Make claude-review.yml reusable and configurable (#23)

- Add `extra_prompt` input so callers can append repo-specific review
  rules without forking the workflow
- Add `timeout_minutes` input so callers can override the job timeout
  (default: 15) and now using that instead of the hardcoded 15
- Make `claude_args` use `${{ inputs.model }}` and
  `${{ inputs.max_turns }}` consistently
- Add `use_sticky_comment: true` so subsequent PR pushes update the
  existing review comment, instead of creating new ones
- Remove `github_token` so comments are posted by the Claude bot, not
  the GitHub Actions bot
- Embed the full review rubric directly in the prompt (security,
  compliance, data/migrations, performance, testing, APIs, dependencies)
  so callers inherit it automatically
- Strip all platform/framework-specific content from the base rubric (no
  iOS/Android, no specific linter names, no mobile-only bullet points)
  to keep it generic for all repos

To adopt in any repo (replacing an existing standalone claude.yml):

  # .github/workflows/claude.yml
  name: Claude Code – PR Review
  on:
    pull_request:
      types: [opened, synchronize, reopened, ready_for_review]
  jobs:
    review:
      uses: isapp/.github/.github/workflows/claude-review.yml@main
      secrets:
        ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
      with:
        # Optional — only specify what differs from the defaults:
        max_turns: 25        # default: 15
        timeout_minutes: 25  # default: 15
        extra_prompt: |      # default: "" (nothing appended)
          ## Repo-Specific Rules
          - Example rule A
          - Example rule B

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: gobetti

.github/workflows/claude-review.yml

@@ -12,6 +12,16 @@ on:
         required: false
         type: number
         default: 15
+      timeout_minutes:
+        description: "Job timeout in minutes"
+        required: false
+        type: number
+        default: 15
+      extra_prompt:
+        description: "Additional prompt content appended after the base review prompt"
+        required: false
+        type: string
+        default: ""
     secrets:
       ANTHROPIC_API_KEY:
         required: true
@@ -30,7 +40,7 @@ concurrency:
 jobs:
   review:
     runs-on: ubuntu-latest
-    timeout-minutes: 15
+    timeout-minutes: ${{ inputs.timeout_minutes }}
     steps:
       - name: Checkout PR
         uses: actions/checkout@v5
@@ -43,17 +53,103 @@ jobs:
         env:
           GITHUB_EVENT_NAME: pull_request
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           allowed_bots: "renovate,devin-ai-integration"
+          use_sticky_comment: true
           prompt: |
             /review
 
             IMPORTANT: Also reference and apply the organization-wide code review guidelines available at:
             https://github.com/isapp/.github/blob/main/CLAUDE.md
 
             These org-level guidelines cover security (OWASP, SQL injection, auth), compliance (HIPAA, SOC2, FedRAMP),
-            data handling, mobile development, infrastructure, performance, testing, APIs, and dependencies.
+            data handling, infrastructure, performance, testing, APIs, and dependencies.
             Apply these standards IN ADDITION to any repository-specific CLAUDE.md guidelines.
+
+            # Review rubric (Claude)
+
+            ## Must-fix
+
+            ### Security
+            - OWASP Top 10 issues: SQL injection, XSS, CSRF, broken authentication, insecure deserialization
+            - AuthN/Z: verify JWT validation, session management, proper OAuth flows, role-based access
+            - API security: rate limiting, input validation, API key rotation, proper CORS configuration
+            - Secrets: no hardcoded credentials, use environment variables or secrets management
+            - PII handling: encrypt PII at rest and in transit, redact PII in logs and error messages
+            - FedRAMP/HIPAA compliance requirements
+
+            ### Compliance (HIPAA/SOC2/FedRAMP)
+            - Logging: no PHI/PII in logs, logs encrypted, proper retention policies
+            - Encryption: use approved algorithms (AES-256, TLS 1.2+), proper key management
+            - Access control: least-privilege, MFA for admin access, proper role separation
+            - Audit trails: log access to sensitive data, retain audit logs per compliance requirements
+            - Data deletion: implement proper data lifecycle, support user data deletion requests
+
+            ### Data & Migrations
+            - Migrations: safe, rollbackable, tested in staging before production
+            - Schema changes: backward compatible, no breaking changes without version bump
+            - Indexes: add indexes for foreign keys and frequently queried columns
+            - Data validation: constraints at database level, not just application level
+            - PHI/PII: ensure proper encryption, audit trails for sensitive data access
+
+            ## Should-fix
+
+            ### Performance
+            - Database: N+1 queries, missing indexes, unbounded result sets
+            - API: missing pagination for list endpoints, slow queries without caching
+            - Memory: large allocations, memory leaks, inefficient data structures
+
+            ### Testing
+            - Unit tests: cover edge cases, error conditions, security validations
+            - Integration tests: test API contracts, database interactions, mock external services
+            - Security tests: authentication failures, authorization boundaries, input validation
+
+            ### APIs/Services
+            - API design: RESTful conventions, proper HTTP status codes, versioning strategy
+            - Error handling: consistent error response format, proper logging without PII
+            - Service-to-service: proper authentication tokens, circuit breakers, timeouts
+            - Pagination: implement for list endpoints to prevent large responses
+            - Documentation: ensure API changes include updated Swagger/OpenAPI docs
+
+            ### Dependencies
+            - Security: flag outdated dependencies with known CVEs
+            - Version pinning: use specific versions in production dependencies
+            - Licensing: ensure licenses are compatible with your usage
+            - Deprecations: flag usage of deprecated APIs or libraries
+
+            ## Nice-to-have (optional suggestions)
+
+            - Code clarity: simplify complex logic, extract helper functions, add explanatory comments
+            - Documentation: update README for significant features, add inline docs for complex logic
+            - Performance optimizations: suggest caching opportunities, query optimizations (non-critical)
+
+            ## Style
+
+            - Follow the repo's linters and formatters
+            - Keep suggestions concise and actionable
+            - Show patch-style diffs for proposed changes
+            - Group related issues together
+
+            ## Behavior
+
+            - Be terse and direct in comments
+            - Prefer inline comments on specific diff lines when possible
+            - Prioritize must-fix issues over nice-to-have suggestions
+            - When reviewing code for issues, if you initially find an issue but then determine no fix is needed, do not comment on it in the findings summary.
+            - Skip review for:
+              - Pure whitespace/formatting changes (if linters pass)
+              - Documentation-only updates (unless security/compliance docs)
+              - Configuration changes without code impact
+              - Minor dependency bumps (unless security-related)
+            - If skipping, comment: "No significant code changes to review" and explain why
+
+            ## Instructions
+            1. Review the PR based on review rubric and focus on must-fix items, security, HIPAA, and compliance issues. Be concise.
+            2. If issues found, post specific inline comments on the problematic lines
+            3. If no issues, comment "LGTM - no security/compliance issues detected"
+            4. Be concise and actionable
+            5. Provide detailed feedback on code review
+
+            ${{ inputs.extra_prompt }}
           claude_args: "--model ${{ inputs.model }} --max-turns ${{ inputs.max_turns }} --allowedTools 'Read,Glob,Grep,Bash(git log:*),Bash(git diff:*),Bash(git show:*)'"
           track_progress: true