feat(multi-agent-review): spin sub-agents to review specific aspects

[Cali93]

Summary

• Update the auto-review prompt to use a parallel multi‑agent flow (bugs, security, patterns) with consolidation and deduplication rules.
• Extend findings parsing to infer agent source from ID prefixes and support multi‑agent output fixtures.
• Add tests and fixtures for multi‑agent parsing, and allow Task tool usage in the Claude run.

Changes

• Revamp the auto-review prompt to spawn three specialized sub‑agents in parallel, then consolidate issues into a single unified <details> list with severity ordering.
• Enhance parseClaudeComment to map bug-, sec-, pat- ID prefixes to agent names.
• Add multi‑agent output fixture and tests validating agent extraction and prefix handling.
• Expand allowed tools to include Task for parallel sub‑agent execution.

Notes

• Domain‑specific checks remain owned by the patterns agent per updated prompt.

Test run example here https://github.com/WalletConnect/gha-playground/pull/3#issuecomment-3772901080

[claude]

Claude finished @Cali93's task in 1m 53s —— View job

---

Code Review

• Read changed files
• Review action.yml multi-agent orchestration
• Review agent specification files
• Review parsing logic changes
• Review test coverage
• Check for security issues
• Provide final feedback

---

Found 3 issue(s)

Issue 1: Agent specification files are unused

ID: pat-action-unused-agent-files-a1b2
File: claude/auto-review/action.yml:111
Severity: HIGH
Category: architecture
Context: The PR adds three agent specification files (review-bugs.md, review-patterns.md, review-security.md) with YAML frontmatter defining tools and model preferences, but action.yml never references or uses these files. The action.yml instead embeds all agent instructions directly in the prompt text at lines 111-143. This means the frontmatter metadata (tools, model, description) serves no purpose.
Recommendation: Either:

1. Remove the frontmatter from agent files and use them as pure documentation/reference, OR
2. Modify action.yml to read and use these agent specification files instead of embedding instructions inline

The current implementation creates maintenance burden - agent instructions exist in two places and can drift out of sync.

Issue 2: Missing instruction to read agent specification files

ID: pat-action-missing-file-refs-c3d4
File: claude/auto-review/action.yml:135
Severity: MEDIUM
Category: code_quality
Context: The prompt instructs Claude to spawn agents with embedded instructions but doesn't reference the agent specification files in claude/auto-review/agents/. If these files are meant to be used by spawned agents (which have Read access), the main prompt should instruct Claude to read and use them.
Recommendation: Add instruction to read agent specification files:

**For EACH agent prompt, include:**
- Read the agent specification from claude/auto-review/agents/review-{type}.md
- This preamble: \"You are a code reviewer...\"

Or document that the .md files are reference material only, not runtime specifications.

Issue 3: Test fixture doesn't match actual multi-agent output format

ID: bug-multi-agent-fixture-mismatch-8b91
File: claude/auto-review/scripts/tests/fixtures/claude-comments/multi-agent-output.md:1
Severity: MEDIUM
Category: bug
Context: The multi-agent-output.md fixture shows a consolidated output format (lines 1-4: "I've conducted a comprehensive review using specialized agents for bugs, security, and patterns. Here are the consolidated findings:"), but the action.yml prompt at line 162 instructs to "Produce a SINGLE consolidated summary containing all unique issues in the standard collapsed <details> format." The fixture should match what the actual prompt will produce. The test validates agent prefix extraction (lines 226-254) which is good, but doesn't validate the consolidation flow described in action.yml lines 150-162.
Recommendation: Update test fixture to match the actual expected output format from action.yml, or add a test case that validates the consolidation instructions are correctly followed.

---

Summary

Multi-agent architecture implementation with agent-specific ID prefixes and parsing logic. Main concerns:

1. Unused files: Agent specification .md files with frontmatter aren't referenced or used by action.yml
2. Unclear architecture: Is action.yml meant to embed all instructions, or read from agent files?
3. Test coverage gap: Fixture doesn't fully validate the consolidation flow described in the prompt

Recommend clarifying whether agent .md files are runtime specs or documentation, and aligning implementation accordingly.

[bkrem]

FYI - think you will need to rebase due to this base prompt compression I just got over the line, apologies 🙏 #56

[bkrem]

I see this was moved into review-patterns, but let's ensure these checks are preserved in the main prompt if agents only trigger on heuristics like PR size? 🙏 We need them to happen for sure on every PR.

[bkrem]

We already have this in the main prompt now based on your prior advice: https://github.com/WalletConnect/actions/pull/64/changes#diff-742c4c628098679724a584600295de6d9bba6d01b7d7b5c0cb60f03ce427288fR61

[bkrem]

It already has lots of explicit guidance on how to generate the IDs for inline commenting deduplication: https://github.com/WalletConnect/actions/pull/64/changes#diff-742c4c628098679724a584600295de6d9bba6d01b7d7b5c0cb60f03ce427288fR142

I don't think we need the ID prefix: specifications here and it doesn't seem to follow them anyways based on what I'm seeing in https://github.com/WalletConnect/gha-playground/pull/12#issuecomment-3774813787

[bkrem]

Maybe we retire the usage of https://github.com/anthropics/claude-code-security-review/ in favour of this long term and use Opus for this agent, somewhat duplicative if we have both in some repos.