Review MCP Server

Get expert code reviews from multiple AI models integrated into Claude Code. Catches bugs, security issues, and design problems automatically.

Quick Start

git clone https://github.com/je4550/review-mcp.git cd review-mcp npm install npm run build

Configure Claude Code - Add to ~/.config/claude-code/mcp.json:

{ "mcpServers": { "review-mcp": { "command": "node", "args": ["/absolute/path/to/review-mcp/dist/index.js"] } } }

Set up a reviewer CLI (at least one):

# Option 1: Codex CLI (recommended) codex --version # If you already have it # Option 2: OpenAI CLI npm install -g openai # No API key needed if logged in with ChatGPT subscription # Otherwise: export OPENAI_API_KEY="sk-..." # Option 3: Gemini CLI npm install -g @google/gemini-cli # No API key needed if logged in with Google account # Otherwise: export GOOGLE_API_KEY="..."

Restart Claude Code and you're ready!

Usage

Just ask Claude naturally:

"Review this authentication function" "Get a second opinion on src/auth.ts" "Check the payment processing code for security issues" "Review all files in the api/ directory"

Claude will get reviews from Codex/Gemini, analyze them, and present comprehensive feedback.

What You Get

Real Results from Testing

100-line authentication service:

Found: 6 critical security issues
SQL injection (5 locations), hardcoded secrets, insecure random, missing JWT expiration
Time: ~5 seconds

Payment processing module:

Found: 5 issues (2 critical, 2 high, 1 medium)
Hardcoded API keys, SQL injection, missing transactions, floating point errors
Time: ~4 seconds

React component (90 lines):

Found: 5 bugs
Null pointer crash, XSS vulnerability, state mutation bugs, missing dependencies
Time: ~5 seconds

Utility functions:

Found: 4 security flaws
Weak password hashing, insecure tokens, insufficient sanitization
Time: ~4 seconds

Example Review

Your code:

function auth(user, pass) { if (user === "admin" && pass === "12345") { return true; } return false; }

Codex review:

- High: auth hard-codes "admin" and "12345" (auth.js:2). Anyone with source access gains full access, credentials can't be rotated without redeploying, and password is stored in clear text. - High: Plain string comparison leaks timing information (auth.js:2). An attacker can measure response times to infer correct characters; use constant-time comparison. - Medium: No hashing or KDF applied to password before comparison. Even if you moved the secret out of source control, you'd still want to hash user-supplied passwords. Next steps: Replace hardcoded credential with configurable secret store, hash/verify using a KDF, add constant-time compare helper.

Claude's synthesis:

Both reviewers identified critical security issues. The hardcoded credentials and timing attacks need immediate attention. I also notice there's no rate limiting or audit logging. Let me help you fix these...

Features

✅ Senior-level reviews - Catches security, bugs, performance issues ✅ Multiple perspectives - Get Codex + Gemini + Claude's analysis ✅ Auto-detection - Works with whichever CLIs you have installed ✅ Smart validation - Filters out code rewrites and unhelpful responses ✅ Fast - ~5 seconds per 100 lines of code ✅ Comprehensive - Reviews snippets, files, or entire directories ✅ Prioritized - Issues marked as Critical/High/Medium/Low

Available Tools

Tool	Use Case
`check_cli_status`	Check which review CLIs are installed
`review_code`	Review a code snippet directly
`review_file`	Review a specific file
`review_directory`	Review all code files in a directory

You don't need to remember these - Claude calls them automatically when you ask for reviews.

Supported Languages

.js .ts .jsx .tsx .py .rb .go .java .c .cpp .cs .php .swift .kt .rs

How It Works

You write code and ask Claude for a review
MCP server detects which CLIs are available (Codex/Gemini)
Sends your code with a simple prompt: "You are a senior software engineer. Code review the changes and implementation. Don't change anything, just review."
Reviewers analyze in parallel (5-minute timeout each)
Validation filters out invalid responses (code rewrites, errors, off-topic)
Claude receives feedback and adds its own expert analysis
You get comprehensive results with multiple AI perspectives

Troubleshooting

"No review CLIs available"

Run "Check CLI status" in Claude Code
Install at least one: codex, openai, or gemini CLI

Reviews timing out

5-minute timeout should be plenty
Check internet connection and API keys

API keys not working

# Note: API keys not needed if you're logged in with: # - ChatGPT subscription (for OpenAI CLI) # - Google account (for Gemini CLI) # If you need to set API keys manually: # Check if keys are set echo $OPENAI_API_KEY echo $GOOGLE_API_KEY # Add to ~/.bashrc or ~/.zshrc export OPENAI_API_KEY="sk-..." export GOOGLE_API_KEY="..."

Performance

Based on real testing:

Speed: ~5 seconds per 100 lines
Accuracy: Zero false positives in testing
Coverage: Finds security, bugs, performance, design issues
Cost: ~$0.10 per review at GPT-4 rates
Tokens: ~3,000 per 100-line file

Architecture

You write code ↓ Claude Code asks for review ↓ Review MCP Server ├─→ Detects available CLIs ├─→ Sends code to Codex/Gemini (parallel) ├─→ Validates responses └─→ Returns formatted feedback ↓ Claude analyzes and synthesizes ↓ You get expert recommendations

Development

npm run watch # Auto-rebuild on changes

License

MIT

Contributing

Issues and PRs welcome at https://github.com/je4550/review-mcp

Review MCP Server

Review MCP Server

Quick Start

Usage

What You Get

Real Results from Testing

Example Review

Features

Available Tools

Supported Languages

How It Works

Troubleshooting

Performance

Architecture

Development

License

Contributing

Related Resources

Tools

Appeared in Searches

New MCP Servers

MCP directory API