# Code Review Bot - Complete Example

Build an AI agent that automatically reviews code changes in your GitHub repositories, provides feedback on code quality, suggests improvements, and commits changes when appropriate.

## What You'll Build

An automated code reviewer that:

- Monitors GitHub pull requests
- Analyzes code changes for quality and best practices
- Provides inline comments and suggestions
- Can commit fixes for common issues
- Generates review summaries

**Time to complete:** 30-45 minutes
## Prerequisites

Before you begin, you need:

- A TeamDay account with an organization
- A GitHub account with repository access
- An Anthropic API key
- Basic understanding of Git and GitHub

## Architecture Overview

```mermaid
graph LR
    A[GitHub PR] --> B[Code Review Agent]
    B --> C[MCP GitHub Plugin]
    C --> D[GitHub API]
    B --> E[File Analysis]
    E --> F[Review Comments]
    F --> G[GitHub PR Comments]
    B --> H[Auto-fix Agent]
    H --> I[Commits]
```
## Step 1: Setup Your Organization

### 1.1 Create Organization

First, ensure you have an organization set up in TeamDay:

```bash
# Using the CLI
teamday auth login
teamday orgs create "My Dev Team"
```

Or via the UI:

- Navigate to Settings → Organizations
- Click "New Organization"
- Name it and save

### 1.2 Add Anthropic API Key

Navigate to your organization settings and add your API key:

**Via UI:**

- Settings → API Keys
- Click "Add API Key"
- Select "Anthropic"
- Paste your key: `sk-ant-api03-...`
- Save

**Via CLI:**

```bash
teamday secrets set ANTHROPIC_API_KEY "sk-ant-api03-..."
```

The key is encrypted with AES-256-GCM before storage.

### 1.3 Connect GitHub

You'll need GitHub OAuth to access private repositories:

**Via UI:**

- Settings → Integrations
- Click "Connect GitHub"
- Authorize TeamDay application
- Grant repository access

**Required Scopes:**

- `repo` (full repository access)
- `read:user` (user information)
- `read:org` (organization information)
## Step 2: Create Your Space

### 2.1 Create Development Space

Create a space for your code review work:

```bash
# Create space
teamday spaces create "Code Review Workspace"

# Get space ID (you'll need this)
teamday spaces list
# Output: cs_abc123def456...
```

Or via API:

```bash
curl -X POST https://api.teamday.app/api/v1/spaces \
  -H "Authorization: Bearer $TEAMDAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Code Review Workspace",
    "organizationId": "org_xxx"
  }'
```

### 2.2 Clone Your Repository

In the space, clone the repository you want to review:

**Via UI:**

- Open your space
- Click the "+" button in Files panel
- Paste repo URL: `https://github.com/yourorg/yourrepo.git`
- Click "Clone Repository"
- Wait for clone to complete

**Via Agent Chat:**

```text
You: Clone the repository https://github.com/yourorg/yourrepo.git
Agent: I'll clone that repository for you...
```

The agent will use your GitHub OAuth token automatically.

### 2.3 Verify Repository Access

Check that the repository was cloned successfully:

```bash
# In space chat
ls -la
# Should show your repository directory

cd yourrepo
git status
# Should show clean working tree
```
## Step 3: Create the Code Review Agent

### 3.1 Create Primary Agent

Create the main code review agent:

**Via UI:**

- Agents → New Agent
- Name: "Code Reviewer"
- Model: `claude-3-5-sonnet-20241022`
- Visibility: `organization`

**Via API:**

```bash
curl -X POST https://api.teamday.app/api/v1/agents \
  -H "Authorization: Bearer $TEAMDAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Code Reviewer",
    "systemPrompt": "You are an expert code reviewer...",
    "model": "claude-3-5-sonnet-20241022",
    "visibility": "organization",
    "organizationId": "org_xxx"
  }'
```

