AI Agent Code Review Workflow: Pre-Review Your Own PRs

Use Claude Code, Codex, or Cursor agents to pre-review your PRs before a human sees them. Exact prompt, loop, and tool pricing for June 2026.

Solo devs and small teams ship code with no second pair of eyes, and the diff shows it. The fix is not “wait for AI to replace the reviewer.” It is to run an agent as a pre-filter so the human reviewer (or future-you) opens a cleaner PR. This is the exact prompt, the review loop, and the June 2026 tooling that earn their keep on every PR over 50 lines.

TL;DR

  • Run an agent over git diff main...HEAD with a one-sentence intent line before any human sees the PR. No intent line means a generic “could be more modular” review instead of a useful one.
  • For Claude Code, you do not need a custom command: /review runs Anthropic’s PR checklist and /security-review audits the branch for vulnerabilities. Both ship built in as of June 2026.
  • Keep review and editing in separate prompts and separate commits so the fix is visible and never silently changes behavior.
  • Cost for a manual agent pass on a 200-line diff is roughly $0.10–$0.40 in API tokens. A managed bot (CodeRabbit, Copilot code review) runs $15–$48 per seat per month for always-on PR coverage.
  • Re-run the review after applying fixes. One pass is rarely enough; the patch usually introduces a new nit.

Why pre-review beats reviewing AI output

Most “AI code review” advice is about checking AI-generated output. The reverse play, having an agent review YOUR human-written code before a teammate sees it, is higher leverage. A 5-minute agent pass catches the obvious stuff (missed edge cases, leaked abstractions, broken naming, missing tests) so the human reviewer spends their limited attention on real judgment calls instead of style nits.

It also fixes the trust problem on small teams: senior PRs get rubber-stamped because the team trusts the author, which is exactly when bugs slip through. An agent does not rubber-stamp.

Who this is for

Developers shipping code through PR review, especially:

  • Solo devs and consultants with no teammate to bounce a diff off.
  • Senior engineers whose PRs are approved on reputation and therefore under-scrutinized.
  • Small teams with slow review queues, where authors want to ship faster without skipping review.
  • Open-source maintainers who land their own PRs and want a second signal before merging.

When to reach for it (and when not to)

Reach for it before any PR over roughly 50 lines, after a big refactor, and before merging changes that touch shared interfaces, public APIs, or auth/billing code. Anywhere the cost of a missed bug beats 10 minutes of agent time.

Skip it for hotfixes that must ship in the next 15 minutes, trivial typo fixes, and PRs where you are still learning the codebase (the agent hands you the answer instead of letting you understand the code). Security-critical changes still need a named human reviewer regardless of what the agent says.

Pick your review path (June 2026)

You have three real options. They differ in where the review runs, who pays, and whether it is one-off or always-on.

PathToolCost (June 2026)Best for
Built-in commandsClaude Code /review, /security-reviewAPI tokens only (~$0.10–$0.40 per 200-line diff)Solo devs, any paid Claude plan
Cloud deep reviewClaude Code /ultrareview (research preview)~$5–$20 per run; Pro/Max plansHardest bugs, only-verified findings
Always-on PR botCodeRabbit / GitHub Copilot code reviewCodeRabbit $24 Pro / $48 Pro+ per seat/mo; Copilot from $10/mo (also burns Actions minutes since June 1, 2026)Teams wanting every PR reviewed automatically

Notes on the numbers, all as of June 2026:

  • Claude Code /review and /security-review are built-in slash commands on any paid plan (Claude Pro is $20/mo, $17/mo billed annually, and now bundles Claude Code). /review applies Anthropic’s PR checklist; /security-review audits the current branch. See the official slash-command reference.
  • /ultrareview is a cloud multi-agent bug hunter for Pro/Max users that only reports bugs it has independently reproduced, which cuts false positives. Budget $5–$20 per run.
  • CodeRabbit is free for public open-source repos; private repos are $24/seat/mo (Pro) or $48/seat/mo (Pro+), billed annually, and only contributors who open PRs count as seats. See coderabbit.ai/pricing.
  • GitHub Copilot code review starts at the Pro plan ($10/mo). Since June 1, 2026, each review bills twice: AI credits for tokens plus GitHub Actions minutes for the agentic infrastructure that runs it. Factor that in before turning it on org-wide.

For a hands-on, no-bot loop you control, the rest of this guide uses Claude Code, Codex, or Cursor Composer locally.

