awslabs · ayushtr-aws · May 18, 2026 · May 18, 2026
@@ -0,0 +1,45 @@
+# OS
+.DS_Store
+Thumbs.db
+
+# IDEs
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Dev tooling
+.claude/
+.kiro/
+
+# Environment
+.env
+.env.*
+!.env.example
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.mypy_cache/
+.ruff_cache/
+dist/
+build/
+.venv/
+venv/
+
+# Node
+node_modules/
+npm-debug.log*
+
+# Logs
+*.log
+
+# Generated reports and test output
+reports/
+
+# Tool wrappers (auto-generated by the agent at runtime)
+src/code_reviewer/tools/*.py
+!src/code_reviewer/tools/__init__.py
+!src/code_reviewer/tools/registry.py
@@ -0,0 +1,17 @@
+# Changelog
+
+## 0.2.0 (2026-05-18)
+
+### Changed
+
+- Repackaged into `src/` layout matching aidlc-workflows conventions
+- Externalized config files to `config/` directory (agent-config.yaml, review-config.yaml, prompts)
+- Switched build backend from setuptools to hatchling
+- Added `uv.lock` for reproducible installs
+- Added NOTICE file with third-party attributions
+
+### Features
+
+- Technical report: static analysis tools + AI-powered critical findings + structure critique
+- Business logic report: AI-driven domain review with consistency checking
+- Auto-generation of tool wrappers via Amazon Bedrock
@@ -0,0 +1,16 @@
+MIT No Attribution
+
+Copyright 2026 Amazon.com, Inc. or its affiliates
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this
+software and associated documentation files (the "Software"), to deal in the Software
+without restriction, including without limitation the rights to use, copy, modify,
+merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,14 @@
+AIDLC Code Reviewer
+Copyright 2026 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+This project uses the following third-party tools (installed separately by the user):
+- Bandit (Apache 2.0) — Python security linter
+- Ruff (MIT) — Python linter
+- Mypy (MIT) — Python type checker
+- Semgrep (LGPL 2.1) — Multi-language static analysis
+- PMD (BSD-style) — Java static analysis
+- Checkstyle (LGPL 2.1) — Java style checker
+- ESLint (MIT) — JavaScript/TypeScript linter
+- Gitleaks (MIT) — Secret detection
+
+This project uses Amazon Bedrock for AI-powered analysis.
@@ -0,0 +1,159 @@
+# AIDLC Code Reviewer
+
+Automated, language-agnostic code quality analysis for code assets generated
+through the AI Development Lifecycle (AIDLC). Runs static analysis tools,
+AI-powered critical code analysis, and business logic review — then produces
+structured HTML and Markdown reports.
+
+## Quick Start
+
+```bash
+cd scripts/aidlc-codereview
+
+# Install with uv (recommended)
+uv sync
+
+# Or install with pip
+pip install -e .
+
+# Run a review
+aidlc-code-reviewer ./path/to/code
+```
+
+## Prerequisites
+
+- **Python 3.11+**
+- **AWS credentials** with Amazon Bedrock access (for AI-powered analysis)
+- **Java JDK 17+** (optional, for Java tools)
+
+See [docs/SETUP.md](docs/SETUP.md) for full installation and configuration details.
+
+## What It Does
+
+The tool runs in two parallel tracks:
+
+**Technical Analysis** — static tools + AI critique:
+
+- Security scanning (bandit, semgrep, gitleaks)
+- Linting and type checking (ruff, mypy, checkstyle, eslint)
+- Complexity, duplication, and dead code analysis
+- AI-powered critical code findings (COMPUTATION, CONTROL_FLOW, DATA_TRANSFORM)
+- Code structure critique across 6 dimensions (logging, scalability, efficiency,
+  complexity, measurability, structure)
+
+**Business Logic Analysis** — AI-driven domain review:
+
+- Identifies business rules, formulas, pricing logic, state machines, and 10 other
+  domain categories
+- Flags every finding for human review regardless of tool results
+- Cross-checks for self-consistency (constant drift, logic divergence, naming
+  mismatches)
+
+## Reports
+
+Three report files are generated:
+
+| Report                             | Format          | Purpose                                                             |
+| ---------------------------------- | --------------- | ------------------------------------------------------------------- |
+| `code_review_summary_*.html`       | HTML            | Entry point — two cards linking to detailed reports                 |
+| `code_review_technical_*.html/.md` | HTML + Markdown | Static tool findings, critical code sections, structure critique    |
+| `code_review_business_*.html/.md`  | HTML + Markdown | Business logic findings, consistency issues                         |
+
+Open the summary HTML first — it tells you where to start.
