feat(agents): Functional Code Review Agent — pre-PR functional correctness reviewer

[seekdavidlee]

Pull Request

Description

Pre-PR branch diff reviewer for functional correctness, error handling, edge cases, and testing gaps

Related Issue(s)

Closes #646

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

Pls code review

Execution Flow:

Output Artifacts:

---
title: "Functional Code Review: first-time-login-error"
description: "Pre-PR functional code review for first-time-login-error against origin/main"
ms.date: 2026-02-22
branch: first-time-login-error
base: origin/main
total_issues: 2
severity_counts:
  critical: 1
  high: 0
  medium: 1
  low: 0
---

# Functional Code Review: `first-time-login-error` → `origin/main`

## Executive Summary

| Metric | Value |
|---|---|
| Files changed | 3 |
| Lines added | 41 |
| Lines removed | 59 |
| Critical issues | 1 |
| High issues | 0 |
| Medium issues | 1 |
| Low issues | 0 |

## Changed Files Overview

| File | Lines Changed | Risk Level | Issues Found |
|---|---|---|---|
| `Eklee.KeyVault.UI/src/auth/useAuthToken.ts` | –36 (deleted) | Low | 0 |
| `Eklee.KeyVault.UI/src/main.tsx` | +22 / –12 | High | 0 |
| `Eklee.KeyVault.UI/src/services/apiClient.ts` | +19 / –3 | High | 2 |

---

## Critical Issues

### Issue 1: `acquireTokenSilent` failure in the interceptor is unhandled — every API call will throw an unrecoverable error

**Severity**: Critical
**Category**: Error Handling
**File**: `Eklee.KeyVault.UI/src/services/apiClient.ts`
**Lines**: 26-36

#### Problem

`acquireTokenSilent` can reject with an `InteractionRequiredAuthError` (expired refresh token, revoked consent, new MFA requirement, etc.). The deleted `useAuthToken.ts` hook handled this by falling back to `acquireTokenRedirect`. The new interceptor has no error handling at all — a silent-token failure will bubble as an unhandled promise rejection and fail **every** subsequent API call with a cryptic MSAL error instead of redirecting the user to re-authenticate.
...

Success Indicators:

A summary of code review changes should be generated.

For detailed contribution requirements, see:

• Common Standards: docs/contributing/ai-artifacts-common.md - Shared standards for XML blocks, markdown quality, RFC 2119, validation, and testing
• Agents: docs/contributing/custom-agents.md - Agent configurations with tools and behavior patterns
• Prompts: docs/contributing/prompts.md - Workflow-specific guidance with template variables
• Instructions: docs/contributing/instructions.md - Technology-specific standards with glob patterns
• Skills: docs/contributing/skills.md - Task execution utilities with cross-platform scripts

Testing

I used this for running code reviews in these 2 PRs

• Remove old arch refs in README seekdavidlee/eklee-keyvault#12
• First time login error seekdavidlee/eklee-keyvault#13

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

Additional Notes

[WilliamBerryiii]

Updated the PR title to match the conventional commit format from issue #646: feat(agents): Functional Code Review Agent — pre-PR functional correctness reviewer.

PR titles should use the conventional commit format (type(scope): description) rather than the branch name. This keeps the merge commit history consistent and readable.

[WilliamBerryiii]

Great contribution — the functional correctness focus is valuable. A question on how this fits with the existing pre-PR tooling:

The /pull-request prompt already runs parallel subagent reviews on branch diffs (via the pr-reference skill) and produces a pr-reference-log.md with merged findings before generating the PR body. There's also the pr-review agent that does comprehensive post-PR review across multiple dimensions including functional correctness.

How do you see this agent interfacing with those existing workflows?

A few specific questions:

1. Sequencing — Is the intent for developers to run this agent before invoking /pull-request, as a standalone pre-flight check? Or could it be integrated as one of the parallel subagents that /pull-request dispatches in Step 4?
2. Overlap with pr-review — The pr-review.agent.md already covers functional correctness as one of its expert review dimensions. How does this agent differentiate — is it the narrower focus and pre-PR timing that's the value add?
3. Output consumption — The output format (numbered severity-ordered issues with file/line/fix) is clean. Have you considered whether the /pull-request prompt could consume this output to auto-populate findings in the PR description, or is the intent to keep it as a separate developer-facing report?

Understanding the intended integration points would help evaluate the contribution and plan for any coordination across these tools.

[seekdavidlee]

Great contribution — the functional correctness focus is valuable. A question on how this fits with the existing pre-PR tooling:

The /pull-request prompt already runs parallel subagent reviews on branch diffs (via the pr-reference skill) and produces a pr-reference-log.md with merged findings before generating the PR body. There's also the pr-review agent that does comprehensive post-PR review across multiple dimensions including functional correctness.

How do you see this agent interfacing with those existing workflows?

A few specific questions:

1. Sequencing — Is the intent for developers to run this agent before invoking /pull-request, as a standalone pre-flight check? Or could it be integrated as one of the parallel subagents that /pull-request dispatches in Step 4?
2. Overlap with pr-review — The pr-review.agent.md already covers functional correctness as one of its expert review dimensions. How does this agent differentiate — is it the narrower focus and pre-PR timing that's the value add?
3. Output consumption — The output format (numbered severity-ordered issues with file/line/fix) is clean. Have you considered whether the /pull-request prompt could consume this output to auto-populate findings in the PR description, or is the intent to keep it as a separate developer-facing report?

Understanding the intended integration points would help evaluate the contribution and plan for any coordination across these tools.

Hi @WilliamBerryiii, please see below:

1. Sequencing — The intent is for a developer to run this locally as opposed to when they are ready for PR. A developer might also need to run this a few times, as the agent is making changes.
2. Overlap with pr-review — The PR agent as I understand it is working on several areas all at once. My hypothesis is that a narrow focus will produce a more targeted result. A developer might also just need to focus on one specific area as part of the local dev workflow.
3. Output consumption — My thought right now is to keep it as a separate developer-facing report. A developer can review the list of issue and then tell the AI agent to resolve only the ones that matter. My hypothesis is that this agent will reduce the high/critical issues found by the PR review agent.

[WilliamBerryiii]

@seekdavidlee - hang tight on this ... we will get it merged ... just need to finish up some stuff for the design thinking port first ... appreciate your patience and thanks for contributing.

[WilliamBerryiii]

Hey @seekdavidlee 👋

We just merged main into your branch to bring it up to date. There was a minor conflict in plugins/hve-core-all/README.md where your new functional-code-review prompt row overlapped with a description update to dt-handoff-implementation-space that landed on main — resolved by keeping both your addition and the updated description.

Now that the Design Thinking changes have merged, we'll get this reviewed early next week. Thanks for your patience and the contribution! 🙏