kind: WavePipeline
metadata:
  name: code-review
  description: "Comprehensive code review for pull requests"
  release: true

input:
  source: cli
  example: "review the authentication module"

steps:
  - id: diff-analysis
    persona: navigator
    workspace:
      mount:
        - source: ./
          target: /project
          mode: readonly
    exec:
      type: prompt
      source: |
        Analyze the code changes for: {{ input }}

        1. Identify all modified files and their purposes
        2. Map the change scope (which modules/packages affected)
        3. Find related tests that should be updated
        4. Check for breaking API changes

        Produce a structured result matching the contract schema.
    output_artifacts:
      - name: diff
        path: .wave/output/diff-analysis.json
        type: json
    handover:
      contract:
        type: json_schema
        source: .wave/output/diff-analysis.json
        schema_path: .wave/contracts/diff-analysis.schema.json
        on_failure: retry
        max_retries: 2

  - id: security-review
    persona: auditor
    dependencies: [diff-analysis]
    memory:
      inject_artifacts:
        - step: diff-analysis
          artifact: diff
          as: changes
    exec:
      type: prompt
      source: |
        Security review of the changes:

        Check for:
        1. SQL injection, XSS, CSRF vulnerabilities
        2. Hardcoded secrets or credentials
        3. Insecure deserialization
        4. Missing input validation
        5. Authentication/authorization gaps
        6. Sensitive data exposure

        Output findings with severity (CRITICAL/HIGH/MEDIUM/LOW).
    output_artifacts:
      - name: security
        path: .wave/output/security-review.md
        type: markdown

  - id: quality-review
    persona: auditor
    dependencies: [diff-analysis]
    memory:
      inject_artifacts:
        - step: diff-analysis
          artifact: diff
          as: changes
    exec:
      type: prompt
      source: |
        Quality review of the changes:

        Check for:
        1. Error handling completeness
        2. Edge cases not covered
        3. Code duplication
        4. Naming consistency
        5. Missing or inadequate tests
        6. Performance implications
        7. Documentation gaps

        Output findings with severity and suggestions.
    output_artifacts:
      - name: quality
        path: .wave/output/quality-review.md
        type: markdown

  - id: summary
    persona: summarizer
    dependencies: [security-review, quality-review]
    memory:
      inject_artifacts:
        - step: security-review
          artifact: security
          as: security_findings
        - step: quality-review
          artifact: quality
          as: quality_findings
    exec:
      type: prompt
      source: |
        Synthesize the review findings into a final verdict:

        1. Overall assessment (APPROVE / REQUEST_CHANGES / NEEDS_DISCUSSION)
        2. Critical issues that must be fixed
        3. Suggested improvements (optional but recommended)
        4. Positive observations

        Format as a PR review comment ready to post.
        Do NOT include a title/header line — the publish step adds one.
    output_artifacts:
      - name: verdict
        path: .wave/output/review-summary.md
        type: markdown

  - id: publish
    persona: github-commenter
    dependencies: [summary]
    memory:
      inject_artifacts:
        - step: summary
          artifact: verdict
          as: review_summary
    exec:
      type: prompt
      source: |
        Post the code review summary as a PR comment.

        The original input was: {{ input }}
        Extract the PR number or URL from the input.

        1. Post the review as a PR comment using:
           gh pr comment --body "## Code Review (Wave Pipeline)

           ---
           *Generated by [Wave](https://github.com/re-cinq/wave) code-review pipeline*"
    output_artifacts:
      - name: publish-result
        path: .wave/output/publish-result.json
        type: json
    handover:
      contract:
        type: json_schema
        source: .wave/output/publish-result.json
        schema_path: .wave/contracts/publish-result.schema.json
        must_pass: true
        on_failure: retry
        max_retries: 2
    outcomes:
      - type: url
        extract_from: .wave/output/publish-result.json
        json_path: .comment_url
        label: "Review Comment"