Save the agent ID: `ag_abc123...`
### 3.2 Configure System Prompt

Set up the agent's instructions for code review:

```markdown
# Code Review Agent System Prompt

You are an expert code reviewer with deep knowledge of:
- Software architecture and design patterns
- Code quality and maintainability
- Security best practices
- Performance optimization
- Testing strategies

## Your Responsibilities

1. **Analyze Code Changes**
   - Review pull request diffs
   - Identify potential bugs and issues
   - Check for security vulnerabilities
   - Assess code readability and maintainability

2. **Provide Constructive Feedback**
   - Be specific and actionable
   - Explain the "why" behind suggestions
   - Prioritize issues (critical, important, minor)
   - Suggest concrete improvements

3. **Auto-Fix When Appropriate**
   - Fix formatting issues automatically
   - Correct simple bugs (typos, missing semicolons)
   - Update outdated patterns
   - Commit fixes with clear messages

4. **Generate Review Summary**
   - Overall assessment (approve/request changes)
   - Key issues found
   - Suggestions for improvement
   - Security or performance concerns

## Review Checklist

For each PR, check:
- ✅ Code follows project style guide
- ✅ No obvious bugs or logic errors
- ✅ Error handling is appropriate
- ✅ No security vulnerabilities
- ✅ Performance is acceptable
- ✅ Tests are included/updated
- ✅ Documentation is updated
- ✅ No commented-out code
- ✅ No hardcoded secrets or credentials

## Response Format

Structure your reviews as:
1. **Summary**: Overall assessment (1-2 sentences)
2. **Critical Issues**: Must fix before merge
3. **Important Issues**: Should fix
4. **Minor Issues**: Nice to have
5. **Positive Notes**: What's done well
6. **Recommendation**: Approve, Request Changes, or Comment

Be thorough but efficient. Focus on meaningful feedback.
```
### 3.3 Set Agent Permissions

Configure what the agent can do:

**Via UI:**

- Edit agent → Permissions
- Enable:
  - ✅ Read files
  - ✅ Write files
  - ✅ Execute code
  - ✅ Commit to git
  - ❌ Access secrets (not needed)

**Via API:**

```bash
curl -X PATCH https://api.teamday.app/api/v1/agents/ag_abc123 \
  -H "Authorization: Bearer $TEAMDAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "permissions": {
      "readFiles": true,
      "writeFiles": true,
      "executeCode": true,
      "commitToGit": true,
      "accessSecrets": false
    }
  }'
```
## Step 4: Install MCP Plugins

### 4.1 Install GitHub MCP Plugin

The GitHub MCP plugin enables your agent to interact with GitHub:

**Configuration:**

```json
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {
        "GITHUB_TOKEN": "${GITHUB_OAUTH_TOKEN}"
      }
    }
  }
}
```

**Install via UI:**

- Space Settings → MCP Plugins
- Click "Install Plugin"
- Select "GitHub" from marketplace
- Configuration auto-populated
- Click "Install"

**Install via API:**

```bash
curl -X POST https://api.teamday.app/api/plugins/install \
  -H "Authorization: Bearer $TEAMDAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "spaceId": "cs_abc123",
    "plugin": "github",
    "config": {
      "mcpServers": {
        "github": {
          "command": "npx",
          "args": ["-y", "@modelcontextprotocol/server-github"],
          "env": {
            "GITHUB_TOKEN": "${GITHUB_OAUTH_TOKEN}"
          }
        }
      }
    }
  }'
```

### 4.2 Verify Plugin Installation

Test that the plugin works:

```text
# In space chat
You: List my GitHub repositories
Agent: I'll use the GitHub MCP to fetch your repositories...
[Lists repositories]

You: Get pull requests for yourorg/yourrepo
Agent: Here are the open pull requests:
1. PR #42: Add user authentication (by @alice)
2. PR #43: Fix bug in payment processing (by @bob)
...
```

### 4.3 Install Sequential Thinking Plugin (Optional)

For complex analysis, add the sequential thinking plugin:

```json
{
  "mcpServers": {
    "sequential-thinking": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"]
    }
  }
}
```

This helps the agent break down complex code analysis into structured steps.
## Step 5: Create Auto-Fix Sub-Agent (Optional)

For automatic fixes, create a specialized sub-agent:

### 5.1 Create Sub-Agent

```bash
curl -X POST https://api.teamday.app/api/v1/agents \
  -H "Authorization: Bearer $TEAMDAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Auto-Fix Bot",
    "systemPrompt": "You fix simple code issues automatically...",
    "model": "claude-3-5-sonnet-20241022",
    "visibility": "organization",
    "organizationId": "org_xxx",
    "type": "subagent"
  }'
```

### 5.2 Auto-Fix System Prompt

```markdown
# Auto-Fix Bot System Prompt

You automatically fix simple code issues:
- Formatting and style violations
- Missing semicolons
- Unused imports
- Simple typos in variable names
- Outdated API usage patterns

## Rules
- Only fix obvious, safe changes
- Never change business logic
- Always commit with descriptive messages
- Run tests if available before committing
- If unsure, report back instead of fixing

## Commit Message Format
fix:

- Fixed
- Applied <formatter/linter> recommendations

Auto-generated by Code Review Bot
```

### 5.3 Link to Primary Agent

Update the primary agent to delegate to the sub-agent:

```bash
curl -X PATCH https://api.teamday.app/api/v1/agents/ag_abc123 \
  -H "Authorization: Bearer $TEAMDAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "subAgents": ["ag_autofix456"]
  }'
```
## Step 6: Usage Examples

