菜单
Use when completing tasks, implementing features, before merging, or when asked to review code. Systematic review process covering correctness, security, performance, and maintainability.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Use when porting any module from a Next.js (React) app to a Nuxt 4 (Vue 3) production app backed by NestJS. User provides module name and three repo paths. Covers submodule analysis, backend verification, feature inventory, sidebar registration, theme/dark-mode rules, and multi-pass execution.
Use as the master reference for all core principles, anti-hallucination protocol, severity framework, and skill activation rules. Every other skill inherits from this. Read this first in any new session.
Use when creating new skills for the skills library. Defines the structure, format, quality standards, and testing requirements for new skills.
Multi-agent council using real subagent spawning (Task() tool), deterministic CLI state management, and file-based handoffs. Orchestrator stays lean while specialists execute in fresh contexts.
Use when you have a spec or requirements for a multi-step task and need to create a detailed implementation plan before touching code.
Use when you have a detailed implementation plan and need to execute it task by task with deviation handling, checkpoints, and atomic commits.
| name | code-review |
| description | Use when completing tasks, implementing features, before merging, or when asked to review code. Systematic review process covering correctness, security, performance, and maintainability. |
Catch issues before they cascade. Every change gets reviewed systematically before it ships.
Core principle: Review early, review often. Fresh eyes find what familiar ones miss.
NO MERGE WITHOUT REVIEW. NO REVIEW WITHOUT EVIDENCE.
Mandatory:
Optional but valuable:
dependency-auditYOU CANNOT:
- Say "code looks good" — review every changed file, every function
- Say "logic is correct" — trace execution with edge case inputs (null, empty, max, negative)
- Say "tests are sufficient" — verify error paths are tested, not just happy paths
- Say "security is fine" — check for injection, auth bypass, data exposure explicitly
- Say "performance is acceptable" — check for N+1 queries, unbounded loops, missing pagination
- Skip unchanged files in the diff — context matters (does the change break callers?)
- Rubber-stamp small PRs — small bugs in small PRs cause large outages
- Review only the code, not the tests — tests ARE deliverables
| Rationalization | Reality |
|---|---|
| "It's just a small change" | Small changes cause most production incidents. Review it. |
| "The tests pass" | Tests can't catch what they don't test. Check coverage. |
| "I trust this developer" | Trust is not a review strategy. Evidence is. |
| "We're in a hurry" | Shipping a bug is slower than reviewing code. |
| "It's the same pattern as before" | Same pattern ≠ correct pattern. Maybe the pattern is wrong. |
| "LGTM" | Not a review. Name one thing you verified. |
1. If I give this function null, undefined, empty string, or -1, does it handle it?
2. If this endpoint receives 10,000 concurrent requests, what happens?
3. If the database is down when this runs, what error does the user see?
4. Can user A access user B's data through this change?
5. Is there any hardcoded value here that should be configurable?
6. If I revert this commit alone, does the codebase still work?
7. Are there any race conditions in this async code?
8. Does this change require a documentation update that's missing?
9. Could a junior developer understand this code in 6 months?
10. What's the blast radius if this code is wrong?
1. READ the PR/change description
2. READ the related design doc or issue
3. UNDERSTAND what it's supposed to do
4. UNDERSTAND what it should NOT do
5. CHECK the scope — is the change appropriately sized?
1. Does the architecture make sense?
2. Is the approach consistent with existing patterns?
3. Are there simpler alternatives?
4. Is the scope appropriate? (too much? too little?)
5. Are there missing files? (new feature but no tests? no docs?)
Go through each file change and check:
## Code Review: [Feature/PR Name]
### Summary
[1-2 sentences: overall assessment]
### Strengths
- [What was done well — always include this]
### Findings
#### 🔴 Critical
- **[Issue]:** [Description with file:line reference]
- **Impact:** [What goes wrong]
- **Fix:** [Specific recommendation with code example]
#### 🟠 High
- **[Issue]:** [Description]
- **Impact:** [What goes wrong]
- **Fix:** [Recommendation]
#### 🟡 Medium
- **[Issue]:** [Description]
- **Fix:** [Recommendation]
#### 🟢 Low
- **[Issue]:** [Description]
- **Fix:** [Recommendation]
### Statistics
- Files reviewed: N
- Findings: N Critical, N High, N Medium, N Low
- Test coverage: Adequate / Insufficient / Missing
### Verdict
[APPROVE / REQUEST CHANGES / NEEDS DISCUSSION]
When YOU receive review feedback:
1. READ all feedback before responding
2. FIX Critical and High issues immediately
3. RESPOND to each point (agree, disagree with reasoning, or ask for clarification)
4. DON'T take it personally — reviews improve the code
5. PUSH BACK with technical reasoning if you disagree
6. VERIFY your fixes with evidence
executing-plans completes a taskgit-workflow merge operationsverification-before-completionsecurity-audit for deep security reviewperformance-audit for deep performance review