June 10, 2026

The Reviewer Agent — QA and Security in One Pass

How Datarim's Reviewer agent combines code review, security compliance checks, and Definition of Done validation into a single QA verdict.

Passing tests is a necessary condition for shipping, not a sufficient one. A test suite can be green while the implementation quietly skips an authentication check, violates the project's error-handling contract, or ships an endpoint the security review would not accept. The Reviewer agent is the checkpoint between implementation and delivery that catches that gap.

This agent runs at the same stage as the Tester, but its lens is different. Where the Tester asks «does the code work», the Reviewer asks «is this code acceptable to ship».

What it does

The Reviewer's work covers three areas. First, code review: it reads the implementation against the project's style guide and looks for patterns that indicate future maintenance problems — overly complex logic, missing error handling, abstractions that leak their internals. Second, security compliance: it checks the implementation against the security skill's checklist, looking for things like unvalidated inputs, credentials in code, or missing access controls. Third, Definition of Done validation: it reads the task's DoD criteria and confirms each one is met, not inferred.

The verdict is not a summary — it is a routing decision. A clean pass sends the task forward — to the compliance stage for complex tasks, or straight to archiving for simple ones. A conditional pass lists what needs to change before the task can progress. A blocked verdict routes the task back to the specific stage where the problem originated — back to /dr-plan if the design is wrong, back to /dr-do if the implementation needs a fix.

One concrete example

An implementation adds a file upload endpoint. The tests pass. The Reviewer, reading the implementation against the security checklist, notes that file type validation happens only on the extension, not on the file content. This is flagged as a security finding, the verdict is BLOCKED, and the task is routed back to /dr-do with a specific description of what needs to change. The developer adds content-type inspection; the Reviewer passes on the next cycle.

Where it sits

The Reviewer runs at /dr-qa, in parallel with the Tester agent. It operates on the strongest model available, because the cost of a missed security issue in production exceeds the cost of a careful review. The routing it produces — pass, conditional, or blocked — determines what happens next in the pipeline.

See the full agent roster on the Reviewer reference card, or read what Datarim is for the bigger picture.