fix: reviewer agent must verify findings against actual code

[rohitg00]

Summary

• Reviewer agent now requires reading actual code and quoting file:line for every finding
• /develop Phase 4 requires grep-based checks and drops unverified findings
• Bans assumption language: "ensure", "consider", "might"

Problem

When /develop is given a code review task, it provides unvalidated findings. The reviewer assumes issues exist without reading the code, using vague language like "ensure X handles Y" or "consider adding validation" without checking whether validation already exists.

Fix

reviewer.md:

• Added verification protocol: every finding must cite file:line and quote the problematic code
• Defined what "verified" vs "unverified" means with concrete examples
• Added "Verified Clean" section so clean code doesn't get fake findings
• Rules now explicitly ban assumption-based findings

develop.md Phase 4:

• Re-read every changed file (not just skim)
• Use grep for console.log/TODO/secrets (don't guess)
• Drop any finding that can't cite a specific line
• "Never report unverified findings"

Test plan

• Run /develop with a code review task and verify all findings cite file:line
• Check that no findings use "ensure", "consider", "might" language
• Verify that clean code gets a "Verified Clean" report, not invented issues

Summary by CodeRabbit

• Documentation
  • Enhanced code review and development workflow documentation with stricter verification protocols, requiring evidence-backed findings and explicit code references for all reported issues.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes tighten code review and development processes by enforcing verification-driven practices. agents/reviewer.md now mandates verifying every finding against actual code with exact line citations. commands/develop.md updates the review phase to require re-reading files and using grep to validate findings before committing.

Changes

Cohort / File(s)	Summary
Code Review Verification agents/reviewer.md	Added "Verification Protocol" section with hard rules requiring exact code line citations, quoted confirmation of issues, and feasible fixes. Expanded checklist to mandate logic tracing, edge case checks, error path following, input sanitization verification, and performance analysis. Replaced generic output format with evidence-based format requiring file:line references and concrete fixes.
Development Phase Update commands/develop.md	Updated Phase 4 "Review & Commit" instructions to replace brief self-review checklist with stricter verification-based workflow. Now requires re-reading each changed file in full, verifying issues via exact line quotes, and using grep to validate findings before committing.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~8 minutes

Poem

🐰 Twitching whiskers with delight,
Verification now shines bright,
No claim without the proof to show,
Grep it, quote it, let truth flow!
Better code reviews hopping true,
This rabbit's proud of me and you! 🐾

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: reviewer agent must verify findings against actual code' directly and concisely describes the main change: enforcing code verification for the reviewer agent with citation requirements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/review-verification

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

commands/develop.md (1)

73-75: Align Phase 4 verification rules with post-edit automation output.

Line 73-Line 75 require strictly verified reporting, but scripts/post-edit-check.js still emits heuristic findings and advisory wording (Consider: ...), which conflicts with this policy and can cause unverified findings to leak into reviews.

Suggested wording adjustment in this section

-3. **Grep for problems** — run `grep` for console.log, TODO, hardcoded secrets, debug statements. Report only what grep finds.
-4. **Never report unverified findings** — don't say "ensure X" or "consider Y". Either it's a confirmed problem with a file:line citation, or it's not worth reporting.
+3. **Grep for problems** — run `grep` for console.log, TODO, hardcoded secrets, debug statements. Treat matches as leads, then verify in-file before reporting.
+4. **Never report unverified findings** — automated checks are advisory only. Report an issue only after confirming it in code with a file:line citation and quoted line.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@commands/develop.md` around lines 73 - 75, The develop.md Phase 4 rule
requires only strictly verified findings, but scripts/post-edit-check.js
currently emits heuristic/advisory messages (e.g., lines prefixed with
"Consider: ...") that can leak unverified guidance into reviews; update
scripts/post-edit-check.js to stop emitting advisory phrasing and instead output
only confirmed findings with precise file:line citations (or add a strict
verification mode flag the script honors), remove or reword any "Consider:"
tokens, and ensure the report generator/formatter in that script produces the
exact verified-only wording required by develop.md.

agents/reviewer.md (1)

15-82: Sync this new reviewer contract with public docs to avoid conflicting instructions.

This file now mandates evidence-based file:line + quoted findings, but skills/pro-workflow/SKILL.md (Line 372-Line 427) and README.md (Line 178) still describe the older checklist/severity model. Please update those docs in the same PR (or immediately after) so users don’t follow contradictory reviewer behavior.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@agents/reviewer.md` around lines 15 - 82, The reviewer contract in
"agents/reviewer.md" introduced an evidence-first verification protocol but the
other docs still describe the older checklist/severity model; update the other
docs (SKILL.md and README.md) to match the new "Verification Protocol" wording
and behavior by replacing the legacy checklist/severity guidance (the block
describing checklist/severity model) with the new rules: require quoting exact
code, file:line evidence, and the prohibition on speculative language, and
ensure examples and output format sections reflect the new evidence-based format
and wording used in "Verification Protocol" so all three documents are
consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@agents/reviewer.md`:
- Line 55: The fenced code block opener in agents/reviewer.md uses "```" with no
language tag which triggers MD040; update the block opener to include a language
identifier (for example change "```" to "```text" or "```markdown") so the
fenced code block has a language (e.g., modify the "```" token surrounding the
review snippet to "```text").

---

Nitpick comments:
In `@agents/reviewer.md`:
- Around line 15-82: The reviewer contract in "agents/reviewer.md" introduced an
evidence-first verification protocol but the other docs still describe the older
checklist/severity model; update the other docs (SKILL.md and README.md) to
match the new "Verification Protocol" wording and behavior by replacing the
legacy checklist/severity guidance (the block describing checklist/severity
model) with the new rules: require quoting exact code, file:line evidence, and
the prohibition on speculative language, and ensure examples and output format
sections reflect the new evidence-based format and wording used in "Verification
Protocol" so all three documents are consistent.

In `@commands/develop.md`:
- Around line 73-75: The develop.md Phase 4 rule requires only strictly verified
findings, but scripts/post-edit-check.js currently emits heuristic/advisory
messages (e.g., lines prefixed with "Consider: ...") that can leak unverified
guidance into reviews; update scripts/post-edit-check.js to stop emitting
advisory phrasing and instead output only confirmed findings with precise
file:line citations (or add a strict verification mode flag the script honors),
remove or reword any "Consider:" tokens, and ensure the report
generator/formatter in that script produces the exact verified-only wording
required by develop.md.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 13d84399-8696-45d4-ada5-1c86e41647c1

📥 Commits

Reviewing files that changed from the base of the PR and between 9d1bd15 and d44b267.

📒 Files selected for processing (2)

• agents/reviewer.md
• commands/develop.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add a language identifier to the fenced code block.

Line 55 opens a fenced block without a language, which triggers MD040. Use a language tag (e.g., text) for lint compliance.

Proposed fix

-```
+```text
 ## Review: [Files/PR]
 ...

</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 55-55: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@agents/reviewer.md` at line 55, The fenced code block opener in
agents/reviewer.md uses "```" with no language tag which triggers MD040; update
the block opener to include a language identifier (for example change "```" to
"```text" or "```markdown") so the fenced code block has a language (e.g.,
modify the "```" token surrounding the review snippet to "```text").