flowmade-one/architecture
3
0
Fork 0
Code Issues 15 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
095b5e798219123b82f5bdb7a2be4a4b6bb9a5f8
architecture/skills/code-review/SKILL.md
Hugo Nijhuis ff56168073 Mark skills as not user-invocable 
Skills are knowledge modules referenced by commands, not
directly invoked by users. Added user-invocable: false to:
- backlog-grooming (used by /groom)
- claude-md-writing (used by /update-claude-md)
- code-review (used by /review-pr)
- issue-writing (used by /create-issue)
- roadmap-planning (used by /plan-issues)
- vision-management (used by /vision, /manifesto)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 13:01:19 +01:00

206 lines
5.9 KiB
Markdown
Raw Blame History

---
name: code-review
description: Review code for quality, bugs, security, and style issues. Use when reviewing pull requests, checking code quality, looking for bugs or security vulnerabilities, or when the user asks for a code review.
user-invocable: false
---
# Code Review
Guidelines for reviewing code changes in pull requests.
## Review Categories
### Code Quality
Look for:
- **Readability**: Clear naming, logical structure, appropriate comments
- **Maintainability**: Easy to modify, follows DRY, single responsibility
- **Complexity**: Avoid deep nesting, overly long functions, complex conditionals
- **Dead code**: Unused variables, unreachable code, commented-out blocks
Questions to ask:
- Can someone unfamiliar with this code understand it quickly?
- Would I be comfortable maintaining this code?
- Does this follow existing patterns in the codebase?
### Potential Bugs
Look for:
- **Edge cases**: Empty arrays, null values, boundary conditions
- **Logic errors**: Off-by-one, incorrect operators, inverted conditions
- **Race conditions**: Async operations, shared state
- **Resource leaks**: Unclosed connections, missing cleanup
- **Error handling**: Unhandled exceptions, silent failures
Questions to ask:
- What happens with unexpected input?
- Are all error paths handled appropriately?
- Could concurrent execution cause issues?
### Security Concerns
Look for:
- **Injection**: SQL, command, XSS vulnerabilities
- **Authentication**: Bypasses, weak validation
- **Authorization**: Missing permission checks
- **Data exposure**: Logging secrets, exposing internals
- **Dependencies**: Known vulnerabilities in imports
Questions to ask:
- Could an attacker exploit this?
- Is user input properly validated and sanitized?
- Are secrets properly protected?
### Style & Consistency
Look for:
- **Naming conventions**: Match existing codebase style
- **Formatting**: Consistent indentation, spacing
- **File organization**: Logical grouping, appropriate location
- **Import order**: Following project conventions
Note: Style issues are lower priority than functional concerns.
### Test Coverage
Look for:
- **Missing tests**: New functionality without tests
- **Edge cases**: Boundary conditions not tested
- **Error paths**: Exception handling not verified
- **Integration**: Component interactions not covered
Questions to ask:
- Would these tests catch a regression?
- Are the assertions meaningful?
- Do tests cover the acceptance criteria?
## Review Process
1. **Understand context**: Read PR description and linked issues
2. **High-level scan**: Understand overall structure and approach
3. **Detailed review**: Go through changes file by file
4. **Consider impact**: Think about side effects and dependencies
5. **Provide feedback**: Be constructive and specific
## Writing Review Comments
### Be Constructive
- Explain *why* something is an issue
- Suggest alternatives when possible
- Distinguish between blocking issues and suggestions
### Be Specific
- Reference exact lines or code blocks
- Provide concrete examples
- Link to relevant documentation or patterns
### Be Kind
- Phrase feedback as questions when appropriate
- Acknowledge good solutions
- Remember there's a person receiving this feedback
## Example Review Comments
### Code Quality
**Good:**
> `src/utils/parser.ts:45` - This function is doing three things: parsing, validating, and transforming. Consider splitting into `parse()`, `validate()`, and `transform()` to improve testability and make each responsibility clear.
**Bad:**
> This code is messy, please clean it up.
### Potential Bugs
**Good:**
> `src/api/users.ts:23` - `users.find()` returns `undefined` when no match is found, but line 25 accesses `user.id` without a null check. This will throw when the user doesn't exist. Consider: `const user = users.find(...); if (!user) return null;`
**Bad:**
> This might crash.
### Security
**Good:**
> `src/routes/search.ts:12` - The query parameter is interpolated directly into the SQL string, which allows SQL injection. Use parameterized queries instead: `db.query('SELECT * FROM items WHERE name = ?', [query])`
**Bad:**
> Security issue here.
### Style
**Good:**
> `src/components/Button.tsx:8` - Minor: The codebase uses `camelCase` for event handlers (e.g., `handleClick`), but this uses `on_click`. Consider renaming for consistency.
**Bad:**
> Wrong naming convention.
### Test Coverage
**Good:**
> The happy path is well tested. Consider adding a test for when `fetchUser()` rejects - the error handling in line 34 isn't currently covered.
**Bad:**
> Need more tests.
### Positive Feedback
**Good:**
> Nice use of the builder pattern here - it makes the configuration much more readable than the previous approach with multiple boolean flags.
## Verdict Criteria
### LGTM (Looks Good To Me)
- No blocking issues
- Code meets quality standards
- Tests are adequate
- Ready to merge
### Needs Changes
- Minor issues that should be addressed
- Style improvements
- Missing tests for edge cases
- Not blocking, but worth fixing
### Blocking Issues
- Security vulnerabilities
- Logic errors that would cause bugs
- Missing critical functionality
- Breaking changes without migration
## Review Comment Template
```markdown
## AI Code Review
> This is an automated review generated by the code-reviewer agent.
### Summary
[1-2 sentence overall assessment of the changes]
### Findings
#### Code Quality
- [Issue with specific file:line reference and explanation]
- [Or "Code is well-structured and readable"]
#### Potential Bugs
- [Bug risk with explanation]
- [Or "No obvious issues found"]
#### Security Concerns
- [Security issue with severity]
- [Or "No security concerns identified"]
#### Style Notes
- [Style improvement suggestion]
- [Or "Consistent with codebase conventions"]
#### Test Coverage
- [Missing test scenario]
- [Or "Tests adequately cover changes"]
### Verdict
**[LGTM / Needs Changes / Blocking Issues]**
[Brief explanation of verdict]
```
Reference in New Issue View Git Blame Copy Permalink