review-by-opp
skill
Basarisiz
Health Uyari
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 6 GitHub stars
Code Basarisiz
- rm -rf — Recursive force deletion command in package.json
- fs module — File system access in scripts/stop-gate.sh
- execSync — Synchronous shell command execution in src/codex/detector.ts
- execSync — Synchronous shell command execution in src/codex/reviewer.ts
- exec() — Shell command execution in src/codex/reviewer.ts
Permissions Gecti
- Permissions — No dangerous permissions requested
Purpose
This tool is a Claude Code plugin that integrates Codex as an automated, independent code reviewer. It enforces a strict issue-tracking loop to ensure Claude cannot falsely claim it has fixed all code review findings.
Security Assessment
The overall risk is High. The tool explicitly executes shell commands to run external processes, utilizing both `exec()` and synchronous `execSync()` calls in its core files (`detector.ts` and `reviewer.ts`). It also contains a recursive force deletion command (`rm -rf`) inside its `package.json`, which is a potentially destructive operation. While the plugin does not request dangerous broad permissions or contain hardcoded secrets, the mechanism it uses to launch external tools and manage files relies heavily on direct, unprotected system access. A user should thoroughly verify exactly what shell commands are being constructed and executed before running it.
Quality Assessment
The project is brand new and currently has very low community visibility with only 6 GitHub stars. However, it is actively maintained, as indicated by recent repository pushes. The project includes a clear README with usage instructions, utilizes TypeScript, and is properly licensed under the standard MIT license.
Verdict
Use with caution: the underlying concept is useful and the code is recent, but the presence of direct shell execution and recursive deletion commands requires a manual code review before integrating into your workflow.
This tool is a Claude Code plugin that integrates Codex as an automated, independent code reviewer. It enforces a strict issue-tracking loop to ensure Claude cannot falsely claim it has fixed all code review findings.
Security Assessment
The overall risk is High. The tool explicitly executes shell commands to run external processes, utilizing both `exec()` and synchronous `execSync()` calls in its core files (`detector.ts` and `reviewer.ts`). It also contains a recursive force deletion command (`rm -rf`) inside its `package.json`, which is a potentially destructive operation. While the plugin does not request dangerous broad permissions or contain hardcoded secrets, the mechanism it uses to launch external tools and manage files relies heavily on direct, unprotected system access. A user should thoroughly verify exactly what shell commands are being constructed and executed before running it.
Quality Assessment
The project is brand new and currently has very low community visibility with only 6 GitHub stars. However, it is actively maintained, as indicated by recent repository pushes. The project includes a clear README with usage instructions, utilizes TypeScript, and is properly licensed under the standard MIT license.
Verdict
Use with caution: the underlying concept is useful and the code is recent, but the presence of direct shell execution and recursive deletion commands requires a manual code review before integrating into your workflow.
A Claude Code plugin that uses your signed-in Codex account as an independent reviewer, so Claude cannot claim 'all fixed' until every review finding is actually closed.
README.md
review-by-opp
A Claude Code plugin that uses your signed-in Codex account as an independent reviewer and keeps a strict issue ledger, so Claude cannot claim "all fixed" until every review finding is actually closed.
Why this exists
I use Claude Code for heavy coding and Codex CLI to review the output. In my experience, Claude Code is better at building and Codex is better at catching issues. Using both together has worked really well for me.
But the workflow was painful. Copy-paste findings from Codex into Claude. Watch Claude fix some of them and claim "all done" when half are still open. Manually track what was actually resolved. Repeat. I got fed up.
So I built review-by-opp. It automates the Claude + Codex review loop and enforces item-by-item closure tracking with a stop gate that blocks completion while findings remain unresolved. Codex audits. The plugin prevents fake completion.
How it works
flowchart TD
A["Claude builds changes"] --> B["Run review"]
B --> C["Codex exec --sandbox read-only"]
C --> D["Findings saved to reviews/current.json"]
D --> E{"Blocking findings open?"}
E -- Yes --> F["Fix findings"]
F --> B
E -- No --> G["Finalize"]
G --> H["Stop gate checks session state"]
H --> I["Final verdict"]
Key principle: Claude builds. Codex audits. The plugin prevents fake completion.
Quick start
Prerequisites
- Claude Code installed and signed in
- Codex CLI installed and signed in
- A git repository
- macOS, Linux, or WSL
Install
# Sign into Codex first (one-time, uses your ChatGPT account, no API key needed)
npx @openai/codex login
# Option 1: Add plugin in Claude Code chat
/plugins # then "Add from local path" or "Add marketplace"
# Option 2: Clone and load
git clone https://github.com/akshan-main/review-by-opp.git
claude --plugin-dir ./review-by-opp
# Option 3: Development / test
cd review-by-opp
npm install && npm run build
claude --plugin-dir .
Usage
All commands are typed in Claude Code's chat (VS Code panel or CLI). No API keys required for either agent.