### 6.1 Review a Pull Request

**Basic Review:**

```text
You: Review pull request #42

Agent: I'll analyze PR #42: "Add user authentication"

[Agent reads the diff using GitHub MCP]

## Code Review Summary

**Overall Assessment:** Request Changes

**Critical Issues:**

1. Line 45: Password stored in plaintext
   - Risk: Security vulnerability
   - Fix: Use bcrypt or similar hashing

     // Instead of:
     user.password = password;
     // Use:
     user.password = await bcrypt.hash(password, 10);

2. Line 78: SQL injection vulnerability
   - Risk: Database compromise
   - Fix: Use parameterized queries

     // Instead of: db.query(`SELECT * FROM users WHERE id = ${userId}`);
     // Use: db.query('SELECT * FROM users WHERE id = ?', userId);

**Important Issues:**

1. Line 23: Missing error handling for async operation
2. Line 56: JWT secret should be in environment variable

**Minor Issues:**

1. Line 12: Inconsistent indentation
2. Line 34: Unused import statement

**Positive Notes:**

- Good test coverage
- Clear function names
- Well-structured code

**Recommendation:** Request Changes

Critical security issues must be addressed before merging.
```

### 6.2 Auto-Fix Simple Issues

```text
You: Review PR #43 and auto-fix any simple issues

Agent: Analyzing PR #43...

Found 5 fixable issues:
1. Formatting inconsistencies
2. Unused imports
3. Missing semicolons
4. Outdated API usage

Delegating to Auto-Fix Bot...

Auto-Fix Bot: Fixed 5 issues and committed:
- Removed 3 unused imports
- Added missing semicolons (7 locations)
- Reformatted code with prettier
- Updated deprecated API calls

Commit: abc123def "fix: code style and API updates"

Agent: Auto-fixes applied. Remaining review:

**Important Issues:**
1. Line 67: Error not properly handled
   [details...]

Would you like me to post this review to GitHub?
```

### 6.3 Post Review to GitHub

```text
You: Yes, post the review to GitHub

Agent: Posting review to PR #43...

✅ Review posted successfully
✅ Added 3 inline comments
✅ Set status to "Request Changes"

View on GitHub: https://github.com/yourorg/yourrepo/pull/43
```

### 6.4 Review Multiple Files

```text
You: Review all TypeScript files changed in the last commit

Agent: Analyzing changed files from commit abc123...

Files reviewed:
1. src/auth/login.ts - ✅ Looks good
2. src/auth/register.ts - ⚠️ 2 issues
3. src/utils/validation.ts - ❌ 1 critical issue

**src/auth/register.ts**
- Line 34: Missing input validation
- Line 56: Potential race condition

**src/utils/validation.ts**
- Line 12: ReDoS vulnerability in regex
  Pattern: /^(a+)+$/
  Fix: Use simpler pattern or timeout

Detailed analysis attached.
```
## Step 7: Automation with Scheduled Reviews

### 7.1 Create Daily Review Mission

Set up automatic daily reviews:

```bash
curl -X POST https://api.teamday.app/api/missions \
  -H "Authorization: Bearer $TEAMDAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Daily PR Review",
    "schedule": "0 9 * * *",
    "agentId": "ag_abc123",
    "action": {
      "type": "execute",
      "prompt": "Review all open pull requests and post feedback to GitHub"
    },
    "organizationId": "org_xxx",
    "spaceId": "cs_abc123"
  }'
```

Schedule format (cron):

- `0 9 * * *` = Every day at 9 AM UTC
- `0 */4 * * *` = Every 4 hours
- `0 9 * * 1-5` = Weekdays at 9 AM

### 7.2 Review on New PR (Webhook)

Set up automatic review when PRs are created:

**GitHub Webhook Configuration:**

- GitHub Repo → Settings → Webhooks
- Add webhook URL: `https://api.teamday.app/webhooks/github`
- Select events: Pull Requests
- Add secret (from TeamDay settings)

**TeamDay Mission:**

```json
{
  "name": "Auto Review New PRs",
  "trigger": "webhook",
  "webhookSource": "github",
  "eventType": "pull_request.opened",
  "agentId": "ag_abc123",
  "action": {
    "type": "execute",
    "prompt": "Review the pull request that triggered this webhook"
  }
}
```
## Expected Outputs

### Sample Review Comment

````markdown
## Code Review by TeamDay Bot

**PR #42: Add user authentication**

### Summary
This PR adds basic user authentication with login and registration.
Overall good structure, but has critical security issues that must be addressed.

### Critical Issues 🔴

**1. Password Security Vulnerability (src/auth/register.ts:45)**

```javascript
// Current code:
user.password = password;

// Recommended:
const bcrypt = require('bcrypt');
user.password = await bcrypt.hash(password, 10);
```

Passwords must never be stored in plaintext.

**2. SQL Injection Risk (src/auth/login.ts:78)**

