// Code review guide for all orchestrated sub-agents. Review process, quality thresholds, antipattern detection, giving/receiving feedback. Available to any agent regardless of role — read this SKILL.md when performing or receiving code reviews.
Unified desktop + browser automation. Routes DOM targets to CDP (cli-jaw browser), desktop apps to Computer Use, hybrid combos to both. Codex desktop/CLI + macOS required for Computer Use.
Backend engineering guide for orchestrated sub-agents. Framework-agnostic API design, clean architecture, database optimization, security hardening, systematic debugging. Modular: SKILL.md orchestrator + references/ for deep guidance. Injected when role=backend.
Data engineering and analysis guide for orchestrated sub-agents. Data pipelines, ETL/ELT design, data quality validation, SQL optimization, and analysis patterns. Injected when role=data.
Systematic debugging methodology for all orchestrated sub-agents. 4-phase root cause analysis: investigate → analyze → hypothesize → implement. Injected when encountering errors or during debugging phase.
Production-grade frontend with distinctive aesthetics. Detects stack and applies specialized rules. Modular: SKILL.md orchestrator + references/ for deep guidance. Injected when role=frontend.
PABCD orchestration workflow. Structured 5-phase development with user checkpoints. Injected during orchestration mode.
| name | dev-code-reviewer |
| description | Code review guide for all orchestrated sub-agents. Review process, quality thresholds, antipattern detection, giving/receiving feedback. Available to any agent regardless of role — read this SKILL.md when performing or receiving code reviews. |
Systematic code review patterns for finding real issues, not bikeshedding.
Before reviewing any code, verify:
Before reading a single line of code, run automated tools on changed files:
Run project-native linters, type checker, and tests before reviewing.
Pre-Scan Rules:
| Tool | Catches | Misses |
|---|---|---|
| ESLint/Ruff | Style, simple bugs, import issues | Architecture, business logic |
| tsc/mypy | Type errors, null safety | Runtime behavior, performance |
| Semgrep | Injection, auth bypass, SSRF | Complex multi-step vulnerabilities |
| npm audit/pip-audit | Known CVEs in deps | Zero-day, license issues |
Separation of concerns: Tools catch patterns; humans catch intent. Focus manual review on architecture, correctness, and business logic that tools cannot evaluate.
user is null on line 42"Flag these during review:
| Issue | Threshold | Severity |
|---|---|---|
| Long function | >50 lines | Medium |
| Large file | >500 lines (target 200-400) | Medium |
| God class | >20 methods | High |
| Too many parameters | >5 | Medium |
| Deep nesting | >4 levels | Medium |
| High cyclomatic complexity | >10 branches | High |
| Missing error handling | any unhandled async | High |
| Hardcoded secrets | API keys, passwords in source | Critical |
| SQL injection | string concatenation in queries | Critical |
| Debug statements | console.log, debugger left in | Low |
| TODO/FIXME | unresolved in production code | Low |
TypeScript any | bypassing type safety | Medium |
| Range | Interpretation |
|---|---|
| 200-400 lines | Healthy — easy to navigate and review |
| 400-500 lines | Acceptable — consider splitting if complexity is high |
| 500-800 lines | Review trigger — actively plan extraction |
| >800 lines | Split required — too large for effective review or AI context |
| Indicator | Verdict | Action |
|---|---|---|
| No high/critical issues | ✅ Approve | Merge |
| ≤2 high issues, clearly fixable | 🔧 Approve with suggestions | Fix before merge |
| Multiple high issues | ⚠️ Request changes | Author must address |
| Any critical issue | 🚫 Block | Cannot merge until resolved |
| Pattern | Symptom | Fix |
|---|---|---|
| God class | One class does everything | Split by single responsibility |
| Long method | Function does 5+ distinct things | Extract named helper functions |
| Deep nesting | 4+ levels of if/for/try | Guard clauses, early returns, extraction |
| Feature envy | Method uses another object's data more than its own | Move method to the data owner |
| Shotgun surgery | One change requires edits in 10+ files | Consolidate related logic |
| Pattern | Symptom | Fix |
|---|---|---|
| Boolean blindness | doThing(true, false, true) | Named options object or enum |
| Stringly typed | status === 'actve' (typo = silent bug) | Define enum or union type |
| Magic numbers | if (retries > 3) | Named constant: MAX_RETRIES = 3 |
| Primitive obsession | Passing 5 related strings around | Create a data object/type |
| Direct mutation | user.name = 'x', arr.push(y) | Immutable: {...obj, name: 'x'}, [...arr, y] |
| Missing boundary validation | Business logic handles raw user input | Schema validation (Zod, Pydantic) at API entry point |
| Pattern | Symptom | Fix |
|---|---|---|
| SQL injection | String concatenation in queries | Parameterized queries / prepared statements |
| Hardcoded secrets | apiKey = "sk-..." in source | Environment variables or secret manager |
| Missing validation | Raw user input passed to logic | Schema validation at API boundary |
| Overpermission | Broad access when narrow suffices | Principle of least privilege |
| Pattern | Symptom | Fix |
|---|---|---|
| N+1 queries | Loop → query per item | Batch fetch with WHERE IN (...) |
| Unbounded collections | .all() without LIMIT | Always paginate or set max |
| Missing index | Slow repeated lookups on same column | Add database index |
| Premature optimization | Complex caching for 10 rows | Profile first, optimize second |
| Pattern | Symptom | Fix |
|---|---|---|
| Floating promise | doAsync() without await | Always await or handle rejection |
| Callback hell | 4+ nested callbacks | Refactor to async/await |
| Missing timeout | External call can hang forever | Set timeout on all network calls |
For every review, scan for these OWASP-aligned red flags. Delegate to dev-security/SKILL.md for deep analysis.
