Stats

Actions

Available In

Tags

super-review

A multi-agent PR review plugin for Claude Code. Ships an orchestrator plus 7 framework/security sub-skills, loaded on-demand based on the diff's stack.

Dispatches N specialist reviewers in parallel (cybersecurity, supply-chain, correctness, design / blast-radius, migration, performance, frontend, observability, tests), gates findings through an evidence-quoting false-positive filter, runs cross-reviewer collision + Opus meta-verification, and produces a bounded, actionable report scoped strictly to the PR diff.

Tuned for senior reviewers who want signal, not noise.

Why this plugin exists

Off-the-shelf AI PR review fails the same way every time:

Noise volume — flags every "could be problematic" and "consider extracting", drowning real bugs

Hallucinated lines — cites code that isn't there

Scope creep — comments on pre-existing bugs the PR merely touched, burning reviewer trust

Intent laundering — reads the commit message and downgrades real security regressions

Verification theatre — a "verifier" agent that re-reads the same diff without fresh evidence

Generic knowledge — same review for a Next.js PR and a Spring Boot PR; misses framework-specific footguns

This plugin is opinionated about each of those failure modes. Findings ship only if twice-confirmed with quoted code evidence, and the output is hard-capped (≤3 BLOCK, ≤5 fix-before-merge, ≤5 follow-up, ≤3 nits + overflow summary). Framework-specific anti-patterns are loaded only when the stack triggers fire.

Architecture

Phase 0: SCOPE-LOCK & GROUND single agent — defines diff bounds + detects stack + loads matching sub-skills Phase 1: PARALLEL REVIEW N path-filtered specialist subagents (single message, parallel dispatch) Phase 2: FALSE-POSITIVE GATE fresh agent re-opens each file, byte-matches the quoted code, drops hallucinations Phase 3: COLLIDE cross-reviewer contradictions + negative space + forced contrarian Phase 4: OPUS META-VERIFICATION catches Sonnet compounding-pessimism + missed positives + shared-prior blind spots Phase 5: SYNTHESIZE & POST bounded report → GitHub comment + local summary

Three modes:

Full (default) — all 5 phases. ~6-12 min on a non-trivial PR

Fast — Phase 0 → Phase 1 (≤3 reviewers) → Phase 2 → Phase 5. Use for PRs <200 LOC

Security-only — cybersec + supply-chain reviewers only, full gate. For auth/crypto/IAM-heavy PRs

Pack contents

The orchestrator + 7 sub-skills:

Skill

What it brings

Auto-loads when

super-review:run

Orchestrator: 5-phase pipeline, OWASP/CWE/LLM Top 10 reference, severity taxonomy, evidence contract, posting protocol

Always — this is the entrypoint

super-review:react

React 18.3 → 19+ anti-patterns: useEffect races, hydration, key prop, use(), useActionState, Compiler interactions

react in deps, *.tsx/*.jsx in diff

super-review:nextjs

Next.js 15/16: Server Actions security, RSC boundary, use cache directive, async request APIs, parallel routes

next in deps, app//middleware.ts in diff

super-review:postgres

PG 16/17/18: lock escalation, deadlocks, JSONB indexing, MVCC, pgBouncer, PG17 MERGE, PG18 virtual generated cols

pg/postgres in deps, *.sql/migrations/ in diff

super-review:orm

Prisma 5/6, MikroORM, TypeORM, Drizzle: N+1, transaction propagation, raw SQL escape, Prisma 6 breaking changes

ORM in deps

super-review:crypto

Application crypto: RNG, AES-GCM IV reuse, padding oracles, JWT, password hashing, RSA, TLS, key separation

crypto/jose/jsonwebtoken/bcrypt/argon2 in diff

super-review:web-headers

CSP / HSTS / CORS / COOP+COEP / Permissions-Policy / SRI / cookies / CHIPS

Middleware / header setters / next.config headers

super-review:llm-sec

LLM app security depth: indirect prompt injection, output-as-executor, slopsquatting, excessive agency, vector store risks

openai/@anthropic-ai/sdk/@ai-sdk/*/langchain etc. in diff

super-review:i18n

Internationalization: key parity, ICU pluralization, locale-naive formatting, RTL, error-message localization, test discipline

next-intl/react-intl/react-i18next/i18next/lingui/@formatjs/*/vue-i18n in deps, OR locales//messages/ dirs

super-review:code-smells

Fowler / refactoring.guru catalog: Bloaters, OO Abusers, Change Preventers, Dispensables, Couplers, plus Flag Arguments, Stringly Typed, Magic Numbers

Single-file diff >150 LOC, new class >5 methods, function moves across files, or explicit smells mode

super-review:typescript

TS 5.x: any vs unknown, as vs guards, satisfies, using, branded types, assertNever, const type params, NoInfer

*.ts/*.tsx in diff or tsconfig.json modified

super-review

A multi-agent PR review plugin for Claude Code. Ships an orchestrator plus 7 framework/security sub-skills, loaded on-demand based on the diff's stack.

