PM-33385 - Craft a multi-agent code review

[theMickster]

🎟️ Tracking

PM-33385 - Create multi-agent code review skill

📔 Objective

Adds a new performing-multi-agent-code-review skill. Intentionally a different lens from the existing bitwarden-code-reviewer agent — that agent reviews code the way a human reviewer would; this skill has Claude evaluate code as Claude, with output constraints a human can read. The pipeline runs 6 subagents per review each with a specific purpose and well-defined prompt.

Nitty-gritty skill details

Expand

• Four invocation modes: PR, local changes, branch comparison, and commit-range (e.g. "last week of commits", "last 20 commits", "since 2026-04-23").
• Configurable model — opus by default; tunable via --model to dial cost vs. depth.
• Pipeline: architecture compliance pass → 3 parallel diff reviewers (quality, bug, security) → per-finding validation → severity audit.
• Confidence threshold ≥ 80; everything below is dropped silently.
• The architecture agent is the only codebase-aware lens — the 3 parallel reviewers are deliberately constrained to the diff to avoid context contamination. The architecture agent counterweights by loading full files, sibling code, and project docs, catching pattern violations, boundary violations, and doc/code drift the diff-only reviewers cannot.
• Severity-bucketed local markdown report written to the repo root.
• Findings render in 🛑 Blocker / ⚠️ Important / ♻️ Refactor with a collapsed "dismissed findings" block showing what was caught and rejected, with rejection reasons.
• Each finding includes a Caught by sub-agent attribution (Architecture, Code quality, Bug analysis, Security & logic, Validation).

Use cases

Expand

- At the end of a [Claude Code Agent Teams](https://code.claude.com/docs/en/agent-teams) coding session — slots into an agent feedback loop where teammates work, address findings, and refactor. - When an engineer is approaching the end of local development work and needs depth of review. - When an engineer has completed work on a draft PR and needs depth of review prior to publish. - When an engineer is peer-reviewing a high-density, cross-team, or very complex pull request.

Field test results on live PRs

1. PM-26250 Explore options to enable direct importer for mac app store build clients#17479 (comment)
2. [PM-32016] - make at-risk banner dismissable clients#20505 (comment)
3. [PM-34165] Introduce InviteKeyBundle for supporting future AC auto-confirm workflow sdk-internal#1021 (comment)
4. Add missing functions to Send API calls sdk-internal#961 (comment)
5. [PM-32211] fix private key before key rotation sdk-internal#994 (comment)

Cost estimates

Expand

Cost comparison sdk-internal/pull/1020

multi-agent review

single-agent /bitwarden-code-review:code-review-local

Cost comparison misc/pull/348

multi-agent review

single-agent review

🧪 Testing

Expand for reviewer steps to try the four modes locally

Step 1: Install the required sibling plugins

The skill aborts without bitwarden-tech-lead and bitwarden-security-engineer available in the same marketplace. Confirm both are installed before invoking.

Step 2: Trigger each mode and confirm the report shape

In a Bitwarden repo checkout, invoke each form below and confirm a code-review-*.md lands at the repo root with severity-bucketed findings and a Caught by: line on every finding:

• PR mode — /performing-multi-agent-code-review 12345 (substitute a real PR number)
• Local mode — make an uncommitted change, then /perform-multi-agent-code-review
• Branch comparison — on a clean feature branch, /perform-multi-agent-code-review
• Commit-range — /performing-multi-agent-code-review on the last 5 commits

Step 3: Confirm the dismissed-findings block

Each report should include a collapsed "dismissed findings" section listing findings that didn't survive Step 4 validation or Step 5 severity audit, with the rejection reason.

[github-actions]

Checkmarx One – Scan Summary & Details – 2438330f-9677-47c0-b21d-888091cf8e04

Great job! No new security vulnerabilities introduced in this pull request

[theMickster]

I have been experimenting with cross agent configuration (namely Github Copilot) and I found that this configuration is incorrect. It should only be used it all plugins below did not have the ./plugins/ prefix in the source property. However, since all of them do, this should be removed.

[theMickster]

When working locally against fellow teammate's feature branches, I have found this particular subagent to be very useful. It has pointed out where a teammate has unintentionally violated a CLAUDE.md or a README.md rule. The agents that only scan the diffs aren't finding those.

[theMickster]

I spent the most time working to refine and clearly tell the main agent (the orchestrator for lack of a better name) what context is must gather and pass to subagents because they work independently with their own context window.
Claude Glossary

[theMickster]

The first few iterations of the skill saw Claude Code deliver some funky line numbers; therefore, I added this brief direct instruction to help guide it and I have seen much better results.

[theMickster]

As noted in the pull request description, these standards are intentionally different because of the depth of work being done by the subagents. The intention is that we don't surface noise to engineers, but real signals of problems. I feel strongly that humans should be relied upon for suggestions and nit-picks. Claude should stay in this lane IMO.

[theMickster]

I have found good success with providing Claude with a scale that has concrete descriptions of what is and is not considered a confident finding.

[theMickster]

Arguably the best suggestion from the /skill-creator was this markdown. Given the subagents a concrete messaging format has drastically improved consistency of findings and being able to track what agent came up with what finding is also very helpful.

[theMickster]

Given that the skill is designed to be very flexible; keeping it in the main SKILL.md became overwhelming.

[theMickster]

Another clear distinction from the single agent reviews and commands. I don't want inline comments and I don't want a second file. I want to see a single, clear report with collapsed sections as needed so that engineers can work the report top-to-bottom.

Adding the Caught by and the Original.. fields were instrumental in working with the /skill-creator skill to diagnose inconsistencies and tune the subagent prompts.

[theMickster]

One of my favorite parts of the skill is this addition.
When creating the Seeder Utility in the server repo and refining the skill itself, it was very helpful to keep these around in a simple expander/collapse to better understand what was going on in the process. Must keep IMO.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the addition of the new performing-multi-agent-code-review skill to the bitwarden-code-review plugin. The change ships a new SKILL.md plus five references/*.md files describing modes, finding shape, evaluation standards, discovery standards, and the report template. Version bump (1.10.0 → 1.11.0) is correctly mirrored across marketplace.json, plugin.json, the root README.md table, and the plugin CHANGELOG.md under a properly formatted ### Added entry. Subagent type references resolve against the installed bitwarden-tech-lead and bitwarden-security-engineer plugins, and the allowed-tools declaration follows YAML conventions used by sibling skills.

Code Review Details

No new findings. Previously raised review comments (changelog cruft, README typo, AskUserQuestion missing from allowed-tools, prereq-check markdown indentation, changelog ### Added heading) are addressed and marked resolved. The open pluginRoot discussion on marketplace.json:10 and the resolved README.md link-target thread are already tracked and do not need duplication here.

[theMickster]

Note: I am intentionally putting the actions/workflows/review-code.yml through it's paces. I am testing my recent change that triggers the workflow via applying the ai-review label.