review-agent-setup
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chinesereview-agent-governance — Setup
review-agent-governance — 安装配置
Gate AI agent review actions (PR reviews, comments, merges, CI edits) behind
explicit human approval. Every attempt, approved or denied, produces an
Ed25519-signed receipt.
将AI代理的审核操作(PR审核、评论、合并、CI编辑)置于明确的人工审批之后。无论操作被批准还是拒绝,都会生成一份Ed25519签名的回执。
When to use this plugin
何时使用此插件
Install it in projects where a Claude Code agent:
- Reviews, comments on, or merges pull requests (,
gh pr review)gh pr merge - Triages issues (,
gh issue comment)gh issue close - Publishes releases ()
gh release create - Modifies CI configuration (,
.github/workflows/).gitlab-ci.yml - Pushes to protected branches (,
main,master,release)production - Posts to external notification surfaces (Slack webhooks, Discord)
If the agent is only doing local file edits and running tests, this plugin is
overkill. Use for general tool-call policy enforcement and skip
this one.
protect-mcp在以下场景的项目中安装此插件:Claude Code代理需要:
- 审核、评论或合并拉取请求(、
gh pr review)gh pr merge - 分类处理议题(、
gh issue comment)gh issue close - 发布版本()
gh release create - 修改CI配置(、
.github/workflows/).gitlab-ci.yml - 推送到受保护分支(、
main、master、release)production - 向外部通知渠道发送内容(Slack webhooks、Discord)
如果代理仅进行本地文件编辑和运行测试,此插件则过于冗余。可使用进行通用工具调用策略管控,无需安装此插件。
protect-mcpOne-time setup
一次性配置步骤
1. Install the plugin
1. 安装插件
bash
claude plugin install wshobson/agents/review-agent-governancebash
claude plugin install wshobson/agents/review-agent-governance2. Copy the default policy to your project
2. 将默认策略复制到你的项目中
bash
cp .claude/plugins/review-agent-governance/policies/review-agent-governance.cedar \
./review-governance.cedarYou can edit this file to match your project's specific rules. See
for guidance on authoring review
policies.
../agents/review-policy-author.mdbash
cp .claude/plugins/review-agent-governance/policies/review-agent-governance.cedar \
./review-governance.cedar你可以编辑此文件以匹配项目的特定规则。请查看获取审核策略编写指南。
../agents/review-policy-author.md3. Create a receipts directory and sign key
3. 创建回执目录和签名密钥
bash
mkdir -p ./review-receipts
echo "./review-receipts/" >> .gitignore
echo "./review-governance.key" >> .gitignore
echo "./.review-approved" >> .gitignoreThe first invocation of will create the key. Commit the
public key from the first receipt so auditors can verify later.
protect-mcp signbash
mkdir -p ./review-receipts
echo "./review-receipts/" >> .gitignore
echo "./review-governance.key" >> .gitignore
echo "./.review-approved" >> .gitignore首次调用时会自动创建密钥。请提交首个回执中的公钥,以便审计人员后续验证。
protect-mcp signPer-session workflow
每会话工作流程
The Cedar policy denies review-surface actions unconditionally. To approve
a specific action, open an approval window before it and close it after.
Cedar策略会无条件拒绝审核类操作。要批准特定操作,需在操作前开启审批窗口,并在操作后关闭。
Flag file (simplest)
标记文件(最简方式)
bash
undefinedbash
undefinedBefore the action you want to approve
在你要批准的操作前执行
touch ./.review-approved
touch ./.review-approved
Let Claude Code run the review / comment / merge
让Claude Code执行审核/评论/合并操作
Immediately after
操作完成后立即执行
rm ./.review-approved
undefinedrm ./.review-approved
undefinedSlash command (from within Claude Code)
斜杠命令(在Claude Code内执行)
/approve-review "Reviewing PR #123 authored by contributor X"This creates with the given reason embedded as a note,
and writes a human-approved receipt to the chain. A follow-up is still
needed to close the window.
./.review-approvedrm/approve-review "Reviewing PR #123 authored by contributor X"此命令会创建文件,并将指定理由作为备注嵌入其中,同时在链中写入人工批准的回执。仍需后续执行命令关闭审批窗口。
./.review-approvedrmDry-run everything (force full policy evaluation)
全流程试运行(强制完整策略评估)
If you want every tool call to go through Cedar with no approval bypass:
bash
export REVIEW_APPROVAL_FLAG=./.never-approveAny tool call matching a forbid rule will be denied; approved windows have
no effect. Useful for CI or for a locked-down audit run.
