Merge 195664029d into 4c65f3a006

External agents find ALL possible issues, but not all are relevant.
This new step 4 evaluates findings against project context:
- Actually Important: AC violations, bugs, real security issues
- Context-Dependent: Performance, validation strictness (asks user)
- Theoretical/Nitpicking: Micro-optimizations, style preferences (skips)

This enables pragmatic code review that focuses on what matters.

src/core/tasks/workflow.xml

@@ -63,6 +63,8 @@
           <tag>invoke-workflow xml tag → Execute another workflow with given inputs and the workflow.xml runner</tag>
           <tag>invoke-task xml tag → Execute specified task</tag>
           <tag>invoke-protocol name="protocol_name" xml tag → Execute reusable protocol from protocols section</tag>
+          <tag>invoke-bash cmd="command" → Execute shell command, capture stdout/stderr, set {{bash_exit_code}}, {{bash_stdout}}, {{bash_stderr}}</tag>
+          <tag>set-var name="varname" value="..." → Set runtime variable {{varname}} to specified value (supports expressions)</tag>
           <tag>goto step="x" → Jump to specified step</tag>
         </execute-tags>
       </substep>
@@ -126,6 +128,8 @@
       <tag>invoke-workflow - Call another workflow</tag>
       <tag>invoke-task - Call a task</tag>
       <tag>invoke-protocol - Execute a reusable protocol (e.g., discover_inputs)</tag>
+      <tag>invoke-bash cmd="..." - Execute shell command, results in {{bash_exit_code}}, {{bash_stdout}}, {{bash_stderr}}</tag>
+      <tag>set-var name="..." value="..." - Set runtime variable dynamically</tag>
     </execution>
     <output>
       <tag>template-output - Save content checkpoint</tag>

src/modules/bmm/module.yaml

@@ -55,3 +55,23 @@ tea_use_playwright_utils:
     - "Are you using playwright-utils (@seontechnologies/playwright-utils) in your project?\nYou must install packages yourself, or use test architect's *framework command."
   default: false
   result: "{value}"
+
+# External Code Review Agent Selection
+# Allows delegating code reviews to an external AI agent CLI for independent, unbiased reviews
+# Useful when using a different AI as primary IDE agent (e.g., Codex/Gemini users can use Claude for reviews)
+external_review_agent:
+  prompt:
+    - "Which external agent should perform code reviews?"
+    - "External agents provide independent, unbiased reviews separate from your primary IDE agent."
+    - "The selected CLI must be installed and configured on your system."
+  default: "none"
+  result: "{value}"
+  single-select:
+    - value: "codex"
+      label: "Codex (OpenAI) - Code review using OpenAI Codex CLI"
+    - value: "gemini"
+      label: "Gemini (Google) - Code review using Google Gemini CLI"
+    - value: "claude"
+      label: "Claude Code (Anthropic) - Code review using Claude Code CLI"
+    - value: "none"
+      label: "None - Use built-in review (no external agent)"

src/modules/bmm/workflows/4-implementation/code-review/checklist.md

@@ -1,5 +1,7 @@
 # Senior Developer Review - Validation Checklist
 
+## Story Setup
+
 - [ ] Story file loaded from `{{story_path}}`
 - [ ] Story Status verified as reviewable (review)
 - [ ] Epic and Story IDs resolved ({{epic_num}}.{{story_num}})
@@ -7,12 +9,33 @@
 - [ ] Epic Tech Spec located or warning recorded
 - [ ] Architecture/standards docs loaded (as available)
 - [ ] Tech stack detected and documented
-- [ ] MCP doc search performed (or web fallback) and references captured
+
+## External Agent Detection (Runtime)
+
+- [ ] `invoke-bash cmd="command -v codex"` executed → {{codex_available}}
+- [ ] `invoke-bash cmd="command -v gemini"` executed → {{gemini_available}}
+- [ ] `invoke-bash cmd="command -v claude"` executed → {{claude_available}}
+- [ ] Review method determined: {{use_external_agent}} = true/false
+- [ ] If external: {{external_agent_cmd}} = codex OR gemini OR claude
+- [ ] Config updated with detection results and timestamp
+
+## Code Review Execution
+
+- [ ] Git vs Story discrepancies identified ({{git_findings}})
+- [ ] If external agent available: Prompt written to /tmp/code-review-prompt.txt
+- [ ] If external agent available: CLI invoked via `invoke-bash` (MANDATORY - NO EXCEPTIONS)
+- [ ] External agent output captured in {{bash_stdout}}
+- [ ] If external agent CLI failed (non-zero exit): Fallback to built-in review
+- [ ] ⚠️ VIOLATION CHECK: Did you skip external agent with a rationalization? If yes, RE-RUN with external agent.
 - [ ] Acceptance Criteria cross-checked against implementation
 - [ ] File List reviewed and validated for completeness
 - [ ] Tests identified and mapped to ACs; gaps noted
-- [ ] Code quality review performed on changed files
+- [ ] Code quality review performed (security, performance, maintainability)
-- [ ] Security review performed on changed files and dependencies
+- [ ] Minimum 3 issues found (adversarial review requirement)
+
+## Finalization
+
+- [ ] Findings categorized: HIGH/MEDIUM/LOW severity
 - [ ] Outcome decided (Approve/Changes Requested/Blocked)
 - [ ] Review notes appended under "Senior Developer Review (AI)"
 - [ ] Change Log updated with review entry
@@ -21,3 +44,4 @@
 - [ ] Story saved successfully
 
