code-review

Code Review Skill

When to Trigger

After verify passed. Before commit-push-pr. Or whenever user asks for a review.

Workflow

Step 1: Identify the change set

git diff --name-only HEAD~1
git diff HEAD~1

Or if working in a worktree, diff against the base branch:

git diff main..HEAD

Step 2: Run multi-perspective review

Review through FOUR independent lenses. Spawn sub-agents in parallel if available, otherwise do them serially.

Lens 1: Correctness

Look for:

• Logic bugs (off-by-one, wrong comparison, wrong default)
• Missing null/empty checks
• Incorrect error handling (swallowed errors, wrong error types)
• Race conditions (shared state, concurrent map access, double-close)
• Incorrect data flow (data transforms in the wrong layer)
• TODO/FIXME left in the code
• Missing handling of acceptance criteria edge cases

Lens 2: Security

Look for:

• Input validation missing (SQL injection, command injection, path traversal)
• Output encoding missing (XSS in HTML, log injection)
• Secrets in code/config/logs
• Auth/authz checks missing on endpoints
• IDOR (insecure direct object reference)
• Sensitive data in error messages
• Insecure defaults (e.g., debug mode left on)
• Dependency CVEs (run npm audit, pip-audit, govulncheck)
• Missing rate limiting on user-facing endpoints
• Missing CSRF protection on state-changing endpoints

Lens 3: Performance

Look for:

• N+1 queries
• Loops that could be vectorized / batched
• Unbounded memory (reading whole file/result-set at once)
• Missing indexes implied by new query patterns
• Hot paths that allocate excessively
• Synchronous I/O on the hot path
• Cache opportunities (and cache invalidation traps)
• Algorithmic concerns (O(n²) when O(n log n) is available)

Lens 4: Maintainability

Look for:

• Functions > 50 lines (split)
• Cyclomatic complexity > 10 (simplify)
• Duplication that should be extracted
• Names that lie (processUser that doesn't process)
• Comments that explain "what" instead of "why"
• Tight coupling (component knows too much about another)
• Anemic domain (data structures with no behavior, all logic in services)
• Wrong layer (business logic in handlers, persistence in domain)
• Tests that are hard to read or fragile

Step 3: Aggregate findings with severity

Each finding gets a severity:

• 🔴 Critical: ship-blocker. Bug, security hole, data loss, broken acceptance criterion.
• 🟠 High: should fix before ship if possible. Performance regression, maintainability cliff, missing important test.
• 🟡 Medium: worth fixing this iteration. Nice-to-have improvements.
• 🟢 Low: style, naming, micro-optimizations. Don't block on these.

Step 4: Output the review

## Code Review - <Feature>

**Reviewed:** <files / line ranges>
**Reviewer:** Claude (multi-perspective)
**Date:** <today>

### 🔴 Critical (must fix)

**1. SQL injection in `pkg/users/repo.go:84`**
```go
query := fmt.Sprintf("SELECT * FROM users WHERE id = '%s'", userID)

Use parameterized query: db.Query("SELECT * FROM users WHERE id = $1", userID). The userID comes from the request body unsanitized.

2. Missing auth check on DELETE /api/posts/:id Handler at internal/handlers/post.go:142 deletes without checking ownership. Any authenticated user can delete any post.

🟠 High (fix this iteration)

1. N+1 in dashboard.go:55 The loop fetches Author per post separately. 50 posts = 51 queries. Use .Preload("Author") (Django ORM) or join in raw query. Expected savings: ~250ms on a 50-post page.

2. ...

🟡 Medium (consider)

1. Function validateAndSaveOrder is 87 lines, 4 responsibilities. Split into validate, enrich, persist, emitEvents. Each is independently testable.

🟢 Low (style)

1. userId vs userID casing inconsistent across the file. Pick one, apply everywhere. Linter rule: revive with var-naming.

Summary

• 🔴 Critical: 2
• 🟠 High: 3
• 🟡 Medium: 5
• 🟢 Low: 4

Verdict: ❌ NOT READY TO MERGE. Critical issues must be addressed first.

### Step 5: If critical issues - go fix

DO NOT MERGE. Fix the criticals. Re-run `verify`. Re-run `code-review`. Repeat until clean.

### Step 6: For agreed fixes - apply them

If the user accepts the recommendations, apply them in the same PR. If they should be deferred, create a follow-up issue and link it in the PR description.

### Step 7: Hand off

When clean (or only Lows remain), trigger `commit-push-pr` command.

## Specific Stack Rules

### Python
- Type hints expected, `mypy` clean
- Dataclasses or Pydantic for structured data
- No bare `except:` or `except Exception:` without re-raise
- No mutable default args
- `with` for resource management
- Use `pathlib`, not `os.path`

### Go
- `errors.Is` / `errors.As` for error checking
- Wrap errors with `fmt.Errorf("doing thing: %w", err)`
- No `interface{}` without justification (use `any` if needed)
- Channels for communication, mutexes for state
- Context propagation for cancellation
- Goroutines have a clear lifetime

### Django
- ORM by default, raw SQL only with justification
- Use `select_related` / `prefetch_related` for N+1
- `transaction.atomic` around multi-statement writes
- Form/Serializer validation, not manual
- No business logic in views - keep them thin
- Settings split per environment

### React/Vue
- No state in components that should be in store
- Memoize expensive renders
- Keys on list items
- Avoid prop drilling beyond 2-3 levels
- Side effects in `useEffect` / `onMounted`, not in render
- Loading/error/empty states for every async UI
- Cleanup in effects (event listeners, timers, subscriptions)

## Recommendations

After review, output broader recommendations:
- Patterns repeated 3+ times that should become shared utilities
- Areas of the codebase that are getting tangled (refactor candidates)
- Tests that don't exist but should
- Tooling that would catch this class of issue automatically next time