Before you start

  • Have a clean working commit. Agents review diffs; uncommitted noise pollutes the review.
  • Be able to state the PR’s intent in one sentence. Without intent the review is generic (“could be more modular”) instead of useful (“the rate limiter accepts a negative window, intentional?”).
  • Pick an agent with file and diff access: Claude Code, Codex, or Cursor Composer. Pure-chat agents force copy-paste, which loses fidelity.

The review loop, step by step

  1. Branch and commit. The agent reads git diff main...HEAD, so the commit boundary matters.
  2. Run the review. In Claude Code, type /review for the built-in checklist, or paste the template below for a focused, intent-driven pass:
Review the diff from main...HEAD against this codebase.
Intent: [one sentence: what this PR does and why]
Focus on: missed edge cases, leaked abstractions, naming,
test coverage for the new behavior, and any place the
diff conflicts with patterns in the rest of the repo.
Do NOT rewrite. Comment only.
  1. Triage every comment into three buckets: clearly right, stylistic noise, and “needs more context” (re-ask with the missing context).
  2. Fix one thing at a time. For each clearly-right comment, ask: “Show me the smallest patch, no behavior change beyond fixing this.” Apply and commit separately so the fix is visible in history.
  3. Push back on noise. For stylistic flags, ask “Why does this matter for the stated intent?” Agents back down fast on real noise; if it holds its ground, listen.
  4. Re-review the updated diff. Stop only when the agent surfaces nothing but nits.
  5. Hand off to a human with a “pre-reviewed by agent” note so the reviewer can focus on judgment calls, not the obvious.

Calibrate it on a real PR first

Before you trust the loop, run it once against a PR you already know the answer to:

  1. Pick a ~200-line PR you shipped this week that got real comments from a human reviewer.
  2. Run the agent review on it and compare the findings to the human’s comments.
  3. Count: how many human comments did the agent also catch, how many did it miss, and what did it find that the human missed?
  4. That ratio is the agent’s value on YOUR codebase. Community testing of a parallel-subagent setup found roughly 75% of suggestions were actionable versus under 50% for a single naive agent, so a single-pass agent catching 70%+ of the human comments is already pulling its weight.

Common mistakes

  • Reviewing without stating intent. The agent flags non-issues because it does not know what “good” looks like for this change.
  • Accepting every suggestion. Agents over-engineer and will happily refactor working code into something more abstract and worse.
  • Letting it rewrite while reviewing. Review and edit must be separate prompts and separate commits, or behavior changes hide inside “fixes.”
  • Reviewing AI output with the model that wrote it. It tends to approve its own work. Cross-check with a different model.
  • Skipping the re-review. Fixes introduce new issues; one pass is rarely enough.
  • Treating “nice to refactor” as a blocker. Those are post-merge tickets, not PR blockers.

Advanced tips

  • Cross-check models. Review with one model, then ask a different one (say, Claude Opus 4.7 against GPT-5.5) to disagree with the first review. Different training surfaces different blind spots.
  • Encode project anti-patterns in CLAUDE.md (or AGENTS.md) at the repo root, e.g. “never call db.exec outside the repository layer.” The agent respects it across every review, and a slash command at .claude/commands/review.md makes your custom prompt reusable with zero friction.
  • For security-sensitive code, run /security-review or ask explicitly: “List the inputs that could become attack vectors and trace how each is validated.” Generic security reviews miss the specifics.
  • Use commit-level reviews for stacked PRs so feedback maps to one cohesive change, not the whole stack.
  • Watch for repeating finding categories. If “missing tests” shows up across eight PRs, the fix is a pre-commit hook, not a stronger review prompt.

FAQ

  • Will this make me a worse reviewer?: Only if you accept blindly. Reading the comments and pushing back actively teaches you patterns you did not see before.
  • How is this different from CI linting?: Linters catch syntax and known patterns. Agents catch logic errors, missing tests, and leaked abstractions, which is the higher-level review humans usually do.
  • Which model should I use?: Claude Sonnet 4.6 and Opus 4.7, and GPT-5.5-class models, are all strong reviewers as of June 2026. Opus 4.7 leads SWE-bench Verified at 87.6%. Use whichever your editor integrates with; switching cost is real.
  • What does a review cost?: A manual 200-line pass is roughly $0.10–$0.40 in API tokens. A cloud /ultrareview run is $5–$20. An always-on bot is $24–$48 per seat per month. All cheaper than one missed production bug.
  • Can the agent merge for me?: No, and do not let it. Agent review is one signal; tests and a human are the other two. Ship only when all three agree.

Tags: #AI coding #Tutorial #Workflow #Claude Code