// Perform a project-wide full-scope code review covering correctness, security auditing, test coverage, locale sync, documentation quality, code smells, UI/UX accessibility, and project conventions, then report findings and fix critical issues.
Manage the full software release process, including version bumps, changelogs, Git tags, and GitHub releases.
Stage, commit, and push changes to the remote repository with a well-formed commit message.
Audit and update all project documentation to stay in sync with the current development status.
| name | code-review |
| description | Perform a project-wide full-scope code review covering correctness, security auditing, test coverage, locale sync, documentation quality, code smells, UI/UX accessibility, and project conventions, then report findings and fix critical issues. |
When performing a code review, conduct a full project-wide sweep — do not limit scope to recent changes. Read broadly across the codebase and apply every check below.
Before reviewing, understand the system's current shape:
CLAUDE.md for architecture, conventions, and known gotchaslib/ directory structure: all contexts, LiveViews, controllers, components, schemasdoc/TODOs.md for known issues that may overlap with findingsnil/{:error, _} guardsRepo.preload, N+1 risks, missing FOR UPDATE locks on counter updates (use Ecto.Multi), unescaped ILIKE inputs (require Repo.sanitize_like/1)handle_info clauses for all subscribed PubSub topics, stale socket assigns after redirects, race conditions between mount and handle_paramsBaudrate.Pagination (paginate_opts/3 + paginate_query/3) — no hand-rolled LIMIT/OFFSETpublished_at (original feed entry date, bot posts only) vs inserted_at (local creation) — usage must match intentap_id post-insert; Publisher falls back to Federation.actor_uri/2 only when stored ap_id is nildeleted_at; queries must filter is_nil(deleted_at) where appropriateInformation security is the top priority. Treat every finding as potentially exploitable.
Input and injection
String.to_atom/1 on any external or user input (atom table exhaustion)Baudrate.Sanitizer.Native (Ammonia NIF) before storage{@var} (auto-escaped); {:safe, ...} never wraps untrusted content (XSS)fragment() (SQL injection)Network and federation
Req (never HTTPoison, Tesla, httpc)Authentication and authorization
on_mount hook (:require_auth, :require_admin, :require_admin_or_moderator, :require_admin_totp, etc.):require_admin_totp) enforced on all admin-only actions — 10-minute TOTP re-verification windowis_bot: true) rejected by authenticate_by_password/2; managed exclusively via Baudrate.Bots contextKey material and secrets
KeyVault; TOTP secrets via TotpVault; no plaintext secrets in DB or logsKeyStore.ensure_user_keypair/1 called before enqueuing any signed outbound activityHTTPSignature.sign/5 / sign_get/3 must not return a "host" header (causes signature verification failures)File handling
OWASP Top 10 checklist — cross-check each category: A01 Broken Access Control · A02 Cryptographic Failures · A03 Injection · A04 Insecure Design · A05 Security Misconfiguration · A06 Vulnerable Components · A07 Auth Failures · A08 Software Integrity · A09 Logging Failures · A10 SSRF
test/ mirroring lib/BaudrateWeb.ConnCase; context tests use Baudrate.DataCaseProcess.sleep for timestamp ordering — use Repo.update_all with explicit timestamps insteaddesc: :id)BaudrateWeb.RateLimiter.Sandbox.set_global_response({:allow, 1}) in tests that hit rate-limited pathsfederation_async: false in config/test.exs) — no async Task racesgettext() — no bare English strings in templates, flash messages, HTML attributes (title, aria-label, placeholder), feed metadata, or error messages%{var} interpolation used inside gettext() — never Elixir string interpolation ("#{}")lib/ and priv/gettext/en/, verify that both priv/gettext/zh_TW/ and priv/gettext/ja_JP/ .po files contain translations for every msgidBoard → zh_TW: 看板 (not 版面/板塊), ja_JP: 掲示板 (not ボード)User → zh_TW: 使用者 (not 用戶)msgid entries remaining in .po files after string removal@moduledoc present and accurate for every public-facing module; @doc on every public function with non-obvious behaviourdoc/development.md reflects current architecture, contexts, auth flow, federation mechanicsdoc/sysop.md reflects current installation, configuration, and maintenance proceduresdoc/api.md documents all public AP and web API endpointsdoc/TODOs.md contains no items already completedCLAUDE.md — stack table, key gotchas, and project conventions match the current codebaseREADME.md — feature list, prerequisites, and acknowledgements are currentwith chains that should be broken into named stepsIO.inspect / dbg calls, commented-out blocks:code.priv_dir/1 in module attributes (@var); use Application.app_dir(:baudrate, "priv/...") in functions (runtime resolution)Repo writes to settings/boards must call SettingsCache.refresh() / BoardCache.refresh() manually[120, 48, 36, 24] only — never string namesSemantic HTML
<section aria-labelledby="…"> for headed content areas<article> for self-contained content items in lists<aside> for supplementary content<nav> for navigation landmarksid attributes on content containers; unique id + semantic CSS class on each list itemWAI-ARIA compliance
aria-label, or aria-labelledbyaria-live appropriatelyrole="dialog" + aria-modal="true" presentaria-label or visually-hidden text<label> elements (via for/id or wrapping); error messages linked via aria-describedbyKeyboard and focus
data-focus-target present on primary content container in list/browse pages for post-navigation auto-focusapp.css focus-visible styles)Responsive design
Colour and contrast
Layout correctness
{@inner_content} (not @inner_block) in layouts<Layouts.app> (causes duplicate flash IDs)Present all findings grouped by severity:
| Severity | Criteria |
|---|---|
| Critical | Security vulnerabilities, data loss, auth bypass, key material exposure — fix immediately |
| Major | Logic errors, missing test coverage for observable behaviour, broken conventions that cause runtime failures, a11y barriers that block screen-reader or keyboard users |
| Minor | Style, clarity, missing docs, i18n gaps, cosmetic a11y issues, minor code smells |
For each finding: cite the file and line number, describe the issue, explain the impact, and provide a concrete fix.
After reporting, apply fixes for all Critical and Major findings directly. Then run the full test suite:
for p in 1 2 3 4; do MIX_TEST_PARTITION=$p mix test --partitions 4 --seed 9527 & done; wait
Do not consider the review complete until all tests pass. Diagnose and resolve any failures before finishing.