review-code
// Pre-commit code review for production-critical issues. Use when reviewing staged changes, before committing, or when asked to review code for bugs and consistency issues.
| Field | Value |
|---|---|
| name | review-code |
| description | Pre-commit code review for production-critical issues. Use when reviewing staged changes, before committing, or when asked to review code for bugs and consistency issues. |
| allowed-tools | Bash, Read, Glob, Grep, Edit, Task, LSP |
| argument-hint | [base-branch] |
Review staged changes for production-critical issues before committing. This catches the kinds of bugs that CI review bots find — type safety violations, IPC contract mismatches, missing references, and frontend/backend inconsistencies. Uses 14 parallel review agents for comprehensive coverage.
Review the same diff GitHub would show on a PR: all changes on the current branch relative to origin/main. This uses the merge base so it only includes changes introduced by this branch, not unrelated commits on main.
The user may specify a different base branch via $ARGUMENTS (e.g., /review-code origin/develop).
```
git fetch origin main
git merge-base origin/main HEAD
git diff --name-only <merge-base>
git diff <merge-base>
```

Categorize the changed files by area: main process (src/main/), renderer (src/renderer/), preload (src/preload/), shared types (src/shared/), database (src/main/db/), tests (tests/), agents (src/agents*/, src/extensions*/).

For every changed file, read the full current contents in parallel (not just the diff hunks). The diff shows what changed, but many issues — missing hook dependencies, stale closures, inconsistent patterns — require surrounding context to detect.
Also read closely related files in parallel based on file type (for example playwright.config.ts for E2E tests). See project-specific.md File Reading Hints for additional codebase-specific file relationships.
Also read review-patterns.md and project-specific.md from this skill directory and distribute relevant sections to each agent.
Use Glob and Grep to find related files efficiently. Issue all file reads in a single batch of parallel Read calls.
Create a team with TeamCreate (team name: code-review), then spawn all 14 agents simultaneously as teammates. Each agent receives the diff, the list of changed files, and the full file contents from Step 2, and returns a list of issues with confidence scores (0-100). Only launch agents whose categories are relevant to the changed files — skip agents that have nothing to check. Run all agents in the background and collect results as they complete.
Agent 1 — Type Safety & References
What it checks:
- `any` types introduced in the diff (CLAUDE.md violation)
- `as` assertions that bypass type checking — prefer type guards
- Run npx tsc --noEmit and report errors in changed files

See project-specific.md Agent 1 section for codebase-specific checks.
Detection heuristics:
grep for: `as any`, `: any`, `as unknown as`, `(window as any)`
Agent 2 — IPC Contract Consistency
There are 5 boundaries that must stay in sync:
- window.api.X() → verify X exists in preload
- ipcRenderer.invoke('channel:name') → verify ipcMain.handle('channel:name') exists
- Promise<unknown> → verify renderer checks .success before .data

See project-specific.md Agent 2 section for codebase-specific checks and known pitfalls.
Detection heuristics:
grep for: ipcMain.handle\( in changed files → verify preload has matching invoke
grep for: window.api\. in renderer → verify exists in preload
grep for: mainWindow.webContents.send\( → verify listener in renderer
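One way to run Agent 2's first three heuristics as a script, written here as an added example (not the skill's or the project's own code); the channel names, api methods and the three source snippets are constructed stand-ins for src/main, src/preload and src/renderer:

```python
import re

# Constructed sample sources standing in for src/main, src/preload and src/renderer;
# the channel names and api methods are made up for this example.
MAIN_SRC = """
ipcMain.handle('drafts:save', async (_e, draft) => saveDraft(draft));
ipcMain.handle('drafts:list', async () => listDrafts());
"""
PRELOAD_SRC = """
contextBridge.exposeInMainWorld('api', {
  saveDraft: (d) => ipcRenderer.invoke('drafts:save', d),
  listDrafts: () => ipcRenderer.invoke('drafts:list'),
  deleteDraft: (id) => ipcRenderer.invoke('drafts:delete', id),
});
"""
RENDERER_SRC = """
const res = await window.api.saveDraft(draft);
const all = await window.api.listDrafts();
await window.api.archiveDraft(id);
"""

HANDLE_RE = re.compile(r"ipcMain\.handle\(\s*['\"]([^'\"]+)['\"]")
INVOKE_RE = re.compile(r"ipcRenderer\.invoke\(\s*['\"]([^'\"]+)['\"]")
EXPOSED_RE = re.compile(r"^\s*(\w+)\s*:\s*\(", re.MULTILINE)  # methods of the exposed api object
WINDOW_API_RE = re.compile(r"window\.api\.(\w+)\(")


def check_ipc_contract(main_src, preload_src, renderer_src):
    """Cross-reference the three IPC layers and return every mismatch found."""
    handled = set(HANDLE_RE.findall(main_src))
    invoked = set(INVOKE_RE.findall(preload_src))
    exposed = set(EXPOSED_RE.findall(preload_src))
    used = set(WINDOW_API_RE.findall(renderer_src))
    return {
        # preload invokes a channel nobody handles: the call rejects at runtime
        "invoke_without_handler": sorted(invoked - handled),
        # handler exists but preload never invokes it: dead or forgotten wiring
        "handler_without_invoke": sorted(handled - invoked),
        # renderer calls window.api.X but preload does not expose X: TypeError at runtime
        "api_without_preload": sorted(used - exposed),
    }


if __name__ == "__main__":
    for kind, names in check_ipc_contract(MAIN_SRC, PRELOAD_SRC, RENDERER_SRC).items():
        print(f"{kind}: {names or 'ok'}")
```

Run over real files by reading the three directories into the three strings; the regexes only cover string-literal channel names, so channels built from constants need a second pass.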
Agent 3 — Database & Data Integrity
What it checks:
- INSERT OR REPLACE resetting flags that should be preserved — use ON CONFLICT DO UPDATE with explicit column handling
- ON CONFLICT clauses: verify they preserve important fields AND reset fields that should change
- LIKE '%pattern%' matching unintended rows — use JSON functions or exact equality
- Queries missing an accountId WHERE clause

See project-specific.md Agent 3 section for codebase-specific checks and known pitfalls.
Detection heuristics:
grep for: INSERT OR REPLACE → verify not resetting flags
grep for: LIKE '%.*%' → verify not matching unintended patterns
grep for: COALESCE → verify not preserving stale values
grep for: UPDATE|DELETE|SELECT without accountId in WHERE
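To show what the INSERT OR REPLACE check guards against, here is an added example (not the project's code) that runs both forms against an assumed SQLite table with a user-set is_blocked flag; the schema, column names and rows are constructed for the demo:

```python
import sqlite3

# Assumed schema for this example (not the project's real schema): a per-account sender
# table where is_blocked is a user-set flag that must survive metadata refreshes.
SCHEMA = """
CREATE TABLE senders (
  account_id TEXT NOT NULL, email TEXT NOT NULL, name TEXT,
  is_blocked INTEGER NOT NULL DEFAULT 0,
  PRIMARY KEY (account_id, email));
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed seed row: the user blocked this sender earlier.
    conn.execute("INSERT INTO senders VALUES (?, ?, ?, 1)", ("acct-1", "a@example.com", "Alice"))
    return conn

def upsert_replace(conn, account_id, email, name):
    # Pattern Agent 3 flags: REPLACE deletes the old row and inserts a new one, so every
    # column not listed here (is_blocked) silently falls back to its DEFAULT.
    conn.execute("INSERT OR REPLACE INTO senders (account_id, email, name) VALUES (?, ?, ?)",
                 (account_id, email, name))

def upsert_on_conflict(conn, account_id, email, name):
    # Hardened form: ON CONFLICT DO UPDATE with explicit column handling; only name is
    # refreshed and the existing is_blocked value is left untouched.
    conn.execute("INSERT INTO senders (account_id, email, name) VALUES (?, ?, ?) "
                 "ON CONFLICT (account_id, email) DO UPDATE SET name = excluded.name",
                 (account_id, email, name))

def blocked_flag(conn, account_id, email):
    # Every lookup is scoped by account_id, as the accountId WHERE-clause check requires.
    row = conn.execute("SELECT is_blocked FROM senders WHERE account_id = ? AND email = ?",
                       (account_id, email)).fetchone()
    return None if row is None else row[0]

def demo():
    # Returns (flag after INSERT OR REPLACE, flag after ON CONFLICT DO UPDATE): (0, 1)
    c1, c2 = fresh_db(), fresh_db()
    upsert_replace(c1, "acct-1", "a@example.com", "Alice Smith")
    upsert_on_conflict(c2, "acct-1", "a@example.com", "Alice Smith")
    return blocked_flag(c1, "acct-1", "a@example.com"), blocked_flag(c2, "acct-1", "a@example.com")
```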
Agent 4 — React Patterns & State Management
What it checks:
- useCallback, useEffect, useMemo, useLayoutEffect in changed files: verify ALL referenced variables are in the dep array
- useEffect that syncs one state to another
- Dependency arrays: [arr.length > 0] should be [arr.length]

See project-specific.md Agent 4 section for codebase-specific checks.
Detection heuristics:
grep for: useCallback|useEffect|useMemo|useLayoutEffect → read full function body → verify deps
grep for: useRef.*useState.*return null|return → check hook ordering around returns
grep for: iframe.*onload → check if set before src
grep for: setTimeout|setInterval → check for clearTimeout in cleanup
grep for: dangerouslySetInnerHTML → check for DOMPurify (cross-ref with Agent 8)
Agent 5 — Test Quality & Infrastructure (only if test files changed)
What it checks:
- Tests that use toContain on JSX source strings
- test.describe.configure({ mode: 'serial' })
- tanstack-virtual renders only visible rows — count assertions are viewport-bound
- Shortcuts pressed as Meta+k but CI is Linux (should use Ctrl+k)
- mkdirSync with { recursive: true }

See project-specific.md Agent 5 section for codebase-specific checks.
Agent 6 — Async Logic & Race Conditions
What it checks:
- Flags set to true before an async op MUST be reset in a finally block
- Guards such as if (processing) return

See project-specific.md Agent 6 section for codebase-specific checks and known pitfalls.
Detection heuristics:
grep for: isProcessing|isLoading = true → verify finally block sets false
grep for: getState\(\) → check for await between get and use
grep for: requestIdleCallback|setTimeout → verify handle stored and cancelled
grep for: async.*\{[^}]*\} without await in caller
Agent 7 — Error Handling & Resource Leaks
What it checks:
See project-specific.md Agent 7 section for codebase-specific checks and known pitfalls.
Detection heuristics:
grep for: \.then\( without \.catch\(
grep for: addEventListener|\.on\( in React → verify cleanup return
grep for: new Map|new Set at module level → check for cleanup
grep for: catch.*\{[^}]*\} → check if error is surfaced to user
grep for: removeAllListeners\(\) → verify scope
grep for: JSON\.stringify → check for circular reference risk
Agent 8 — Security & Input Validation
What it checks:
- path.join(base, userInput) without path.basename()
- base64url conversion without = padding

See project-specific.md Agent 8 section for codebase-specific XSS surfaces and known pitfalls.
Detection heuristics:
grep for: dangerouslySetInnerHTML → verify DOMPurify.sanitize wraps content
grep for: path\.join.*filename|path\.join.*name → verify path.basename
grep for: addEventListener.*message → verify origin check
grep for: LIKE.*\$\{|LIKE.*\+.*\+ → verify parameterized
grep for: postMessage.*\* → verify specific origin
grep for: API_KEY|SECRET|TOKEN|CREDENTIAL → verify not in source
grep for: \.replace\(/-/g → verify = padding added
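Added example (not the project's code) of the hardened forms behind two of Agent 8's heuristics: the path.basename() guard for path.join(base, userInput), plus a containment check as defence in depth, and the = padding restore that the base64url heuristic (also used by Agent 11) looks for; the temp directory and inputs are constructed:

```python
import base64
import os
import tempfile

def safe_join(base, user_input):
    # Agent 8 check: reduce a user-supplied name to its basename so "../" segments and
    # directories are dropped, then confirm the resolved path still lives under base.
    name = os.path.basename(user_input)
    if name in ("", ".", ".."):
        raise ValueError(f"invalid filename: {user_input!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes base: {user_input!r}")
    return target

def b64url_decode(data):
    # Agent 8 / Agent 11 check: converting base64url to base64 is only half the job; the
    # '=' padding that base64url strips must be restored or decoding fails on most inputs.
    std = data.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)

def demo():
    # Constructed inputs; the temp dir stands in for an attachments directory.
    base = tempfile.mkdtemp()
    kept = os.path.basename(safe_join(base, "../../etc/passwd"))  # "passwd"
    try:
        safe_join(base, "..")
        rejected = False
    except ValueError:
        rejected = True
    return kept, rejected, b64url_decode("aGVsbG8gd29ybGQ"), b64url_decode("-_8")
```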
Agent 9 — Data Loss & Field Preservation
What it checks:
- IS NOT NULL true for fields that should remain unchanged
- Stripping + or other valid RFC characters from addresses
- array.some(predicate) returns true but subsequent action targets a different item than the one that matched

See project-specific.md Agent 9 section for codebase-specific field lists.
Detection heuristics:
grep for: { body:.*subject: without ...existing spread
grep for: COALESCE → verify NULL handling
Agent 10 — Cross-Account & Multi-Context Safety
What it checks:
- accounts[0] instead of active: using first item instead of currently selected for context-dependent operations

See project-specific.md Agent 10 section for codebase-specific checks and known pitfalls.
Detection heuristics:
grep for: new Map|new Set → check if keys include context scope
grep for: threadId|emailId as standalone key → verify context prefix
grep for: accounts\[0\] → verify this is intentional
grep for: WHERE.*threadId|WHERE.*email_id without context scope
grep for: addEventListener|\.on\( → verify context filter
Agent 11 — Email/RFC Compliance & String Handling
What it checks:
- .split(",") on address headers corrupts addresses

See project-specific.md Agent 11 section for codebase-specific checks.
Detection heuristics:
grep for: \$\{.*name.*\}.*<\$\{.*email → verify RFC 5322 quoting
grep for: replace\(/-/g.*replace\(/_/g → verify = padding
grep for: \.split\(.*,.*\) on email headers → verify handles quoted commas
grep for: toLowerCase\(\) in email comparisons → verify consistency
grep for: <[^>]+> for tag stripping → verify not matching legitimate content
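Added example (not the project's code) showing why .split(",") corrupts addresses and what the RFC 5322 quoting check expects; the header and names are constructed, and the splitter is a small state machine for quotes and angle brackets rather than a full RFC 5322 parser:

```python
def split_addresses(header):
    # Split an address header on commas that are outside double quotes and angle
    # brackets. Naive header.split(",") breaks on display names like "Smith, Jane".
    parts, buf, in_quotes, depth, i = [], [], False, 0, 0
    while i < len(header):
        ch = header[i]
        if in_quotes and ch == "\\" and i + 1 < len(header):
            buf.extend((ch, header[i + 1]))  # quoted-pair: keep the escaped char
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch == "<":
            depth += 1
        elif not in_quotes and ch == ">":
            depth = max(0, depth - 1)
        elif ch == "," and not in_quotes and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts

def format_address(name, email):
    # RFC 5322: a display name containing specials (comma, quotes, ...) must be a
    # quoted-string, otherwise the comma is read as an address separator.
    specials = '()<>[]:;@\\,."'
    if any(c in specials for c in name):
        name = '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{name} <{email}>"

# Constructed header: a quoted display name with a comma and a sub-addressed local part.
HEADER = '"Smith, Jane" <jane@example.com>, bob+filter@example.com, Team <team@example.com>'

def demo():
    # Returns (correct split, naive split, correctly quoted address).
    return split_addresses(HEADER), HEADER.split(","), format_address("Smith, Jane", "jane@example.com")
```

The naive split yields four fragments for three addresses, and the + in bob+filter survives intact, which is the Agent 9 concern about stripping valid RFC characters.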
Agent 12 — Build, Packaging & Electron
What it checks:
See project-specific.md Agent 12 section for codebase-specific checks and known pitfalls.
Detection heuristics:
grep for: __dirname in main process → verify packaged path handling
grep for: app\.getPath at module level → verify not at import time
grep for: removeAllListeners\(\) → verify not too broad
grep for: asar.*unpack → verify minimal glob
Agent 13 — Concurrency, Deduplication & Performance
What it checks:
See project-specific.md Agent 13 section for codebase-specific checks and known pitfalls.
Detection heuristics:
grep for: queue|backlog|pending → verify dedup across all collections
grep for: for.*of.*await → check if calls can be parallelized
grep for: setInterval|setTimeout in effects → verify not churning
grep for: processQueue|processNext → verify no recursion risk
Agent 14 — Agent/AI Integration (only if agent/AI files changed)
What it checks:
See project-specific.md Agent 14 section for codebase-specific checks and known pitfalls.
Detection heuristics:
grep for: yield.*done|emit.*done → verify single terminal event
grep for: abortController|AbortController → verify signal passed to SDK
After all agents complete, deduplicate findings where multiple agents flagged the same issue from different angles. Keep the highest-confidence version and note which agents agreed (agreement between agents increases effective confidence by 10 points).
Look for patterns across individual findings:
Each agent assigns a confidence score (0-100) to each finding:
| Score | Meaning |
|---|---|
| 0-25 | Likely false positive, or pre-existing issue not introduced by this diff |
| 25-50 | Might be real but could be a nitpick or unlikely in practice |
| 50-75 | Real issue but low severity or narrow impact |
| 75-89 | Verified real issue that will likely cause problems in production |
| 90-100 | Confirmed critical — will definitely cause a bug, crash, or security vulnerability |
Only report issues scored 75 or above.
Scoring adjustments:
- Patterns matching project-specific.md (these are confirmed historical bugs)

Do NOT flag these — they are the most common false positives from CI review bots:

- Issues tsc would catch (report tsc errors in a separate section, don't duplicate)
- `any` or `as` with an explanatory comment or lint-ignore

See project-specific.md False Positive Filters for codebase-specific filters.
Group findings in this format:
```markdown
## Code Review Results

### Critical (score 90-100)
[findings with exact file:line, what's wrong, production impact, suggested fix]

### Important (score 75-89)
[findings]

### Systemic Patterns
[patterns detected across multiple findings]

### High-Risk Files
[files flagged by 3+ agents]

### Type Errors (from tsc)
[if any]

Found X critical, Y important issues across Z files. Reviewed by 14 agents.
```
For each finding:
If no issues scored 75+: "No high-confidence issues found. Reviewed [N] files across [categories]."
After presenting the report, act on the findings:
Simple fixes (single-line changes, missing null checks, adding a variable to a dependency array, clearing state in an existing useLayoutEffect, adding path.basename()) — just fix them directly. No need to ask or plan.
Non-trivial fixes (architectural changes, new error handling paths, refactoring async flow, adding rollback logic to optimistic updates) — enter plan mode first. Present the plan with the specific issues being addressed, the files that will change, and the approach for each fix. Wait for approval before making changes.
Type errors from tsc — fix directly if the fix is obvious from the error message. If the error reveals a deeper type design problem, plan first.
After all fixes are applied, re-run npx tsc --noEmit to verify no new type errors were introduced by the fixes. If the fixes touched IPC boundaries, re-run the relevant IPC contract checks from Agent 2 to confirm consistency.