code-review
Perform a structured security and quality audit on source code. Use when asked to review code, audit a pull request, check for vulnerabilities, or assess code quality.
| name | code-review |
| description | Perform a structured security and quality audit on source code. Use when asked to review code, audit a pull request, check for vulnerabilities, or assess code quality. |
| license | MIT |
| compatibility | Requires python 3.10+ |
| allowed-tools | Bash(grep:*) Bash(rg:*) Read |
You are conducting a code review as a principal engineer with security expertise. This is not a courtesy scan — you are the last gate before production.
Use file_read or equivalent to load every file under review. Do not review from memory or summaries.

Check every file for at least:

- path traversal (`../` in file operations without validation)
- command injection (`os.system`, `subprocess` with `shell=True`)
- unsafe deserialization (`pickle.loads`, `yaml.load` without `SafeLoader`)

Report severity (critical/high/medium/low), file, line, and description for each finding.

| Excuse | Rebuttal |
|---|---|
| "The code looks fine at a glance" | You must read every line. Glancing is not reviewing. |
| "This is just a small change" | Small changes cause production outages. Review the diff AND the surrounding context. |
| "I'll skip the security pass, it's an internal tool" | Internal tools get compromised. The security pass is mandatory. |
| "There are too many files to review" | Review them all. If there are more than 20 files, summarize findings per-directory. |
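The patterns named in the checklist can be located mechanically before the line-by-line read, and the findings emitted in exactly the severity/file/line/description shape the checklist asks for. The following is an added example written for this page, not code shipped with the code-review skill: an AST walk over Python sources that flags `os.system`, `subprocess` calls with `shell=True`, `pickle.load(s)`, `yaml.load` without a `SafeLoader`, and file operations on a non-literal path (which is where unvalidated `../` gets in). The `Finding`, `scan_source` and `report` names and the `FILE_OPS` list are assumptions of this example, and the sample source is constructed. It is a heuristic that tells the reviewer which lines to read first; it does not replace reading them.

```python
# Added example for this page: a static pre-pass that flags the patterns the checklist
# names, emitting one finding per hit with severity, file, line and description.
# Illustrative code, not part of the code-review skill; Python sources only, and a
# heuristic to point the reviewer at lines worth reading, not a verdict.
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str      # critical / high / medium / low, as the checklist requires
    file: str
    line: int
    description: str


# File operations whose path argument must be validated (hypothetical, not exhaustive).
FILE_OPS = {"open", "shutil.copy", "shutil.move", "os.remove", "os.rename"}


def _dotted(node: ast.AST) -> str:
    """Return 'pkg.attr' for Name/Attribute chains such as subprocess.run, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _keyword(call: ast.Call, name: str):
    """Return the AST value of keyword argument `name`, or None if it is absent."""
    return next((kw.value for kw in call.keywords if kw.arg == name), None)


def scan_source(src: str, filename: str = "<constructed>") -> list[Finding]:
    """Walk every call expression in `src` and return findings sorted by line."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(src, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        fn, line = _dotted(node.func), node.lineno
        if fn == "os.system":
            findings.append(Finding("high", filename, line,
                "os.system runs a shell string; use subprocess with an argument list"))
        elif fn.startswith("subprocess."):
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append(Finding("high", filename, line,
                    f"{fn} with shell=True; pass an argument list and drop shell=True"))
        elif fn in ("pickle.load", "pickle.loads"):
            findings.append(Finding("critical", filename, line,
                f"{fn} instantiates arbitrary objects; never unpickle untrusted data"))
        elif fn == "yaml.load":
            loader = _keyword(node, "Loader")
            if loader is None and len(node.args) > 1:
                loader = node.args[1]          # Loader passed positionally
            if loader is None or not _dotted(loader).endswith(("SafeLoader", "CSafeLoader")):
                findings.append(Finding("critical", filename, line,
                    "yaml.load without SafeLoader; use yaml.safe_load"))
        elif fn in FILE_OPS:
            # A literal path cannot carry attacker-controlled '../'; anything else must be
            # resolved and checked against the intended base directory before use.
            if node.args and not isinstance(node.args[0], ast.Constant):
                findings.append(Finding("medium", filename, line,
                    f"{fn} on a non-literal path; confirm it is resolved and checked "
                    "to stay under the intended base directory (blocks ../ traversal)"))
    return sorted(findings, key=lambda f: f.line)


def report(findings: list[Finding]) -> list[str]:
    """Format findings as the checklist asks: severity, file, line, description."""
    return [f"[{f.severity.upper()}] {f.file}:{f.line} {f.description}" for f in findings]


# Constructed sample under review (not real project code); line numbers count from 1.
SAMPLE = """\
import os, subprocess, pickle, yaml

def run(cmd, path, blob, doc):
    os.system("ls " + cmd)
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", "-l"])
    obj = pickle.loads(blob)
    cfg = yaml.load(doc)
    ok = yaml.load(doc, Loader=yaml.SafeLoader)
    with open(os.path.join("/srv/data", path)) as fh:
        return fh.read()
"""

if __name__ == "__main__":
    for entry in report(scan_source(SAMPLE, "sample.py")):
        print(entry)
```

Run against the sample it reports five findings (lines 4, 5, 7, 8 and 10) and stays silent on the argument-list `subprocess.run` and the `SafeLoader` call. Because the path check only asks whether the argument is a literal, it will flag code that already validates its input; that is deliberate for a pre-pass, since the reviewer still has to read the surrounding lines to confirm the validation is there.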
Do not mark this review as complete until you have: