Review MCP Server

Get expert code reviews from multiple AI models integrated into Claude Code. Catches bugs, security issues, and design problems automatically.

Quick Start

git clone https://github.com/je4550/review-mcp.git
cd review-mcp
npm install
npm run build

Configure Claude Code - Add to ~/.config/claude-code/mcp.json:

{
  "mcpServers": {
    "review-mcp": {
      "command": "node",
      "args": ["/absolute/path/to/review-mcp/dist/index.js"]
    }
  }
}

Set up a reviewer CLI (at least one):

# Option 1: Codex CLI (recommended)
codex --version  # If you already have it

# Option 2: OpenAI CLI
npm install -g openai
# No API key needed if logged in with ChatGPT subscription
# Otherwise: export OPENAI_API_KEY="sk-..."

# Option 3: Gemini CLI
npm install -g @google/gemini-cli
# No API key needed if logged in with Google account
# Otherwise: export GOOGLE_API_KEY="..."

Restart Claude Code and you're ready!

Usage

Just ask Claude naturally:

"Review this authentication function"
"Get a second opinion on src/auth.ts"
"Check the payment processing code for security issues"
"Review all files in the api/ directory"

Claude will get reviews from Codex/Gemini, analyze them, and present comprehensive feedback.

What You Get

Real Results from Testing

100-line authentication service:

• Found: 6 critical security issues
• SQL injection (5 locations), hardcoded secrets, insecure random, missing JWT expiration
• Time: ~5 seconds

Payment processing module:

• Found: 5 issues (2 critical, 2 high, 1 medium)
• Hardcoded API keys, SQL injection, missing transactions, floating point errors
• Time: ~4 seconds

React component (90 lines):

• Found: 5 bugs
• Null pointer crash, XSS vulnerability, state mutation bugs, missing dependencies
• Time: ~5 seconds

Utility functions:

• Found: 4 security flaws
• Weak password hashing, insecure tokens, insufficient sanitization
• Time: ~4 seconds

Example Review

Your code:

function auth(user, pass) {
  if (user === "admin" && pass === "12345") {
    return true;
  }
  return false;
}

Codex review:

- High: auth hard-codes "admin" and "12345" (auth.js:2). Anyone with
  source access gains full access, credentials can't be rotated without
  redeploying, and password is stored in clear text.

- High: Plain string comparison leaks timing information (auth.js:2).
  An attacker can measure response times to infer correct characters;
  use constant-time comparison.

- Medium: No hashing or KDF applied to password before comparison.
  Even if you moved the secret out of source control, you'd still want
  to hash user-supplied passwords.

Next steps: Replace hardcoded credential with configurable secret store,
hash/verify using a KDF, add constant-time compare helper.

Claude's synthesis:

Both reviewers identified critical security issues. The hardcoded credentials and timing attacks need immediate attention. I also notice there's no rate limiting or audit logging. Let me help you fix these...

Features

✅ Senior-level reviews - Catches security, bugs, performance issues ✅ Multiple perspectives - Get Codex + Gemini + Claude's analysis ✅ Auto-detection - Works with whichever CLIs you have installed ✅ Smart validation - Filters out code rewrites and unhelpful responses ✅ Fast - ~5 seconds per 100 lines of code ✅ Comprehensive - Reviews snippets, files, or entire directories ✅ Prioritized - Issues marked as Critical/High/Medium/Low

Available Tools

Tool	Use Case
check_cli_status	Check which review CLIs are installed
review_code	Review a code snippet directly
review_file	Review a specific file
review_directory	Review all code files in a directory

You don't need to remember these - Claude calls them automatically when you ask for reviews.

Supported Languages

.js .ts .jsx .tsx .py .rb .go .java .c .cpp .cs .php .swift .kt .rs

How It Works

1. You write code and ask Claude for a review
2. MCP server detects which CLIs are available (Codex/Gemini)
3. Sends your code with a simple prompt: "You are a senior software engineer. Code review the changes and implementation. Don't change anything, just review."
4. Reviewers analyze in parallel (5-minute timeout each)
5. Validation filters out invalid responses (code rewrites, errors, off-topic)
6. Claude receives feedback and adds its own expert analysis
7. You get comprehensive results with multiple AI perspectives

Troubleshooting

"No review CLIs available"

• Run "Check CLI status" in Claude Code
• Install at least one: codex, openai, or gemini CLI

Reviews timing out

• 5-minute timeout should be plenty
• Check internet connection and API keys

API keys not working

# Note: API keys not needed if you're logged in with:
# - ChatGPT subscription (for OpenAI CLI)
# - Google account (for Gemini CLI)

# If you need to set API keys manually:
# Check if keys are set
echo $OPENAI_API_KEY
echo $GOOGLE_API_KEY

# Add to ~/.bashrc or ~/.zshrc
export OPENAI_API_KEY="sk-..."
export GOOGLE_API_KEY="..."

Performance

Based on real testing:

• Speed: ~5 seconds per 100 lines
• Accuracy: Zero false positives in testing
• Coverage: Finds security, bugs, performance, design issues
• Cost: ~$0.10 per review at GPT-4 rates
• Tokens: ~3,000 per 100-line file

Architecture

You write code
     ↓
Claude Code asks for review
     ↓
Review MCP Server
     ├─→ Detects available CLIs
     ├─→ Sends code to Codex/Gemini (parallel)
     ├─→ Validates responses
     └─→ Returns formatted feedback
          ↓
Claude analyzes and synthesizes
     ↓
You get expert recommendations

Development

npm run watch  # Auto-rebuild on changes

License

MIT

Contributing

Issues and PRs welcome at https://github.com/je4550/review-mcp