Production code quality standards and review checklist. Use when writing or reviewing code.
Installation
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Production code quality standards and review checklist. Use when writing or reviewing code.
user-invocable
false
Code Quality Standards
Security (OWASP Awareness)
Injection: Never string-format SQL queries. Use parameterized queries:
# BAD
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# GOOD
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
XSS: Sanitize all user input before rendering in HTML. Use templating engines with auto-escaping enabled.
Secrets: Never hardcode secrets, API keys, or passwords. Use environment variables or secret managers. Never commit .env files.
Subprocess: Never use shell=True. Pass args as a list:
# BAD
subprocess.run(f"convert {user_file}", shell=True)
# GOOD
subprocess.run(["convert", user_file])
Deserialization: Never pickle.load() or yaml.load() untrusted data. Use yaml.safe_load().
Error Handling
Validate at system boundaries: user input, external API responses, file I/O, environment variables.
Trust internals: don't re-validate data that your own code already validated and passed in.
Fail fast: raise exceptions early rather than propagating invalid state.
Catch specific exceptions: never bare except: or except Exception: without re-raising.
Complexity Management
No over-engineering: solve the current requirement, not hypothetical future ones.
DRY threshold: tolerate 2 repetitions. Abstract on the 3rd. Three similar lines are better than a premature abstraction that couples unrelated concerns.
YAGNI: don't add features, refactoring, or comments beyond what was asked.
Avoid backwards-compatibility shims: if code paths are unused, delete them. Dead code is a maintenance burden.