ci: replace Code Rabbit with Claude auto-review workflow

.github/codex-audit-agents.md

@@ -0,0 +1,38 @@
+# AGENTS.md - Codex Audit Role
+
+You are acting as a second-opinion auditor of an automated PR review produced by Claude Code.
+
+## Your Role
+
+Audit the existing review comments on this PR. Do NOT perform a fresh, independent code review.
+
+## What To Do
+
+1. Read all existing review comments left by Claude Code (the `github-actions[bot]` user)
+2. For each finding: confirm if valid, or flag as a false positive with reasoning
+3. Identify meaningful gaps: security issues, logic errors, or missed edge cases that the review overlooked
+4. If you agree with the review and find no gaps, say so briefly
+
+## What NOT To Do
+
+- Do not nitpick style, formatting, naming, or whitespace
+- Do not repeat findings already covered by the existing review
+- Do not perform a general code review of the entire diff
+- Do not comment on test coverage unless a critical path is untested
+- Keep your response concise: only comment when you have substantive input
+
+## Output Format
+
+Structure your review as:
+
+### Confirmed Findings
+- List any findings from Claude's review that you agree with (brief)
+
+### Disputed Findings
+- Any findings you believe are false positives, with reasoning
+
+### Gaps Found
+- Substantive issues the original review missed (security, logic, edge cases)
+
+### Verdict
+One line: "Review looks solid" or "Review has gaps that should be addressed"

.github/workflows/claude-review.yml

@@ -1,6 +1,8 @@
 name: Claude Code
 
 on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review]
   issue_comment:
     types: [created]
   pull_request_review_comment:
@@ -9,18 +11,75 @@ on:
     types: [opened, assigned]
 
 concurrency:
-  group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
+  group: claude-${{ github.event.pull_request.number || github.event.issue.number }}
   cancel-in-progress: true
 
 jobs:
-  claude:
+  auto-review:
+    if: github.event_name == 'pull_request' && !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+          plugin_marketplaces: |
+            https://github.com/anthropics/claude-code.git
+
+          plugins: |
+            pr-review-toolkit@claude-code-plugins
+
+  security-review:
+    if: github.event_name == 'pull_request' && !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 2
+
+      - uses: anthropics/claude-code-security-review@main
+        with:
+          claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+  codex-audit:
+    needs: auto-review
+    if: github.event_name == 'pull_request' && !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Override AGENTS.md with audit-scoped instructions
+        run: cp .github/codex-audit-agents.md AGENTS.md
+
+      - name: Trigger Codex review
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr comment ${{ github.event.pull_request.number }} \
+            --body "@codex review"
+
+  claude-assist:
     if: >
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       pull-requests: write
       issues: write
       id-token: write
@@ -36,4 +95,3 @@ jobs:
 
           plugins: |
             pr-review-toolkit@claude-code-plugins
-            security-guidance@claude-code-plugins