steps

1. Address the 2 blocking issues above
2. Push updates to this PR branch
3. Automated checks will re-run automatically
4. We'll re-review security and performance aspects
5. Once green, we'll approve for merge!

**Estimated time to fix**: 2-4 hours

---
🤖 Generated by Claude Code Review System | [View Full Report](link)
    Memory Storage:
    bash
    npx claude-flow memory store --key "code-review/${PR_ID}/phase-4/author-notification"
npx claude-flow hooks post-task --task-id "code-review-${PR_ID}" --export-report true
  4. Execute Decision Actions
    Based on decision, take appropriate GitHub actions:
    If APPROVE:
    bash
    # Add approval label
gh pr edit ${PR_NUMBER} --add-label "approved"

# Add approval review
gh pr review ${PR_NUMBER} --approve --body "✅ All quality checks passed. Ready to merge."

# Queue for merge (if auto-merge enabled)
gh pr merge ${PR_NUMBER} --auto --squash
    If REQUEST_CHANGES:
    bash
    # Add changes-requested label
gh pr edit ${PR_NUMBER} --add-label "changes-requested" --remove-label "approved"

# Request changes
gh pr review ${PR_NUMBER} --request-changes --body "${REVIEW_COMMENT_MARKDOWN}"

# Assign back to author
gh pr edit ${PR_NUMBER} --add-assignee ${AUTHOR_USERNAME}

# Schedule follow-up review
npx claude-flow memory store --key "code-review/${PR_ID}/follow-up/scheduled" --value "true"
    If REJECT:
    bash
    # Add rejected label
gh pr edit ${PR_NUMBER} --add-label "rejected"

# Provide detailed explanation
gh pr review ${PR_NUMBER} --request-changes --body "${DETAILED_REJECTION_REASON}"

# Suggest alternative approaches
gh pr comment ${PR_NUMBER} --body "Consider these alternative approaches: ${ALTERNATIVES}"
  5. Finalize Review Session
    bash
    npx claude-flow hooks session-end --export-metrics true
npx claude-flow hooks post-task --task-id "pr-${PR_ID}"
Outputs:
  • Final review summary (comprehensive report)
  • Merge decision (Approve/Request Changes/Reject)
  • Author notification (GitHub comment)
  • GitHub labels and status updated
Success Criteria:
  • Final summary generated and comprehensive
  • Decision clear and justified
  • Author notified with actionable feedback
  • GitHub PR status updated appropriately
时长:30分钟 执行模式:顺序综合与决策 涉及Agent
pr-manager
流程
  1. 生成最终评审总结
    bash
    npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/**"
npx claude-flow agent spawn --type pr-manager --focus "final-summary"
    PR管理器综合所有阶段结果:
    总结报告
    markdown
    # 代码审查总结:PR #${PR_NUMBER}

## 自动化检查 ✅
- 代码风格检查:✅ 通过(0违规)
- 测试:✅ 通过(142/142通过)
- 覆盖率:✅ 通过(93.5%,提升2.3%)
- 构建:✅ 通过(构建干净,无警告)

## 专项评审
- **代码质量**:4/5星(质量良好,建议少量改进)
- **安全**:⚠️ 1个高严重程度问题(用户查询中的SQL注入风险)
- **性能**:⚠️ 1个高影响问题(N+1查询问题)
- **架构**:⚠️ 1个主要问题(与支付提供商紧耦合)
- **文档**:完成度75%(缺少API文档 + 变更日志)

## 集成分析
- **集成测试**:✅ 全部通过(45/45)
- **部署影响**:中等风险(需要Redis + 数据库迁移)
- **用户影响**:积极(新增导出功能)
- **风险等级**:中等(建议使用功能开关)

## 阻塞问题(必须修复)
1. [高/安全] src/api/users.ts:78中的SQL注入风险
2. [高/性能] src/services/user-service.ts:125中的N+1查询问题

## 高优先级建议(应该修复)
3. [主要/架构] 将支付服务与Stripe SDK解耦
4. [中等/文档] 为Webhook端点添加API文档
5. [中等/部署] 添加功能开关以逐步发布

## 总体决策:⏸️ 请求变更

**理由**:代码整体质量较高,但存在2个阻塞问题(安全 + 性能),必须在合并前解决。修复后,此PR即可投入生产。

**下一步**1. 提交者修复阻塞问题(预计2-4小时)
2. 重新运行自动化检查 + 安全/性能评审
3. 全部通过后,启用功能开关并批准合并
    内存存储
    bash
    npx claude-flow memory store --key "code-review/${PR_ID}/phase-4/final-summary" \
  --value "${FINAL_SUMMARY_MARKDOWN}"
  2. 确定决策
    决策逻辑
    javascript
    function determineDecision(aggregatedReview) {
  const { blocking, highPriority, security, performance } = aggregatedReview;

  // 拒绝:存在根本性架构问题或严重质量问题
  if (blocking.length > 5 || security.critical > 0) {
    return {
      decision: 'REJECT',
      message: '存在过多关键问题或根本性架构问题。请考虑替代方案。'
    };
  }

  // 请求变更:存在必须修复的阻塞问题
  if (blocking.length > 0 || security.high > 0 || performance.high > 0) {
    return {
      decision: 'REQUEST_CHANGES',
      message: `${blocking.length}个阻塞问题必须在合并前修复。`
    };
  }

  // 有条件批准:应解决高优先级问题
  if (highPriority.length > 0) {
    return {
      decision: 'CONDITIONAL_APPROVE',
      message: `已批准,合并前或合并后需解决${highPriority.length}个建议问题。`
    };
  }

  // 批准:所有质量关卡通过
  return {
    decision: 'APPROVE',
    message: '所有质量检查通过。可合并。'
  };
}
  3. 通知提交者
    bash
    npx claude-flow agent spawn --type pr-manager --focus "author-notification"
    PR管理器发送通知:
    • 在GitHub PR中添加包含完整评审总结的评论
    • 为PR添加适当标签("changes-requested", "approved", "rejected")
    • (若需要变更)重新分配给提交者
    • 为特定问题标记相关评审人员
    GitHub PR评论示例(请求变更)
    markdown
    ## 🔍 全面代码审查完成

