Report Format
pr-review generates a structured Markdown report saved to the current directory. The filename includes the PR number when detected via the gh CLI.
Output filename
| Condition | Filename |
|---|---|
| PR detected (e.g. #42) | pr-42-review.md |
| No PR detected | pr-review-review.md (from config) |
| Custom via --output | Your specified filename |
Report sections
| Section | Description |
|---|---|
| Header | PR number, date, provider/model, files changed stats |
| Summary | High-level overview of the PR changes |
| Critical Issues | Bugs and security issues that must be fixed |
| Suggested Improvements | Non-blocking improvements and best practices |
| Security Analysis | Security-specific findings with ✅/❌ markers |
| Performance Notes | Performance observations and recommendations |
| Final Verdict | Approve / Request Changes / Comment with reasoning |
Sample report
pr-42-review.md
```markdown
# PR Review Report
**PR:** #42 — feature/auth → main
**Date:** 2025-01-15
**Provider:** claude (claude-sonnet-4-5)
**Files reviewed:** 3 files, 142 insertions, 28 deletions
---
## Summary
This PR introduces JWT-based authentication middleware. The overall structure is solid,
but there are two critical security issues and several minor improvements recommended.
---
## Critical Issues
### 🔴 Missing token expiry validation
`src/middleware/auth.js:42`
The JWT is decoded but the `exp` claim is never checked...
---
## Suggested Improvements
### 🟡 Extract magic numbers to constants
`src/config/jwt.js`
The 3600 second expiry should be a named constant...
---
## Security Analysis
- ✅ No secrets hardcoded in source
- ❌ JWT secret falls back to empty string if env var missing
- ✅ bcrypt used for password hashing (cost factor 12)
---
## Performance Notes
- ✅ DB queries are properly indexed
- 🟡 Consider caching user lookup in Redis for hot paths
---
## Final Verdict
**Approve with changes.** Fix the two critical security issues before merging.
```
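Because the report has fixed sections and ✅/❌ markers, a merge gate can read it mechanically. The following is an added example, not part of pr-review: the `gate` policy and function names are assumptions, and it assumes every report carries the `##` sections, `###` issue headings and `- ❌` bullets shown in the sample above.

```python
import re

# Constructed sample, shaped like the report sections documented on this page.
SAMPLE_REPORT = """\
# PR Review Report
---
## Critical Issues
### 🔴 Missing token expiry validation
`src/middleware/auth.js:42`
---
## Security Analysis
- ✅ No secrets hardcoded in source
- ❌ JWT secret falls back to empty string if env var missing
---
## Final Verdict
**Approve with changes.** Fix the critical issues before merging.
"""

def split_sections(report):
    """Map each '## ' heading to the list of lines beneath it."""
    sections, current = {}, None
    for line in report.splitlines():
        if line.startswith("## "):
            current = line[3:].strip()
            sections[current] = []
        elif current is not None and line.strip() != "---":
            sections[current].append(line)
    return sections

def gate(report):
    """Return (ok, reasons); ok is False when the report should block a merge."""
    s = split_sections(report)
    reasons = []
    # Fail closed: a truncated or malformed report must not pass the gate.
    for name in ("Critical Issues", "Security Analysis", "Final Verdict"):
        if name not in s:
            reasons.append(f"missing section: {name}")
    for line in s.get("Critical Issues", []):
        if line.startswith("### "):
            reasons.append("critical: " + line[4:].strip())
    for line in s.get("Security Analysis", []):
        if line.lstrip("- ").startswith("❌"):
            reasons.append("security: " + line.lstrip("- ").lstrip("❌").strip())
    verdict = re.search(r"\*\*(.+?)\*\*", "\n".join(s.get("Final Verdict", [])))
    if verdict is None or not verdict.group(1).lower().startswith("approve"):
        reasons.append("verdict is not an approval")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(gate(SAMPLE_REPORT))
```

Note that the sample verdict reads "Approve with changes", so the gate blocks on the listed findings rather than on the verdict text alone.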