| name | code-review-checklist |
| description | Skill for the reviewer agent. Structured checklist for reviewing code changes with depth and consistency. Includes severity taxonomy, comment guide, anti-patterns, and domain-specific checklists. Load BEFORE starting any code review. |
Code Review Checklist
Review Methodology (6 Steps)
- Scope — Read PR title, description, linked ticket. Check which files and areas changed.
- High-level pass — Does the overall approach make sense? Simpler alternative? Respects architecture?
- Deep dive — Read every changed line. Logic correct? Edge cases handled? Tests verify the right behavior?
- Cross-cutting pass — Security, performance, observability across the whole change.
- Craft comments — Group related feedback, assign severity, write clearly.
- Follow up — Verify blocker fixes were applied; approve when all blockers resolved.
Severity Taxonomy
Label every issue so the author can triage at a glance:
| Severity | Label | Meaning |
|---|
| 🔴 | BLOCKER | Must fix before merge. Bug, security hole, or spec violation. |
| 🟠 | CRITICAL | Should fix before merge. Likely causes production bugs. |
| 🟡 | IMPORTANT | Should fix, doesn't block merge. May cause future issues. |
| 🔵 | SUGGESTION | Nice to have. Quality or maintainability improvement. |
| ⚪ | NIT | Style preference only. Never blocks a PR. |
The Checklist
1. PR Overview
2. Design & Architecture
3. Correctness & Functionality
4. Complexity
5. Security
6. Tests
7. Error Handling & Resilience
8. Performance
9. Naming & Readability
10. Comments & Documentation
11. Style & Consistency
12. Observability & Operations
Comment Crafting
- One concern per comment — don't bury multiple issues in one thread
- Explain WHY — "this is wrong because..." is valuable; "this is wrong" is not
- Be specific — reference exact lines, not just files
- Offer alternatives — "consider using X instead" beats "don't use X"
- Use "we" or "this line" — keeps feedback impersonal
- Acknowledge good code — at least one positive comment per review
Domain-Specific Checks
Web / Frontend
- Accessibility: keyboard navigation, screen reader support, color contrast
- Bundle size: new dependencies justified? Code-splitting used?
- State management: cleanup on unmount? Race conditions in async effects?
API / Backend
- API contract matches what clients expect; versioning handled
- Request body validated at the boundary
- POST/PUT endpoints handle duplicate requests safely (idempotency)
Data / Migrations
DROP or destructive ALTER statements — reversible?
- Rollback plan exists and is documented
- Data integrity: constraints, orphaned records handled
Infrastructure / Config
- No hardcoded credentials; environment variables used properly
- Service roles and IAM policies follow least privilege
- Dependency/image version changes tested
PR Size Strategy
| Size | Lines | Approach |
|---|
| 🟢 Small | < 200 | Full review using entire checklist |
| 🟡 Medium | 200-500 | Deep review on changed files; quick scan on related files |
| 🟠 Large | 500-1000 | Ask to split. If can't, review by commit or feature boundary |
| 🔴 Excessive | > 1000 | Request smaller PRs before reviewing |
Anti-Patterns
| Anti-Pattern | Do This Instead |
|---|
| Rubber-stamping | Read every changed line |
| Bikeshedding on trivial issues | Label nits; never let style block a PR |
| 50+ comments without prioritization | Use severity labels; distinguish blockers from nits |
| Criticizing test style over missing coverage | Fix coverage gaps first |