
Review Agent Setup
Gate Claude Code agent actions on PRs, CI, releases, and protected branches behind human approval with Cedar policies and signed receipts.
Overview
Review Agent Setup is an agent skill most often used in Ship (also Build agent-tooling) that configures human-in-the-loop Cedar gates and signed receipts for AI review and GitHub actions.
Install
npx skills add https://github.com/wshobson/agents --skill review-agent-setup
What is this skill?
- Human-in-the-loop gating for gh pr review, merge, issue triage, releases, and CI file edits
- Ed25519-signed receipt for every approved or denied agent attempt
- Cedar policy file copied to project for customizable review-agent-governance rules
- Explicit guidance: skip when agents only edit local files and run tests—use protect-mcp instead
Adoption & trust: 1.5k installs on skills.sh; 36.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your coding agent can merge PRs and edit CI, but you have no auditable human approval path before those high-impact commands run.
Who is it for?
Repos where Claude Code agents use gh for reviews, merges, releases, or workflow edits on protected branches.
Skip if: Projects where the agent only does local edits and tests—the skill itself recommends protect-mcp and skipping this plugin.
When should I use this skill?
Setting up a project where an agent may post PR reviews, comments, merges, edit CI, push protected branches, or notify Slack/Discord and you want Cedar gates plus signed receipts.
What do I get? / Deliverables
Agent review, merge, release, and CI mutations are denied or allowed per Cedar policy with Ed25519-signed receipts for every attempt.
- review-governance.cedar policy in the repo
- Configured review-agent-governance plugin
- Documented approval and receipt workflow for denied/allowed attempts
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Governance for agent review and merge actions is a shipping safeguard before autonomous agents touch production repos. Cedar-enforced gates, Ed25519 receipts, and protected-branch rules are security and compliance controls, not feature coding.
Where it fits
Block gh pr merge on main until a human approves via Cedar gate and a signed receipt is recorded.
Install review-agent-governance before enabling an agent that triages issues with gh issue comment.
Allow staged PR reviews but deny CI workflow edits unless policy permits the specific path.
How it compares
Governance plugin for GitHub-facing agent actions—not a substitute for code review quality skills or generic MCP tool blocking alone.
Common Questions / FAQ
Who is review-agent-setup for?
Solo and indie builders who let Claude Code agents run gh PR, issue, release, or CI commands and need enforceable human approval plus audit receipts.
When should I use review-agent-setup?
In Ship when hardening agent access to merges and workflows; in Build agent-tooling when you first wire an agent to GitHub write operations.
Is review-agent-setup safe to install?
Review the Security Audits panel on this Prism page; the skill installs a governance plugin and policy files—verify plugin source and Cedar rules before enabling in production orgs.
SKILL.md
# review-agent-governance — Setup

Gate AI agent review actions (PR reviews, comments, merges, CI edits) behind explicit human approval. Every attempt, approved or denied, produces an Ed25519-signed receipt.

## When to use this plugin

Install it in projects where a Claude Code agent:

- Reviews, comments on, or merges pull requests (`gh pr review`, `gh pr merge`)
- Triages issues (`gh issue comment`, `gh issue close`)
- Publishes releases (`gh release create`)
- Modifies CI configuration (`.github/workflows/`, `.gitlab-ci.yml`)
- Pushes to protected branches (`main`, `master`, `release`, `production`)
- Posts to external notification surfaces (Slack webhooks, Discord)

If the agent is only doing local file edits and running tests, this plugin is overkill. Use `protect-mcp` for general tool-call policy enforcement and skip this one.

## One-time setup

### 1. Install the plugin

```bash
claude plugin install wshobson/agents/review-agent-governance
```

### 2. Copy the default policy to your project

```bash
cp .claude/plugins/review-agent-governance/policies/review-agent-governance.cedar \
  ./review-governance.cedar
```

You can edit this file to match your project's specific rules. See `../agents/review-policy-author.md` for guidance on authoring review policies.

### 3. Create a receipts directory and sign key

```bash
mkdir -p ./review-receipts
# A leading "/" anchors each pattern to the repository root;
# git does not match .gitignore patterns written with a "./" prefix.
echo "/review-receipts/" >> .gitignore
echo "/review-governance.key" >> .gitignore
echo "/.review-approved" >> .gitignore
```

The first invocation of `protect-mcp sign` will create the key. Commit the public key from the first receipt so auditors can verify later.

## Per-session workflow

The Cedar policy denies review-surface actions unconditionally. To approve a specific action, open an approval window before it and close it after.

### Flag file (simplest)

```bash
# Before the action you want to approve
touch ./.review-approved

# Let Claude Code run the review / comment / merge

# Immediately after
rm ./.review-approved
```

### Slash command (from within Claude Code)

```
/approve-review "Reviewing PR #123 authored by contributor X"
```

This creates `./.review-approved` with the given reason embedded as a note, and writes a human-approved receipt to the chain. A follow-up `rm` is still needed to close the window.

### Dry-run everything (force full policy evaluation)

If you want every tool call to go through Cedar with no approval bypass:

```bash
export REVIEW_APPROVAL_FLAG=./.never-approve
```

Any tool call matching a forbid rule will be denied; approved windows have no effect. Useful for CI or for a locked-down audit run.

## Verifying the chain

List all receipts:

```bash
ls -la ./review-receipts/
```

Verify the entire chain offline:

```bash
npx @veritasacta/verify ./review-receipts/*.json
```

Exit 0 means every receipt is authentic and the chain is intact. Exit 1 means one receipt has been tampered with. Exit 2 means a receipt is malformed.

Look at recent denials:

```
/list-pending
```

Within Claude Code this slash command walks the receipt chain and prints any recent `decision: deny` entries with the tool name, command pattern, and timestamp.

## Example: approving a PR review

```bash
# 1. Human reviews the agent's proposed comment
$ /list-pending
Recent denials:
  - 2026-04-17T14:23:01Z  Bash  "gh pr review 42 --approve --body 'LGTM'"
  - 2026-04-17T14:23:02Z  Bash  "gh pr comment 42 --body 'Looking good'"

# 2. Human decides the first one is appropriate, approves it
$ /approve-review "Approving LGTM on PR 42 after visual inspection"
./.review-approved created

# 3. Agent retries the action; this time it succeeds
$ agent: gh pr review
```
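
The receipt chain described under "Verifying the chain" can be modelled in a few lines to show what an offline verifier has to check. This is an added example, not code from the plugin or from `@veritasacta/verify`: the receipt fields, the `prev` hash link and the `issue`/`verifyChain` helpers are assumptions made for illustration, and only the 0/1/2 result codes follow the page.

```javascript
// Added illustration: the receipt layout below is hypothetical, not the plugin's.
const crypto = require('node:crypto');

const FIELDS = ['seq', 'decision', 'tool', 'command', 'ts', 'prev'];
// Canonical bytes: fixed field order so signer and verifier sign the same thing.
const body = (r) => Buffer.from(JSON.stringify(FIELDS.map((f) => r[f])));
const digest = (r) =>
  crypto.createHash('sha256').update(body(r)).update(r.sig).digest('hex');

// Sign a receipt and link it to the previous one (prev is null for the first).
function issue(privateKey, prevReceipt, fields) {
  const r = { ...fields, prev: prevReceipt ? digest(prevReceipt) : null };
  r.sig = crypto.sign(null, body(r), privateKey).toString('base64');
  return r;
}

// Returns 0 (authentic, chain intact), 1 (tampered) or 2 (malformed),
// mirroring the exit codes the page describes for the real verifier.
function verifyChain(publicKey, receipts) {
  let prev = null;
  for (const r of receipts) {
    const ok = r && typeof r === 'object' && typeof r.sig === 'string' &&
      FIELDS.every((f) => f in r) && ['allow', 'deny'].includes(r.decision);
    if (!ok) return 2;
    const sigOk = crypto.verify(null, body(r), publicKey, Buffer.from(r.sig, 'base64'));
    const linkOk = r.prev === (prev ? digest(prev) : null);
    if (!sigOk || !linkOk) return 1;
    prev = r;
  }
  return 0;
}

// Constructed sample data: a throwaway key pair and two receipts.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const r1 = issue(privateKey, null, { seq: 1, decision: 'deny', tool: 'Bash',
  command: 'gh pr review 42 --approve', ts: '2026-04-17T14:23:01Z' });
const r2 = issue(privateKey, r1, { seq: 2, decision: 'allow', tool: 'Bash',
  command: 'gh pr review 42 --approve', ts: '2026-04-17T14:25:10Z' });

const intact = verifyChain(publicKey, [r1, r2]);                            // 0
const edited = verifyChain(publicKey, [{ ...r1, decision: 'allow' }, r2]);  // 1
const dropped = verifyChain(publicKey, [r2]);                               // 1
const broken = verifyChain(publicKey, [r1, { seq: 2 }]);                    // 2
console.log({ intact, edited, dropped, broken });
```

A hash-linked chain like this catches edits, reordering and receipts removed from the front or middle, but not removal of the newest receipts, since what remains is still a valid prefix. Recording the latest digest somewhere outside the repository covers that case.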