Tuned for senior reviewers who want signal, not noise.

Why this plugin exists

Off-the-shelf AI PR review fails the same way every time:

Noise volume — flags every "could be problematic" and "consider extracting", drowning real bugs
Hallucinated lines — cites code that isn't there
Scope creep — comments on pre-existing bugs the PR merely touched, burning reviewer trust
Intent laundering — reads the commit message and downgrades real security regressions
Verification theatre — a "verifier" agent that re-reads the same diff without fresh evidence
Generic knowledge — same review for a Next.js PR and a Spring Boot PR; misses framework-specific footguns

Architecture

Phase 0: SCOPE-LOCK & GROUND      single agent — defines diff bounds + detects stack + loads matching sub-skills
Phase 1: PARALLEL REVIEW          N path-filtered specialist subagents (single message, parallel dispatch)
Phase 2: FALSE-POSITIVE GATE       fresh agent re-opens each file, byte-matches the quoted code, drops hallucinations
Phase 3: COLLIDE                  cross-reviewer contradictions + negative space + forced contrarian
Phase 4: OPUS META-VERIFICATION   catches Sonnet compounding-pessimism + missed positives + shared-prior blind spots
Phase 5: SYNTHESIZE & POST         bounded report → GitHub comment + local summary

Three modes:

Full (default) — all 5 phases. ~6-12 min on a non-trivial PR
Fast — Phase 0 → Phase 1 (≤3 reviewers) → Phase 2 → Phase 5. Use for PRs <200 LOC
Security-only — cybersec + supply-chain reviewers only, full gate. For auth/crypto/IAM-heavy PRs

Pack contents

The orchestrator + 7 sub-skills:

Skill	What it brings	Auto-loads when
`super-review:run`	Orchestrator: 5-phase pipeline, OWASP/CWE/LLM Top 10 reference, severity taxonomy, evidence contract, posting protocol	Always — this is the entrypoint
`super-review:react`	React 18.3 → 19+ anti-patterns: useEffect races, hydration, key prop, `use()`, `useActionState`, Compiler interactions	`react` in deps, `.tsx`/`.jsx` in diff
`super-review:nextjs`	Next.js 15/16: Server Actions security, RSC boundary, `use cache` directive, async request APIs, parallel routes	`next` in deps, `app/`/`middleware.ts` in diff
`super-review:postgres`	PG 16/17/18: lock escalation, deadlocks, JSONB indexing, MVCC, pgBouncer, PG17 MERGE, PG18 virtual generated cols	`pg`/`postgres` in deps, `*.sql`/`migrations/` in diff
`super-review:orm`	Prisma 5/6, MikroORM, TypeORM, Drizzle: N+1, transaction propagation, raw SQL escape, Prisma 6 breaking changes	ORM in deps
`super-review:crypto`	Application crypto: RNG, AES-GCM IV reuse, padding oracles, JWT, password hashing, RSA, TLS, key separation	`crypto`/`jose`/`jsonwebtoken`/`bcrypt`/`argon2` in diff
`super-review:web-headers`	CSP / HSTS / CORS / COOP+COEP / Permissions-Policy / SRI / cookies / CHIPS	Middleware / header setters / `next.config` headers
`super-review:llm-sec`	LLM app security depth: indirect prompt injection, output-as-executor, slopsquatting, excessive agency, vector store risks	`openai`/`@anthropic-ai/sdk`/`@ai-sdk/*`/`langchain` etc. in diff
`super-review:i18n`	Internationalization: key parity, ICU pluralization, locale-naive formatting, RTL, error-message localization, test discipline	`next-intl`/`react-intl`/`react-i18next`/`i18next`/`lingui`/`@formatjs/*`/`vue-i18n` in deps, OR `locales/`/`messages/` dirs
`super-review:code-smells`	Fowler / refactoring.guru catalog: Bloaters, OO Abusers, Change Preventers, Dispensables, Couplers, plus Flag Arguments, Stringly Typed, Magic Numbers	Single-file diff >150 LOC, new class >5 methods, function moves across files, or explicit `smells` mode
`super-review:typescript`	TS 5.x: `any` vs `unknown`, `as` vs guards, `satisfies`, `using`, branded types, `assertNever`, `const` type params, `NoInfer`	`.ts`/`.tsx` in diff or `tsconfig.json` modified

super-review

Popularity

What's Inside

Confidence

README

super-review

Why this plugin exists

Architecture

Pack contents

Similar Plugins

fullstack-dev-skills

octo

nextjs-expert

ecc

ui-ux-pro-max

brainstorming-skill

More by mattnowdev

thinking-partner

super-review

Why this plugin exists

Architecture

Pack contents

Popularity

Health & Quality

More by mattnowdev

thinking-partner

Similar Plugins

fullstack-dev-skills

octo

nextjs-expert

ecc

ui-ux-pro-max

brainstorming-skill