Ultrareview For Deep Pre-Merge Code Review
Run Claude Code ultrareview with /code-review ultra for multi-agent cloud review, verified findings, PR mode, and optional claude ultrareview CI subcommand.
Open the source and read safety notes before installing.
Safety notes
- Ultrareview uploads repository state or clones PRs in a remote sandbox—scope secrets and tokens.
- Stopping a review archives the session without returning partial findings.
Privacy notes
- Cloud review sandboxes process branch diffs and may include proprietary code.
- Findings appear in session notifications—control log retention accordingly.
Prerequisites
- Claude Code v2.1.86+ with claude.ai login (not API-key-only).
- Usage credits enabled for paid reviews after free runs are consumed.
- Human merge approval after reviewing cloud findings.
Schema details
- Install type: copy
- Reading time: 8 min
- Difficulty score: 54
- Troubleshooting: Yes
- Breaking changes: No
Full copyable content
Run /code-review ultra locally or with a PR number, confirm billing dialog, track via /tasks, and fix verified findings before merge.
About this resource
TL;DR
Ultrareview runs a multi-agent cloud review via /code-review ultra. Findings
are independently verified in a remote sandbox. Use /review for fast local feedback;
use ultrareview before merging substantial changes.
Prerequisites & Requirements
- Login: Authenticate with claude.ai; run /login if using API key only
- Credits: Enable usage credits for paid runs after free allotment
- Scope: Choose branch diff or PR number mode intentionally
Step-by-Step Workflow
- Run `/code-review ultra` for current branch diff (includes uncommitted changes) or `/code-review ultra 1234` for a GitHub PR.
- Confirm the dialog showing scope, remaining free runs, and estimated cost.
- Track progress with `/tasks`; stop early only when willing to lose partial results.
- Read verified findings in the session notification; ask Claude to fix issues locally.
- For CI, use `claude ultrareview` or `claude ultrareview 1234` with optional `--json` and `--timeout`.
Source Verification Notes
Verified on 2026-06-16:
- Invoked as `/code-review ultra`; `/ultrareview` remains an alias.
- Requires claude.ai authentication; unavailable on Bedrock, Vertex, Foundry, or ZDR orgs.
- Pro/Max include three one-time free runs; afterward reviews bill as usage credits (typical $5–$20).
- Green infrastructure status does not guarantee the review task succeeded—read findings.
- `claude ultrareview` subcommand blocks until completion; progress URLs go to stderr.
Duplicate Check
Distinct from the local /review command entry and open-source-pr-security-review-agent.
This guide covers cloud ultrareview only.
Troubleshooting
Issue: Launch blocked for billing
Fix: Enable usage credits via billing settings or /usage-credits per official docs.
Issue: Repository too large to bundle
Fix: Use PR mode after opening a draft PR, as documented.
How it compares
Ultrareview For Deep Pre-Merge Code Review side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Ultrareview For Deep Pre-Merge Code Review | Security Guidance Plugin Before Merge | Claude Code GitHub Actions Review Workflow | Auditing MCP Client Configuration Before Team Rollout |
|---|---|---|---|---|
| Description | Run Claude Code ultrareview with /code-review ultra for multi-agent cloud review, verified findings, PR mode, and optional claude ultrareview CI subcommand. | Install and use the official Claude Code security-guidance plugin before merge: per-edit pattern warnings, end-of-turn and commit git-diff review, and team rollout for command injection, XSS, eval, and dangerous file edits. | Set up Claude Code GitHub Actions for pull request review: install the Claude GitHub app, store ANTHROPIC_API_KEY in secrets, use anthropics/claude-code-action@v1 with prompt-based automation, and follow documented security practices. | Source-backed checklist for reviewing Claude Code MCP client configuration before a team rollout, covering scopes, transports, commands, secrets, allowlists, denylists, approvals, and rollback. |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | guides | guides | guides | guides |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | kiannidev | kiannidev | kiannidev | YB0y |
| Added | 2026-06-16 | 2026-06-16 | 2026-06-16 | 2026-06-10 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓Ultrareview uploads repository state or clones PRs in a remote sandbox—scope secrets and tokens. Stopping a review archives the session without returning partial findings. | ✓Hook pattern matching can miss novel attack classes; combine with code review and CI scanners. Stop-time git-diff LLM review adds latency and may produce false positives on refactors. Plugins run with session permissions; compromised plugin sources are a supply-chain risk—pin trusted marketplaces. Security guidance warns about risky patterns but does not block merges automatically unless paired with deny hooks. | ✓The Claude GitHub app requests Contents, Issues, and Pull requests read and write permissions—scope installation to intended repositories. Never commit API keys; use GitHub encrypted secrets such as ANTHROPIC_API_KEY. Review Claude suggestions before merging; automation should not bypass CODEOWNERS. Workflows consume GitHub Actions minutes and Claude API tokens—set timeouts and max-turn limits. | ✓Local stdio MCP servers execute commands with the user's privileges, so review the exact command, arguments, package runner, file paths, and network behavior before sharing a config. Remote MCP servers can expose model-controlled tools for production systems; require least-privilege scopes, explicit approval for write tools, and a rollback path before team rollout. Do not rely on server names alone for enforcement because names are user-assigned labels; use command or URL allowlist entries when policy must control what actually runs. |
| Privacy notes | ✓Cloud review sandboxes process branch diffs and may include proprietary code. Findings appear in session notifications—control log retention accordingly. | ✓Hook scripts inspect edited file paths, diffs, and prompt text that may contain proprietary code. Git-diff review at session stop transmits change summaries to the configured model provider per normal Claude Code data handling. Shared plugin settings in git expose which security patterns your team monitors. | ✓PR diffs and issue comments are sent to the model provider during workflow runs. Logs may retain prompts—align retention with corporate data handling rules. Use repository secrets rather than echoing credentials in workflow YAML. | ✓MCP client configuration can reveal server URLs, internal hostnames, command paths, environment-variable names, header names, OAuth client IDs, and tool availability. Do not store API keys, bearer tokens, client secrets, tenant IDs, or personal credentials in shared `.mcp.json`, managed-mcp.json, PR bodies, issue comments, logs, or screenshots. Tool arguments, tool results, resources, prompts, logs, traces, and OAuth metadata can expose private repositories, tickets, databases, user identities, and workspace data. |
| Prerequisites | | | | |
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | | | | |
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |