ci: auto-review every PR with Claude

.github/workflows/claude-review.yaml

@@ -0,0 +1,79 @@
+name: Claude PR Review
+
+# Runs an automated Claude code review on every pull request targeting main or
+# develop. Findings are posted as PR comments (top-level summary + inline notes).
+#
+# Prerequisites (one-time, set by a maintainer):
+#   1. Install the Claude GitHub App on the Poly-pay/polypay_app repo:
+#        https://github.com/apps/claude
+#   2. Generate a token from a Claude Pro/Max subscription (`claude setup-token`)
+#      and add it as the repo/Actions secret CLAUDE_CODE_OAUTH_TOKEN (Settings →
+#      Secrets and variables → Actions).
+# Until both are in place the job runs but cannot authenticate.
+# Note: subscription-token usage counts against the account's Claude usage
+# limits. For a high-PR repo, an ANTHROPIC_API_KEY (API billing) avoids that.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches:
+      - main
+      - develop
+
+# Keep only the latest review per PR; cancel superseded runs on new pushes.
+concurrency:
+  group: claude-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Claude review
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          track_progress: true
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+
+            Review this pull request's diff. Report correctness bugs first, then
+            reuse / simplification / efficiency cleanups. The PR branch is
+            already checked out in the working directory; read CLAUDE.md for the
+            repo's conventions.
+
+            PolyPay is a privacy-preserving payroll & multisig platform
+            (Next.js 15 + NestJS 11 + Hardhat + Prisma + Noir/ZK). Weight the
+            review toward:
+            - Security: this app moves USDC and handles multisig approvals, ZK
+              proofs, JWT auth, and x402 / EIP-3009 signatures. Scrutinise any
+              change touching signatures, key material, auth, access control, or
+              fund movement. Never approve committed secrets.
+            - Convention adherence (per CLAUDE.md): API contracts via
+              @polypay/shared DTOs, all HTTP through apiClient, Zod schemas for
+              forms, useAuthenticatedQuery for authed queries, no hardcoded API
+              URLs, business logic in hooks not components.
+            - Bugs a careful reviewer catches in one sitting: inverted/wrong
+              conditions, missing await, null/undefined derefs, off-by-one,
+              swallowed errors in catch, copy-paste of the wrong variable, call
+              sites broken by a changed signature or return shape.
+
+            Be specific and actionable; cite file:line. If the diff is clean,
+            say so briefly rather than inventing issues.
+
+            Use `gh pr comment` for the top-level summary.
+            Use `mcp__github_inline_comment__create_inline_comment` (with
+            `confirmed: true`) for line-level issues.
+            Only post GitHub comments — do not return review text as messages.
+          claude_args: |
+            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"