diff --git a/docs/users/features/code-review.md b/docs/users/features/code-review.md index 046bb1ad2..bed8f2152 100644 --- a/docs/users/features/code-review.md +++ b/docs/users/features/code-review.md @@ -31,6 +31,7 @@ Step 1.1: Load project review rules Step 1.5: Run deterministic analysis (linters, type checkers) Step 2: 5 parallel review agents (correctness, quality, performance, undirected, build/test) Step 2.5: Deduplicate → verify → aggregate findings +Step 2.6: Reverse audit — find issues all agents missed Step 3: Present findings with verdict Step 3.5: Offer autofix for fixable issues Step 4: Post PR inline comments (if requested) @@ -48,7 +49,7 @@ Step 5: Restore environment | Agent 4: Undirected Audit | Business logic, boundary interactions, hidden coupling | | Agent 5: Build & Test | Runs build and test commands, reports failures | -All agents run in parallel. Each finding is independently verified by a separate verification agent to reduce false positives. +All agents run in parallel. Each finding is independently verified by a separate verification agent to reduce false positives. After verification, a **reverse audit agent** reviews the diff with knowledge of all confirmed findings to catch issues that every other agent missed. ## Deterministic Analysis diff --git a/packages/core/src/skills/bundled/review/SKILL.md b/packages/core/src/skills/bundled/review/SKILL.md index c94e8baae..a8f4d9f41 100644 --- a/packages/core/src/skills/bundled/review/SKILL.md +++ b/packages/core/src/skills/bundled/review/SKILL.md 
@@ -244,7 +244,29 @@ After verification, identify **confirmed** findings that describe the **same typ - **Severity:** 3. If the same pattern has more than 5 occurrences and severity is **not** Critical, list the first 3 locations plus "and N more locations". For **Critical** patterns, always list all locations — every instance matters. -All confirmed findings (aggregated or standalone) proceed to Step 3. +All confirmed findings (aggregated or standalone) proceed to Step 2.6. + +### Reverse audit + +After aggregation, launch a **single reverse audit agent** to find issues that all previous agents missed. This agent receives: + +- The list of all confirmed findings so far (so it knows what's already covered) +- The command to obtain the diff +- Access to read files and search the codebase + +The reverse audit agent must: + +1. Review the diff with full knowledge of what was already found +2. Focus exclusively on **gaps** — important issues that no other agent caught +3. Only report **Critical** or **Suggestion** level findings — do not report Nice to have +4. Apply the same **Exclusion Criteria** as other agents +5. Return findings in the same structured format (with `Source: [review]`) + +Any findings from the reverse audit go through the same independent verification as Step 2.5 (one verification agent per finding, same confidence levels). Verified findings are merged into the final findings list. + +If the reverse audit finds nothing, that is a good outcome — it means the initial review had strong coverage. + +All confirmed findings (from aggregation + reverse audit) proceed to Step 3. ## Step 3: Present findings
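Review bot: In docs/users/features/code-review.md, the sentence added after the agent table says the reverse audit agent runs "After verification" but never says its own findings are verified, while the SKILL.md section in this same patch requires "the same independent verification as Step 2.5" for them. As written, a user can read this as reverse-audit findings bypassing the false-positive check that the preceding sentence promises for each finding. Suggest appending a short sentence such as "Reverse audit findings are verified the same way before they are reported."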
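Review bot: In the new "Reverse audit" section of packages/core/src/skills/bundled/review/SKILL.md, "Verified findings are merged into the final findings list" leaves the merge undefined. Aggregation has already run by this point ("After aggregation, launch a single reverse audit agent"), so a reverse-audit finding that overlaps a confirmed finding, or that matches a pattern already aggregated under the "more than 5 occurrences" rule, has no stated handling. Suggest stating whether verified reverse-audit findings are deduplicated and aggregated against the existing list or appended as standalone entries. Separately, the agent receives only the confirmed findings, so nothing in the text prevents it from re-reporting an issue that verification already rejected; it would help to say how that case is handled.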