From 93db605d66a2a55fc48df81f3957a7fead6e6bb0 Mon Sep 17 00:00:00 2001
From: jrenaldi
Date: Thu, 26 Mar 2026 07:20:17 +0900
Subject: [PATCH 1/3] ci: replace Code Rabbit with Claude auto-review workflow

Split single claude job into two:
- auto-review: fires on PR open/push/ready_for_review (skips drafts)
- claude-assist: fires on @claude mentions (existing behavior)

Plugin changes based on research:
- Kept pr-review-toolkit (6-agent review suite)
- Dropped security-guidance (PreToolUse hook, not useful in Actions)
- Dropped code-review (overlaps with pr-review-toolkit)
- Dropped semgrep (does not exist in any marketplace)

Also bumps contents permission to write on both jobs.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/claude-review.yml | 30 +++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index dd08322..03f09fa 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -1,6 +1,8 @@
 name: Claude Code
 on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review]
   issue_comment:
     types: [created]
   pull_request_review_comment:
@@ -9,18 +11,39 @@ on:
     types: [opened, assigned]
 
 concurrency:
-  group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
+  group: claude-${{ github.event.pull_request.number || github.event.issue.number }}
   cancel-in-progress: true
 
 jobs:
-  claude:
+  auto-review:
+    if: github.event_name == 'pull_request' && !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+          plugin_marketplaces: |
+            https://github.com/anthropics/claude-code.git
+
+          plugins: |
+            pr-review-toolkit@claude-code-plugins
+
+  claude-assist:
     if: >
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       pull-requests: write
       issues: write
       id-token: write
@@ -36,4 +59,3 @@ jobs:
 
           plugins: |
             pr-review-toolkit@claude-code-plugins
-            security-guidance@claude-code-plugins

From 5a3ecb08a521b03c61fd2dcb9932e257199cf393 Mon Sep 17 00:00:00 2001
From: jrenaldi
Date: Thu, 26 Mar 2026 07:29:27 +0900
Subject: [PATCH 2/3] ci: add Claude security review job

Adds security-review job using anthropics/claude-code-security-review action. Runs on every non-draft PR alongside auto-review. Analyzes diffs for injection attacks, auth flaws, data exposure, crypto weaknesses, and other security vulnerabilities.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/claude-review.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index 03f09fa..813bea8 100644
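Review bot: `contents: write` on the new `auto-review` job, and the bump from `read` to `write` on `claude-assist` further down this hunk, grants more than a review-only job needs; checkout plus posting review comments works with `contents: read` and `pull-requests: write`, and the `security-review` and `codex-audit` jobs added later in this series run with `contents: read`, so unless the action is expected to push commits both should stay `contents: read`. A second issue in the same hunk is the concurrency group `claude-${{ github.event.pull_request.number || github.event.issue.number }}` combined with `cancel-in-progress: true`: an `issue_comment` event on a pull request carries the PR's number as `issue.number`, so an `@claude` comment would cancel an in-flight `auto-review` of that PR and a new push would cancel a comment-triggered run; adding `github.event_name` to the group key (e.g. `group: claude-${{ github.event_name }}-${{ github.event.pull_request.number || github.event.issue.number }}`) keeps the two flows from cancelling each other. Note also that `auto-review` is driven by `pull_request` and reads `secrets.ANTHROPIC_API_KEY`, which is not supplied for pull requests from forks, so on such PRs the job presumably fails rather than reviewing; gating it with `github.event.pull_request.head.repo.full_name == github.repository` in the `if:` would make that explicit. The `claude-assist` job body continues in the next hunk and beyond.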
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -36,6 +36,22 @@ jobs:
           plugins: |
             pr-review-toolkit@claude-code-plugins
 
+  security-review:
+    if: github.event_name == 'pull_request' && !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 2
+
+      - uses: anthropics/claude-code-security-review@main
+        with:
+          claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+
   claude-assist:
     if: >
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||

From a3e3648bee71dcb09c2aadc73afd7bc3038d1550 Mon Sep 17 00:00:00 2001
From: jrenaldi
Date: Thu, 26 Mar 2026 07:58:52 +0900
Subject: [PATCH 3/3] ci: add Codex audit job to review workflow

After Claude's auto-review completes, a new codex-audit job triggers the Codex GitHub App with @codex review. A purpose-built AGENTS.md is copied into the workspace so Codex acts as an auditor of Claude's review rather than performing an independent review.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/codex-audit-agents.md | 38 +++++++++++++++++++++++++++++
 .github/workflows/claude-review.yml | 20 +++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 .github/codex-audit-agents.md

diff --git a/.github/codex-audit-agents.md b/.github/codex-audit-agents.md
new file mode 100644
index 0000000..1ccca3c
--- /dev/null
+++ b/.github/codex-audit-agents.md
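Review bot: `anthropics/claude-code-security-review@main` pins a third-party action that is handed `secrets.ANTHROPIC_API_KEY` to a moving branch, so whatever lands on that branch runs in this job with the secret; pin it to a release tag or, better, a full commit SHA with the version noted alongside, e.g. `- uses: anthropics/claude-code-security-review@<pinned-commit-sha>  # <release tag>` (both values are placeholders to fill from the action's releases). The rest of the job is well scoped: it checks out `github.event.pull_request.head.sha` under a plain `pull_request` trigger rather than `pull_request_target`, and runs with `contents: read`, which is the scope the earlier `auto-review` job should also use. As with `auto-review`, the secret is not supplied for pull requests opened from forks, so on those the job presumably fails instead of reviewing unless it is gated on `github.event.pull_request.head.repo.full_name == github.repository`. The `claude-assist` job that begins at the end of this hunk continues outside it.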
@@ -0,0 +1,38 @@
+# AGENTS.md - Codex Audit Role
+
+You are acting as a second-opinion auditor of an automated PR review produced by Claude Code.
+
+## Your Role
+
+Audit the existing review comments on this PR. Do NOT perform a fresh, independent code review.
+
+## What To Do
+
+1. Read all existing review comments left by Claude Code (the `github-actions[bot]` user)
+2. For each finding: confirm if valid, or flag as a false positive with reasoning
+3. Identify meaningful gaps: security issues, logic errors, or missed edge cases that the review overlooked
+4. If you agree with the review and find no gaps, say so briefly
+
+## What NOT To Do
+
+- Do not nitpick style, formatting, naming, or whitespace
+- Do not repeat findings already covered by the existing review
+- Do not perform a general code review of the entire diff
+- Do not comment on test coverage unless a critical path is untested
+- Keep your response concise: only comment when you have substantive input
+
+## Output Format
+
+Structure your review as:
+
+### Confirmed Findings
+- List any findings from Claude's review that you agree with (brief)
+
+### Disputed Findings
+- Any findings you believe are false positives, with reasoning
+
+### Gaps Found
+- Substantive issues the original review missed (security, logic, edge cases)
+
+### Verdict
+One line: "Review looks solid" or "Review has gaps that should be addressed"
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index 813bea8..06598f7 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -52,6 +52,26 @@ jobs:
         with:
           claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
 
+  codex-audit:
+    needs: auto-review
+    if: github.event_name == 'pull_request' && !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Override AGENTS.md with audit-scoped instructions
+        run: cp .github/codex-audit-agents.md AGENTS.md
+
+      - name: Trigger Codex review
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr comment ${{ github.event.pull_request.number }} \
+            --body "@codex review"
+
   claude-assist:
     if: >
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
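Review bot: the `Override AGENTS.md with audit-scoped instructions` step copies `.github/codex-audit-agents.md` to `AGENTS.md` inside the runner's own checkout, but nothing in the job commits, pushes or otherwise exposes that file; the only externally visible effect is the `gh pr comment` that posts `@codex review`, so the Codex GitHub App, which reads the repository itself rather than this runner's workspace, will presumably see the PR branch's `AGENTS.md` (or none) and not the audit-scoped one the commit message describes. For the intended behaviour the audit instructions have to exist in the repository at whatever path the Codex app is documented to read, and the `cp` step should be dropped or replaced, since as written its name overstates what it achieves. `needs: auto-review` also means the audit is skipped whenever `auto-review` fails or is cancelled, including by the shared `cancel-in-progress` concurrency group; that may be intended, but a comment such as `# only audit a review that actually completed` on the `needs:` line would record it. The `claude-assist` job that begins at the end of this hunk continues outside it.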