Comprehensive code review checklist covering security, performance, TypeScript standards, NextJS patterns, accessibility, error handling, and test coverage. Stack-aware — applies web, mobile, or fullstack sections as appropriate. Automatically loaded by the reviewer agent.
user-invokable
false
Code Review Checklist
Apply each section systematically to every file changed in the review scope.
Use severity levels: Critical (must fix), Warning (should fix),
Suggestion (consider for improvement).
1. Security
No hardcoded secrets, API keys, or credentials in code
All user input validated server-side (Zod schemas on API routes)
SQL injection prevented (Prisma parameterized queries only, no raw SQL)
XSS prevented (no dangerouslySetInnerHTML without sanitization)
CSRF protection on all state-changing endpoints
Authentication checked on all protected API routes
Authorization verified (users can only access their own data)
Rate limiting considered for public-facing endpoints
Sensitive data not logged or exposed in error messages