 _Reviewer: {{user_name}} on {{date}}_
+_External Agent: {{external_agent_cmd}} (codex:{{codex_available}} / gemini:{{gemini_available}} / claude:{{claude_available}})_

src/modules/bmm/workflows/4-implementation/code-review/external-agent-prompt.md

@@ -0,0 +1,35 @@
+You are an ADVERSARIAL code reviewer. Your job is to find problems, not approve code.
+
+VERY IMPORTANT!
+
+- This is a READ ONLY operation. You are not to change anything in this code.
+- You are FORBIDDEN to write to any files.
+- You are FORBIDDEN to change any files.
+- You are FORBIDDEN to delete any files.
+
+REQUIREMENTS:
+
+- Find 3-10 specific issues minimum - no lazy looks good reviews
+- Categorize as HIGH (must fix), MEDIUM (should fix), LOW (nice to fix)
+- For each issue: specify file:line, describe problem, suggest fix
+- Check: Security vulnerabilities, performance issues, error handling, test quality
+- Verify: Tasks marked [x] are actually done, ACs are actually implemented
+
+STORY CONTEXT: {{story_path}}
+FILES TO REVIEW: {{comprehensive_file_list}}
+ACCEPTANCE CRITERIA: {{acceptance_criteria_list}}
+TASKS: {{task_list}}
+
+OUTPUT FORMAT:
+
+## HIGH SEVERITY
+
+- [file:line] Issue description | Suggested fix
+
+## MEDIUM SEVERITY
+
+- [file:line] Issue description | Suggested fix
+
+## LOW SEVERITY
+
+- [file:line] Issue description | Suggested fix

src/modules/bmm/workflows/4-implementation/code-review/instructions.xml

@@ -4,16 +4,56 @@
   <critical>Communicate all responses in {communication_language} and language MUST be tailored to {user_skill_level}</critical>
   <critical>Generate all documents in {document_output_language}</critical>
 
-  <critical>🔥 YOU ARE AN ADVERSARIAL CODE REVIEWER - Find what's wrong or missing! 🔥</critical>
+  <!-- ================================================================ -->
+  <!-- SHELL CLEANUP - MANDATORY KILL OF ALL BACKGROUND SHELLS         -->
+  <!-- ================================================================ -->
+  <!-- CRITICAL: Stale external agent processes cause context pollution.
+       You MUST kill ALL background shells BEFORE doing ANYTHING else.
+       DO NOT read their output. DO NOT check what they're doing.
+       Just KILL them unconditionally. -->
+  <critical>🚨 FIRST ACTION REQUIRED: Kill all background shells 🚨</critical>
+  <critical>Before ANY other workflow step, you MUST terminate all background processes.</critical>
+  <critical>DO NOT use BashOutput to read from stale shells - this causes context pollution.</critical>
+  <critical>DO NOT try to "check what they're doing" - just kill them.</critical>
+
+  <check if="BMAD is running as Claude Code (KillShell tool is available)">
+    <action>IMMEDIATELY use KillShell to terminate ALL background shells - no exceptions</action>
+    <action>Do NOT read output from these shells first - kill them blind</action>
+    <action>Do NOT rationalize keeping them alive - they contain stale data</action>
+    <action>If multiple shells exist, kill ALL of them one by one</action>
+    <output>🔪 Killed all background shells to prevent stale data contamination</output>
+  </check>
+  <critical>Only proceed to Step 1 AFTER all background shells are terminated.</critical>
+
+  <!-- ================================================================ -->
+  <!-- EXTERNAL AGENT MANDATE - THIS IS THE MOST IMPORTANT RULE        -->
+  <!-- ================================================================ -->
+  <critical>🚨 MANDATORY EXTERNAL AGENT RULE - NO EXCEPTIONS 🚨</critical>
+  <critical>If an external agent CLI (codex, gemini, or claude) is detected as available, you MUST delegate the code review to that agent.</critical>
+  <critical>You are FORBIDDEN from performing your own code review analysis if an external agent is available.</critical>
+  <critical>The external agent provides an independent, unbiased review. Your job is to INVOKE it, not replace it.</critical>
+  <critical>Only perform built-in review if ALL external agents fail detection OR the CLI invocation actually fails with a non-zero exit code.</critical>
+  <critical>DO NOT SKIP the invoke-bash commands for detection and invocation - they are MANDATORY.</critical>
+
+  <!-- PROHIBITED EXCUSES - DO NOT USE THESE TO SKIP EXTERNAL AGENT -->
+  <critical>🚫 PROHIBITED RATIONALIZATIONS - You may NOT skip the external agent for ANY of these reasons:</critical>
+  <critical>❌ "The prompt is too long" - Long prompts are expected and supported. Invoke anyway.</critical>
+  <critical>❌ "CLI is meant for simple operations" - FALSE. The CLI handles complex prompts. Invoke anyway.</critical>
+  <critical>❌ "This is a re-review" - Re-reviews MUST use external agent. No exception.</critical>
+  <critical>❌ "I can do this myself" - You are FORBIDDEN from self-review when external agent is available.</critical>
+  <critical>❌ "It would be faster/better if I do it" - Irrelevant. External agent is MANDATORY.</critical>
+  <critical>❌ "The context is too complex" - The external agent handles complexity. Invoke anyway.</critical>
+  <critical>If you find yourself rationalizing why to skip the external agent, STOP and invoke it anyway.</critical>
+
+  <critical>🔥 ADVERSARIAL CODE REVIEW REQUIREMENTS 🔥</critical>
   <critical>Your purpose: Validate story file claims against actual implementation</critical>
   <critical>Challenge everything: Are tasks marked [x] actually done? Are ACs really implemented?</critical>
-  <critical>Find 3-10 specific issues in every review minimum - no lazy "looks good" reviews - YOU are so much better than the dev agent
+  <critical>Find 3-10 specific issues in every review minimum - no lazy "looks good" reviews</critical>
-    that wrote this slop</critical>
   <critical>Read EVERY file in the File List - verify implementation against story requirements</critical>
   <critical>Tasks marked complete but not done = CRITICAL finding</critical>
   <critical>Acceptance Criteria not implemented = HIGH severity finding</critical>
 
-  <step n="1" goal="Load story and discover changes">
+  <step n="1" goal="Load story and detect external agents">
     <action>Use provided {{story_path}} or ask user which story file to review</action>
     <action>Read COMPLETE story file</action>
     <action>Set {{story_key}} = extracted key from filename (e.g., "1-2-user-authentication.md" → "1-2-user-authentication") or story
@@ -39,6 +79,86 @@
 
     <invoke-protocol name="discover_inputs" />
     <action>Load {project_context} for coding standards (if exists)</action>
+
+    <!-- ============================================================== -->
+    <!-- EXTERNAL AGENT DETECTION - CHECK CONFIG FIRST, THEN DETECT     -->
+    <!-- ============================================================== -->
+    <set-var name="use_external_agent" value="false" />
+    <set-var name="external_agent_cmd" value="" />
+    <set-var name="codex_available" value="false" />
+    <set-var name="gemini_available" value="false" />
+    <set-var name="claude_available" value="false" />
+    <set-var name="external_agent_failed" value="false" />
+    <set-var name="preferred_agent" value="{external_review_agent}" />
+
+    <!-- Check if user has disabled external agents -->
+    <check if="{{preferred_agent}} == 'none'">
+      <output>📋 External agent disabled in config - will use built-in adversarial review</output>
+    </check>
+
+    <!-- Only detect and use external agents if not set to "none" -->
+    <check if="{{preferred_agent}} != 'none'">
+      <output>🔍 Detecting external agent availability...</output>
+
+      <!-- Detect Codex CLI availability -->
+      <invoke-bash cmd="command -v codex &amp;&amp; codex --version 2>/dev/null || echo 'NOT_FOUND'" />
+      <check if="{{bash_exit_code}} == 0 AND {{bash_stdout}} does not contain 'NOT_FOUND'">
+        <set-var name="codex_available" value="true" />
+        <output>✓ Codex CLI detected</output>
+      </check>
+
+      <!-- Detect Gemini CLI availability -->
+      <invoke-bash cmd="command -v gemini &amp;&amp; gemini --version 2>/dev/null || echo 'NOT_FOUND'" />
+      <check if="{{bash_exit_code}} == 0 AND {{bash_stdout}} does not contain 'NOT_FOUND'">
+        <set-var name="gemini_available" value="true" />
+        <output>✓ Gemini CLI detected</output>
+      </check>
+
+      <!-- Detect Claude CLI availability -->
+      <invoke-bash cmd="command -v claude &amp;&amp; claude --version 2>/dev/null || echo 'NOT_FOUND'" />
+      <check if="{{bash_exit_code}} == 0 AND {{bash_stdout}} does not contain 'NOT_FOUND'">
+        <set-var name="claude_available" value="true" />
+        <output>✓ Claude CLI detected</output>
+      </check>
+
+      <!-- Select which external agent to use based on availability and preference -->
+      <check if="{{preferred_agent}} == 'codex' AND {{codex_available}} == true">
+        <set-var name="use_external_agent" value="true" />
+        <set-var name="external_agent_cmd" value="codex" />
+      </check>
+      <check if="{{preferred_agent}} == 'gemini' AND {{gemini_available}} == true">
+        <set-var name="use_external_agent" value="true" />
+        <set-var name="external_agent_cmd" value="gemini" />
+      </check>
+      <check if="{{preferred_agent}} == 'claude' AND {{claude_available}} == true">
+        <set-var name="use_external_agent" value="true" />
+        <set-var name="external_agent_cmd" value="claude" />
+      </check>
+
+      <!-- Fallback selection if preferred agent not available -->
+      <check if="{{use_external_agent}} == false AND {{codex_available}} == true">
+        <set-var name="use_external_agent" value="true" />
+        <set-var name="external_agent_cmd" value="codex" />
+        <output>⚠️ Preferred agent ({{preferred_agent}}) not available, falling back to Codex</output>
+      </check>
+      <check if="{{use_external_agent}} == false AND {{gemini_available}} == true">
+        <set-var name="use_external_agent" value="true" />
+        <set-var name="external_agent_cmd" value="gemini" />
+        <output>⚠️ Preferred agent ({{preferred_agent}}) not available, falling back to Gemini</output>
+      </check>
+      <check if="{{use_external_agent}} == false AND {{claude_available}} == true">
+        <set-var name="use_external_agent" value="true" />
+        <set-var name="external_agent_cmd" value="claude" />
+        <output>⚠️ Preferred agent ({{preferred_agent}}) not available, falling back to Claude</output>
+      </check>
+
+      <check if="{{use_external_agent}} == true">
+        <output>🤖 External agent selected: {{external_agent_cmd}} - will delegate code review</output>
+      </check>
+      <check if="{{use_external_agent}} == false">
+        <output>📋 No external agent available - will use built-in adversarial review</output>
+      </check>
+    </check>
   </step>
 
   <step n="2" goal="Build review attack plan">
@@ -57,15 +177,74 @@
   <step n="3" goal="Execute adversarial review">
     <critical>VALIDATE EVERY CLAIM - Check git reality vs story claims</critical>
 