感谢您的贡献!我们的自动化评审系统已完成全面分析。

### ✅ 亮点
- 所有自动化检查通过(测试、覆盖率、代码风格)
- 代码架构整体整洁
- 测试覆盖率良好(93.5%)

### ⚠️ 需要关注的问题

#### 阻塞问题(合并前必须修复)

1. **[高/安全]** SQL注入风险
   - **文件**`src/api/users.ts:78`
   - **问题**:用户输入在数据库查询前未经过清理
   - **修复方案**:使用参数化查询或带有正确转义的ORM
   - **优先级**:CRITICAL

2. **[高/性能]** N+1查询问题
   - **文件**`src/services/user-service.ts:125`
   - **问题**:在循环中加载用户角色(对于100个用户,速度慢10倍)
   - **修复方案**:使用JOIN预加载或IN子句批量查询
   - **优先级**:HIGH

#### 建议(应该解决)

3. **[主要/架构]** 支付服务耦合
   - 创建PaymentProvider接口以提升未来灵活性
   - 参考:[架构最佳实践](链接)

4. **[中等/文档]** 缺少API文档
   - 为Webhook端点添加JSDoc
   - 更新变更日志以包含此新功能

### 🔄 下一步

1. 解决上述2个阻塞问题
2. 将更新推送到此PR分支
3. 自动化检查将自动重新运行
4. 我们将重新评审安全和性能方面
5. 全部通过后,我们将批准合并!

**预计修复时间**:2-4小时

---
🤖 由Claude代码评审系统生成 | [查看完整报告](链接)
    内存存储
    bash
    npx claude-flow memory store --key "code-review/${PR_ID}/phase-4/author-notification"
npx claude-flow hooks post-task --task-id "code-review-${PR_ID}" --export-report true
  4. 执行决策操作
    根据决策,执行相应的GitHub操作:
    若批准
    bash
    # 添加批准标签
gh pr edit ${PR_NUMBER} --add-label "approved"

# 添加批准评审
gh pr review ${PR_NUMBER} --approve --body "✅ 所有质量检查通过。可合并。"

# 排入合并队列(若启用自动合并)
gh pr merge ${PR_NUMBER} --auto --squash
    若请求变更
    bash
    # 添加需要变更标签
gh pr edit ${PR_NUMBER} --add-label "changes-requested" --remove-label "approved"

# 请求变更
gh pr review ${PR_NUMBER} --request-changes --body "${REVIEW_COMMENT_MARKDOWN}"

# 重新分配给提交者
gh pr edit ${PR_NUMBER} --add-assignee ${AUTHOR_USERNAME}

# 安排后续评审
npx claude-flow memory store --key "code-review/${PR_ID}/follow-up/scheduled" --value "true"
    若拒绝
    bash
    # 添加拒绝标签
gh pr edit ${PR_NUMBER} --add-label "rejected"

# 提供详细解释
gh pr review ${PR_NUMBER} --request-changes --body "${DETAILED_REJECTION_REASON}"

# 建议替代方案
gh pr comment ${PR_NUMBER} --body "考虑以下替代方案:${ALTERNATIVES}"
  5. 完成评审会话
    bash
    npx claude-flow hooks session-end --export-metrics true
npx claude-flow hooks post-task --task-id "pr-${PR_ID}"
输出
  • 最终评审总结(全面报告)
  • 合并决策(批准/请求变更/拒绝)
  • 提交者通知(GitHub评论)
  • GitHub标签和状态已更新
成功标准
  • 最终总结已生成且全面
  • 决策清晰且有依据
  • 提交者已收到可执行的反馈
  • GitHub PR状态已适当更新

Memory Coordination

内存协调

Namespace Convention

命名空间约定

All review data follows this hierarchical pattern:
code-review/{pr-id}/phase-{N}/{reviewer-type}/{findings-type}
Examples:
  • code-review/repo/pulls/123/metadata
  • code-review/repo/pulls/123/phase-1/code-analyzer/lint-results
  • code-review/repo/pulls/123/phase-2/security-manager/security-review
  • code-review/repo/pulls/123/phase-3/devops-engineer/deployment-impact
  • code-review/repo/pulls/123/phase-4/final-summary
所有评审数据遵循以下分层模式:
code-review/{pr-id}/phase-{N}/{reviewer-type}/{findings-type}
示例
  • code-review/repo/pulls/123/metadata
  • code-review/repo/pulls/123/phase-1/code-analyzer/lint-results
  • code-review/repo/pulls/123/phase-2/security-manager/security-review
  • code-review/repo/pulls/123/phase-3/devops-engineer/deployment-impact
  • code-review/repo/pulls/123/phase-4/final-summary

Cross-Phase Data Flow

跨阶段数据流

Phase 1 → Phase 2:
bash
undefined
第一阶段 → 第二阶段
bash
undefined

Phase 2 reviewers check if Phase 1 passed

第二阶段评审人员检查第一阶段是否通过

npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-1/*/results"
npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-1/*/results"

Only proceed if all automated checks passed

仅当所有自动化检查通过时才继续

if [ "$(jq '.all_passed' < phase1_results.json)" = "true" ]; then

Spawn specialist reviewers

npx claude-flow task orchestrate --strategy parallel fi

**Phase 2 → Phase 3**:
```bash
if [ "$(jq '.all_passed' < phase1_results.json)" = "true" ]; then

启动专项评审Agent

npx claude-flow task orchestrate --strategy parallel fi

**第二阶段 → 第三阶段**:
```bash

Phase 3 integration analysis references specialist findings

第三阶段集成分析参考专项评审发现结果

npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-2/security-manager/security-review" npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-2/performance-analyzer/performance-review"
npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-2/security-manager/security-review" npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/phase-2/performance-analyzer/performance-review"