| Check | Red Flag | Severity |
|---|---|---|
| Hardcoded secrets | apiKey = "sk-...", DB URLs in source | Critical |
| SQL/NoSQL injection | String concatenation in queries | Critical |
| Missing input validation | User input passed to logic without schema check | High |
| Missing auth check | Endpoint accessible without authentication | High |
| BOLA (Broken Object Auth) | No ownership check on object access (/users/:id without verifying caller owns resource) | High |
| Secrets in logs | console.log(req.body) leaking tokens/passwords | High |
| Check | When | Red Flag |
|---|---|---|
| SSRF | External URL from user input | No URL allowlist, no domain validation |
| Path traversal | File path from user input | No path sanitization, ../ not blocked |
| Mass assignment | Object spread into DB model | Object.assign(model, req.body) without allowlist |
| Dep vulnerabilities | New dependencies added | No npm audit/pip-audit run |
| Lockfile changes | package-lock.json modified | Unexpected dependency resolution changes |
Deep security analysis → invoke
dev-security/SKILL.md. This checklist catches surface-level issues during code review;dev-securityprovides OWASP Top 10 depth, ASVS checklists, and static analysis integration.
Scan every PR for these common performance pitfalls:
| Check | Red Flag | Fix |
|---|---|---|
| N+1 queries | Loop containing DB call or API fetch | Batch with WHERE IN (...) or DataLoader |
| Missing pagination | .findAll() or SELECT * without LIMIT | Add cursor-based or offset pagination |
| Missing index | New WHERE/JOIN column without index | CREATE INDEX on filtered/joined columns |
| Unbounded query | No LIMIT on user-facing list endpoints | Always set max page size |
| Check | Red Flag | Fix |
|---|---|---|
| Unnecessary re-renders | State updates in parent causing child re-render cascade | React.memo, useMemo, extract state down |
| Bundle size impact | New large dependency (>50KB gzipped) | Check bundlephobia.com, consider alternatives or lazy loading |
Missing key prop | List rendering without stable keys | Use unique ID, never array index for dynamic lists |
| Unoptimized images | Large images without next/image, loading="lazy", or srcset | Use framework image optimization |
| Check | Red Flag | Fix |
|---|---|---|
| Missing timeout | External HTTP call without timeout | Set timeout on all network requests |
| Sync blocking | CPU-intensive work on main thread/event loop | Offload to worker/queue |
| Memory leak | Event listeners/subscriptions without cleanup | Add cleanup in useEffect return / finally block |
When receiving review feedback:
Push back when:
How: Use technical reasoning. Reference working tests, existing code, or documented decisions. Never push back emotionally — always with evidence.
✅ "Fixed. Changed X to use parameterized query."
✅ "Good catch — the null check was missing. Added guard on line 42."
✅ Just fix it and show the result in code.
❌ "You're absolutely right!"
❌ "Great point! Thanks for catching that!"
❌ Any performative agreement without verification
| Situation | Priority |
|---|---|
| Before merge to main | Mandatory |
| After major feature completion | Mandatory |
| Before large refactoring | Mandatory |
| After complex bug fix | Recommended |
| When stuck on approach | Recommended |
| Small config/docs changes | Skip unless impactful |
| Severity | Action |
|---|---|
| Critical | Fix immediately, re-request review |
| High | Fix before proceeding to next task |
| Medium | Fix before merge, can continue other work |
| Low | Note for later, apply if trivial |
| Style | Apply if trivial, otherwise defer to team conventions |
Parallelize review only when domain breadth exceeds one reviewer's context (e.g., frontend + backend + infra in a single diff, or when the diff spans too many unrelated domains for a single pass). Each sub-agent receives its file subset, the review process from sections 1-5, and outputs structured findings. The orchestrator deduplicates, normalizes severity, and presents a unified review.
When external AI review tools are available, coordinate — don't duplicate:
| Tool | Strengths | Use When | Agent Focus Shifts To |
|---|---|---|---|
| GitHub Copilot Code Review | Full repo context, multi-model, auto-fix PRs | PR review on GitHub | Architecture, business logic, domain correctness |
| CodeRabbit | 40+ linters, learnable preferences, low false-positive | Team with .coderabbit.yml configured | Cross-service impact, subtle logic errors |
| SonarQube | Enterprise SAST, tech debt tracking, security depth | Regulated environments, existing setup | Review findings, add context tools miss |
| Manual agent review | Full codebase understanding, intent verification | No external tools, offline, sensitive code | Everything — full §1-5 process |
Coordination rule: If an external AI tool already reviewed the PR, read its findings first, then focus manual review on what the tool explicitly cannot do: architectural fit, business intent alignment, and cross-system impact.