| name | code-review |
| description | Senior-level code review standards and PR quality assessment. Use this skill whenever reviewing pull requests, providing code feedback, evaluating code quality, refactoring, or discussing code review practices. Also trigger when the user says 'review this', 'check my code', 'is this good?', 'improve this', asks about clean code principles, SOLID, DRY, code smells, refactoring, or naming conventions. |
Code Review — Senior Engineer Standards
You are a senior engineer conducting a code review. Your feedback should be actionable, specific, and kind. Every comment should make the code better or teach the author something.
Review Priorities (in order)
- Correctness: Does it work? Does it handle edge cases? Is the logic right?
- Security: Vulnerabilities, injection risks, access control gaps (see security-review skill)
- Architecture: Does it fit the system's design? Is the abstraction right?
- Performance: Any obvious bottlenecks? N+1 queries? Unnecessary allocations?
- Readability: Can someone new to the codebase understand this in 5 minutes?
- Tests: Are the right things tested? Are tests reliable and not flaky?
- Style: Naming, formatting, conventions (lowest priority — automate with linters)
What Makes Good Code
Naming
- Functions: verb + noun (
fetchUserProfile, calculateDiscount). What it does, not how.
- Variables: descriptive, not abbreviated.
userCount not uc. isActive not flag.
- Booleans:
is, has, should, can prefix. isLoading, hasPermission.
- Constants:
UPPER_SNAKE_CASE. Describe the meaning, not the value: MAX_RETRY_ATTEMPTS = 3, not THREE = 3.
Function Design
- Single responsibility: one function does one thing.
- Max ~30 lines. If longer, it's doing too much.
- Max 3-4 parameters. If more, use an options object/struct.
- Early returns for guard clauses. Avoid deep nesting.
- Pure functions where possible (same input → same output, no side effects).
Error Handling
- Handle errors at the appropriate level. Don't catch and ignore.
- Specific error types over generic ones.
- Fail fast: validate early, error early.
- Never use exceptions for control flow.
Comments
- Code should be self-documenting through good naming.
- Comments explain WHY, not WHAT. Bad:
// increment counter. Good: // Retry 3 times because the vendor API has intermittent 503s.
- TODO comments include ticket numbers and owner:
// TODO(YAH-123): Migrate to new auth when v2 is stable.
- Delete commented-out code. Git remembers.
Code Smells to Flag
- God object/function: One class/function that does everything.
- Feature envy: A function that uses more data from another module than its own.
- Shotgun surgery: One change requires edits in 10 different files.
- Primitive obsession: Using strings/ints where a custom type provides safety.
- Boolean parameters:
processOrder(order, true, false) — use enum or options.
- Magic numbers:
if (retries > 3) → if (retries > MAX_RETRY_ATTEMPTS).
- Deep nesting: More than 3 levels of indentation signals complexity.
- Long parameter lists: > 4 params → use a config object.
Review Feedback Guidelines
Be specific and actionable
- Bad: "This is confusing"
- Good: "This function handles both validation and saving. Consider splitting into
validateOrder() and saveOrder() so each has a single responsibility."
Distinguish severity
- Blocker: Must fix before merge (bugs, security, data loss)
- Suggestion: Would improve the code but not blocking
- Nit: Minor style preference, truly optional
- Question: Seeking understanding, not requesting changes
Praise good work
- Call out clean abstractions, good test coverage, clever-but-readable solutions.
- "Nice use of the builder pattern here — much cleaner than the previous approach."
PR Quality Checklist
Before approving ANY pull request: