Skip to content

[Feature]: Integrate Code Reviewer Agent for Security Validation During Development #93

New issue
New issue
Open
Open
[Feature]: Integrate Code Reviewer Agent for Security Validation During Development#93
Labels
needs-triage
@niksacdev

Description

@niksacdev
niksacdev
opened on Nov 24, 2025

Issue Description

Labels: enhancement, agents, security, code-quality, size: large

Epic: #63 - Engineering Agents Integration
Related Issues: Part of breaking down #63 into focused implementation tasks

Epic Context

This issue is part of the larger Engineering Agents Integration epic (#63), which aims to integrate 6 collaborative engineering agents from the engineering-team-agents repository into HVE Core. The epic provides multi-platform support (GitHub Copilot + Claude Code + AGENTS.md) while enhancing the existing research → plan → implement workflow with quality gates at strategic points.

This specific issue focuses on the during-implementation security validation phase, adding the Code Reviewer agent that catches OWASP vulnerabilities early with specific fixes before reaching @pr-review final gate.

Overview

Integrate the Code Reviewer agent to provide OWASP security pattern validation and code quality checks during development, with consideration for integration into existing PR workflows or as a new command.

User Story

As a developer on the HVE Core team, I want security validation during development with specific code fixes, so that I catch OWASP vulnerabilities early when fixes are small rather than during final PR review when context is lost.

Context

  • Current Gap: Security issues found too late (during @pr-review = large refactors)
  • Problem: Late security discovery = expensive fixes, delayed releases, context loss
  • Value Add: 80% faster security fixes, caught early with fresh context
  • Integration Point: During implementation, before @pr-review final gate
  • Integration Decision: May integrate into existing PR workflow, become new command, or merge with existing command (requires analysis)

Source Repository

Acceptance Criteria

  • Code Reviewer agent works in Claude Code (.claude/agents/)
  • Code Reviewer agent works in GitHub Copilot (.github/agents/ and .github/chatmodes/)
  • AGENTS.md includes agent in universal format
  • Agent creates code review reports in docs/code-review/
  • Code review report template added to docs/templates/
  • Agent applies OWASP Top 10 security patterns
  • Agent applies OWASP LLM Top 10 (AI systems)
  • Agent applies OWASP ML Security Top 10 (ML systems)
  • Agent implements Zero Trust security verification
  • Agent provides specific code fixes (not just problems)
  • Agent can consult Architecture, DevOps, and Responsible AI
  • Integration analysis completed: Command vs PR workflow vs merge with existing
  • Agent follows HVE Core conventions
  • All existing HVE Core tests pass

Technical Requirements

  • Platform Support: Claude Code, GitHub Copilot (native + chatmodes), universal AGENTS.md
  • Documentation Structure:
    • docs/code-review/[date]-[component]-review.md
    • docs/templates/code-review-report-template.md
  • Security Frameworks:
    • OWASP Top 10 (A01-A10)
    • OWASP LLM Top 10 (LLM01-LLM10)
    • OWASP ML Security Top 10 (ML01-ML10)
    • Zero Trust principles
  • Review Categories: Security (priority), Reliability, Performance (>1K users), Maintainability
  • Output Format: Specific code fixes with before/after examples, not just problem identification

Implementation Phases

Phase 1: Analysis & Design

  1. Analyze existing HVE Core PR workflow and commands
  2. Determine optimal integration approach:
    • Option A: New standalone command (@code-review)
    • Option B: Integrate into existing PR workflow
    • Option C: Merge/enhance existing command
  3. Document decision rationale (create ADR)

Phase 2: Port Agent

  1. Adapt code-reviewer.md from source repository
  2. Modify based on integration decision from Phase 1
  3. Create Claude version (.claude/agents/)
  4. Create GitHub native version (.github/agents/)
  5. Create GitHub chatmode version (.github/chatmodes/)
  6. Add agent to AGENTS.md

Phase 3: Documentation Setup

  1. Create docs/code-review/ directory
  2. Port code review report template
  3. Add OWASP framework references
  4. Add cross-references to existing instructions

Phase 4: Integration & Testing

  1. Test agent in Claude Code
  2. Test agent in GitHub Copilot
  3. Validate code review report workflow
  4. Test OWASP pattern detection
  5. Test cross-agent collaboration (Code Reviewer → Architecture)
  6. Validate backward compatibility
  7. Test integration with existing PR workflow/commands

Definition of Done

  • Integration approach analyzed and documented (ADR created)
  • Agent works in all three formats
  • Code review report template functional
  • OWASP security checks working (Top 10, LLM, ML)
  • Specific code fixes provided (before/after examples)
  • Cross-agent collaboration working
  • Integration with HVE Core workflow complete
  • README.md updated with security workflow
  • All existing tests pass
  • No breaking changes to existing workflow

Dependencies

Related Documentation

Notes

  • Backward Compatibility: Must not break existing PR review workflow
  • Maintainer Consultation: Recommend discussing integration approach in issue comments before implementation

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs-triage

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions