| name | code-review |
| description | Code review checklists and patterns for Pennyfarthing. Use when reviewing PRs, self-reviewing code, or checking for common issues before commit. |
Code Review Skill
Review code against the checklists below. Focus on authorization, error handling, TypeScript/React patterns, and performance.
Code review comments using [MUST FIX], [SUGGESTION], [QUESTION], [NICE] prefixes
Overview
This skill provides code review patterns and checklists for the Pennyfarthing project. Use this when reviewing PRs or self-reviewing before commit.
Review Checklists
API Handler Review
UI Component Review
Database Changes
TypeScript/React
Common Review Issues
Authorization
if len(clientIDs) == 0 {
return http.StatusForbidden
}
clientIDs, err := utils.GetClientIDsForQuery(user, h.db)
Error Messages
http.Error(w, err.Error(), 500)
log.Error("database error", "error", err, "user_id", user.ID)
http.Error(w, "Internal server error", 500)
TypeScript Imports
import { SomeType } from './types';
import type { SomeType } from './types';
React Query
const { data } = useQuery({
queryKey: ['items', clientId],
queryFn: () => fetchItems(clientId),
});
const { data } = useQuery({
queryKey: ['items', clientId],
queryFn: () => fetchItems(clientId),
enabled: !!clientId,
});
Approval Criteria
Must Have for Approval
- Tests pass - All CI checks green
- No security issues - Auth, input validation, no SQL injection
- No breaking changes - Or migration path provided
- Code follows patterns - Consistent with existing codebase
Nice to Have
- Documentation updated
- Performance considered
- Error messages helpful
- Edge cases handled
Security Checklist
Performance Checklist
Review Comments Format
Requesting Changes
**[MUST FIX]** This leaks internal error details to the client.
Suggest: Use a generic message and log the details server-side.
Suggestions
**[SUGGESTION]** Consider using `useMemo` here since this calculation
runs on every render.
Questions
**[QUESTION]** What happens if `clientId` is undefined? Should we
add an early return or enabled flag?
Praise
**[NICE]** Good use of the centralized auth utility here!
Recent Learnings
| Date | Issue | Resolution |
|---|
| Dec 2024 | Admin 403 errors | Use GetClientIDsForQuery() |
| Dec 2024 | Type import errors | Use import type |
| Dec 2024 | Role-based filtering | Check analyst vs manager vs admin |
| Dec 2024 | Error boundaries | Wrap risky components |