Risk analysis considers all specialist findings

风险分析考虑所有专项评审发现结果


**Phase 3 → Phase 4**:
```bash

**第三阶段 → 第四阶段**:
```bash

Phase 4 final decision aggregates all prior phases

第四阶段最终决策汇总所有前期阶段结果

npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/**"
npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/**"

Generate comprehensive summary

生成全面总结


---

---

Scripts & Automation

脚本与自动化

Pre-Review Initialization

评审前初始化

bash
#!/bin/bash
bash
#!/bin/bash

Initialize code review workflow

初始化代码审查工作流

PR_NUMBER="$1" REPO="$2" # e.g., "owner/repo" PR_ID="${REPO}/pulls/${PR_NUMBER}"
PR_NUMBER="$1" REPO="$2" # 示例:"owner/repo" PR_ID="${REPO}/pulls/${PR_NUMBER}"

Fetch PR metadata via GitHub API

通过GitHub API获取PR元数据

PR_DATA=$(gh pr view ${PR_NUMBER} --json number,title,author,files,additions,deletions)
PR_DATA=$(gh pr view ${PR_NUMBER} --json number,title,author,files,additions,deletions)

Setup coordination

设置协调

npx claude-flow hooks pre-task --description "Code review: PR #${PR_NUMBER}"
npx claude-flow hooks pre-task --description "Code review: PR #${PR_NUMBER}"

Initialize star topology swarm (central coordinator + specialists)

初始化星型拓扑集群(中央协调者 + 专家)

npx claude-flow swarm init --topology star --max-agents 15 --strategy specialized
npx claude-flow swarm init --topology star --max-agents 15 --strategy specialized

Store PR metadata

存储PR元数据

npx claude-flow memory store --key "code-review/${PR_ID}/metadata" --value "${PR_DATA}"
echo "✅ Code review initialized: PR #${PR_NUMBER}"
undefined
npx claude-flow memory store --key "code-review/${PR_ID}/metadata" --value "${PR_DATA}"
echo "✅ 代码审查已初始化:PR #${PR_NUMBER}"
undefined

Automated Check Gate

自动化检查关卡

bash
#!/bin/bash
bash
#!/bin/bash

Execute Phase 1 automated checks (gate)

执行第一阶段自动化检查(关卡)

PR_ID="$1"
echo "🤖 Running automated checks..."
PR_ID="$1"
echo "🤖 运行自动化检查..."

Run checks in parallel

并行运行检查

npx claude-flow task orchestrate --strategy parallel --max-agents 4 << EOF lint: npm run lint test: npm test coverage: npm run test:coverage build: npm run build EOF
npx claude-flow task orchestrate --strategy parallel --max-agents 4 << EOF lint: npm run lint test: npm test coverage: npm run test:coverage build: npm run build EOF

Aggregate results

汇总结果

LINT_STATUS=$(npx claude-flow memory retrieve --key "code-review/${PR_ID}/phase-1/code-analyzer/lint-results" | jq -r '.status') TEST_STATUS=$(npx claude-flow memory retrieve --key "code-review/${PR_ID}/phase-1/tester/test-results" | jq -r '.status') COVERAGE_OK=$(npx claude-flow memory retrieve --key "code-review/${PR_ID}/phase-1/qa-engineer/coverage-report" | jq -r '.meets_threshold') BUILD_STATUS=$(npx claude-flow memory retrieve --key "code-review/${PR_ID}/phase-1/code-analyzer/build-status" | jq -r '.status')
LINT_STATUS=$(npx claude-flow memory retrieve --key "code-review/${PR_ID}/phase-1/code-analyzer/lint-results" | jq -r '.status') TEST_STATUS=$(npx claude-flow memory retrieve --key "code-review/${PR_ID}/phase-1/tester/test-results" | jq -r '.status') COVERAGE_OK=$(npx claude-flow memory retrieve --key "code-review/${PR_ID}/phase-1/qa-engineer/coverage-report" | jq -r '.meets_threshold') BUILD_STATUS=$(npx claude-flow memory retrieve --key "code-review/${PR_ID}/phase-1/code-analyzer/build-status" | jq -r '.status')

Check if all passed

检查是否全部通过

if [ "$LINT_STATUS" = "PASS" ] && [ "$TEST_STATUS" = "PASS" ] && [ "$COVERAGE_OK" = "true" ] && [ "$BUILD_STATUS" = "PASS" ]; then echo "✅ All automated checks passed. Proceeding to specialist reviews." exit 0 else echo "❌ Automated checks failed. Requesting fixes from author." gh pr review ${PR_NUMBER} --request-changes --body "Automated checks failed. Please fix before review continues." exit 1 fi
undefined
if [ "$LINT_STATUS" = "PASS" ] && [ "$TEST_STATUS" = "PASS" ] && [ "$COVERAGE_OK" = "true" ] && [ "$BUILD_STATUS" = "PASS" ]; then echo "✅ 所有自动化检查通过。开始专项评审。" exit 0 else echo "❌ 自动化检查失败。请求提交者修复。" gh pr review ${PR_NUMBER} --request-changes --body "自动化检查失败。请修复后再继续审查。" exit 1 fi
undefined

Parallel Specialist Review

并行专项评审

bash
#!/bin/bash
bash
#!/bin/bash

Execute Phase 2 specialist reviews in parallel

并行执行第二阶段专项评审

PR_ID="$1"
echo "👥 Spawning specialist reviewers..."
PR_ID="$1"
echo "👥 启动专项评审Agent..."