+
+## Usage
+
+```bash
+# Default: both reports
+aidlc-code-reviewer <target>
+
+# Technical report only
+aidlc-code-reviewer <target> --technical-report
+
+# Business logic report only
+aidlc-code-reviewer <target> --business-report
+
+# Custom output directory
+aidlc-code-reviewer <target> -o ./my-reports
+
+# Skip auto-generation of missing tool wrappers
+aidlc-code-reviewer <target> --no-generate
+
+# Pre-flight check (verify AWS credentials and Bedrock access)
+aidlc-code-reviewer --preflight
+
+# Verbose output
+aidlc-code-reviewer <target> -v
+```
+
+## Configuration
+
+### config/review-config.yaml
+
+Defines which tools to run. Just list tool names:
+
+```yaml
+tools:
+  - bandit
+  - ruff
+  - mypy
+  - semgrep
+```
+
+The agent auto-generates a wrapper for each tool on first run (requires Amazon
+Bedrock access). Generated wrappers are cached in `src/code_reviewer/tools/` for
+subsequent runs.
+
+### config/agent-config.yaml
+
+Controls the Amazon Bedrock model and AWS settings:
+
+```yaml
+agent:
+  model_id: "us.anthropic.claude-sonnet-4-6"
+  max_tokens: 16384
+
+aws:
+  region: "us-east-1"
+```
+
+Environment variables `AWS_REGION`, `AWS_PROFILE`, and `BEDROCK_MODEL_ID` override
+the YAML values.
+
+## Project Structure
+
+```text
+scripts/aidlc-codereview/
+├── src/
+│   └── code_reviewer/
+│       ├── __init__.py             # Package init, project root constants
+│       ├── runner.py               # CLI orchestration
+│       ├── agent/                  # AI agents (critical findings, structure, business logic)
+│       ├── common/                 # Shared utilities, models, report generation
+│       └── tools/                  # Tool registry and auto-generated wrappers
+├── config/
+│   ├── agent-config.yaml           # Agent/Bedrock configuration
+│   ├── review-config.yaml          # Tool configuration
+│   └── prompts/                    # System prompts for AI agents
+├── docs/
+│   └── SETUP.md                    # Detailed setup guide
+├── pyproject.toml
+├── README.md
+├── CHANGELOG.md
+├── LICENSE
+└── NOTICE
+```
+
+## Documentation
+
+See [docs/SETUP.md](docs/SETUP.md) for:
+
+- AWS credential configuration (IAM roles, SSO, profiles)
+- Amazon Bedrock model access setup
+- CLI usage and flags
+- How auto-generation works
+- Troubleshooting
+
+## License
+
+MIT-0 (MIT No Attribution)
@@ -0,0 +1,52 @@
+# AIDLC Code Reviewer — Agent Configuration
+#
+# Controls the AI-powered features: critical findings analysis,
+# code structure critique, and auto-generation of tool wrappers.
+#
+# Requires: pip install -e .
+#
+# All settings here can be overridden by environment variables
+# (see "Environment overrides" comments below).
+
+# Security Considerations: Select an AWS region that meets your 
+# data residency and compliance requirements. Code analyzed by 
+# this tool is transmitted to Amazon Bedrock endpoints in the 
+# configured region. Customers are responsible for ensuring this 
+# aligns with their data governance policies. AWS secures data in 
+# transit and at rest within Bedrock; customers must classify data 
+# appropriately before analysis.
+
+agent:
+  # Amazon Bedrock model ID or inference profile ID.
+  # Must have model access enabled in the Amazon Bedrock console.
+  # Override with: export BEDROCK_MODEL_ID=<model-id>
+  model_id: "us.anthropic.claude-sonnet-4-6"
+
+  # Maximum response tokens for LLM calls.
+  max_tokens: 16384
+
+  # How many times to retry wrapper generation if verification fails.
+  # Each retry feeds the errors back to the LLM for self-correction.
+  max_retries: 2
+
+aws:
+  # AWS region where Amazon Bedrock is available.
+  # Override with: export AWS_REGION=<region>
+  region: "us-east-1"
+
+  # Named AWS CLI profile (from ~/.aws/credentials or ~/.aws/config).
+  # Set to null to use the default credential chain (env vars, IAM role, SSO).
+  # Override with: export AWS_PROFILE=<profile-name>
+  profile_name: null
+
+doc_fetch:
+  # When generating a wrapper for an unknown tool, the agent can fetch
+  # the tool's documentation to improve the quality of the generated code.
+  enabled: true
+
+  # HTTP timeout (seconds) for fetching tool documentation pages.
+  timeout_seconds: 10
+
+  # Max characters of documentation text to include in the prompt.
+  # Larger values give the LLM more context but increase token usage.
+  max_doc_length: 8000