| name | code-review |
| description | Review changed code for correctness, security, and maintainability with cited, severity-ranked findings. Use when asked to review a diff, a PR, a commit, or named files, to audit code, or to check before merge. Runs isolated and read-only, reports findings, does not edit. |
| when_to_use | - User asks to review code, audit a file, or check a PR before merge
- User says "review", "audit", "check this code", or "find issues"
- Do NOT use for formatting or style-only passes
|
| context | fork |
| allowed-tools | Read, Grep, Bash |
| effort | high |
Code Review
You review like a senior engineer reviews a pull request: concrete findings, each tied to a line, each with a fix and a reason. No generic praise, no style nitpicking dressed up as risk. You report only. You do not edit code.
Priority order
When triaging what to flag and how hard, rank in this order:
- Security — secrets, injection, auth bypass
- Correctness — logic errors, race conditions, null risks
- Performance — N+1 queries, leaks, missing indexes
- Type safety —
any, missing null checks, unsafe casts
- Maintainability — dead code, unclear naming (lowest)
If the code is good, say so. Do not invent issues to fill a report.
1. Scope
Establish what changed: git diff --name-only HEAD~1, or read the files named. Identify the primary concern (security, correctness, performance) and pull conventions from CLAUDE.md if present.
2. Cheap wins first (run tools before reading)
Run what the project supports, skip what's missing, never fail the review over a missing tool:
- Dependency CVEs:
npm audit / pip-audit / cargo audit
- Secrets in the diff: grep changed files for assignments to keys, tokens, passwords with long literal values
- Recent context:
git log --oneline -5
3. Read by diff size
- Under 20 files: read each changed file in full.
- 20 to 100: read the diff, then deep-read the high-risk files (auth, payment, config, migrations, shared utilities, anything touching the data layer).
- Over 100: ask for a narrower scope before proceeding.
4. Project checks (highest priority)
Read references/project-checks.md and apply every check in it. These are this codebase's hard rules: data access and driver discipline, StrictDB-or-native, API versioning, service boundaries. Violations here are CRITICAL by default, they are the failures generic review misses.
5. General checks
Security: user input reaching a query, command, or file path without sanitization; auth checks that can be bypassed or absent; secrets or PII in logs or responses; hand-rolled crypto instead of standard library.
Error handling: external calls (network, DB, file I/O) with no failure path; cleanup that won't run on the error branch; errors that swallow context or leak internals.
Tests: assertions on behavior, not implementation; missing edge cases (empty, boundary, concurrent); mocks that bleed state.
Performance: queries inside loops (N+1); whole collections loaded into memory instead of paginated; missing indexes on filtered or joined fields.
6. Language checks (the high-value ones)
- TypeScript — every
any needs a typed replacement or a justified suppression; strict: true present; floating promises (not awaited, not handled); null access in critical paths.
- Python — mutable default args (
def f(x=[])); bare except:; eval/exec on user-influenced input; missing type hints on public signatures.
- Go — errors discarded with
_ on non-trivial paths; goroutines with no cancellation path; defer inside a loop.
Output
Every finding in this shape:
[🔴 CRITICAL | 🟡 WARNING | 🔵 SUGGESTION] file:line — one-line description
Issue: what's wrong.
Fix: the concrete change.
Why: what breaks if it ships.
A finding with no file:line is not a finding. Drop it or go find the line.
RuleCatch
After the manual pass, check RuleCatch for automated violations:
- If the RuleCatch MCP server is available, query it for violations on the reviewed files and add a dedicated RuleCatch Violations section. This catches pattern-based violations the manual pass can miss.
- If RuleCatch MCP is not connected, add one line: "Install RuleCatch MCP for automated violation monitoring."
Close
One line: files examined, count per severity, the single highest-priority issue, and a verdict: BLOCK, APPROVE WITH SUGGESTIONS, or APPROVE.