Hostile Review runs your code through up to 100 specialist AI reviewers that think like attackers, architects, and senior engineers. You can submit code three ways — through the web interface with GitHub or zip uploads, or directly from your AI coding assistant via MCP.

GitHub Reviews (Web UI)

Pull Request Review

Submit a GitHub PR and Hostile Review analyzes the diff. Enter the repository in owner/repo format and the PR number.

Example: facebook/react PR #28000
Agents review the diff, not the entire repo — so reviews are fast and focused on what changed.

Full Repository Scan

Scan an entire repository. Hostile Review fetches the top 60 code files from the specified branch and reviews them all.

Example: myorg/myapp branch main
Best for initial audits or when you want a broad security/quality overview.

Public vs. Private Repositories

Public Repos
Just enter the repo name and PR number. No token needed.
Private Repos
Provide a GitHub Personal Access Token with read access to the repo.
Creating a GitHub Token for Private Repos
2. Click Generate new token
3. Select the specific repository
4. Grant Contents: Read-only and Pull requests: Read-only
5. Paste the token into the "Private repo?" field
Your token is sent securely over HTTPS and never stored. It's used once to fetch the code, then discarded.
Zip Upload (Web UI)

Upload a Zip File

Upload a .zip of your project directly. Max 10 MB, top 60 files analyzed.

# Example: zip your project excluding noise
cd myproject
zip -r ../myproject.zip . -x "node_modules/*" ".git/*" "dist/*" "*.lock"
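As an added example that is not part of Hostile Review's own documentation or tooling, the Python script below does what the zip command above does, adds the local checks implied by the 10 MB and 60-file limits, and also skips secret-bearing files (.env, *.pem, *.key) so a review upload never carries credentials. The exclusion patterns beyond the page's four, the sample project layout, and the helper names are assumptions.

```python
import fnmatch
import os
import tempfile
import zipfile

# Limits stated on the page: 10 MB upload, top 60 files analyzed.
MAX_ZIP_BYTES = 10 * 1024 * 1024
ANALYZED_FILE_LIMIT = 60

# The first four patterns are the page's own exclusions; the secret-file
# patterns after them are an added assumption, not a Hostile Review rule.
DEFAULT_EXCLUDES = ("node_modules/*", ".git/*", "dist/*", "*.lock",
                    ".env", ".env.*", "*.pem", "*.key")

# Constructed sample project used by demo(); not a real codebase.
SAMPLE_FILES = {
    "src/app.py": "print('hello')\n",
    "README.md": "# demo\n",
    "node_modules/lib/index.js": "module.exports = {};\n",
    ".git/config": "[core]\n",
    "yarn.lock": "# lockfile\n",
    "config/.env": "API_KEY=constructed-placeholder\n",
}


def is_excluded(relpath, patterns=DEFAULT_EXCLUDES):
    """Match a project-relative POSIX path, or its basename, against patterns.

    Matching the basename too catches ".env" at any depth; matching the
    full path keeps directory patterns like "node_modules/*" working.
    """
    base = relpath.rstrip("/").rsplit("/", 1)[-1]
    return any(fnmatch.fnmatchcase(relpath, p) or fnmatch.fnmatchcase(base, p)
               for p in patterns)


def _rel(project_dir, root, name):
    """Project-relative path with forward slashes, as stored in the archive."""
    return os.path.relpath(os.path.join(root, name), project_dir).replace(os.sep, "/")


def build_review_zip(project_dir, out_path, excludes=DEFAULT_EXCLUDES):
    """Zip project_dir to out_path, skipping excluded paths.

    Returns the archive size, file count and included paths. Raises
    ValueError if the archive exceeds 10 MB, so the failure happens locally
    instead of at upload time.
    """
    included = []
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, dirs, files in os.walk(project_dir):
            # Prune excluded directories in place so os.walk never descends into them.
            dirs[:] = sorted(d for d in dirs
                             if not is_excluded(_rel(project_dir, root, d) + "/", excludes))
            for name in sorted(files):
                path = _rel(project_dir, root, name)
                if is_excluded(path, excludes):
                    continue
                zf.write(os.path.join(root, name), arcname=path)
                included.append(path)
    size = os.path.getsize(out_path)
    if size > MAX_ZIP_BYTES:
        raise ValueError(f"{out_path} is {size} bytes, over the 10 MB upload limit")
    return {
        "bytes": size,
        "files": len(included),
        "included": included,
        # More than 60 files means some will not be analyzed; trim the project first.
        "over_file_limit": len(included) > ANALYZED_FILE_LIMIT,
    }


def make_sample_project(project_dir, files=SAMPLE_FILES):
    """Write the constructed sample tree under project_dir."""
    for relpath, content in files.items():
        path = os.path.join(project_dir, *relpath.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Build and zip the constructed sample project in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        project = os.path.join(tmp, "myproject")
        make_sample_project(project)
        return build_review_zip(project, os.path.join(tmp, "myproject.zip"))


if __name__ == "__main__":
    result = demo()
    print(f"{result['files']} files, {result['bytes']} bytes, "
          f"over file limit: {result['over_file_limit']}")
```

Running the script against the constructed tree keeps only README.md and src/app.py; node_modules, .git, the lockfile and the nested .env are dropped before anything is uploaded, and `over_file_limit` tells you up front whether the 60-file cap will truncate the review.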
MCP (AI Coding Assistants)

What is MCP?

Model Context Protocol (MCP) lets AI coding assistants call external tools directly. With Hostile Review connected via MCP, your AI can submit code for review mid-conversation — no copy-pasting, no browser tabs.

Supported clients: Claude Code (CLI & VS Code), Cursor (IDE), and any other MCP client (Windsurf, Cline, etc.).
Step 1: Get Your API Key

Generate an API key from your Dashboard. Click Generate Key in the API Keys section.

Your key will look like: aplex_uk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Copy it immediately — it won't be shown again.
Step 2: Add the MCP Server


Claude Code

Run this command in your terminal:

claude mcp add codeforge --transport http --url https://hostilereview.com/mcp/codeforge/mcp --header "Authorization: Bearer YOUR_API_KEY"

Add --scope project to scope it to a project. Verify with claude mcp list.

Cursor

Create or edit .cursor/mcp.json in your project root:

{
  "mcpServers": {
    "codeforge": {
      "type": "streamable-http",
      "url": "https://hostilereview.com/mcp/codeforge/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Restart Cursor after saving.

Windsurf / Cline / Other

Windsurf: ~/.codeium/windsurf/mcp_config.json
Cline: Settings → MCP Servers → Add Remote
Step 3: Use Hostile Review via MCP

Once connected, your AI assistant has access to 5 tools. Just ask it to review your code naturally.

hostile_review_code: Submit raw source code for review.
hostile_review_diff: Submit a unified diff for review.
hostile_review_pr: Review a GitHub pull request.
hostile_review_repo: Scan a full repo (top 60 files).
hostile_review_status: Check a previous review's status and results.
Example Prompts
"Review this function for security issues"
"Run a hostile review on my current git diff"
"Review PR #42 on myorg/myrepo"
"Do a full repo scan on myorg/myrepo"

Auto-Approve (Skip Prompts)

Add this to .claude/settings.json in your project root:

{
  "permissions": {
    "allow": [
      "mcp__codeforge__*"
    ]
  }
}
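As an added example that is not Hostile Review's own tooling, the Python script below generates the two JSON files shown in this section from an API key: it refuses keys that do not match the aplex_uk_ shape shown under Step 1, writes the token-bearing .cursor/mcp.json as owner-only, and can narrow the auto-approve list from mcp__codeforge__* to named tools (Claude Code permission names follow mcp__<server>__<tool>). The HOSTILE_REVIEW_API_KEY variable name, the alphanumeric key character class and the per-tool narrowing are assumptions; the URL, server name, tool names and file paths come from this page.

```python
import json
import os
import re
import stat
import tempfile

# Values taken from the page.
MCP_URL = "https://hostilereview.com/mcp/codeforge/mcp"
SERVER_NAME = "codeforge"
TOOLS = ("hostile_review_code", "hostile_review_diff", "hostile_review_pr",
         "hostile_review_repo", "hostile_review_status")

# The page shows keys as aplex_uk_ followed by 32 x's; the alphanumeric
# character class is an assumption, since the page only shows placeholders.
KEY_RE = re.compile(r"^aplex_uk_[A-Za-z0-9]{32}$")


def validate_api_key(key):
    """True if key has the aplex_uk_ + 32 character shape shown in the docs."""
    return bool(KEY_RE.match(key or ""))


def cursor_mcp_config(api_key):
    """Return the .cursor/mcp.json structure from the page; rejects malformed keys."""
    if not validate_api_key(api_key):
        raise ValueError("API key does not look like aplex_uk_<32 chars>")
    return {
        "mcpServers": {
            SERVER_NAME: {
                "type": "streamable-http",
                "url": MCP_URL,
                "headers": {"Authorization": f"Bearer {api_key}"},
            }
        }
    }


def claude_permissions(tools=None):
    """Return the .claude/settings.json permissions block.

    tools=None reproduces the page's wildcard, mcp__codeforge__*, which
    auto-approves all five tools. Passing a subset of TOOLS narrows the
    allow list to just those entries.
    """
    if tools is None:
        allow = [f"mcp__{SERVER_NAME}__*"]
    else:
        unknown = sorted(set(tools) - set(TOOLS))
        if unknown:
            raise ValueError(f"not Hostile Review tools: {unknown}")
        allow = [f"mcp__{SERVER_NAME}__{t}" for t in tools]
    return {"permissions": {"allow": allow}}


def write_configs(project_root, api_key, tools=None):
    """Write both files under project_root and return their paths.

    mcp.json holds a bearer token, so it is created owner read/write only.
    """
    mcp_path = os.path.join(project_root, ".cursor", "mcp.json")
    settings_path = os.path.join(project_root, ".claude", "settings.json")
    for path, payload in ((mcp_path, cursor_mcp_config(api_key)),
                          (settings_path, claude_permissions(tools))):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            json.dump(payload, fh, indent=2)
            fh.write("\n")
    os.chmod(mcp_path, stat.S_IRUSR | stat.S_IWUSR)
    return mcp_path, settings_path


def demo(api_key="aplex_uk_" + "0" * 32):
    """Write the files into a temp dir with a constructed key; return what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        mcp_path, settings_path = write_configs(tmp, api_key, ["hostile_review_status"])
        with open(mcp_path) as fh:
            mcp = json.load(fh)
        with open(settings_path) as fh:
            settings = json.load(fh)
        mode = stat.S_IMODE(os.stat(mcp_path).st_mode)
        return {"mcp": mcp, "settings": settings, "mcp_mode": mode}


if __name__ == "__main__":
    # Read the real key from the environment rather than typing it into a
    # file by hand; the variable name is an assumption.
    key = os.environ.get("HOSTILE_REVIEW_API_KEY")
    if key:
        print(write_configs(".", key))
    else:
        print(json.dumps(demo(), indent=2))
```

Because .cursor/mcp.json ends up containing the bearer token in clear text, keep it out of version control; the narrowed allow list is useful when you want the assistant to poll hostile_review_status without prompting but still confirm before it submits code.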

Billing

Same billing for web UI, zip upload, and MCP. First scan of any unique target is free. Re-scans cost credits from your balance.

First scan per target: Free
Re-scans: Credits charged based on agents used

Data & Privacy

Hostile Review never retains your source code. Code is held in memory only during the review (typically under 60 seconds) then fully deleted. Only findings are saved.

Saved: Review findings, severity ratings, billing records. Never saved: Source code, diffs, zip files, GitHub tokens.