/review-by-opp:start Start a guarded implementation + review session
/review-by-opp:review Run Codex review against current diff
/review-by-opp:fix Address findings one by one
/review-by-opp:status Show round count, findings, and exit gate status
/review-by-opp:resume Resume an existing session
/review-by-opp:finalize Close the session (blocked if findings remain)
/review-by-opp:help Learn about the plugin and available commands
Demo walkthrough
In Claude Code chat (VS Code or CLI):
> /review-by-opp:start
# Write your code as usual with Claude
> Implement the user authentication module
# When ready, run the Codex review
> /review-by-opp:review
# Claude receives structured findings - fix them
> /review-by-opp:fix
# Check progress
> /review-by-opp:status
# Repeat review/fix until clean
> /review-by-opp:review
> /review-by-opp:fix
# Finalize when all findings are resolved
> /review-by-opp:finalize
Configuration
Create .review-by-opp.json in your project root:
{
"reviewLedger": {
"maxRounds": 4,
"reviewScope": "full-repo",
"blockingSeverities": ["critical", "high", "medium"],
"rerunChecks": true,
"allowedUnresolvedCategories": [],
"stalledThreshold": 2,
"debug": false
},
"codex": {
"role": "auditor_only",
"modelStrategy": "best_available",
"model": "",
"reasoningEffort": "",
"deepAuditReasoningEffort": "xhigh",
"auditMode": "standard",
"commandOverride": ""
},
"claude": {
"role": "builder",
"modelControl": "user_managed",
"effortControl": "user_managed"
}
}
Key config fields
| Field | Default | Description |
|---|---|---|
maxRounds |
4 |
Maximum review rounds before forced stop |
reviewScope |
"full-repo" |
What to review: full-repo, diff, changed-files, changed-files-plus-tests |
blockingSeverities |
["critical","high","medium"] |
Severities that block finalization |
codex.modelStrategy |
"best_available" |
best_available, fixed, inherit_if_possible |
codex.reasoningEffort |
"" (inherit) |
Optional Codex reasoning effort override for standard audits |
codex.deepAuditReasoningEffort |
"xhigh" |
Reasoning effort for deep audit mode |
claude.modelControl |
"user_managed" |
Claude model is always user-controlled |
Model and reasoning control
- Claude model and effort are always user-controlled through Claude Code's own UI and config. This plugin does not override your Claude settings.
- Codex defaults to inherited user config (model/profile/reasoning) and is fully configurable. Deep audits can opt into
xhigh. - The plugin does not hardcode both agents aggressively - it enforces review completeness, not agent settings.
How it differs from a generic review loop
| Feature | Generic loop | review-by-opp |
|---|---|---|
| Finding tracking | None or ad-hoc | Structured ledger with IDs and states |
| Resolution states | Pass/fail | 7 explicit states per finding |
| Exit gate | None | Deterministic stop gate |
| False completion | Possible | Blocked by the plugin |
| Duplicate detection | No | Automatic deduplication |
| Convergence detection | No | Stall and stability detection |
| Audit trail | No | Full round-by-round history |
Resolution states
Every finding ends in exactly one state:
| State | Meaning |
|---|---|
open |
Not yet addressed |
fixed |
Fixed with code changes (requires resolution note) |
not_reproducible |
Cannot reproduce the issue |
wont_fix |
Intentional or acceptable |
needs_context |
More information needed |
duplicate |
Duplicates another finding |
superseded |
Replaced by a newer finding |
Final verdicts
| Verdict | Meaning |
|---|---|
clean |
All findings resolved |
clean_with_accepted_exceptions |
Only non-blocking findings remain |
unresolved |
Blocking findings remain (stalled or stable) |
max_rounds_reached |
Hit the round limit |
Local data model
All state is stored locally in reviews/:
reviews/
current.json # Active session state
rounds/
round-1.json # Round snapshots
round-2.json
summaries/
summary-1.json # Round summaries
summary-2.json
artifacts/
round-1-*.txt # Raw command/check artifacts
All files are JSON, easy to inspect and diff.
Troubleshooting
| Problem | Solution |
|---|---|
| Codex not installed | npm install -g @openai/codex |
| Codex not signed in | npx @openai/codex login (uses ChatGPT account, no API key needed) |
| Plugin not loaded | claude --plugin-dir /path/to/review-by-opp |
| No git repo | git init in your project |
| No diff to review | Make code changes first |
| No tests configured | Add a test script to package.json |
Security and privacy
- Local-first. All data stays in your repo's
reviews/directory. - No cloud backend. No data is transmitted anywhere except through Claude and Codex, which the user explicitly invokes.
- No API keys required. Users bring their own signed-in Claude and Codex accounts.
- No UI scraping. The plugin uses Codex CLI's documented non-interactive
execcommand. - Trust model: You trust Claude (Anthropic) and Codex (OpenAI) as much as you already do by having them installed and signed in. This plugin adds no new trust requirements.
Contributing
See CONTRIBUTING.md.
Yorumlar (0)
Yorum birakmak icin giris yap.
Yorum birakSonuc bulunamadi