Code Review

After a phase is built, PP Core can audit the changes for bugs, security problems, and quality issues, and optionally fix what it finds. This guide covers the review command and its companion audit gates, how they slot into the workflow, and the --fix options that turn findings into commits.

Where review fits

Code review runs after execution and before you treat a phase as done. It examines the source files that changed during the phase, classifies what it finds by severity, and gives you a clear picture before verification and shipping. Pairing review with the verification gate keeps both correctness and quality in the loop rather than leaving either to chance.

Reviewing a phase

/pp-code-review N

This reviews the phase's changes and writes findings to {phase}-REVIEW.md, each tagged by severity.

You can choose how deep the review goes:

  • --depth=quick: pattern-matching pass, roughly two minutes.
  • --depth=standard: per-file analysis, five to fifteen minutes. This is the default.
  • --depth=deep: cross-file analysis, fifteen to thirty minutes.

To scope a review to specific files, pass them explicitly:

/pp-code-review N --files src/auth.ts,src/session.ts

Letting it fix findings

Add --fix and PP Core resolves the findings rather than just reporting them, recording the work in {phase}-REVIEW-FIX.md:

/pp-code-review N --fix

By default this addresses Critical and Warning findings. Two flags widen that behavior:

  • --fix --all extends fixes down to Info-level findings as well.
  • --fix --auto runs an iterative fix-and-review loop, re-reviewing after each pass, capped at three cycles.

The wider audit pipeline

Code review is one of several gates. PP Core offers focused audit commands for completed phases:

  • /pp-audit-fix: autonomous audit-to-fix pipeline that finds issues, classifies them, fixes, tests, and commits.
  • /pp-add-tests N: generate a test suite for a completed phase, committed alongside the code.
  • /pp-secure-phase N: verify threat mitigations retroactively, writing {phase}-SECURITY.md.
  • /pp-validate-phase N: run a Nyquist coverage audit and produce a coverage mapping report.

The audit-fix pipeline is configurable on the command line:

  • --source <audit> picks the audit type to draw from; it defaults to audit-uat.
  • --severity high|medium|all sets the minimum severity to act on; the default is medium.
  • --max N caps how many fixes run per invocation; the default is 5.
  • --dry-run previews the classification without applying anything.

For example, to preview at most three high-severity fixes without applying any of them:

/pp-audit-fix --severity high --max 3 --dry-run

Setting defaults in config

Rather than passing the same flags every time, you can encode preferences in config.json:

  • workflow.code_review_depth sets the default review depth.
  • code_quality.fallow.enabled toggles structural analysis.
  • workflow.security_enforcement, security_asvs_level, and security_block_on govern how security gating behaves.
  • workflow.tdd_mode turns on test-first sequencing.
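As an added illustration that is not taken from the PP Core documentation, here is how those dotted keys map onto a nested config.json. It assumes the depth key accepts the same quick, standard and deep words as the --depth flag, and that the three security keys sit under workflow as the wording above suggests; their accepted values are not stated on this page, so they appear as placeholder strings rather than real settings.

```json
{
  "workflow": {
    "code_review_depth": "deep",
    "security_enforcement": "<placeholder: accepted values not given on this page>",
    "security_asvs_level": "<placeholder: accepted values not given on this page>",
    "security_block_on": "<placeholder: accepted values not given on this page>",
    "tdd_mode": true
  },
  "code_quality": {
    "fallow": {
      "enabled": true
    }
  }
}
```

Replace each placeholder with a value your PP Core version accepts before using the file; with the depth set here, /pp-code-review N runs the cross-file analysis without needing --depth=deep on every invocation.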

With these set, the review and audit commands inherit your standards automatically, so every phase passes through the same quality bar without extra typing.