-    <!-- Git vs Story Discrepancies -->
+    <!-- Git vs Story Discrepancies - ALWAYS runs -->
     <action>Review git vs story File List discrepancies:
       1. **Files changed but not in story File List** → MEDIUM finding (incomplete documentation)
       2. **Story lists files but no git changes** → HIGH finding (false claims)
       3. **Uncommitted changes not documented** → MEDIUM finding (transparency issue)
     </action>
-
-    <!-- Use combined file list: story File List + git discovered files -->
     <action>Create comprehensive review file list from story File List and git changes</action>
+    <action>Store git discrepancy findings in {{git_findings}}</action>
+
+    <!-- ============================================================== -->
+    <!-- MANDATORY: INVOKE EXTERNAL AGENT IF AVAILABLE                  -->
+    <!-- ============================================================== -->
+    <critical>If {{use_external_agent}} == true, you MUST invoke the external agent via CLI.</critical>
+    <critical>DO NOT perform your own code review - delegate to the external agent.</critical>
+
+    <check if="{{use_external_agent}} == true">
+      <output>🔄 Invoking {{external_agent_cmd}} CLI for adversarial code review...</output>
+
+      <!-- ============================================================== -->
+      <!-- INVOKE EXTERNAL AGENT - USE EXACT COMMANDS AS WRITTEN          -->
+      <!-- ============================================================== -->
+      <critical>🚨 USE EXACT COMMAND SYNTAX - DO NOT MODIFY OR SIMPLIFY 🚨</critical>
+      <critical>Copy the invoke-bash cmd attribute EXACTLY as written below.</critical>
+      <critical>DO NOT remove flags, reorder arguments, or "improve" the command.</critical>
+
+      <!-- External agent prompt is loaded from external-agent-prompt.md -->
+      <set-var name="external_prompt_file" value="{installed_path}/external-agent-prompt.md" />
+
+      <check if="{{external_agent_cmd}} == 'codex'">
+        <critical>CODEX: Use codex exec with read-only sandbox and full-auto</critical>
+        <invoke-bash cmd="codex exec --sandbox read-only --full-auto &quot;$(cat '{{external_prompt_file}}')&quot;" timeout="600000" />
+      </check>
+      <check if="{{external_agent_cmd}} == 'gemini'">
+        <critical>GEMINI: Use gemini -p with prompt from file and --yolo</critical>
+        <invoke-bash cmd="gemini -p &quot;$(cat '{{external_prompt_file}}')&quot; --yolo" timeout="600000" />
+      </check>
+      <check if="{{external_agent_cmd}} == 'claude'">
+        <critical>CLAUDE: Use claude -p with prompt from file</critical>
+        <invoke-bash cmd="claude -p &quot;$(cat '{{external_prompt_file}}')&quot; --dangerously-skip-permissions" timeout="600000" />
+      </check>
+
+      <check if="{{bash_exit_code}} != 0 OR {{bash_stdout}} is empty">
+        <output>⚠️ External agent CLI failed (exit code: {{bash_exit_code}}), falling back to built-in review</output>
+        <output>Error: {{bash_stderr}}</output>
+        <set-var name="use_external_agent" value="false" />
+        <set-var name="external_agent_failed" value="true" />
+      </check>
+
+      <check if="{{bash_exit_code}} == 0 AND {{bash_stdout}} is not empty">
+        <set-var name="external_findings" value="{{bash_stdout}}" />
+        <action>Parse {{external_findings}} into structured HIGH/MEDIUM/LOW lists</action>
+        <action>Merge {{git_findings}} with {{external_findings}} into {{all_findings}}</action>
+        <output>✅ External review complete - {{external_agent_cmd}} CLI findings received</output>
+      </check>
+    </check>
+
+    <!-- Fallback to built-in if external agent failed -->
+    <check if="{{external_agent_failed}} == true">
+      <set-var name="use_external_agent" value="false" />
+    </check>
+
+    <check if="{{use_external_agent}} == false">
+      <!-- ============================================================== -->
+      <!-- FALLBACK ONLY: Built-in Review (when NO external agent works)  -->
+      <!-- ============================================================== -->
+      <critical>This section should ONLY execute if ALL external agents failed detection or invocation.</critical>
+      <critical>If you are here but an external agent was available, you have violated the workflow rules.</critical>
+      <output>⚠️ No external agent available - performing built-in adversarial review</output>
 
       <!-- AC Validation -->
       <action>For EACH Acceptance Criterion:
@@ -92,6 +271,10 @@
         5. **Test Quality**: Are tests real assertions or placeholders?
       </action>
 
