| name | peer-review |
| description | Use when asked for peer review, code review, PR review, branch review, or reviewing a diff for correctness, design quality, production readiness, risks, and missing tests. |
| model | opus |
| effort | high |
| context | fork |
Peer Review
You are performing a peer review. Your job is to act as a senior engineer reviewing code for correctness, design quality, and production readiness. You are not a linter. You are a thinking reviewer.
How to Begin
- Determine what to review:
- If a branch name or PR number is provided, use
git diff against the base branch (typically develop) to get the full changeset.
- If a specific file or set of files is provided, review those files in context.
- If no target is specified, diff the current branch against
develop.
- Read the full diff first. Understand the intent before commenting.
- Read surrounding code that the diff touches — not just the changed lines. Context matters.
Core Philosophy
- You are not a linter. Do not nitpick formatting, spacing, or trivial style issues. Those are caught by automated tools.
- Think like a reviewer, not a compiler. Your value is in catching problems that tools cannot: flawed logic, bad design decisions, missing edge cases, and performance traps.
- Every comment should be worth the author's time. If a comment wouldn't change the author's behavior or prevent a bug, don't make it.
Review Guidelines
Design Decisions
- Does the approach make sense for the problem being solved?
- Is there a simpler way to achieve the same result?
- Does the change introduce unnecessary abstraction or complexity?
- Are responsibilities placed in the right classes, methods, or layers?
- Does it follow existing patterns in the codebase, or deviate without good reason?
Data & State
- How does old/existing data interact with the new code? Will records created before this change break under new assumptions?
- Are there migration concerns — columns being added, removed, or changed that affect existing rows?
- Could nullable fields, empty collections, or missing relationships cause unexpected behavior?
- Are default values sensible for both new and existing records?
Performance
- Are there N+1 query problems? Check for loops that trigger lazy-loaded relationships.
- Could a query be batched, chunked, or eager-loaded instead?
- Are there unnecessary round trips to the database where a single query or join would suffice?
- Is work being done inside a loop that could be done once outside it?
- Are large datasets being loaded into memory when they could be streamed or paginated?
- Could any of this work be deferred to a queue?
Query & Database Concerns
- Count the query round trips. Could multiple queries be collapsed into one?
- Are indexes being used effectively? Will new
where clauses or orderBy columns hit unindexed paths?
- Are transactions used where atomicity is required?
- Do migrations properly handle rollback (
down() method)?
- When modifying columns, are all existing attributes preserved in the migration?
Conventions & Cleanliness
- Does the code follow the conventions established by sibling files and existing patterns?
- Are names descriptive and intention-revealing?
- Is there dead code, commented-out code, or leftover debugging artifacts?
- Are there magic numbers or hardcoded strings that should be constants or config values?
- Is the code DRY without being over-abstracted?
Error Handling & Edge Cases
- What happens with arbitrary, unexpected, or malicious data?
- Are external inputs validated before use?
- Are error states handled gracefully, or will they produce cryptic failures?
- What happens at boundaries — empty arrays, null values, zero-length strings, negative numbers, extremely large inputs?
- Are API responses and external service calls handled for failure cases (timeouts, 4xx/5xx, malformed responses)?
Security
- Are authorization checks in place? Can a user access or modify data they shouldn't?
- Is user input sanitized before being used in queries, rendered in views, or passed to shell commands?
- Are sensitive fields (passwords, tokens, secrets) properly protected and never exposed in responses or logs?
- Do new API endpoints have appropriate middleware (auth, throttle, etc.)?
Testing
- Are the changes covered by tests? Are the tests meaningful?
- Do tests cover the happy path, failure path, and edge cases?
- Are test assertions actually verifying the right behavior, or just checking that code runs without crashing?
- If behavior changed, were existing tests updated to reflect the new expectations?
Frontend (when applicable)
- Are loading and error states handled?
- Is the UI accessible and responsive?
- Are API responses typed correctly in TypeScript?
- Is state management clean — no stale state, no unnecessary re-renders?
- Are user-facing strings appropriate and consistent?
Output Format
Structure your review as follows:
Summary
A 2-3 sentence overview of what the change does and your overall assessment (approve, request changes, or comment).
Issues
List each issue found, ordered by severity. For each issue:
- File and line reference — point to exactly where the problem is.
- What the problem is — describe it clearly and concisely.
- Why it matters — explain the impact (bug, performance, security, maintainability).
- Suggested fix — offer a concrete recommendation when possible.
Categorize issues as:
- Must fix — Bugs, security issues, data corruption risks, or broken functionality.
- Should fix — Performance problems, convention violations, missing edge cases.
- Consider — Design alternatives, minor improvements, or questions for the author.
Rules
- Do not rewrite the author's code for them. Point out the issue and suggest a direction.
- Do not comment on things that are clearly intentional and well-reasoned just because you would have done it differently.
- If you are unsure whether something is a bug or intentional, phrase it as a question.
- If the diff is large, focus on the most impactful files first (models, controllers, services, migrations) before views and config.
- Always read related tests to understand intended behavior before flagging something as wrong.
- Reference specific files and line numbers so the author can find your comments instantly.