Spawn all reviewers concurrently via Claude Flow

通过Claude Flow同时启动所有评审Agent

npx claude-flow task orchestrate --strategy parallel --max-agents 10 << EOF code_quality: Review code quality (readability, maintainability, best practices) security: Review security vulnerabilities (OWASP Top 10, secrets, auth) performance: Review performance (algorithms, resource usage, optimizations) architecture: Review architecture consistency (patterns, integration, scalability) documentation: Review documentation completeness (code docs, API docs, changelog) style: Review code style consistency dependencies: Review dependency security and updates test_coverage: Review test coverage gaps external_docs: Review README and migration guides integration: Review integration fit with existing codebase EOF
npx claude-flow task orchestrate --strategy parallel --max-agents 10 << EOF code_quality: 评审代码质量(可读性、可维护性、最佳实践) security: 评审安全漏洞(OWASP Top 10、密钥、身份认证) performance: 评审性能(算法、资源使用、优化) architecture: 评审架构一致性(模式、集成、可扩展性) documentation: 评审文档完整性(代码文档、API文档、变更日志) style: 评审代码风格一致性 dependencies: 评审依赖安全和更新 test_coverage: 评审测试覆盖率缺口 external_docs: 评审README和迁移指南 integration: 评审与现有代码库的集成适配性 EOF

Wait for all reviews to complete

等待所有评审完成

npx claude-flow task status --wait
echo "✅ All specialist reviews complete."
undefined
npx claude-flow task status --wait
echo "✅ 所有专项评审完成。"
undefined

Final Decision Script

最终决策脚本

bash
#!/bin/bash
bash
#!/bin/bash

Generate final decision and notify author

生成最终决策并通知提交者

PR_ID="$1" PR_NUMBER=$(echo $PR_ID | cut -d'/' -f3)
PR_ID="$1" PR_NUMBER=$(echo $PR_ID | cut -d'/' -f3)

Retrieve all review data

获取所有评审数据

npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/**" > "/tmp/${PR_ID}-reviews.json"
npx claude-flow memory retrieve --pattern "code-review/${PR_ID}/**" > "/tmp/${PR_ID}-reviews.json"

Count issues by severity

按严重程度统计问题数量

CRITICAL_COUNT=$(jq '[.. | .severity? | select(. == "CRITICAL")] | length' /tmp/${PR_ID}-reviews.json) HIGH_COUNT=$(jq '[.. | .severity? | select(. == "HIGH")] | length' /tmp/${PR_ID}-reviews.json) BLOCKING_COUNT=$((CRITICAL_COUNT + HIGH_COUNT))
CRITICAL_COUNT=$(jq '[.. | .severity? | select(. == "CRITICAL")] | length' /tmp/${PR_ID}-reviews.json) HIGH_COUNT=$(jq '[.. | .severity? | select(. == "HIGH")] | length' /tmp/${PR_ID}-reviews.json) BLOCKING_COUNT=$((CRITICAL_COUNT + HIGH_COUNT))

Determine decision

确定决策

if [ $CRITICAL_COUNT -gt 0 ] || [ $BLOCKING_COUNT -gt 5 ]; then DECISION="REJECT" elif [ $BLOCKING_COUNT -gt 0 ]; then DECISION="REQUEST_CHANGES" else DECISION="APPROVE" fi
echo "📊 Review Decision: ${DECISION}" echo " Critical Issues: ${CRITICAL_COUNT}" echo " High-Severity Issues: ${HIGH_COUNT}"
if [ $CRITICAL_COUNT -gt 0 ] || [ $BLOCKING_COUNT -gt 5 ]; then DECISION="REJECT" elif [ $BLOCKING_COUNT -gt 0 ]; then DECISION="REQUEST_CHANGES" else DECISION="APPROVE" fi
echo "📊 评审决策:${DECISION}" echo " 关键问题数量:${CRITICAL_COUNT}" echo " 高严重程度问题数量:${HIGH_COUNT}"

Notify author via GitHub

通过GitHub通知提交者

case $DECISION in APPROVE) gh pr review ${PR_NUMBER} --approve --body "✅ All quality checks passed. Ready to merge." gh pr edit ${PR_NUMBER} --add-label "approved" ;; REQUEST_CHANGES) gh pr review ${PR_NUMBER} --request-changes --body-file "/tmp/${PR_ID}-summary.md" gh pr edit ${PR_NUMBER} --add-label "changes-requested" ;; REJECT) gh pr review ${PR_NUMBER} --request-changes --body-file "/tmp/${PR_ID}-rejection.md" gh pr edit ${PR_NUMBER} --add-label "rejected" ;; esac
case $DECISION in APPROVE) gh pr review ${PR_NUMBER} --approve --body "✅ 所有质量检查通过。可合并。" gh pr edit ${PR_NUMBER} --add-label "approved" ;; REQUEST_CHANGES) gh pr review ${PR_NUMBER} --request-changes --body-file "/tmp/${PR_ID}-summary.md" gh pr edit ${PR_NUMBER} --add-label "changes-requested" ;; REJECT) gh pr review ${PR_NUMBER} --request-changes --body-file "/tmp/${PR_ID}-rejection.md" gh pr edit ${PR_NUMBER} --add-label "rejected" ;; esac

Finalize session

完成会话

npx claude-flow hooks post-task --task-id "code-review-${PR_ID}" --export-metrics true

---
npx claude-flow hooks post-task --task-id "code-review-${PR_ID}" --export-metrics true

---

Success Criteria

成功标准

Review Quality Metrics

评审质量指标

  • Coverage: All quality dimensions reviewed (code, security, performance, architecture, docs)
  • Consistency: Reviews follow established guidelines and standards
  • Actionability: All feedback is specific, constructive, and actionable
  • Timeliness: Reviews completed within 4 hours (business hours)
  • 覆盖率:所有质量维度均已评审(代码、安全、性能、架构、文档)
  • 一致性:评审遵循已确立的指南和标准
  • 可执行性:所有反馈均具体、有建设性且可执行
  • 及时性:评审在4小时内完成(工作时间内)

Code Quality Gates

代码质量关卡

  • Automated Tests: 100% passing (no failing tests)
  • Code Coverage: > 80% overall, > 90% for new code
  • Linting: 0 violations (all style rules followed)
  • Security: 0 critical issues, 0 high-severity issues
  • Performance: No high-impact performance regressions
  • Documentation: 100% of public APIs documented
  • 自动化测试:100%通过(无失败测试)
  • 代码覆盖率:整体>80%,新代码>90%
  • 代码风格检查:0违规(遵循所有风格规则)
  • 安全:0个关键问题,0个高严重程度问题
  • 性能:无高影响性能退化
  • 文档:100%的公共API已文档化

Process Metrics

流程指标

  • Review Turnaround: < 4 hours (from PR creation to decision)
  • Author Satisfaction: > 4/5 (feedback is helpful and constructive)
  • Defect Escape Rate: < 1% (issues found in production that should have been caught)
  • False Positive Rate: < 5% (flagged issues that weren't actually problems)
  • 评审周转时间:<4小时(从PR创建到决策)
  • 提交者满意度:>4/5(反馈有帮助且有建设性)
  • 缺陷逃逸率:<1%(生产环境中发现的本应在审查中发现的问题)
  • 误报率:<5%(标记的问题实际并非问题)

Usage Examples

使用示例

Example 1: Small Feature PR (Simple)

示例1:小型功能PR(简单)

bash
undefined
bash
undefined

Feature: Add email validation to registration form

功能:为注册表单添加邮箱验证

PR_NUMBER=245 PR_ID="acme-app/pulls/245"
PR_NUMBER=245 PR_ID="acme-app/pulls/245"

Initialize review

初始化评审

./init-review.sh ${PR_NUMBER} "acme/acme-app"
./init-review.sh ${PR_NUMBER} "acme/acme-app"

Phase 1: Automated checks (5 minutes)

第一阶段:自动化检查(5分钟)

./automated-checks.sh ${PR_ID}
./automated-checks.sh ${PR_ID}

Output: All checks passed

输出:所有检查通过

Phase 2: Specialist reviews (30 minutes - small PR)

第二阶段:专项评审(30分钟 - 小型PR)

./specialist-reviews.sh ${PR_ID}
./specialist-reviews.sh ${PR_ID}

Output: 3 minor issues (all LOW severity)

输出:3个次要问题(全部为低严重程度)

Phase 3: Integration analysis (10 minutes)

第三阶段:集成分析(10分钟)

Output: No integration concerns, backward compatible

输出:无集成问题,向后兼容

Phase 4: Final decision

第四阶段:最终决策

./final-decision.sh ${PR_ID}
./final-decision.sh ${PR_ID}

Decision: ✅ APPROVE

决策:✅ 批准

Output: "All quality checks passed. 3 minor suggestions for future consideration."

输出:"所有质量检查通过。3个次要建议供未来参考。"

undefined
undefined

Example 2: Large Refactoring PR (Complex)

示例2:大型重构PR(复杂)

bash
undefined
bash
undefined

Refactoring: Migrate from REST to GraphQL

重构:从REST迁移到GraphQL

PR_NUMBER=312 PR_ID="acme-app/pulls/312"
PR_NUMBER=312 PR_ID="acme-app/pulls/312"

Initialize review

初始化评审

./init-review.sh ${PR_NUMBER} "acme/acme-app"
./init-review.sh ${PR_NUMBER} "acme/acme-app"

Phase 1: Automated checks (10 minutes)

第一阶段:自动化检查(10分钟)

./automated-checks.sh ${PR_ID}
./automated-checks.sh ${PR_ID}

Output: All checks passed, coverage 94%

输出:所有检查通过,覆盖率94%

Phase 2: Specialist reviews (2 hours)

第二阶段:专项评审(2小时)

./specialist-reviews.sh ${PR_ID}
./specialist-reviews.sh ${PR_ID}

Output: 15 findings

输出:15个发现结果

- 1 HIGH/SECURITY (authentication flow changed, needs verification)

- 1个高/安全问题(身份认证流程变更,需要验证)

- 2 HIGH/PERFORMANCE (N+1 queries in new resolvers)

- 2个高/性能问题(新解析器中的N+1查询)

- 3 MAJOR/ARCHITECTURE (GraphQL schema design concerns)

- 3个主要/架构问题(GraphQL schema设计问题)

- 9 MEDIUM/LOW (documentation, minor improvements)

- 9个中等/低问题(文档、次要改进)

Phase 3: Integration analysis (1 hour)

第三阶段:集成分析(1小时)

Output: Breaking changes for API clients, migration guide needed

输出:对API客户端有破坏性变更,需要迁移指南

Risk: HIGH (affects all API consumers)

风险:高(影响所有API消费者)

Phase 4: Final decision

第四阶段:最终决策

./final-decision.sh ${PR_ID}
./final-decision.sh ${PR_ID}

Decision: ⏸️ REQUEST CHANGES

决策:⏸️ 请求变更

Output: "3 blocking issues (security + performance). Add feature flag for gradual rollout. Provide migration guide for API clients."

输出:"3个阻塞问题(安全 + 性能)。添加功能开关以逐步发布。为API客户端提供迁移指南。"

undefined
undefined

Example 3: Security Patch PR (Critical)

示例3:安全补丁PR(关键)

bash
undefined
bash
undefined

Security: Fix SQL injection vulnerability

安全:修复SQL注入漏洞

PR_NUMBER=418 PR_ID="acme-app/pulls/418"
PR_NUMBER=418 PR_ID="acme-app/pulls/418"

Initialize expedited review

初始化快速评审

./init-review.sh ${PR_NUMBER} "acme/acme-app"
./init-review.sh ${PR_NUMBER} "acme/acme-app"

Phase 1: Automated checks (5 minutes)

第一阶段:自动化检查(5分钟)

./automated-checks.sh ${PR_ID}
./automated-checks.sh ${PR_ID}

Output: All checks passed

输出:所有检查通过

Phase 2: Focus on security review (30 minutes)

第二阶段:重点安全评审(30分钟)

npx claude-flow agent spawn --type security-manager --focus "comprehensive-audit"
npx claude-flow agent spawn --type security-manager --focus "comprehensive-audit"

Output: Vulnerability fixed correctly, no new issues introduced

输出:漏洞已正确修复,未引入新问题

Phase 3: Integration analysis (15 minutes)

第三阶段:集成分析(15分钟)

Output: Backward compatible, zero downtime deployment

输出:向后兼容,可零停机部署

Phase 4: Fast-track approval

第四阶段:快速批准

./final-decision.sh ${PR_ID}
./final-decision.sh ${PR_ID}

Decision: ✅ APPROVE (EXPEDITED)

决策:✅ 批准(快速通道)

Output: "Security fix verified. No regressions. Approved for immediate merge and deployment."

输出:"安全修复已验证。无退化。批准立即合并和部署。"

Deploy immediately

立即部署

gh pr merge ${PR_NUMBER} --admin --squash

---
gh pr merge ${PR_NUMBER} --admin --squash

---

GraphViz Process Diagram

GraphViz流程图表

See 
when-reviewing-pull-request-orchestrate-comprehensive-code-review-process.dot
for visual workflow representation showing:
  • 4 phases with star topology coordination
  • 15 specialist reviewer interactions
  • Automated gate (Phase 1) preventing bad code from entering review
  • Parallel specialist reviews (Phase 2) for efficiency
  • Integration analysis (Phase 3) for deployment safety
  • Final decision logic with author notification
查看
when-reviewing-pull-request-orchestrate-comprehensive-code-review-process.dot
文件获取可视化工作流表示,包含:
  • 4个阶段的星型拓扑协调
  • 15个专业评审人员的交互
  • 自动化关卡(第一阶段)防止不良代码进入评审
  • 并行专项评审(第二阶段)提升效率
  • 集成分析(第三阶段)保障部署安全
  • 最终决策逻辑与提交者通知

Quality Checklist

质量检查清单

Before considering code review complete, verify:
  • Phase 1: All automated checks passing (lint, tests, coverage, build)
  • Phase 2: All specialist reviews completed, findings categorized
  • Phase 3: Integration impact analyzed, deployment plan documented
  • Phase 4: Final decision made, author notified, GitHub status updated
Memory Verification:
  • code-review/${PR_ID}/metadata
    - PR information
  • code-review/${PR_ID}/phase-1/*
    - Automated check results
  • code-review/${PR_ID}/phase-2/*
    - Specialist review findings
  • code-review/${PR_ID}/phase-3/*
    - Integration analysis
  • code-review/${PR_ID}/phase-4/final-summary
    - Comprehensive report
Feedback Quality:
  • All feedback is specific (file, line, issue clearly identified)
  • All feedback is actionable (how to fix provided)
  • All feedback is constructive (not just criticism, but improvement suggestions)
  • Severity is appropriate (not overstating or understating issues)
Workflow Complexity: Medium (15 agents, 4 hours, 4 phases) Coordination Pattern: Star topology with parallel specialist reviews Memory Footprint: ~20-30 memory entries per PR review Typical Use Case: Comprehensive PR review requiring validation across multiple quality dimensions
在认为代码审查完成前,验证以下内容:
  • 第一阶段:所有自动化检查通过(代码风格、测试、覆盖率、构建)
  • 第二阶段:所有专项评审完成,发现结果已分类
  • 第三阶段:集成影响已分析,部署计划已文档化
  • 第四阶段:已做出最终决策,通知提交者,GitHub状态已更新
内存验证
  • code-review/${PR_ID}/metadata
    - PR信息
  • code-review/${PR_ID}/phase-1/*
    - 自动化检查结果
  • code-review/${PR_ID}/phase-2/*
    - 专项评审发现结果
  • code-review/${PR_ID}/phase-3/*
    - 集成分析结果
  • code-review/${PR_ID}/phase-4/final-summary
    - 全面报告
反馈质量
  • 所有反馈均具体(明确文件、行号、问题)
  • 所有反馈均可执行(提供修复方法)
  • 所有反馈均有建设性(不仅批评,还提供改进建议)
  • 严重程度划分适当(既不夸大也不低估问题)
工作流复杂度:中等(15个Agent,4小时,4个阶段) 协调模式:星型拓扑 + 并行专项评审 内存占用:每个PR评审约20-30个内存条目 典型使用场景:需要跨多个质量维度验证的全面PR评审

!! SKILL COMPLETION VERIFICATION (MANDATORY) !!

!! 技能完成验证(强制要求) !!

After invoking this skill, you MUST complete ALL items below before proceeding:
调用此技能后,在继续之前必须完成以下所有项:

Completion Checklist

完成检查清单

  • Agent Spawning: Did you spawn at least 1 agent via Task()?
    • Example: 
      Task("Agent Name", "Task description", "agent-type-from-registry")
  • Agent Registry Validation: Is your agent from the registry?
    • Registry location: 
      claude-code-plugins/ruv-sparc-three-loop-system/agents/
    • Valid categories: delivery, foundry, operations, orchestration, platforms, quality, research, security, specialists, tooling
    • NOT valid: Made-up agent names
  • TodoWrite Called: Did you call TodoWrite with 5+ todos?
    • Example: 
      TodoWrite({ todos: [8-10 items covering all work] })
  • Work Delegation: Did you delegate to agents (not do work yourself)?
    • CORRECT: Agents do the implementation via Task()
    • WRONG: You write the code directly after reading skill
  • Agent启动:是否通过Task()启动了至少1个Agent?
    • 示例:
      Task("Agent Name", "Task description", "agent-type-from-registry")
  • Agent注册表验证:你的Agent是否来自注册表?
    • 注册表位置:
      claude-code-plugins/ruv-sparc-three-loop-system/agents/
    • 有效类别:delivery, foundry, operations, orchestration, platforms, quality, research, security, specialists, tooling
    • 无效:虚构的Agent名称
  • TodoWrite调用:是否调用了TodoWrite并包含5个以上待办事项?
    • 示例:
      TodoWrite({ todos: [8-10项涵盖所有工作] })
  • 工作委派:是否将工作委派给Agent(而非自己完成)?
    • 正确:Agent通过Task()完成实现
    • 错误:阅读技能后自己直接编写代码

Correct Pattern After Skill Invocation

调用技能后的正确模式

javascript
// After Skill("<skill-name>") is invoked:
[Single Message - ALL in parallel]:
  Task("Agent 1", "Description of task 1...", "agent-type-1")
  Task("Agent 2", "Description of task 2...", "agent-type-2")
  Task("Agent 3", "Description of task 3...", "agent-type-3")
  TodoWrite({ todos: [
    {content: "Task 1 description", status: "in_progress", activeForm: "Working on task 1"},
    {content: "Task 2 description", status: "pending", activeForm: "Working on task 2"},
    {content: "Task 3 description", status: "pending", activeForm: "Working on task 3"},
  ]})
javascript
// 调用Skill("<skill-name>")后:
[单条消息 - 全部并行执行]:
  Task("Agent 1", "任务描述1...", "agent-type-1")
  Task("Agent 2", "任务描述2...", "agent-type-2")
  Task("Agent 3", "任务描述3...", "agent-type-3")
  TodoWrite({ todos: [
    {content: "任务1描述", status: "in_progress", activeForm: "处理任务1"},
    {content: "任务2描述", status: "pending", activeForm: "处理任务2"},
    {content: "任务3描述", status: "pending", activeForm: "处理任务3"},
  ]})

Wrong Pattern (DO NOT DO THIS)

错误模式(禁止)

javascript
// WRONG - Reading skill and then doing work yourself:
Skill("<skill-name>")
// Then you write all the code yourself without Task() calls
// This defeats the purpose of the skill system!
The skill is NOT complete until all checklist items are checked.
Remember the pattern: Skill() -> Task() -> TodoWrite() - ALWAYS
javascript
// 错误 - 阅读技能后自己完成工作:
Skill("<skill-name>")
// 然后不调用Task()直接自己编写所有代码
// 这违背了技能系统的目的!
所有检查清单项均已勾选后,技能才算完成。
记住模式:Skill() -> Task() -> TodoWrite() - 始终遵循

Core Principles

核心原则

1. Automated Gates Before Human Review

1. 人工评审前先通过自动化关卡

Principle: Fast-failing automated checks (linting, tests, coverage, build) must pass before expensive specialist reviews begin. No human should review code that fails basic quality gates.
In practice:
  • Phase 1 runs automated checks in parallel completing within 30 minutes
  • Linting violations, test failures, or build errors trigger immediate author notification
  • Phase 2 specialist reviews only begin after all Phase 1 checks pass green
  • Automated gate prevents wasted reviewer time analyzing code with obvious defects
  • Author fixes issues and re-submits triggering fresh Phase 1 run before review resumes
原则:在启动昂贵的专项评审前,必须先通过快速失败的自动化检查(代码风格、测试、覆盖率、构建)。不应让人工评审存在明显缺陷的代码。
实践
  • 第一阶段并行运行自动化检查,30分钟内完成
  • 代码风格违规、测试失败或构建错误会立即通知提交者
  • 只有第一阶段所有检查通过后,才会启动第二阶段专项评审
  • 自动化关卡避免评审人员浪费时间分析存在明显缺陷的代码
  • 提交者修复问题后重新提交,会触发新的第一阶段检查,然后才会恢复评审

2. Parallel Specialist Reviews for Comprehensive Coverage

2. 并行专项评审实现全面覆盖

Principle: Code quality requires evaluation across multiple dimensions (security, performance, architecture, documentation) by domain experts reviewing concurrently.
In practice:
  • Star topology spawns 10 specialist reviewers in parallel during Phase 2
  • Each specialist focuses deeply on their domain without distraction from other concerns
  • Security reviewer analyzes OWASP Top 10 vulnerabilities and auth/auth correctness
  • Performance reviewer identifies algorithmic inefficiencies and resource leaks
  • Architecture reviewer validates design patterns and integration consistency
  • Findings from all specialists aggregate into comprehensive assessment
原则:代码质量需要从多个维度(安全、性能、架构、文档)由领域专家并行评估。
实践
  • 星型拓扑在第二阶段同时启动10个专项评审Agent
  • 每位专家专注于各自领域,不受其他问题干扰
  • 安全评审人员分析OWASP Top 10漏洞和身份认证/授权正确性
  • 性能评审人员识别算法低效和内存泄漏
  • 架构评审人员验证设计模式和集成一致性
  • 所有专家的发现结果汇总为全面评估

3. Risk-Based Decision Making with Evidence

3. 基于证据的风险驱动决策

Principle: Merge decisions must be deterministic based on severity-weighted findings, not subjective gut feel. Evidence drives recommendations.
In practice:
  • Critical severity issues automatically block merge requiring fixes before approval
  • High severity issues (security, performance regressions) request changes with specific remediation
  • Medium severity issues conditionally approve with recommendations to address
  • Low severity issues approve with suggestions for future improvement
  • Decision logic codified in deterministic algorithm ensuring consistency across PRs
原则:合并决策必须基于按严重程度加权的发现结果,而非主观直觉。证据驱动建议。
实践
  • 严重程度为Critical的问题自动阻止合并,必须修复后才能批准
  • 高严重程度问题(安全、性能退化)要求变更并提供具体修复方案
  • 中等严重程度问题有条件批准并提供建议
  • 低严重程度问题批准并提供未来改进建议
  • 决策逻辑以确定性算法编码,确保所有PR的评审一致性

Anti-Patterns

反模式

Anti-PatternProblemSolution
Skipping Automated ChecksProceeding directly to human review without automated validation wastes specialist time reviewing code with linting violations, failing tests, or broken builds.Implement mandatory Phase 1 automated gate. No specialist reviews begin until all automated checks pass. Author must fix issues before review proceeds. Enforce with CI/CD pipeline checks.
Single Reviewer BottleneckOne generalist reviewer attempts to evaluate all quality dimensions (code, security, performance, architecture) resulting in shallow review missing domain-specific issues.Deploy star topology with 10 specialist reviewers operating in parallel. Each reviewer focuses deeply on their domain expertise. Aggregate findings into comprehensive assessment covering all dimensions.
Merge Without Risk AssessmentApproving PRs based solely on code quality without analyzing deployment impact, integration risk, or rollback complexity leads to production incidents.Add Phase 3 integration analysis evaluating deployment impact, database migrations, backward compatibility, and rollback procedures. Risk assessment informs merge decision and deployment strategy (feature flags, gradual rollout).
反模式问题解决方案
跳过自动化检查直接进入人工评审而不进行自动化验证,浪费专家时间评审存在代码风格违规、测试失败或构建错误的代码。实现强制的第一阶段自动化关卡。只有所有自动化检查通过后,才会启动专项评审。提交者必须修复问题后才能继续评审。通过CI/CD流水线检查强制执行。
单一评审人员瓶颈由一名通才评审人员尝试评估所有质量维度(代码、安全、性能、架构),导致评审不深入,遗漏领域特定问题。采用星型拓扑,同时启动10名专项评审Agent。每位评审人员专注于各自领域专业知识。汇总所有专家的发现结果形成全面评估。
无风险评估即合并仅基于代码质量批准PR,未分析部署影响、集成风险或回滚复杂度,导致生产事故。添加第三阶段集成分析,评估部署影响、数据库迁移、向后兼容性和回滚流程。风险评估为合并决策和部署策略(功能开关、逐步发布)提供依据。

Common Anti-Patterns

常见反模式

Anti-PatternProblemSolution
Skipping Automated ChecksProceeding directly to human review without automated validation wastes specialist time reviewing code with linting violations, failing tests, or broken builds.Implement mandatory Phase 1 automated gate. No specialist reviews begin until all automated checks pass. Author must fix issues before review proceeds. Enforce with CI/CD pipeline checks.
Single Reviewer BottleneckOne generalist reviewer attempts to evaluate all quality dimensions (code, security, performance, architecture) resulting in shallow review missing domain-specific issues.Deploy star topology with 10 specialist reviewers operating in parallel. Each reviewer focuses deeply on their domain expertise. Aggregate findings into comprehensive assessment covering all dimensions.
Merge Without Risk AssessmentApproving PRs based solely on code quality without analyzing deployment impact, integration risk, or rollback complexity leads to production incidents.Add Phase 3 integration analysis evaluating deployment impact, database migrations, backward compatibility, and rollback procedures. Risk assessment informs merge decision and deployment strategy (feature flags, gradual rollout).
反模式问题解决方案
跳过自动化检查直接进入人工评审而不进行自动化验证,浪费专家时间评审存在代码风格违规、测试失败或构建错误的代码。实现强制的第一阶段自动化关卡。只有所有自动化检查通过后,才会启动专项评审。提交者必须修复问题后才能继续评审。通过CI/CD流水线检查强制执行。
单一评审人员瓶颈由一名通才评审人员尝试评估所有质量维度(代码、安全、性能、架构),导致评审不深入,遗漏领域特定问题。采用星型拓扑,同时启动10名专项评审Agent。每位评审人员专注于各自领域专业知识。汇总所有专家的发现结果形成全面评估。
无风险评估即合并仅基于代码质量批准PR,未分析部署影响、集成风险或回滚复杂度,导致生产事故。添加第三阶段集成分析,评估部署影响、数据库迁移、向后兼容性和回滚流程。风险评估为合并决策和部署策略(功能开关、逐步发布)提供依据。

Conclusion

结论

Comprehensive code review orchestration transforms manual, inconsistent review processes into systematic workflows that evaluate PRs across security, performance, architecture, documentation, and integration dimensions within 4 hours. The star topology coordination pattern enables 10+ specialists to review concurrently while maintaining coherence through centralized PR manager aggregation. Automated gates prevent wasted human effort by fast-failing obvious defects before expensive specialist reviews begin.
The workflow's effectiveness stems from balancing speed with thoroughness - Phase 1 automated checks complete in 30 minutes providing immediate feedback, while Phase 2 parallel specialist reviews achieve comprehensive coverage without sequential bottlenecks. The deterministic decision logic in Phase 4 eliminates subjective merge decisions, basing recommendations on severity-weighted findings rather than gut feel. This consistency builds team confidence that review quality remains high regardless of which specialists are available.
Memory coordination enables specialists to reference findings from other reviewers, preventing duplicate work and creating holistic assessments. The security reviewer can reference performance issues when evaluating authentication flows, while the architecture reviewer considers deployment complexity identified by DevOps analysis. This cross-referencing elevates individual specialist insights into collective intelligence greater than sum of parts. Teams implementing this workflow should resist the temptation to skip phases or compress timelines during crunch periods - the 4-hour duration reflects realistic minimum time for thorough multi-dimensional analysis. Rushing reviews surfaces as production incidents that cost far more than modest PR review delays.
全面代码审查编排将手动、不一致的评审流程转变为系统化工作流,在4小时内从安全、性能、架构、文档和集成维度评估PR。星型拓扑协调机制使10+名专家能够并行评审,同时通过中央PR管理器汇总结果保持一致性。自动化关卡通过在启动昂贵的专项评审前快速失败明显缺陷,避免浪费人工精力。
工作流的有效性源于平衡速度与全面性 - 第一阶段自动化检查在30分钟内完成,提供即时反馈,而第二阶段并行专项评审在无顺序瓶颈的情况下实现全面覆盖。第四阶段的确定性决策逻辑消除了主观合并决策,基于按严重程度加权的发现结果而非直觉提供建议。这种一致性建立了团队信心,无论哪些专家可用,评审质量都保持较高水平。
内存协调机制使专家能够参考其他评审人员的发现结果,避免重复工作并形成全面评估。安全评审人员在评估身份认证流程时可以参考性能问题,而架构评审人员会考虑DevOps分析中发现的部署复杂度。这种交叉引用将单个专家的见解提升为大于各部分之和的集体智慧。实施此工作流的团队应避免在紧张时期跳过阶段或压缩时间 - 4小时的时长反映了全面多维度分析的现实最短时间。仓促评审会导致生产事故,其成本远高于PR评审的适度延迟。