From b78e723653cf05fb2e9a8432010e81439be2f91f Mon Sep 17 00:00:00 2001 From: Matt Bishop Date: Thu, 18 Jun 2026 15:20:12 -0400 Subject: [PATCH] feat(code-review): route Claude config changes to claude-config-validator When a diff touches Claude configuration files (CLAUDE.md, AGENT.md, SKILL.md, hooks, slash commands, .claude/ settings, MCP config), both review paths now invoke the claude-config-validator skill: - Single-agent reviewer (bitwarden-code-reviewer): detects config files in Step 1 and invokes Skill(reviewing-claude-config) during Cross-Plugin Enrichment, folding findings into classification/validation. - performing-multi-agent-code-review: conditional Step 3 "Agent 4" (source_agent: "config") whose findings flow through validation, severity audit, and the report. Extended the source_agent enum and report label table accordingly. The dependency on claude-config-validator is optional in both paths; if it is not installed the review falls back to existing knowledge. Bumps bitwarden-code-review to 1.13.0 (past PR #146's 1.12.0). --- .claude-plugin/marketplace.json | 2 +- README.md | 2 +- .../.claude-plugin/plugin.json | 2 +- plugins/bitwarden-code-review/CHANGELOG.md | 6 +++++ .../agents/bitwarden-code-reviewer/AGENT.md | 8 ++++++- .../SKILL.md | 6 ++++- .../references/finding-shape.md | 22 +++++++++---------- .../references/report-template.md | 1 + 8 files changed, 33 insertions(+), 16 deletions(-) diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 63902851..24eef856 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -24,7 +24,7 @@ { "name": "bitwarden-code-review", "source": "./plugins/bitwarden-code-review", - "version": "1.11.0", + "version": "1.13.0", "description": "Comprehensive code review system with organization-wide standards." }, { diff --git a/README.md b/README.md index 3597c415..55bfd279 100644 --- a/README.md +++ b/README.md 
@@ -9,7 +9,7 @@ A curated collection of plugins for AI-assisted development at Bitwarden. Enable | [bitwarden-tech-lead](plugins/bitwarden-tech-lead/) | 2.3.0 | Tech lead for technical planning, architecture coherence, and surfacing patterns to Technical Strategy Ideas | | [bitwarden-shepherd](plugins/bitwarden-shepherd/) | 1.0.0 | Champion of a technical strategy — shepherds a TSI through evaluation into the funnel, then through to adoption | | [bitwarden-atlassian-tools](plugins/bitwarden-atlassian-tools/) | 2.2.7 | Read-only Atlassian access via MCP server with deep Jira issue research skill | -| [bitwarden-code-review](plugins/bitwarden-code-review/) | 1.11.0 | Autonomous code review agent following Bitwarden engineering standards with GitHub integration | +| [bitwarden-code-review](plugins/bitwarden-code-review/) | 1.13.0 | Autonomous code review agent following Bitwarden engineering standards with GitHub integration | | [bitwarden-delivery-tools](plugins/bitwarden-delivery-tools/) | 1.4.0 | Delivery lifecycle skills: initiative funnel navigation, work transitions, tech breakdowns and cross-team signoffs, commits, PRs, preflight, labeling | | [bitwarden-designer](plugins/bitwarden-designer/) | 0.1.0 | Product designer persona: Code of Conduct and 30/60/90 critique, critique facilitation; dispatches into bitwarden-design-tools | | [bitwarden-design-tools](plugins/bitwarden-design-tools/) | 0.1.0 | Design toolkit: content style guide, Figma Dev Mode MCP, Bitwarden brand application, handoff prep, Design System governance, Product and Design Jira | diff --git a/plugins/bitwarden-code-review/.claude-plugin/plugin.json b/plugins/bitwarden-code-review/.claude-plugin/plugin.json index 51349959..5d15707e 100644 --- a/plugins/bitwarden-code-review/.claude-plugin/plugin.json +++ b/plugins/bitwarden-code-review/.claude-plugin/plugin.json 
@@ -1,6 +1,6 @@ { "name": "bitwarden-code-review", - "version": "1.11.0", + "version": "1.13.0", "description": "Comprehensive code review system with organization-wide standards.", "author": { "name": "Bitwarden", diff --git a/plugins/bitwarden-code-review/CHANGELOG.md b/plugins/bitwarden-code-review/CHANGELOG.md index 0e9c590c..2e426c73 100644 --- a/plugins/bitwarden-code-review/CHANGELOG.md +++ b/plugins/bitwarden-code-review/CHANGELOG.md @@ -5,6 +5,12 @@ All notable changes to the Bitwarden Code Review Plugin will be documented in th The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.13.0] - 2026-06-18 + +### Added + +- Claude-configuration review enrichment in both review paths. When the diff touches Claude config files (`CLAUDE.md`, agent `AGENT.md`, skill `SKILL.md`, hook definitions, slash commands, `.claude/` settings, or MCP config), the single-agent reviewer (`bitwarden-code-reviewer`) now invokes `Skill(reviewing-claude-config)` during Cross-Plugin Enrichment, and the `performing-multi-agent-code-review` pipeline launches a conditional Claude-configuration agent (`source_agent: "config"`) in Step 3 whose findings flow through validation, severity audit, and the report. The dependency on the `claude-config-validator` plugin is optional in both paths — if it is not installed, the review falls back to existing review knowledge. + ## [1.11.0] - 2026-05-12 ### Added diff --git a/plugins/bitwarden-code-review/agents/bitwarden-code-reviewer/AGENT.md b/plugins/bitwarden-code-review/agents/bitwarden-code-reviewer/AGENT.md index db1c2c13..8701419a 100644 --- a/plugins/bitwarden-code-review/agents/bitwarden-code-reviewer/AGENT.md +++ b/plugins/bitwarden-code-review/agents/bitwarden-code-reviewer/AGENT.md 
@@ -1,6 +1,6 @@ --- name: bitwarden-code-reviewer -version: 1.10.1 +version: 1.13.0 description: Conducts thorough code reviews following Bitwarden standards. Finds all issues first pass, avoids false positives, respects codebase conventions. Invoke when user mentions "code review", "review code", "review", "PR", or "pull request". model: opus skills: avoiding-false-positives, classifying-review-findings, posting-bitwarden-review-comments, posting-review-summary, reviewing-dependency-changes @@ -39,6 +39,8 @@ Then gather the remaining data: - Whether the PR author is an automated bot (Renovate, Dependabot) - Whether the PR description references AppSec approval (VULN task, explicit mention of the dependency review process) +**If Claude configuration files are in the diff** (`CLAUDE.md`, agent `AGENT.md`, skill `SKILL.md`, hook definitions, slash commands, `.claude/` settings, or MCP config), note them for the Claude-configuration review in Step 2. + **Tailor your review approach based on what you observe:** - Consider which risks are most relevant to this specific change 
@@ -76,6 +78,10 @@ When sibling Bitwarden plugins are installed, activate specialist skills during - **Angular/TypeScript client changes** → invoke `Skill(writing-client-code)` to verify `tw-` prefix, `inject()` usage, standalone components, signal vs RxJS patterns - **Database changes** → invoke `Skill(writing-database-queries)` to verify dual-ORM parity, migration naming, and EDD phasing +**Claude configuration changes** (`CLAUDE.md`, agent `AGENT.md`, skill `SKILL.md`, hook definitions, slash commands, `.claude/` settings, or MCP config): + +- invoke `Skill(reviewing-claude-config)` to validate YAML frontmatter, progressive-disclosure structure, prompt-engineering quality, and config-specific security issues (committed `settings.local.json`, hardcoded secrets, broken file references, overly broad agent tool access). Fold its findings into your own classification and validation in Steps 3–4. + These skills are optional. If unavailable, apply existing review knowledge. **Before moving to Step 3**, confirm you've examined all changed code for the above issues. diff --git a/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/SKILL.md b/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/SKILL.md index 8412ccd4..d46e5ec0 100644 --- a/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/SKILL.md +++ b/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/SKILL.md 
@@ -116,6 +116,7 @@ Execute these steps in order. Do not skip, reorder, or combine steps. 1. Gather context (no subagents). All `references/...` paths below resolve relative to `${CLAUDE_SKILL_DIR}` — do not search elsewhere. - **READ** `references/modes.md`. The orchestrator follows it to determine the review mode and the matching diff-source commands. - Determine the mode per `references/modes.md`. Fetch the list of changed files with the mode's command: `gh pr diff {number} --name-only` (PR), `git diff HEAD --name-only` (local), `git diff origin/HEAD...HEAD --name-only` (branch comparison), or `git diff .. --name-only` (commit range). In PR mode, also fetch the title and description with `gh pr view`. + - **Detect Claude configuration files** in the changed-file list: `CLAUDE.md`, agent `AGENT.md`, skill `SKILL.md` (and skill support files), hook definitions, slash commands, `.claude/` settings, or MCP config. If any are present, the conditional Claude-configuration agent in Step 3 applies. - **READ** CLAUDE.md, README.md, and any other relevant .md files in or near the directories containing modified files. - **READ** `references/report-template.md` for formatting the final report in Step 7. - **READ** `references/finding-shape.md`. Its contents are pasted verbatim into every Step 2–5 subagent prompt. 
@@ -136,7 +137,7 @@ Execute these steps in order. Do not skip, reorder, or combine steps. Apply the Review Rules. Threshold ≥ 80. Emit findings as a JSON array per the Finding Shape schema. -3. Launch 3 agents as instructed below. Each receives the diff and the Review Rules; each emits findings as a JSON array per the Finding Shape schema. Confidence Scoring from `references/evaluation-standards.md` applies to all three — threshold ≥ 80. In PR mode, pass the PR title and description only to Agent 3 per Context Partitioning — Agents 1 and 2 receive diff + Review Rules only. Send all 3 Agent tool calls in a single message (do NOT use run_in_background). +3. Launch 3 agents as instructed below — plus a conditional 4th (Agent 4) when Claude configuration files were detected in Step 1 and the `claude-config-validator` plugin is installed. Each receives the diff and the Review Rules; each emits findings as a JSON array per the Finding Shape schema. Confidence Scoring from `references/evaluation-standards.md` applies to all of them — threshold ≥ 80. In PR mode, pass the PR title and description only to Agent 3 per Context Partitioning — Agents 1, 2, and 4 receive diff + Review Rules only. Send all Agent tool calls for this step in a single message (do NOT use run_in_background). **Agent 1: Code quality agent** Use the `general-purpose` subagent type. Read the diff as a senior engineer seeing it for the first time — surface anything that hurts correctness, clarity, or long-term maintainability, including code duplication, missing critical error handling, and inadequate test coverage. 
@@ -155,6 +156,9 @@ Execute these steps in order. Do not skip, reorder, or combine steps. - **Consent gates** — are authorization actions clearly labeled with sufficient context? - **Output authenticity** — are responses distinguishable from attacker-forged messages? + **Agent 4 (conditional): Claude configuration agent** + Launch this agent ONLY when Claude configuration files were detected in Step 1 AND the `claude-config-validator` plugin is installed; otherwise skip it silently — it is not a prerequisite. Use the `general-purpose` subagent type and instruct it to invoke `Skill(reviewing-claude-config)`, scoped to the detected Claude configuration files, to validate YAML frontmatter, progressive-disclosure structure, prompt-engineering quality, and config-specific security issues (committed `settings.local.json`, hardcoded secrets, broken file references, overly broad agent tool access). Emit findings with `source_agent: "config"` and `id` prefix `cfg` per the Finding Shape schema. + 4. Launch a single `general-purpose` validation subagent for all findings from Steps 2 and 3. The subagent receives the diff fetched with the mode's diff command from Step 1, the full array of finding objects, the Review Rules, and — in PR mode only — the PR title and description. The subagent returns an array of Step 4 objects (one per input finding) per the Finding Shape schema. **Chunking escape hatch.** If raw findings from Steps 2 and 3 number more than 25, partition them into chunks of ≤ 15 (preserving collateral context within each chunk; do not split a `source_agent` group across chunks if it would put related findings on opposite sides) and launch one validation subagent per chunk in a single message (do NOT use run_in_background). diff --git a/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/references/finding-shape.md b/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/references/finding-shape.md index f6e77c32..1cd97b59 100644 
--- a/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/references/finding-shape.md +++ b/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/references/finding-shape.md 
@@ -6,20 +6,20 @@ Every finding and every Step 4/5 return object follows the JSON schema below. Su Emit as a JSON array. Each finding: -| field | type | notes | -| -------------- | ------- | -------------------------------------------------------------------------------- | -| `id` | string | `{source}-{n}`, e.g. `"bug-3"`. Source ∈ `arch`, `quality`, `bug`, `sec`, `val`. | -| `file` | string | Repo-relative path. | -| `line` | string | `"42"` or `"42-50"`. Derived per Line Number Accuracy. | -| `severity` | string | `"blocker"` \| `"important"` \| `"refactor"`. | -| `confidence` | integer | 0–100. Only findings ≥ 80 are emitted. | -| `title` | string | < 100 chars. Renders as the section header in the final report. | -| `detail` | string | Markdown. Explanation, why it matters, suggested fix. | -| `source_agent` | string | `"architect"` \| `"quality"` \| `"bug"` \| `"security"` \| `"validation"`. | +| field | type | notes | +| -------------- | ------- | ---------------------------------------------------------------------------------------- | +| `id` | string | `{source}-{n}`, e.g. `"bug-3"`. Source ∈ `arch`, `quality`, `bug`, `sec`, `cfg`, `val`. | +| `file` | string | Repo-relative path. | +| `line` | string | `"42"` or `"42-50"`. Derived per Line Number Accuracy. | +| `severity` | string | `"blocker"` \| `"important"` \| `"refactor"`. | +| `confidence` | integer | 0–100. Only findings ≥ 80 are emitted. | +| `title` | string | < 100 chars. Renders as the section header in the final report. | +| `detail` | string | Markdown. Explanation, why it matters, suggested fix. | +| `source_agent` | string | `"architect"` \| `"quality"` \| `"bug"` \| `"security"` \| `"config"` \| `"validation"`. | If an agent produces no findings, return `[]`. -The orchestrator renders `source_agent` on every finding in the final report — set it accurately. 
The id-prefix → source_agent mapping is fixed: `arch → architect`, `quality → quality`, `bug → bug`, `sec → security`, `val → validation`. +The orchestrator renders `source_agent` on every finding in the final report — set it accurately. The id-prefix → source_agent mapping is fixed: `arch → architect`, `quality → quality`, `bug → bug`, `sec → security`, `cfg → config`, `val → validation`. ## Step 4 return (validation) diff --git a/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/references/report-template.md b/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/references/report-template.md index edfa538f..a730c218 100644 --- a/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/references/report-template.md +++ b/plugins/bitwarden-code-review/skills/performing-multi-agent-code-review/references/report-template.md @@ -16,6 +16,7 @@ Every finding carries a `source_agent` value (per `finding-shape.md`). Render it | `quality` | Code quality agent | | `bug` | Bug analysis agent | | `security` | Security & logic agent | +| `config` | Claude configuration agent | | `validation` | Validation agent (collateral) | ## Template
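Review bot: In the CHANGELOG.md hunk the new `## [1.13.0] - 2026-06-18` entry sits directly above `## [1.11.0]` with no `[1.12.0]` entry, and the marketplace.json, README.md and plugin.json hunks all move from `1.11.0` (not `1.12.0`) to `1.13.0`, even though the commit message says the bump is "past PR #146's 1.12.0". If this branch is not based on PR #146, the version hunks will conflict on merge and the changelog will have a gap; suggest rebasing onto #146 once it lands (or bumping to 1.12.0 if #146 does not), so the three version files and the changelog tell the same story.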
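Review bot: In the AGENT.md Cross-Plugin Enrichment hunk, the fallback "If unavailable, apply existing review knowledge" silently drops the config-specific security checks the new bullet enumerates (committed `settings.local.json`, hardcoded secrets, broken file references, overly broad agent tool access) whenever `claude-config-validator` is not installed. Suggest stating that those four checks are still applied by the reviewer itself when `Skill(reviewing-claude-config)` is unavailable, since they are the security-relevant part and do not need the skill to perform. Separately, the sibling items in this list are single bullets of the form `- **Database changes** → invoke ...`, while the new entry is a bold paragraph followed by a lowercase sub-bullet; suggest `- **Claude configuration changes** (...) → invoke `Skill(reviewing-claude-config)` to ...` to match.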
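Review bot: The new "Detect Claude configuration files" item in the SKILL.md Step 1 hunk describes the files by role ("hook definitions", "slash commands", "skill support files") rather than by path pattern, so two orchestrator runs on the same changed-file list may classify differently and the single-agent reviewer's Step 1 (which uses the same wording) may disagree with this path. Suggest giving the orchestrator the concrete path globs to match against, and keeping that list in one place (for example a shared reference) so both review paths trigger the config review on identical inputs.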
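Review bot: In the Step 3 hunk of SKILL.md, the Context Partitioning sentence says "Agents 1, 2, and 4 receive diff + Review Rules only", but the Agent 4 description in the following hunk scopes it "to the detected Claude configuration files", which is an output of Step 1 that is not in the diff or the Review Rules. Either pass the detected-file list to Agent 4 and say so here, or state that Agent 4 derives its scope from the diff itself; otherwise the partitioning rule and the agent instructions contradict each other.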
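Review bot: The Agent 4 hunk launches the config agent only when "the `claude-config-validator` plugin is installed", but nothing in Step 1 or Step 3 tells the orchestrator how to determine that, so the "skip it silently" branch is not deterministic. Suggest either specifying the check, or always launching Agent 4 when config files were detected and instructing it to return `[]` if `Skill(reviewing-claude-config)` cannot be invoked. When Agent 4 is skipped, Agent 3 (Security & logic) should also be told that config files are in scope, so the secret, committed `settings.local.json` and tool-access checks listed here are not lost along with the optional plugin.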
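Review bot: The finding-shape.md hunk extends `id` prefixes, the `source_agent` enum and the prefix mapping consistently (`cfg → config`), but it also rewrites every row of the table for column alignment, which makes the substantive change hard to see; consider keeping the original column widths in this PR. Since the file states that "every Step 4/5 return object" follows this schema, any other reference file that enumerates `source_agent` values (the severity-audit or validation instructions, for instance) would now be stale; worth a grep for `"validation"` across `references/` to confirm only the two files touched here list the enum.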