如果你希望所有工具调用都通过Cedar验证且不允许绕过审批:
bash
export REVIEW_APPROVAL_FLAG=./.never-approve任何匹配禁止规则的工具调用都会被拒绝;审批窗口将失效。适用于CI环境或严格锁定的审计运行场景。
Verifying the chain
验证回执链
List all receipts:
bash
ls -la ./review-receipts/Verify the entire chain offline:
bash
npx @veritasacta/verify ./review-receipts/*.jsonExit 0 means every receipt is authentic and the chain is intact. Exit 1
means one receipt has been tampered with. Exit 2 means a receipt is
malformed.
Look at recent denials:
/list-pendingWithin Claude Code this slash command walks the receipt chain and prints
any recent entries with the tool name, command pattern,
and timestamp.
decision: deny列出所有回执:
bash
ls -la ./review-receipts/离线验证整个回执链:
bash
npx @veritasacta/verify ./review-receipts/*.json返回码0表示所有回执均真实有效且链完整;返回码1表示存在被篡改的回执;返回码2表示回执格式错误。
查看近期拒绝记录:
/list-pending在Claude Code中执行此斜杠命令会遍历回执链,并打印近期条目,包含工具名称、命令模式和时间戳。
decision: denyExample: approving a PR review
示例:批准PR审核
bash
undefinedbash
undefined1. Human reviews the agent's proposed comment
1. 人工查看代理提议的评论
$ /list-pending
Recent denials:
- 2026-04-17T14:23:01Z Bash "gh pr review 42 --approve --body 'LGTM'"
- 2026-04-17T14:23:02Z Bash "gh pr comment 42 --body 'Looking good'"
$ /list-pending
Recent denials:
- 2026-04-17T14:23:01Z Bash "gh pr review 42 --approve --body 'LGTM'"
- 2026-04-17T14:23:02Z Bash "gh pr comment 42 --body 'Looking good'"
2. Human decides the first one is appropriate, approves it
2. 人工判定第一条操作合适,批准执行
$ /approve-review "Approving LGTM on PR 42 after visual inspection"
./.review-approved created
$ /approve-review "Approving LGTM on PR 42 after visual inspection"
./.review-approved created
3. Agent retries the action; this time it succeeds
3. 代理重试操作;此次执行成功
$ agent: gh pr review 42 --approve --body "LGTM"
[receipt: rec_XXX, decision=allow, reason=human_approved]
$ agent: gh pr review 42 --approve --body "LGTM"
[receipt: rec_XXX, decision=allow, reason=human_approved]
4. Human closes the window
4. 人工关闭审批窗口
$ rm ./.review-approved
Every step is in the receipt chain. The chain is offline-verifiable for
regulators, counterparties, or downstream auditors who want to confirm
that no review action bypassed the human gate.$ rm ./.review-approved
每一步操作都会记录在回执链中。该回执链可离线验证,供监管机构、合作方或下游审计人员确认所有审核操作均未绕过人工门控。Composing with protect-mcp
与protect-mcp组合使用
If both plugins are installed, run them side by side:
json
{
"hooks": {
"PreToolUse": [
{
"matcher": ".*",
"hooks": [
{
"type": "command",
"command": "npx protect-mcp@0.5.5 evaluate --policy ./protect.cedar --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\" --fail-on-missing-policy false"
}
]
},
{
"matcher": ".*",
"hooks": [
{
"type": "command",
"command": "if [ -f ./.review-approved ]; then exit 0; fi; npx protect-mcp@0.5.5 evaluate --policy ./review-governance.cedar --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\" --fail-on-missing-policy false"
}
]
}
]
}
}Both hooks must pass for the tool call to proceed. Cedar deny in either
policy blocks it.
如果同时安装了两个插件,可并行运行:
json
{
"hooks": {
"PreToolUse": [
{
"matcher": ".*",
"hooks": [
{
"type": "command",
"command": "npx protect-mcp@0.5.5 evaluate --policy ./protect.cedar --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\" --fail-on-missing-policy false"
}
]
},
{
"matcher": ".*",
"hooks": [
{
"type": "command",
"command": "if [ -f ./.review-approved ]; then exit 0; fi; npx protect-mcp@0.5.5 evaluate --policy ./review-governance.cedar --tool \"$TOOL_NAME\" --input \"$TOOL_INPUT\" --fail-on-missing-policy false"
}
]
}
]
}
}两个钩子均需通过,工具调用才能继续执行。任一策略中的Cedar拒绝规则都会阻止操作。
Standards
遵循标准
- Ed25519 — RFC 8032 (digital signatures)
- JCS — RFC 8785 (deterministic JSON canonicalization)
- Cedar — AWS's open authorization policy language
- IETF draft — draft-farley-acta-signed-receipts
- Ed25519 — RFC 8032(数字签名)
- JCS — RFC 8785(确定性JSON规范化)
- Cedar — AWS开源授权策略语言
- IETF草案 — draft-farley-acta-signed-receipts