| name | loom-code-review |
| description | Comprehensive code review covering correctness, maintainability, performance, security, and best practices. Use for PR reviews, pre-merge audits, architecture and design critique, and actionable reviewer feedback. |
| allowed-tools | ["Read","Grep","Glob","Bash"] |
| triggers | ["review","code review","PR review","pull request","check code","audit code","feedback","approve","request changes","comment","suggestion","LGTM","nit","blocker","code quality","best practice","architecture review","design review","security review","infra review"] |
Code Review
Overview
Review a change for correctness, security, performance, and maintainability, then produce prioritized, actionable feedback. Optimize signal: gate on what breaks users; comment (don't gate) on the rest.
Review vs. adversarial security audit
Different jobs — don't conflate:
- Code review (this skill): holistic, author-empathetic. Reviews the diff and its blast radius against stated intent across four lenses. Assumes good faith; catches the bugs a careful peer catches.
- Security audit (
/loom-security-audit, /loom-threat-model): attacker mindset, threat model, whole-attack-surface. Assumes hostile input everywhere.
For auth, crypto, payments, deserialization, or anything touching a trust boundary: do the code review AND trigger a security audit. A passing code review is not a security sign-off.
Severity taxonomy
Label every comment. Only the first two gate the merge.
| Severity | Gate? | Meaning |
|---|
| BLOCKER | ✅ | Security hole, data loss, crash, corruption. Merge is unsafe. |
| SILENT_FAILURE | ✅ | Exit 0 but the operation actually failed (sandbox-blocked download, partial fetch, stale cache, swallowed error). Always investigate before merge. |
| CRITICAL | ✅ | Logic error / real bug that will bite in normal use. |
| MAJOR | ❌ | Maintainability, tech debt, missing test for a real path. Fix soon. |
| MINOR / nit | ❌ | Style, naming, micro-optimization. Prefix with nit: so the author can skip it. |
Approve-with-comments discipline: if nothing is BLOCKER/CRITICAL, approve and leave the MAJOR/MINOR notes as non-blocking. Don't hold a PR hostage over nits or personal style. Blocking on taste is the top reviewer anti-pattern — it trains authors to ignore you.
Method
- Read intent first. PR description, linked issue, commit messages. Review against what the change claims to do; flag scope creep separately from bugs.
- Review the diff AND its blast radius. A hunk is not self-contained. For every changed symbol,
rg its callers and callees — a signature change, a new early-return, a changed default, or a widened type ripples outward. Bugs hide at the seams the diff doesn't show.
- Four lenses per hunk: correctness → security → performance → maintainability (below).
- Missing-tests / missing-error-path pass (separate sweep — easy to skip).
- Verdict: approve / approve-with-comments / request-changes, each comment severity-tagged.
Blast-radius checklist
Four lenses
- Correctness: edge cases (empty, null, zero, negative, overflow, unicode, TZ/DST), off-by-one, error paths, resource cleanup (files/locks/connections on every return incl. early ones), idempotency/retry safety, race conditions. Trace the unhappy path, not just the happy one.
- Security: input validation at the boundary, injection (SQL/command/path/SSRF/XSS), authz on every sensitive op, secrets not logged, crypto-grade randomness. (Deep dive → security audit.)
- Performance: algorithmic complexity, N+1 queries, unnecessary allocation/clone in hot paths, missing pagination/streaming for unbounded data,
O(n)-in-a-loop membership checks (want a set/map). Don't nitpick micro-perf off the hot path.
- Maintainability: does the abstraction fit the problem? single responsibility, honest naming, no copy-paste of logic that will drift, no dead/speculative code, comments explain why not what.
Missing tests & error paths
The most common real defect in a passing PR: an untested error path. Ask:
Loom orchestration review
For code produced by loom stages, add these (they catch the "compiles + tests pass but doesn't work" class):
- Silent failure (BLOCKER): exit 0 with error/warning on stderr; sandbox blocked a download but stage completed; external dep referenced but not installed/reachable.
- Wiring (CRITICAL): feature compiles and tests pass but is never imported / registered / mounted / reachable by a real user. Verify: is the module imported at the entry point? command/route registered? event handler connected? DI binding present? Can a user actually invoke it? (See
/loom-wiring-test.)
- Dependency reality: package actually installed (not just in manifest); data file actually downloaded (not just referenced); endpoint actually reachable (not just configured).
Domain quick-checklists
Compressed — expand the relevant one only when the diff touches that domain.
- Infra/IaC: no hardcoded secrets; least-privilege IAM; state backend secured; resource limits/requests (k8s); non-root, minimal base image, no secrets in layers (Docker); rollback path (CI/CD).
- Data pipeline: schema validation; null/dup handling; idempotent + exactly-once where claimed; dead-letter queue; partitioning/batching; storage lifecycle for cost.
- ML: seed set for reproducibility; train/val/test split has no leakage; data + model versioned; drift monitoring and rollback in prod; bias/fairness on training data.
Reviewer output format
Group by severity, cite file:line, state issue → impact → fix. Keep it scannable.
# Review: auth/login.py
## BLOCKER
- **L45 SQL injection** — `f"... WHERE email = '{email}'"` interpolates user input.
Impact: arbitrary SQL. Fix: `cursor.execute("... WHERE email = %s", (email,))`.
## MAJOR
- **L112 unchecked None** — `send_email(user.email, ...)` after `.first()` can `None`-deref
when the user doesn't exist. Add a guard returning 404.
## nit
- **L23** `GetUser` → `get_user` (snake_case).
## Good
- Clean validation split (L30-40); solid test coverage on the happy path.
Two tiny wrong→right patterns worth internalizing:
if user.id in active_ids:
active = set(active_ids)
if user.id in active:
Author-empathy phrasing
Same fact, better delivery — critique the code, ask don't command, give the reason:
- ❌ "This is wrong." → ✅ "This deref crashes when
user is None (L112) — guard it?"
- ❌ "Why didn't you use a set?" → ✅ "A
set here makes this O(1) per lookup; worth it on the hot path."
- ❌ "Bad naming." → ✅ "nit:
data is vague — active_orders?"
Acknowledge good work explicitly; it makes the blocking comments land.
Verify before done