+      <action>Merge {{git_findings}} with built-in findings into {{all_findings}}</action>
+    </check>
+
+    <!-- Minimum issue check - applies to both paths -->
     <check if="total_issues_found lt 3">
       <critical>NOT LOOKING HARD ENOUGH - Find more problems!</critical>
       <action>Re-examine code for:
@@ -106,37 +289,135 @@
     </check>
   </step>
 
-  <step n="4" goal="Present findings and fix them">
+  <!-- ================================================================ -->
-    <action>Categorize findings: HIGH (must fix), MEDIUM (should fix), LOW (nice to fix)</action>
+  <!-- STEP 4: TRIAGE FINDINGS - SEPARATE SIGNAL FROM NOISE            -->
+  <!-- ================================================================ -->
+  <!-- This step evaluates external agent findings with project context.
+       External agents find ALL possible issues - but not all matter.
+       A symlink bypass is critical for a web API, irrelevant for a game.
+       The orchestrating agent applies pragmatic judgment here. -->
+
+  <step n="4" goal="Triage findings - separate signal from noise">
+    <critical>External agents are adversarial by design - they find EVERYTHING.</critical>
+    <critical>Your job: Apply project context to determine what ACTUALLY matters.</critical>
+    <critical>Do NOT blindly accept all findings. Do NOT dismiss valid concerns.</critical>
+
+    <action>For EACH finding from {{all_findings}}, evaluate against these criteria:</action>
+
+    <!-- Evaluation Framework -->
+    <action>**ACTUALLY IMPORTANT** (always fix):
+      - AC violations: Story claims something works but it doesn't
+      - Task fraud: Checkbox marked [x] but code doesn't exist
+      - Contract violations: Method signature doesn't match documented behavior
+      - Real bugs: Code will fail at runtime in normal usage
+      - Security issues for the ACTUAL threat model (game loading own files ≠ public API)
+    </action>
+
+    <action>**CONTEXT-DEPENDENT** (ask user):
+      - Performance: Does it matter at this scale? Game data vs. million-record DB
+      - Validation strictness: Nice-to-have vs. actually needed
+      - Edge cases: Will they ever happen in practice?
+      - Thread safety: Is this actually multi-threaded?
+    </action>
+
+    <action>**THEORETICAL/NITPICKING** (skip unless user insists):
+      - "Could be exploited if attacker controls X" when attacker never controls X
+      - Micro-optimizations that save nanoseconds
+      - Style preferences disguised as bugs
+      - "Best practice" violations that don't cause problems
+      - DoS concerns for trusted internal data
+    </action>
+
+    <!-- Build categorized lists -->
+    <set-var name="important_findings" value="[]" />
+    <set-var name="contextual_findings" value="[]" />
+    <set-var name="theoretical_findings" value="[]" />
+
+    <action>Categorize each finding into one of the three lists with brief reasoning</action>
+
+    <!-- Present triage to user via AskUserQuestion -->
+    <output>**🔍 FINDINGS TRIAGE**
+
+I've reviewed {{external_agent_cmd}}'s findings against your project context.
+Here's what I think actually matters vs. theoretical concerns:
+    </output>
+
+    <!-- Important findings - recommend fixing -->
+    <check if="{{important_findings}} is not empty">
+      <output>
+## ✅ ACTUALLY IMPORTANT (Recommend Fix)
+These are real issues that affect correctness or violate documented contracts:
+
+{{#each important_findings}}
+- **{{this.id}}**: {{this.summary}}
+  - *Why it matters*: {{this.reasoning}}
+{{/each}}
+      </output>
+    </check>
+
+    <!-- Context-dependent - ask user -->
+    <check if="{{contextual_findings}} is not empty">
+      <ask questions="[
+        {
+          'question': 'Which context-dependent issues should we address?',
+          'header': 'Fix these?',
+          'multiSelect': true,
+          'options': [
+            {{#each contextual_findings}}
+            {
+              'label': '{{this.id}}: {{this.short_summary}}',
+              'description': '{{this.reasoning}}'
+            },
+            {{/each}}
+            {
+              'label': 'None of these',
+              'description': 'Skip all context-dependent issues'
+            }
+          ]
+        }
+      ]" />
+      <action>Add user-selected contextual findings to {{important_findings}}</action>
+    </check>
+
+    <!-- Theoretical findings - inform user but don't push -->
+    <check if="{{theoretical_findings}} is not empty">
+      <output>
+## ⏭️ SKIPPING (Theoretical/Nitpicking)
+These findings are technically valid but don't matter for your use case:
+
+{{#each theoretical_findings}}
+- **{{this.id}}**: {{this.summary}} — *{{this.reasoning}}*
+{{/each}}
+
+*(Say "fix all" if you want these addressed anyway)*
+      </output>
+    </check>
+
+    <!-- Final confirmation -->
+    <set-var name="final_fix_list" value="{{important_findings}}" />
+    <output>
+**📋 FINAL FIX LIST: {{final_fix_list.length}} issues**
+    </output>
+  </step>
+
+  <step n="5" goal="Present findings and fix them">
     <action>Set {{fixed_count}} = 0</action>
     <action>Set {{action_count}} = 0</action>
 
-    <output>**🔥 CODE REVIEW FINDINGS, {user_name}!**
+    <output>**🔥 CODE REVIEW SUMMARY, {user_name}!**
 
       **Story:** {{story_file}}
-      **Git vs Story Discrepancies:** {{git_discrepancy_count}} found
+      **Review Method:** {{#if external_agent_cmd}}{{external_agent_cmd}} CLI{{else}}built-in{{/if}}
-      **Issues Found:** {{high_count}} High, {{medium_count}} Medium, {{low_count}} Low
+      **Raw Findings:** {{all_findings.length}} total
+      **After Triage:** {{final_fix_list.length}} to address, {{theoretical_findings.length}} skipped
 
-      ## 🔴 CRITICAL ISSUES
+      ## Issues to Fix
-      - Tasks marked [x] but not actually implemented
+      {{#each final_fix_list}}
-      - Acceptance Criteria not implemented
+      - [{{this.severity}}] {{this.id}}: {{this.summary}}
-      - Story claims files changed but no git evidence
+      {{/each}}
-      - Security vulnerabilities
-
-      ## 🟡 MEDIUM ISSUES
-      - Files changed but not documented in story File List
-      - Uncommitted changes not tracked
-      - Performance problems
-      - Poor test coverage/quality
-      - Code maintainability issues
-
-      ## 🟢 LOW ISSUES
-      - Code style improvements
-      - Documentation gaps
-      - Git commit message quality
     </output>
 
-    <ask>What should I do with these issues?
+    <ask>What should I do with these {{final_fix_list.length}} issues?
 
       1. **Fix them automatically** - I'll update the code and tests
       2. **Create action items** - Add to story Tasks/Subtasks for later
@@ -166,7 +447,7 @@
     </check>
   </step>
 
-  <step n="5" goal="Update story status and sync sprint tracking">
+  <step n="6" goal="Update story status and sync sprint tracking">
     <!-- Determine new status based on review outcome -->
     <check if="all HIGH and MEDIUM issues fixed AND all ACs implemented">
       <action>Set {{new_status}} = "done"</action>
@@ -186,7 +467,7 @@
       <action>Set {{current_sprint_status}} = "no-sprint-tracking"</action>
     </check>
 
-    <!-- Sync sprint-status.yaml when story status changes (only if sprint tracking enabled) -->
+    <!-- Sync sprint-status.yaml when story status changes -->
     <check if="{{current_sprint_status}} != 'no-sprint-tracking'">
       <action>Load the FULL file: {sprint_status}</action>
       <action>Find development_status key matching {{story_key}}</action>

src/modules/bmm/workflows/4-implementation/code-review/workflow.yaml

@@ -18,6 +18,7 @@ sprint_status: "{sprint_artifacts}/sprint-status.yaml || {output_folder}/sprint-
 installed_path: "{project-root}/_bmad/bmm/workflows/4-implementation/code-review"
 instructions: "{installed_path}/instructions.xml"
 validation: "{installed_path}/checklist.md"
+external_agent_prompt: "{installed_path}/external-agent-prompt.md"
 template: false
 
 variables:
@@ -25,6 +26,11 @@ variables:
   project_context: "**/project-context.md"
   story_dir: "{sprint_artifacts}"
 
+  # External code review agent configuration
+  # User selects preferred agent during install; detection verifies availability at runtime
+  # Supported values: codex, gemini, claude, none
+  external_review_agent: "{config_source}:external_review_agent || 'none'"
+
 # Smart input file references - handles both whole docs and sharded docs
 # Priority: Whole document first, then sharded version
 # Strategy: SELECTIVE LOAD - only load the specific epic needed for this story review