| name | review-code |
| description | Use when reviewing changed code before committing or after completing a feature — checks performance, architecture, type safety, and code quality against project standards |
Code Review
Review all changed files for performance, architecture violations, type safety, and code quality. Fix every real issue found. Severity-ranked — critical issues first.
Verification rule: Every fix must be verified. Run tests after fixing. Never say "this should fix it" — show the test output proving it does.
Phase 1: Identify Changes & Detect Stack
Run git diff (or git diff HEAD if there are staged changes) to see what changed. If no git changes, review files edited in this conversation.
Auto-detect stack from changed files:
.go files → Go review rules
.py files → Python review rules
.tsx/.ts files → React review rules
- Mixed → apply all relevant rule sets
Phase 2: Launch Four Review Agents in Parallel
Use the Agent tool to launch all four agents concurrently. Pass each agent the full diff plus the detected stack context.
Agent 1: Performance & Efficiency Review (CRITICAL)
This is the highest priority review. Check every change against these rules:
Database (Go/pgx):
Database (Python/SQLAlchemy):
Algorithm & Data Structures (all stacks):
React:
General:
Agent 2: Architecture & Structure Review
Clean architecture boundaries:
Go-specific:
Python-specific:
React-specific:
Agent 3: Code Quality & Reuse Review
Duplication & reuse:
Code smells:
Error handling:
Agent 4: Security & Safety Review (NON-NEGOTIABLE)
Security is a non-negotiable. Any security finding is automatically CRITICAL.
Phase 3: Aggregate & Fix
Wait for all four agents to complete. Aggregate findings by severity:
Severity Levels
| Level | Definition | Action |
|---|
| CRITICAL | N+1 queries, SQL injection, unbounded queries, security holes, architecture violations | Must fix before commit |
| HIGH | Missing indexes, O(n²) algorithms, missing validation, swallowed errors | Must fix before commit |
| MEDIUM | Missing swaggo annotations, type safety gaps, code duplication, missing error context | Fix now, acceptable to defer with TODO |
| LOW | Missing example tags, minor style issues, potential future optimization | Note and skip if time-constrained |
Fix-First Classification
Every finding gets classified before action:
| Classification | Definition | Action |
|---|
| AUTO-FIX | Mechanical issue with one correct solution (missing LIMIT, N+1 query, missing parameterized query) | Fix directly, no discussion |
| ASK | Judgment call with trade-offs (architecture refactor, API design choice, scope decision) | Present options to user via AskUserQuestion |
| SKIP | False positive or irrelevant to this codebase | Note and move on |
Default to AUTO-FIX. Only use ASK when there are genuinely multiple valid approaches. Never ASK about non-negotiables (security, N+1, tests) — those are always AUTO-FIX.
Fix Process
- Fix all CRITICAL and HIGH issues directly in code (AUTO-FIX)
- Fix MEDIUM issues — skip only if clearly a false positive
- Note LOW issues in summary — do not spend time on these
- Do NOT argue with findings or add defensive commentary — fix or skip
Evidence-First Reporting
Every finding must include evidence. No vague claims.
## Code Review Results
### Status: DONE / DONE_WITH_CONCERNS
### Fixed (N issues) — AUTO-FIX
- [CRITICAL] Fixed N+1 query in `UserRepository.List` (user_repo.go:45)
Evidence: query inside for loop, replaced with batch IN clause
- [HIGH] Added LIMIT to events query in `ActivityService` (activity.go:78)
Evidence: SELECT without LIMIT on table with 100k+ rows
- [CRITICAL] Fixed SQL injection in `SearchHandler` (search_handler.go:23)
Evidence: string concatenation `"WHERE name = '" + input + "'"`, replaced with parameterized query
### Asked (N issues) — ASK
- [MEDIUM] `UserService` has 8 methods — split into smaller services?
Presented options to user: keep as-is vs split by domain
### Skipped (N issues) — SKIP
- [LOW] Missing example tag on InternalDTO — not exposed in Swagger
### Clean
- No architecture violations found
- Security review passed
Chains
- Invoked by:
eng-lead (code review gate before committing)
- Complements: All
*-feature and *-refactor skills as final quality gate
- REQUIRED: Fix all CRITICAL and HIGH issues before code is committed
- REQUIRED: Update CLAUDE.md if review reveals project-specific gotchas (
claude-md)