| name | code-security-review |
| description | Comprehensive code quality and security audit for financial systems. Use when asked to "review code", "code review", "security audit", "check for issues", "審核程式碼", "檢查安全性", or before merging changes. Focuses on DDD compliance, financial precision (no floats for money), security vulnerabilities, and test coverage. |
| license | See LICENSE.txt in repository root |
Code & Security Review
💡 Recommended Agent: code-reviewer-agent (Senior Code Quality Auditor)
- CLI: Input
/agent and select code-reviewer-agent
- VS Code: Use
@workspace #code-reviewer-agent in Chat
⚠️ CLI Note: Use natural language like "review 我的 code". VS Code users can use /code-review shortcut.
When to Use This Skill
Use this skill when:
- Implementation is complete and ready for review
- Before creating pull request
- After TDD implementation phase
- Suspicious code or security concerns
- 實作完成,準備提交 PR 前
- 需要檢查程式碼品質與安全性
Prerequisites
Required:
- Code changes committed or staged (
git status shows modifications)
- Implementation phase complete
Recommended:
04-plan.md to verify all tasks completed
- Tests passing and coverage ≥80%
Review Priorities (High → Low)
🔴 Critical (Must Fix)
- Security vulnerabilities (injection, auth bypass, secrets)
- Financial precision errors (float/double for money)
- Data integrity risks (race conditions, lost updates)
- Breaking changes (undocumented API changes)
🟡 High (Should Fix)
- Test coverage (<80%)
- DDD violations (anemic models, leaked domain logic)
- SOLID violations (tight coupling, god classes)
- Error handling gaps (unhandled exceptions)
🟢 Medium (Nice to Fix)
- Naming conventions (unclear variable names)
- Code duplication (DRY violations)
- Performance issues (N+1 queries)
⚪ Low (Optional)
- Style inconsistencies (formatting, minor refactoring)
Step-by-Step Review Process
Step 1: Get Code Changes
git status
git diff
git diff main...feature-branch
Step 2: Run Security Audit
Check for Critical Security Issues:
| Issue | How to Detect | Fix |
|---|
| Secrets in code | Search for API keys, passwords, tokens | Move to environment variables |
| SQL injection | Raw SQL with string concatenation | Use parameterized queries |
| XSS vulnerabilities | Unescaped user input in HTML | Sanitize inputs, escape outputs |
| Auth bypass | Missing authorization checks | Add RBAC/ABAC checks |
| Insecure dependencies | npm audit / pip-audit | Update vulnerable packages |
Financial Systems Specific:
- ✅ Money fields use
decimal (NOT float/double)
- ✅ Idempotency keys validated for transactions
- ✅ Audit logging present for sensitive operations
- ✅ Timezone handling (store UTC, display local)
Step 3: Code Quality Audit
DDD Compliance:
SOLID Principles:
Naming Conventions (C#):
Step 4: Test Coverage Check
npm test -- --coverage
dotnet test /p:CollectCoverage=true
Coverage Requirements:
- 80% minimum for all code
- 100% required for:
- Financial calculations
- Authentication/authorization logic
- Security-critical code
- Core business logic
Test Quality:
Step 5: Generate Review Document
Create changes/<YYYY-MM-DD>-<slug>/05-review.md:
Template:
# Code Review: {Feature Name}
**Date**: {YYYY-MM-DD}
**Reviewer**: {Name or "AI Agent"}
**Status**: 🔴 Needs Work / 🟡 Minor Issues / 🟢 Approved
---
## Summary
{Brief overview of changes and overall assessment}
**Files Changed**: {X files}
**Lines Added**: {+Y}
**Lines Removed**: {-Z}
---
## Critical Issues 🔴 (Must Fix Before Merge)
### Issue 1: {Title}
**Severity**: Critical
**File**: `{path/to/file.ts}:{line}`
**Problem**: {Description of the issue}
**Risk**: {What could go wrong}
**Fix**: {How to resolve}
**Code**:
```typescript
// ❌ BAD
double price = 19.99; // Floating point for money
Recommended:
decimal price = 19.99M;
Issue 2: {Title}
{Repeat structure}
High Priority Issues 🟡 (Should Fix)
Issue 3: {Title}
Severity: High
File: {path/to/file.ts}:{line}
Problem: {Description}
Fix: {Solution}
Medium Priority Issues 🟢 (Nice to Fix)
Issue 4: {Title}
Severity: Medium
File: {path/to/file.ts}:{line}
Problem: {Description}
Fix: {Solution}
Security Checklist
Financial Precision Checklist
Code Quality Assessment
DDD Compliance
SOLID Principles
Naming & Style
Test Coverage
Overall Coverage: {X%}
| Module | Coverage | Status |
|---|
lib/transactions.ts | 95% | ✅ Pass |
api/v1/transactions | 82% | ✅ Pass |
lib/notifications.ts | 75% | ⚠️ Below 80% |
Missing Coverage:
- {File/function 1}: {Why not covered}
- {File/function 2}: {Recommendation}
Performance Concerns
Issue 1: {N+1 Query Problem}
File: {path}:{line}
Problem: {Description}
Impact: {Performance degradation}
Fix: {Use join or eager loading}
Breaking Changes
⚠️ API Breaking Change Detected
Endpoint: POST /api/v1/users
Change: Response schema adds notificationPreferences field
Impact: External clients with strict schema validation may break
Recommendation:
- Version bump to
/api/v2/users
- Maintain v1 for 2 weeks (deprecation period)
- Announce to API consumers
Recommendations
Must Do (Before Merge)
- {Critical issue 1}
- {Critical issue 2}
Should Do (Current PR)
- {High priority issue 1}
- {High priority issue 2}
Nice to Do (Future PR)
- {Medium priority issue}
- {Refactoring opportunity}
Approval Status
Reviewer Decision: {Choose one}
- 🔴 Request Changes: Critical issues must be fixed
- 🟡 Approve with Comments: Minor issues, can merge after fixes
- 🟢 Approve: No blocking issues, ready to merge
Next Steps:
- {Action item 1}
- {Action item 2}
- After fixes, run review again or proceed to archive
Related Artifacts
- Spec:
03-spec.md
- Plan:
04-plan.md
- Test Plan:
05-test-plan.md (if exists)
- Git branch:
feature/{branch-name}
---
## Review Checklist Template
Use this checklist during review:
```markdown
## Code Review Checklist
### Security ✅
- [ ] No secrets/credentials in code
- [ ] SQL injection prevented
- [ ] XSS prevented (input sanitization)
- [ ] Authorization checks present
- [ ] Dependencies secure (npm audit / pip-audit)
### Financial Precision ✅
- [ ] Money uses decimal (NOT float/double)
- [ ] Currency stored explicitly
- [ ] Idempotency for transactions
- [ ] Audit logging present
- [ ] Timezone handling correct (UTC storage)
### Code Quality ✅
- [ ] DDD: Domain logic in domain layer
- [ ] SOLID principles followed
- [ ] Clear naming conventions
- [ ] No code duplication (DRY)
- [ ] Error handling complete
### Testing ✅
- [ ] Test coverage ≥80%
- [ ] Edge cases tested
- [ ] Integration tests for critical paths
- [ ] Tests verify behavior (not implementation)
### Performance ✅
- [ ] No N+1 query problems
- [ ] Database indexes appropriate
- [ ] Caching where beneficial
- [ ] No memory leaks
### Breaking Changes ✅
- [ ] API changes documented
- [ ] Migration guide provided (if needed)
- [ ] Deprecation warnings added
- [ ] Versioning strategy followed
Common Issues & Fixes
Issue: Float/Double for Money
double totalPrice = orderItems.Sum(x => x.Price * x.Quantity);
decimal totalPrice = orderItems.Sum(x => x.Price * x.Quantity);
Issue: Missing Idempotency
[HttpPost("transactions")]
public async Task<IActionResult> CreateTransaction([FromBody] TransactionDto dto)
{
var transaction = await _service.CreateAsync(dto);
return Ok(transaction);
}
[HttpPost("transactions")]
public async Task<IActionResult> CreateTransaction(
[FromBody] TransactionDto dto,
[FromHeader(Name = "Idempotency-Key")] string idempotencyKey)
{
if (string.IsNullOrEmpty(idempotencyKey))
return BadRequest("Idempotency-Key required");
var transaction = await _service.CreateOrGetAsync(dto, idempotencyKey);
return Ok(transaction);
}
Issue: Anemic Domain Model
public class Order
{
public decimal Total { get; set; }
public OrderStatus Status { get; set; }
}
public class OrderService
{
public void CompleteOrder(Order order)
{
order.Status = OrderStatus.Completed;
order.Total = CalculateTotal(order);
}
}
public class Order
{
public decimal Total { get; private set; }
public OrderStatus Status { get; private set; }
public void Complete()
{
if (Status == OrderStatus.Cancelled)
throw new InvalidOperationException("Cannot complete cancelled order");
Status = OrderStatus.Completed;
Total = CalculateTotalInternal();
}
private decimal CalculateTotalInternal() { }
}
Next Step
After review completion:
If issues found:
Fix critical issues → Re-run tests → Request re-review
If approved:
CLI:
Input: "archive 這個 change package"
[System loads work-archiving skill]
→ Generate 99-archive.md and WORK_LOG entry
VS Code:
Input: /archive
Or: "finalize and archive"
Or use workflow orchestrator:
Input: "what's next?"
[System detects review complete, recommends archive stage]
Troubleshooting
"Too many issues found, overwhelming"
Solution: Fix critical (🔴) first, then high (🟡). Medium (🟢) can be separate PR.
"How strict should I be?"
Solution:
- Critical & High: Block merge
- Medium: Accept with follow-up issue
- Low: Optional, nice to have
"Should I review everything?"
Solution: Focus on:
- Business logic changes (high risk)
- Security-critical code
- Financial calculations
- Skip: Auto-generated code, minor formatting
Related Documentation
💡 Tip: A good review finds issues before they reach production. Be thorough but pragmatic—perfection is the enemy of shipping.
Common Rationalizations
在程式碼審查過程中,AI 可能以下列藉口略過關鍵步驟:
| 常見藉口 | 反制說明 |
|---|
| "我已從作者角度完整審查" | ⛔ 不能只從程式碼作者視角審查——必須依序切換至少 3 個 Specialist Lens(Security、Performance、Future Maintainer)再完成審查 |
| "測試覆蓋率 80%,這個模組邏輯簡單不需要 100%" | Financial / Auth / Security 核心路徑要求 100% 覆蓋——沒有例外,「簡單」不是降低標準的理由 |
| "這只是小改動,不需要完整安全稽核" | 改動大小與安全風險無關——任何接觸認證、授權、金融精度的程式碼均需完整安全步驟 |
| "PR 已通過所有自動測試,審查可以快速完成" | 自動測試無法捕捉所有安全弱點——必須手動執行 Specialist Lens Review,不得以 CI green 替代人工審查 |
Verification
在產出 05-review.md 前,逐項確認(Gate = 交付前閘門;Verification = 自我完成確認):