AI-powered multi-agent code review system for Claude Code
Get intelligent, evidence-based code reviews from 5 specialized AI agents working in parallel. Catch security issues, enforce DRY principles, protect your APIs, and maintain architectural consistency, all before you commit.
Claude Code Council is a multi-agent code review system that analyzes your code changes through multiple expert lenses:
- Security Guardian - Detects vulnerabilities (SQL injection, XSS, exposed secrets)
- Reuse Hunter - Finds code duplication and suggests refactoring
- API Sentinel - Catches breaking changes in public APIs
- Evolution Guardian - Enforces architectural patterns and budgets
- Synthesizer - Combines all findings into actionable decisions
Think of it as having 5 expert developers review your code simultaneously, each focusing on their specialty.
Watch agents work in real-time:
Launching 4 agents in parallel...
Progress:
[ ⏳ ] security-guardian - Scanning for vulnerabilities...
[ ✅ ] reuse-hunter - Complete! Found 3 duplications
[ ⏳ ] api-sentinel - Checking public APIs...
[ ⏳ ] evolution-guardian - Validating architecture...
Parallel execution means multiple agents analyze code simultaneously instead of sequentially.
Create custom agents for your specific needs:
- React/Vue component reviewers
- Database query optimizers
- Accessibility checkers
- Performance analyzers
- Clone this repository
git clone https://github.com/646826/claude-code-council.git
cd claude-code-council
- Set up as a local marketplace
# Create the marketplace directory, including the .claude-plugin folder that holds marketplace.json
mkdir -p ~/.claude-marketplaces/local/.claude-plugin
cp -r . ~/.claude-marketplaces/local/claude-code-council
# Create marketplace.json
cat > ~/.claude-marketplaces/local/.claude-plugin/marketplace.json << 'EOF'
{
  "name": "local-marketplace",
  "owner": {
    "name": "Local User"
  },
  "metadata": {
    "description": "Local Claude Code Council marketplace",
    "version": "1.0.0"
  },
  "plugins": [
    {
      "name": "claude-code-council",
      "source": "./claude-code-council",
      "description": "AI Code Review Council - Multi-agent code review system",
      "version": "1.0.0"
    }
  ]
}
EOF
- Install in Claude Code
cd /your/project
claude
In the Claude Code chat:
/plugin marketplace add ~/.claude-marketplaces/local
/plugin install claude-code-council@local-marketplace
Choose "Install now", then restart Claude Code.
- Verify installation
/ai-council:council-config
You should see the plugin configuration!
All commands use the ai-council: namespace. Tip: Type /council and press Tab for autocomplete!
/ai-council:council
The system automatically classifies your changes and runs the appropriate review tier.
/ai-council:council-trivial src/utils/validation.ts
Best for:
- Bug fixes
- Small utility functions
- Minor changes (≤3 files)
Agents: Security Guardian + Reuse Hunter
/ai-council:council-feature src/services/
Best for:
- New features
- Service layer changes
- Multiple file changes (4-15 files)
Agents: Security Guardian + Reuse Hunter + API Sentinel + Evolution Guardian
/ai-council:council-architectural
Best for:
- Major refactoring
- Architecture changes
- Breaking changes (>15 files)
Agents: All 5 agents + ADR (Architecture Decision Record) generation
Scenario: You just added email validation to your user registration
# Review your changes
/ai-council:council-feature src/auth/
# Output (example):
AI Council - FEATURE Review
Progress:
[ ✅ ] security-guardian - Complete (95%)
[ ✅ ] reuse-hunter - Complete (85%)
[ ✅ ] api-sentinel - Complete (92%)
[ ✅ ] evolution-guardian - Complete (88%)
Decision: ⚠️ CONDITIONAL APPROVAL
Score: 3.1 / 4.29 (72%)
Security Findings:
- ⚠️ Email validation uses simple regex - vulnerable to bypass
- ✅ Password hashing is secure (bcrypt with salt)
Code Duplication:
- ⚠️ Email validation logic duplicated in 2 files:
  - src/auth/register.ts:45
  - src/auth/profile.ts:78
  Suggestion: Extract to src/utils/validators.ts
API Impact:
- ✅ No breaking changes to public API
- New endpoint: POST /auth/validate-email (backward compatible)
Requirements before merging:
1. Use industry-standard email regex or library like validator.js
2. Extract duplicate email validation to shared utility
3. Add tests for edge cases (unicode emails, etc.)
Ready to fix? Address the 2 issues above, then commit!
What you learned:
- Your email validation has security issues
- Code is duplicated
- API changes are safe
- Clear action items to fix before merging
Scenario: You have a 1,200-line dashboard.tsx that's become unmaintainable
/ai-council:council-refactor-plan src/dashboard.tsx
# Output (example):
AI Council - Refactoring Plan Generator
Target: src/dashboard.tsx (1,247 lines)
Launching 5 specialized agents...
Progress:
[ ✅ ] Architecture Analyst - Complete! (12 components identified)
[ ✅ ] Dependency Mapper - Complete! (45 dependencies)
[ ✅ ] Risk Assessor - Complete! (8 risks, 3 critical)
[ ✅ ] UX Continuity Guardian - Complete! (5 workflows protected)
[ ✅ ] Complexity Analyzer - Complete! (MI: 42 → 79)
✅ Analysis Complete! (12 minutes)
Key Findings:
Components: 12 identified
├── Phase 1 (Low Risk): UserProfile, ThemeToggle, Breadcrumbs
├── Phase 2 (Med Risk): DataTable, FilterPanel, SearchBar
└── Phase 3 (High Risk): ChartWidget, ThemeModal, Layout
Effort: 134 hours (3.3 weeks)
ROI: 178% in year 1
Risks: 8 identified, 3 critical (all mitigated)
Recommendation: PROCEED WITH CAUTION
✅ Proceed if:
1. Write 30 missing tests first (coverage: 23% → 85%)
2. Set up visual regression baseline
3. Allocate 4 weeks (with buffer for unknowns)
Next Steps:
1. Review full plan: ~/.claude/ai-council/refactoring-plans/dashboard-refactoring-plan-20251009.md
2. Share with team for approval
3. Start Week 0: Preparation (write tests, baselines)
4. Begin Phase 1: Low-risk extractions
Full 47-page plan saved with:
- Component extraction order
- Test requirements for each phase
- Risk mitigation strategies
- Rollback procedures
- Week-by-week roadmap
What you learned:
- Clear breakdown of 12 components to extract
- 3-phase plan from low to high risk
- Need 30 tests before starting
- Realistic timeline: 3.3 weeks
- ROI calculation: 178% in first year
Scenario: You're refactoring an internal function, but it's actually part of your public API
/ai-council:council-feature src/api/users.ts
# Output (example):
AI Council - FEATURE Review
Progress:
[ ✅ ] security-guardian - Complete (100%)
[ ✅ ] reuse-hunter - Complete (95%)
[ ✅ ] api-sentinel - Complete (70%)
[ ✅ ] evolution-guardian - Complete (92%)
Decision: 🚫 REJECT
Score: 2.1 / 4.29 (49%)
CRITICAL API ISSUE:
❌ BREAKING CHANGE DETECTED in src/api/users.ts:
Line 45:
- export function getUser(id: string): Promise<User>
+ export function getUser(id: number): Promise<User>
Impact:
- Function: getUser (PUBLIC API)
- Change: Parameter type changed from string → number
- Severity: BREAKING CHANGE
- Consumers affected: 12 files across 3 packages
This change will break:
1. Frontend app (src/components/UserProfile.tsx)
2. Admin dashboard (admin/src/users/UserList.tsx)
3. Mobile API client (mobile-sdk/src/api.ts)
... and 9 more files
Recommended solutions:
1. Deprecate old signature, add new one:
   getUser(id: string | number): Promise<User>
2. Create new function, mark old as deprecated:
   getUserById(id: number): Promise<User>
   @deprecated Use getUserById instead
   getUser(id: string): Promise<User>
3. Use semver MAJOR bump (v2.0.0) and document migration
Decision: REJECT until breaking change is resolved
This change CANNOT be merged without a deprecation strategy.
What you learned:
- You were about to break 12 files across 3 packages
- API Sentinel caught this before merge
- Clear migration strategies provided
- Prevented a production incident!
Scenario: Final security check before deploying payment processing
/ai-council:council-trivial src/payments/stripe.ts
# Output (example):
AI Council - TRIVIAL Review
Progress:
[ ✅ ] security-guardian - Complete (100%)
[ ✅ ] reuse-hunter - Complete (92%)
Decision: 🚫 VETO (Security Guardian used VETO power)
CRITICAL SECURITY VULNERABILITIES:
❌ SEVERITY: CRITICAL - Exposed Secret
Line 12:
  const stripeKey = "sk_live_abc123def456...";
Issue: Stripe secret key hardcoded in source code
Risk: Key will be committed to Git, exposed in repo
Impact: CRITICAL - Full account access, financial fraud
Required fix:
1. Move to environment variable:
   const stripeKey = process.env.STRIPE_SECRET_KEY;
2. Add to .env (NOT committed):
   STRIPE_SECRET_KEY=sk_live_abc123def456...
3. Add .env to .gitignore
4. Rotate the exposed key immediately:
   https://dashboard.stripe.com/apikeys
---
❌ SEVERITY: HIGH - SQL Injection Risk
Line 45:
  const query = `SELECT * FROM orders WHERE user_id = ${userId}`;
Issue: Direct string interpolation in SQL query
Risk: SQL injection attack
Impact: HIGH - Database breach, data exposure
Required fix:
Use parameterized queries:
  const query = 'SELECT * FROM orders WHERE user_id = ?';
  db.query(query, [userId]);
---
This code MUST NOT be deployed until these issues are fixed.
Security Guardian has VETOED this change.
What you learned:
- Caught hardcoded Stripe key before it hit Git
- Found SQL injection vulnerability
- Security Guardian used VETO power (cannot override)
- Prevented a major security incident
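The two findings in this scenario can also be caught by a deterministic line-based check that runs alongside an agent review. The following is an added example, not the plugin's own code: the rule ids, the patterns and the decision mapping are assumptions modelled on the review output above, and the sample lines are constructed.

```javascript
// Added example, not the plugin's code. Rule ids, patterns and the decision
// mapping are assumptions modelled on the two findings in the review above.
const RULES = [
  {
    id: 'hardcoded-stripe-secret',
    severity: 'CRITICAL',
    // A quoted literal that looks like a Stripe secret key (live or test).
    pattern: /["'`]sk_(?:live|test)_[0-9A-Za-z]{6,}/,
  },
  {
    id: 'sql-template-interpolation',
    severity: 'HIGH',
    // A template literal that opens with a SQL verb and contains ${...}.
    pattern: /`\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^}]+\}/i,
  },
];

// Return one finding per (line, rule) match, with 1-based line numbers.
function scanSource(path, source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ path, line: index + 1, rule: rule.id, severity: rule.severity });
      }
    }
  });
  return findings;
}

// Assumed policy: any CRITICAL finding is a veto, anything else needs fixes.
function decide(findings) {
  if (findings.some((f) => f.severity === 'CRITICAL')) return 'VETO';
  return findings.length > 0 ? 'CONDITIONAL' : 'APPROVE';
}

// Constructed sample input: the flagged lines and their suggested fixes.
const SAMPLE_BAD = [
  'const stripeKey = "sk_live_abc123def456EXAMPLE";',
  'const query = `SELECT * FROM orders WHERE user_id = ${userId}`;',
].join('\n');
const SAMPLE_FIXED = [
  'const stripeKey = process.env.STRIPE_SECRET_KEY;',
  "const query = 'SELECT * FROM orders WHERE user_id = ?';",
  'db.query(query, [userId]);',
].join('\n');

console.log(scanSource('src/payments/stripe.ts', SAMPLE_BAD), decide(scanSource('src/payments/stripe.ts', SAMPLE_FIXED)));
```

A pattern check like this only sees literal keys and the simplest interpolation, so a clean result does not replace rotating an exposed key or using parameterized queries.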
Focus: Vulnerability detection
Catches:
- SQL injection, XSS, CSRF attacks
- Exposed secrets (API keys, passwords)
- Insecure crypto, weak hashing
- Authentication/authorization flaws
Special power: VETO - Can block critical security issues
Example finding:
❌ SQL Injection in src/users.ts:34
db.query(`SELECT * FROM users WHERE id = ${id}`)
Fix: Use parameterized queries
Focus: DRY (Don't Repeat Yourself) principle
Catches:
- Code duplication (≥5 lines)
- Similar logic in multiple files
- Reinventing existing utilities
Suggests:
- Extract to shared functions
- Use existing libraries
- Create abstractions
Example finding:
Duplication detected (12 lines):
- src/auth/login.ts:45-57
- src/auth/signup.ts:78-90
Extract to: src/utils/validators.ts
Focus: Public API compatibility
Catches:
- Breaking changes (removed/renamed exports)
- Parameter type changes
- Return type changes
- Signature modifications
Tracks:
- API surface budget
- Semver compliance
- Deprecation policies
Example finding:
Breaking change in src/api.ts:
- export function getUser(id: string)
+ export function getUser(id: number)
Affects: 12 files across 3 packages
Suggest: Add overload or deprecate
Focus: Architectural consistency
Catches:
- LOC budget violations (files > 500 lines)
- Pattern inconsistencies
- Layer violations (e.g., UI calling DB directly)
- Missing documentation
Enforces:
- Code organization standards
- Codebase health metrics
- Architectural patterns
Example finding:
LOC budget exceeded:
src/dashboard.tsx: 1,247 lines (budget: 500)
Suggest: Split into components:
- DashboardLayout (200 LOC)
- DataTable (300 LOC)
- Filters (150 LOC)
Focus: Final decision making
Responsibilities:
- Combine findings from all agents
- Calculate weighted scores
- Resolve conflicts
- Generate ADRs (architectural tier only)
- Provide actionable recommendations
Decisions:
- ✅ APPROVE - Ready to merge
- ⚠️ CONDITIONAL - Fix issues first
- 🚫 REJECT - Major problems, cannot merge
Example output:
Synthesis:
Score: 3.2 / 4.29 (75%)
Decision: ⚠️ CONDITIONAL APPROVAL
Must fix before merge:
1. Security: Use env vars for API keys
2. DRY: Extract duplicate validation logic
Optional improvements:
3. Add tests for edge cases
4. Update API documentation
When: ≤3 files changed, simple fixes
Agents: 2 (Security + Reuse)
Example scenarios:
- Bug fix in a utility function
- Typo correction
- Small refactoring
Command:
/ai-council:council-trivial src/utils/helpers.ts
When: 4-15 files, new features
Agents: 4 (Security + Reuse + API + Evolution)
Example scenarios:
- New API endpoint
- Feature addition
- Service layer changes
Command:
/ai-council:council-feature src/services/
When: >15 files, major changes
Agents: 5 (All agents + ADR generation)
Example scenarios:
- Large refactoring
- Architecture changes
- Breaking changes
- Database migrations
Command:
/ai-council:council-architectural
Extra output: Architecture Decision Record (ADR) documenting the changes
Want a React performance reviewer? GraphQL query optimizer? Accessibility checker? Create your own!
/ai-council:council-agent-create
Interactive wizard walks you through:
- Choose a template (5 available)
- Define agent's focus
- Set review criteria
- Configure scoring
1. Basic Reviewer - Simple yes/no checks
Example: "Does component have PropTypes?"
- Yes → +1 point
- No → -1 point
2. Evidence-Based Reviewer - Metrics-driven
Example: Bundle size analyzer
- < 100KB → +2 points
- 100-200KB → +1 point
- > 200KB → -2 points
3. Specialized Domain - Tech-specific
Example: React best practices
- No inline functions in JSX → +1
- Uses React.memo for heavy components → +1
- Proper key props → +1
4. Budget Tracker - Enforce limits
Example: Performance budgets
- Lighthouse score ≥ 90 → +2
- Bundle size < 200KB → +1
- LOC per component < 300 → +1
5. Hybrid Reviewer - Multi-concern
Example: Full-stack API reviewer
- Security: No secrets in code
- Performance: Response time < 200ms
- Quality: Error handling present
/ai-council:council-agent-create
> Template: specialized-domain
> Name: react-performance-guardian
> Focus: React component performance
Agent created! Now reviews:
✓ Heavy component memoization
✓ Expensive render optimization
✓ useCallback/useMemo usage
✓ Prop drilling vs context
✓ Bundle size impact
Now use it:
/ai-council:council-feature src/components/
# Your custom agent runs automatically!
Fine-tune agent behavior in ~/.claude/ai-council/agents-config.yaml:
agents:
  security-guardian:
    enabled: true
    weight: 1.5 # Higher priority (default: 1.0)
    tiers: ["TRIVIAL", "FEATURE", "ARCHITECTURAL"]
  reuse-hunter:
    enabled: true
    weight: 1.0
    min_duplication_lines: 5 # Minimum lines to flag as duplicate
  api-sentinel:
    enabled: true
    weight: 1.2
    strict_mode: true # Flag even minor API changes
custom_agents:
  react-performance-guardian:
    enabled: true
    file: "~/.claude/ai-council/custom-agents/react-perf.md"
    weight: 1.0
    tiers: ["FEATURE", "ARCHITECTURAL"]
/ai-council:council-config
Shows:
- Installed agents
- Agent weights
- Tier configuration
- Custom agents
/ai-council:council-dashboard
Shows:
- Review history
- Success/rejection rate
- Most common issues
- Agent performance metrics
/ai-council:council-history
Shows:
- Past reviews
- Decisions made
- ADRs generated
- Trend analysis
/ai-council:council-agent-config
Interactive wizard to:
- Enable/disable agents
- Adjust weights
- Set budgets
- Configure tiers
Problem: Council finds no staged changes
Solution:
# Stage your changes first
git add .
# Then run review
/ai-council:council
Problem: Slash command not recognized
Solution: Use full namespace:
/ai-council:council-trivial test.ts
Or use Tab autocomplete:
/council<Tab>
Problem: Agent takes too long (>2 minutes)
Causes:
- Very large files
- Slow network
- High token usage
Solution:
- Review smaller chunks
- Use TRIVIAL tier for quick checks
- Split large files first
- Installation Guide - Detailed setup
- Contributing Guide - How to contribute
- Agent Templates - Custom agent examples
- Issue Tracker - Report bugs
Contributions welcome! Please read CONTRIBUTING.md for:
- Code of conduct
- Development setup
- Pull request process
- Creating custom agents
This project is licensed under the MIT License - see the LICENSE file for details.
- Built for Claude Code
- Inspired by multi-agent systems and code review best practices
- Thanks to all contributors!
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Web dashboard for review history
- Integration with GitHub Actions
- Custom agent marketplace
- Team collaboration features
- Multi-language support
- VS Code extension
- Slack/Discord notifications
Made with ❤️ for the Claude Code community
Version: 1.0.0 Last Updated: 2025-10-09