# Review MCP Server
Get expert code reviews from multiple AI models integrated into Claude Code. Catches bugs, security issues, and design problems automatically.
## Quick Start
```bash
git clone https://github.com/je4550/review-mcp.git
cd review-mcp
npm install
npm run build
```
**Configure Claude Code** - Add to `~/.config/claude-code/mcp.json`:
```json
{
  "mcpServers": {
    "review-mcp": {
      "command": "node",
      "args": ["/absolute/path/to/review-mcp/dist/index.js"]
    }
  }
}
```
**Set up a reviewer CLI** (at least one):
```bash
# Option 1: Codex CLI (recommended)
codex --version   # confirms it is installed and on PATH

# Option 2: OpenAI CLI
npm install -g openai
# No API key needed if logged in with a ChatGPT subscription
# Otherwise: export OPENAI_API_KEY="sk-..."

# Option 3: Gemini CLI
npm install -g @google/gemini-cli
# No API key needed if logged in with a Google account
# Otherwise: export GOOGLE_API_KEY="..."
```
**Restart Claude Code** and you're ready!
## Usage
Just ask Claude naturally:
```
"Review this authentication function"
"Get a second opinion on src/auth.ts"
"Check the payment processing code for security issues"
"Review all files in the api/ directory"
```
Claude will get reviews from Codex/Gemini, analyze them, and present comprehensive feedback.
## What You Get
### Real Results from Testing
**100-line authentication service:**
- Found: 6 critical security issues
- SQL injection (5 locations), hardcoded secrets, insecure random, missing JWT expiration
- Time: ~5 seconds
**Payment processing module:**
- Found: 5 issues (2 critical, 2 high, 1 medium)
- Hardcoded API keys, SQL injection, missing transactions, floating point errors
- Time: ~4 seconds
**React component (90 lines):**
- Found: 5 bugs
- Null pointer crash, XSS vulnerability, state mutation bugs, missing dependencies
- Time: ~5 seconds
**Utility functions:**
- Found: 4 security flaws
- Weak password hashing, insecure tokens, insufficient sanitization
- Time: ~4 seconds
### Example Review
**Your code:**
```javascript
function auth(user, pass) {
  if (user === "admin" && pass === "12345") {
    return true;
  }
  return false;
}
```
**Codex review:**
```
- High: auth hard-codes "admin" and "12345" (auth.js:2). Anyone with
source access gains full access, credentials can't be rotated without
redeploying, and password is stored in clear text.
- High: Plain string comparison leaks timing information (auth.js:2).
An attacker can measure response times to infer correct characters;
use constant-time comparison.
- Medium: No hashing or KDF applied to password before comparison.
Even if you moved the secret out of source control, you'd still want
to hash user-supplied passwords.
Next steps: Replace hardcoded credential with configurable secret store,
hash/verify using a KDF, add constant-time compare helper.
```
**Claude's synthesis:**
> Both reviewers identified critical security issues. The hardcoded credentials and timing attacks need immediate attention. I also notice there's no rate limiting or audit logging. Let me help you fix these...
## Features
✅ **Senior-level reviews** - Catches security, bugs, performance issues
✅ **Multiple perspectives** - Get Codex + Gemini + Claude's analysis
✅ **Auto-detection** - Works with whichever CLIs you have installed
✅ **Smart validation** - Filters out code rewrites and unhelpful responses
✅ **Fast** - ~5 seconds per 100 lines of code
✅ **Comprehensive** - Reviews snippets, files, or entire directories
✅ **Prioritized** - Issues marked as Critical/High/Medium/Low
## Available Tools
| Tool | Use Case |
|------|----------|
| `check_cli_status` | Check which review CLIs are installed |
| `review_code` | Review a code snippet directly |
| `review_file` | Review a specific file |
| `review_directory` | Review all code files in a directory |
You don't need to remember these - Claude calls them automatically when you ask for reviews.
## Supported Languages
`.js` `.ts` `.jsx` `.tsx` `.py` `.rb` `.go` `.java` `.c` `.cpp` `.cs` `.php` `.swift` `.kt` `.rs`
## How It Works
1. **You write code** and ask Claude for a review
2. **MCP server detects** which CLIs are available (Codex/Gemini)
3. **Sends your code** to each detected CLI with a fixed prompt: "You are a senior software engineer. Code review the changes and implementation. Don't change anything, just review." The code leaves your machine and goes to the reviewer's backend (OpenAI or Google), so do not point it at files that contain live credentials.
4. **Reviewers analyze** in parallel (5-minute timeout each)
5. **Validation filters** out invalid responses (code rewrites, errors, off-topic)
6. **Claude receives feedback** and adds its own expert analysis
7. **You get comprehensive results** with multiple AI perspectives
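The pipeline in steps 2 through 5, written out as an added example that is not the project's own code (the real server lives in `dist/index.js` and is not reproduced here). Everything in it is an assumption made for illustration: CLI detection probes `PATH` through an injected `exists` predicate so it can run against a constructed fake filesystem, the per-reviewer timeout is 100 ms rather than five minutes, the reviewer objects are fakes that return constructed text, and the rewrite-detection heuristic (more than half of the non-blank lines sit inside a fenced code block) is one plausible filter, not the rule the project applies.

```javascript
// Added example (not review-mcp's code): detect reviewer CLIs, run them in
// parallel with a per-reviewer timeout, and drop responses that are code
// rewrites or CLI errors instead of reviews. All names, timeouts and the
// validation heuristic below are assumptions for this example.

const REVIEW_PROMPT =
  "You are a senior software engineer. Code review the changes and " +
  "implementation. Don't change anything, just review.";

// Step 2: look for each CLI name in every PATH directory. `exists` is
// injected so the function can be exercised against a fake filesystem.
function detectClis(names, pathEnv, exists) {
  const dirs = pathEnv.split(":").filter(Boolean);
  const found = {};
  for (const name of names) {
    found[name] = dirs.some((dir) => exists(dir + "/" + name));
  }
  return found;
}

// Step 5: a usable review is non-empty, does not start with a CLI error,
// and is mostly prose. If more than half of the non-blank lines are fence
// markers or sit inside a fence, treat it as a rewrite (assumed heuristic).
function validateReview(text) {
  if (typeof text !== "string" || text.trim() === "") {
    return { ok: false, reason: "empty response" };
  }
  const lines = text.split("\n");
  if (/^(error|usage:|command not found)/i.test(lines[0].trim())) {
    return { ok: false, reason: "CLI error" };
  }
  let inFence = false;
  let fenced = 0;
  let total = 0;
  for (const line of lines) {
    if (line.trim() === "") continue;
    total++;
    if (/^\s*```/.test(line)) {
      inFence = !inFence;
      fenced++;
      continue;
    }
    if (inFence) fenced++;
  }
  if (fenced * 2 > total) {
    return { ok: false, reason: "looks like a code rewrite" };
  }
  return { ok: true, reason: "" };
}

// Step 4: race a reviewer against a timer so one hung CLI cannot stall the
// whole review. The timer is cleared whichever side wins.
function withTimeout(promise, ms, label) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(
      () => reject(new Error(label + " timed out after " + ms + " ms")),
      ms
    );
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// reviewers: [{ name, run: (prompt, code) => Promise<string> }]
// Returns the reviews that passed validation and why the rest were dropped.
async function reviewInParallel(reviewers, code, timeoutMs) {
  const settled = await Promise.allSettled(
    reviewers.map((r) => withTimeout(r.run(REVIEW_PROMPT, code), timeoutMs, r.name))
  );
  const accepted = [];
  const rejected = [];
  settled.forEach((res, i) => {
    const name = reviewers[i].name;
    if (res.status === "rejected") {
      rejected.push({ name, reason: res.reason.message });
      return;
    }
    const verdict = validateReview(res.value);
    if (verdict.ok) accepted.push({ name, review: res.value });
    else rejected.push({ name, reason: verdict.reason });
  });
  return { accepted, rejected };
}

// --- Constructed demo data: a fake filesystem and fake reviewer CLIs. ---
const FAKE_FILES = new Set(["/usr/local/bin/codex", "/usr/local/bin/node"]);
const fakeExists = (p) => FAKE_FILES.has(p);

const SAMPLE_CODE =
  'function auth(user, pass) { return user === "admin" && pass === "12345"; }';

const fakeReviewers = [
  // Behaves like a real review: severity-tagged findings, no code.
  { name: "codex", run: async () => "- High: auth hard-codes credentials (auth.js:1).\n- High: plain string comparison leaks timing information." },
  // Ignores "don't change anything" and sends back a rewrite; must be dropped.
  { name: "gemini", run: async () => "Here is the fixed version:\n```javascript\nfunction auth(user, pass) {\n  return verify(user, pass);\n}\n```" },
  // Never answers within the timeout; must be reported as timed out.
  { name: "slow", run: () => new Promise((resolve) => setTimeout(() => resolve("late"), 300)) },
];

console.log("detected:", detectClis(["codex", "gemini", "openai"], "/usr/local/bin:/usr/bin", fakeExists));
reviewInParallel(fakeReviewers, SAMPLE_CODE, 100).then((result) => {
  console.log("accepted:", result.accepted.map((r) => r.name));
  console.log("rejected:", result.rejected);
});
```

Run with `node review-flow.js`: the codex reply is kept, the gemini rewrite is rejected with "looks like a code rewrite", and the slow reviewer is reported as timed out after 100 ms instead of blocking the other two.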
## Troubleshooting
**"No review CLIs available"**
- Run `"Check CLI status"` in Claude Code
- Install at least one: `codex`, `openai`, or `gemini` CLI
**Reviews timing out**
- Each reviewer gets a 5-minute timeout, which is far more than a normal review needs; a timeout usually means the CLI is stuck, not that the code is too large
- Check your internet connection, and confirm the CLI works on its own (for example, run it once outside Claude Code) so that API keys and logins are known-good
**API keys not working**
```bash
# Note: API keys are not needed if you're logged in with:
# - a ChatGPT subscription (for the OpenAI CLI)
# - a Google account (for the Gemini CLI)

# If you need to set API keys manually, first check whether they are set
echo "${OPENAI_API_KEY:+set}"
echo "${GOOGLE_API_KEY:+set}"

# Add to ~/.bashrc or ~/.zshrc (the file now holds credentials, so keep it
# readable only by you and never commit it)
export OPENAI_API_KEY="sk-..."
export GOOGLE_API_KEY="..."
chmod 600 ~/.bashrc
```
## Performance
Based on the test runs described above:
- **Speed:** ~5 seconds per 100 lines
- **Accuracy:** no false positives in those runs
- **Coverage:** Finds security, bugs, performance, design issues
- **Cost:** ~$0.10 per review at GPT-4 rates
- **Tokens:** ~3,000 per 100-line file
## Architecture
```
You write code
      ↓
Claude Code asks for review
      ↓
Review MCP Server
  ├─→ Detects available CLIs
  ├─→ Sends code to Codex/Gemini (parallel)
  ├─→ Validates responses
  └─→ Returns formatted feedback
      ↓
Claude analyzes and synthesizes
      ↓
You get expert recommendations
```
## Development
```bash
npm run watch # Auto-rebuild on changes
```
## License
MIT
## Contributing
Issues and PRs welcome at https://github.com/je4550/review-mcp