119 lines
4.2 KiB
Markdown
119 lines
4.2 KiB
Markdown
---
|
|
name: code-review
|
|
description: Review code changes for security, performance, and correctness. Trigger with a PR URL or diff, "review this before I merge", "is this code safe?", or when checking a change for N+1 queries, injection risks, missing edge cases, or error handling gaps.
|
|
argument-hint: "<PR URL, diff, or file path>"
|
|
---
|
|
|
|
# /code-review
|
|
|
|
> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../../CONNECTORS.md).
|
|
|
|
Review code changes with a structured lens on security, performance, correctness, and maintainability.
|
|
|
|
## Usage
|
|
|
|
```
|
|
/code-review <PR URL or file path>
|
|
```
|
|
|
|
Review the provided code changes: @$1
|
|
|
|
If no specific file or URL is provided, ask what to review.
|
|
|
|
## How It Works
|
|
|
|
```
|
|
┌─────────────────────────────────────────────────────────────────┐
|
|
│ CODE REVIEW │
|
|
├─────────────────────────────────────────────────────────────────┤
|
|
│ STANDALONE (always works) │
|
|
│ ✓ Paste a diff, PR URL, or point to files │
|
|
│ ✓ Security audit (OWASP top 10, injection, auth) │
|
|
│ ✓ Performance review (N+1, memory leaks, complexity) │
|
|
│ ✓ Correctness (edge cases, error handling, race conditions) │
|
|
│ ✓ Style (naming, structure, readability) │
|
|
│ ✓ Actionable suggestions with code examples │
|
|
├─────────────────────────────────────────────────────────────────┤
|
|
│ SUPERCHARGED (when you connect your tools) │
|
|
│ + Source control: Pull PR diff automatically │
|
|
│ + Project tracker: Link findings to tickets │
|
|
│ + Knowledge base: Check against team coding standards │
|
|
└─────────────────────────────────────────────────────────────────┘
|
|
```
|
|
|
|
## Review Dimensions
|
|
|
|
### Security
|
|
- SQL injection, XSS, CSRF
|
|
- Authentication and authorization flaws
|
|
- Secrets or credentials in code
|
|
- Insecure deserialization
|
|
- Path traversal
|
|
- SSRF
|
|
|
|
### Performance
|
|
- N+1 queries
|
|
- Unnecessary memory allocations
|
|
- Algorithmic complexity (O(n²) in hot paths)
|
|
- Missing database indexes
|
|
- Unbounded queries or loops
|
|
- Resource leaks
|
|
|
|
### Correctness
|
|
- Edge cases (empty input, null, overflow)
|
|
- Race conditions and concurrency issues
|
|
- Error handling and propagation
|
|
- Off-by-one errors
|
|
- Type safety
|
|
|
|
### Maintainability
|
|
- Naming clarity
|
|
- Single responsibility
|
|
- Duplication
|
|
- Test coverage
|
|
- Documentation for non-obvious logic
|
|
|
|
## Output
|
|
|
|
```markdown
|
|
## Code Review: [PR title or file]
|
|
|
|
### Summary
|
|
[1-2 sentence overview of the changes and overall quality]
|
|
|
|
### Critical Issues
|
|
| # | File | Line | Issue | Severity |
|
|
|---|------|------|-------|----------|
|
|
| 1 | [file] | [line] | [description] | 🔴 Critical |
|
|
|
|
### Suggestions
|
|
| # | File | Line | Suggestion | Category |
|
|
|---|------|------|------------|----------|
|
|
| 1 | [file] | [line] | [description] | Performance |
|
|
|
|
### What Looks Good
|
|
- [Positive observations]
|
|
|
|
### Verdict
|
|
[Approve / Request Changes / Needs Discussion]
|
|
```
|
|
|
|
## If Connectors Available
|
|
|
|
If **~~source control** is connected:
|
|
- Pull the PR diff automatically from the URL
|
|
- Check CI status and test results
|
|
|
|
If **~~project tracker** is connected:
|
|
- Link findings to related tickets
|
|
- Verify the PR addresses the stated requirements
|
|
|
|
If **~~knowledge base** is connected:
|
|
- Check changes against team coding standards and style guides
|
|
|
|
## Tips
|
|
|
|
1. **Provide context** — "This is a hot path" or "This handles PII" helps me focus.
|
|
2. **Specify concerns** — "Focus on security" narrows the review.
|
|
3. **Include tests** — I'll check test coverage and quality too.
|