```javascript
// Current code:
const user = await db.query(`SELECT * FROM users WHERE email = '${email}'`);

// Recommended:
const user = await db.query('SELECT * FROM users WHERE email = ?', [email]);
```

### Important Issues 🟡

**1. Missing Error Handling (src/auth/register.ts:23)**
The async email validation should have try-catch.

**2. JWT Secret in Code (src/auth/token.ts:12)**
Move JWT_SECRET to environment variables.

### Minor Issues 🟢

- Inconsistent formatting in register.ts
- Unused imports in login.ts

### Positive Notes ✨

- Excellent test coverage (95%)
- Clear function naming
- Good separation of concerns

**Recommendation:** Request Changes

Please address the critical security issues before merging.

Generated by TeamDay Code Review Bot
````

### Sample Commit Message (Auto-Fix)

```text
fix: code style and linting issues in auth module

- Removed unused imports from login.ts and register.ts
- Fixed indentation inconsistencies
- Added missing semicolons (7 locations)
- Updated deprecated bcrypt.hashSync to async version
- Reformatted with prettier

Auto-generated by Code Review Bot 🤖
Generated with TeamDay (https://teamday.app)
```
## Troubleshooting

### GitHub Authentication Failed

**Error:**

```text
Error: GitHub authentication failed (401 Unauthorized)
```

**Solution:**

1. Verify GitHub is connected: Settings → Integrations
2. Check token scopes include `repo`
3. Disconnect and reconnect GitHub
4. Ensure repository access is granted

### Agent Can't Access Repository

**Error:**

```text
Error: Repository not found or access denied
```

**Solution:**

1. Verify repo is cloned in space: `ls -la`
2. Check GitHub token has access to repo
3. For private repos, ensure OAuth is connected
4. Clone again with correct permissions

### MCP Plugin Not Working

**Error:**

```text
Error: GitHub MCP server not responding
```

**Solution:**

1. Check plugin is installed: Space Settings → MCP Plugins
2. Verify environment variables are set
3. Check plugin logs in space
4. Restart space dev environment
5. Reinstall plugin if needed

### Review Not Posted to GitHub

**Error:**

```text
Error: Failed to post review to GitHub
```

**Solution:**

1. Check agent has GitHub MCP access
2. Verify PR exists and is open
3. Check rate limits (GitHub API)
4. Ensure proper review permissions

### Auto-Fix Commits Failing

**Error:**

```text
Error: Git commit failed (permission denied)
```

**Solution:**

1. Verify agent has `commitToGit` permission
2. Check git is configured in space
3. Ensure GitHub OAuth has write access
4. Check git user.name and user.email are set
## Advanced Configuration

### Custom Review Rules

Create a `.reviewrc` file in your repository:

```json
{
  "rules": {
    "maxFileSize": 500,
    "maxFunctionLength": 50,
    "requireTests": true,
    "blockPatterns": [
      "console.log",
      "debugger",
      "TODO",
      "FIXME"
    ],
    "securityPatterns": [
      "eval(",
      "exec(",
      "password\\s*=",
      "api_key\\s*="
    ]
  },
  "autoFix": {
    "enabled": true,
    "rules": ["formatting", "imports", "semicolons"],
    "runTests": true
  }
}
```
### Language-Specific Configuration

**TypeScript/JavaScript:**

```json
{
  "languages": {
    "typescript": {
      "linter": "eslint",
      "formatter": "prettier",
      "checkTypes": true
    }
  }
}
```

### Integration with CI/CD

GitHub Actions integration:

```yaml
name: AI Code Review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run TeamDay Review
        env:
          TEAMDAY_TOKEN: ${{ secrets.TEAMDAY_TOKEN }}
        run: |
          curl -X POST https://api.teamday.app/api/v1/agents/ag_abc123/execute \
            -H "Authorization: Bearer $TEAMDAY_TOKEN" \
            -H "Content-Type: application/json" \
            -d '{"prompt": "Review PR #${{ github.event.pull_request.number }}"}'
```
## Next Steps

Now that you have a working code review bot, explore:

- Analytics Reporter Example - Track code quality metrics
- BigQuery Insights Example - Analyze historical code data
- Custom MCP Servers - Build custom code analysis tools
- Automation Guide - Set up more complex missions

## Cost Estimation

Typical costs for code review agent:

**Per PR Review (average):**

- Input tokens: ~10,000 (reading code + context)
- Output tokens: ~2,000 (review comments)
- Cost: ~$0.15 per review

**Daily automated reviews (10 PRs):**

- Monthly cost: ~$45

**Tips to reduce costs:**

- Use `claude-3-5-haiku` for simple reviews
- Review only changed files, not entire codebase
- Cache common patterns and rules
- Set token limits for reviews