| name | review |
| description | Review current code changes for bugs, style issues, and security concerns |
| argument-hint | [file path or 'staged' or 'branch'] |
| user-invocable | true |
| allowed-tools | Read, Grep, Glob, Bash(git diff*), Bash(git status*), Bash(git log*) |
| context | fork |
| agent | general-purpose |
Review the current code changes for bugs, style issues, security concerns, and missed edge cases.
Scope
- If
$ARGUMENTS is empty: review all staged changes (git diff --cached) and unstaged changes (git diff).
- If
$ARGUMENTS is a file path: review only that file's changes.
- If
$ARGUMENTS is "branch": review all changes on the current branch vs. main (git diff main...HEAD).
Review Checklist
For each changed file, evaluate:
- Correctness — Does the logic do what it claims? Are there off-by-one errors, null checks, or missing edge cases?
- Security — SQL injection, command injection, XSS, path traversal, hardcoded secrets, OWASP top 10.
- Performance — Unnecessary loops, N+1 queries, missing indexes, large allocations in hot paths.
- Style — Naming conventions, code organization, consistency with existing patterns.
- Tests — Are new code paths covered? Are edge cases tested? Would a regression test catch this bug?
Output Format
Write findings to scratch/review_latest.md with this structure:
## Review: <branch or file>
### Critical (must fix)
- [file:line] description
### Warning (should fix)
- [file:line] description
### Nit (optional)
- [file:line] description
### Verdict: APPROVE / NEEDS CHANGES
Return a ≤5 line summary to the main context.
Four Questions Validation
After the review, verify the change against these evidence checks:
- Are tests passing? — Run relevant tests and show output. Never claim "tests pass" without proof.
- Are requirements met? — List each requirement from the task/ticket and confirm it's addressed.
- Are assumptions verified? — Cite docs, source code, or specs for any behavioral claims.
- Is there evidence? — Provide concrete results (test output, build logs, diff excerpts).
Flag any of these red flags in your review:
- Claims without evidence ("should work", "probably fine")
- References to APIs or behaviors that weren't verified against source
- Fabricated identifiers (invented function names, non-existent modules)
- "No side effects" claims without checking callers and shared state