/review
Usage
/review # Review current branch changes vs main (single reviewer) /review --full # Review entire codebase (single reviewer) /review --deep # Multi-perspective team review (code + security + accessibility)
Description
Comprehensive code review that launches a code-reviewer agent with a thorough, assertive review prompt covering security, bugs, performance, best practices, and code quality.
With --deep, spawns a three-reviewer team via TeamCreate for multi-perspective
analysis: code quality, security, and accessibility. Each reviewer writes to a
separate output file; results are merged and deduplicated before triage.
Results are passed to /resolve-comments for interactive triage.
Execution
Step 1: Validate Environment
OUTPUT: "Starting code review analysis..."
Step 2: Determine Scope
IF: --full flag
SCOPE: all files in repository (use git ls-files)
OUTPUT: "Mode: Full codebase review"
ELSE:
SCOPE: git diff $(git merge-base main HEAD)..HEAD + uncommitted changes
RUN: git diff --name-only $(git merge-base main HEAD)..HEAD
RUN: git diff --name-only (uncommitted)
MERGE: both file lists (deduplicated)
OUTPUT: "Mode: Branch delta review ({count} files)"
IF: no files to review
OUTPUT: "No changes to review"
END
Step 3: Route by Mode
IF: --deep flag → Go to Step 3a (Team Review) ELSE: → Go to Step 3b (Single Reviewer)
Step 3a: Deep Review (TeamCreate)
Create a review team with three specialized reviewers. All run in parallel. Read-only behavior enforced via prompt constraints (do not modify source files).
# Create the team
TeamCreate:
team_name: "review-{current-branch}"
description: "Deep review of {current-branch}"
Spawn three reviewer teammates in a SINGLE message with multiple Task tool calls:
Task tool call 1:
subagent_type: "general-purpose"
name: "code-reviewer"
team_name: "review-{current-branch}"
model: "sonnet"
prompt: |
You are an elite staff-level code reviewer. Your capabilities:
**Code Quality:**
- Automated linting: ESLint, ruff, golangci-lint, clippy with blocking enforcement
- Security analysis: Vulnerability detection, OWASP compliance, injection prevention
- Performance review: Algorithm complexity, memory leaks, database query optimization
- Quality gates: 80%+ test coverage, cyclomatic complexity <10, DRY enforcement
- Multi-language: JavaScript/TypeScript, Python, Go, Rust, full-stack patterns
- Architecture review: Design patterns, SOLID principles, maintainability
## Git Conventions Reference
{embed full content of git-conventions skill}
## Your Task
Review the following files for bugs, performance, best practices, and code quality.
IMPORTANT: Do NOT modify any source files. Only read source files and write your
findings to the output file below.
Files to review:
{file_list from Step 2}
Write your findings to .tmp/review-code.json using this schema:
{
"schema_version": "1.0",
"branch": "{current_branch}",
"created_at": "{ISO timestamp}",
"source": "code-reviewer",
"summary": "Brief overall assessment",
"walkthrough": [{"file": "path", "description": "what changed"}],
"issues": [
{
"id": {sequential number},
"file": "path/to/file",
"line": {line number or null},
"severity": "LOW|MEDIUM|HIGH|CRITICAL",
"type": "bugs|performance|best-practices|code-quality",
"description": "Issue description",
"suggestion": "Concrete fix"
}
]
}
Use the assertive review profile: no hedging, imperative language,
focus exclusively on problems.
Task tool call 2:
subagent_type: "general-purpose"
name: "security-reviewer"
team_name: "review-{current-branch}"
model: "sonnet"
prompt: |
You are a security specialist conducting a focused security review.
IMPORTANT: Do NOT modify any source files. Only read source files and write your
findings to the output file below.
## Security Checklist Reference
{embed full content of security-checklist skill}
## Your Task
Review the following files exclusively for security issues:
- Injection vulnerabilities (SQL, command, XSS, SSRF)
- Authentication and authorization flaws
- Data exposure (secrets, PII, sensitive data in logs)
- Insecure deserialization, path traversal
- Missing input validation at trust boundaries
- Hardcoded credentials or API keys
- OWASP Top 10 compliance
Files to review:
{file_list from Step 2}
Write your findings to .tmp/review-security.json using this schema:
{
"schema_version": "1.0",
"branch": "{current_branch}",
"created_at": "{ISO timestamp}",
"source": "security-reviewer",
"summary": "Security assessment",
"walkthrough": [{"file": "path", "description": "security-relevant changes"}],
"issues": [
{
"id": {sequential number},
"file": "path/to/file",
"line": {line number or null},
"severity": "LOW|MEDIUM|HIGH|CRITICAL",
"type": "security",
"description": "Issue description",
"suggestion": "Concrete fix"
}
]
}
Severity escalation: any issue in auth/payment/PII code → escalate one level.
Task tool call 3:
subagent_type: "general-purpose"
name: "a11y-reviewer"
team_name: "review-{current-branch}"
model: "haiku"
prompt: |
You are an accessibility specialist conducting a focused accessibility review.
IMPORTANT: Do NOT modify any source files. Only read source files and write your
findings to the output file below.
## Your Task
Review the following files exclusively for accessibility issues:
- Missing or incorrect ARIA attributes
- Keyboard navigation gaps
- Color contrast violations (WCAG AA minimum)
- Missing alt text on images
- Form labels and error announcements
- Focus management issues
- Screen reader compatibility
- Semantic HTML usage
Files to review:
{file_list from Step 2}
Write your findings to .tmp/review-accessibility.json using this schema:
{
"schema_version": "1.0",
"branch": "{current_branch}",
"created_at": "{ISO timestamp}",
"source": "a11y-reviewer",
"summary": "Accessibility assessment",
"walkthrough": [{"file": "path", "description": "a11y-relevant changes"}],
"issues": [
{
"id": {sequential number},
"file": "path/to/file",
"line": {line number or null},
"severity": "LOW|MEDIUM|HIGH|CRITICAL",
"type": "accessibility",
"description": "Issue description",
"suggestion": "Concrete fix"
}
]
}
If no frontend/UI files are in scope, write empty issues array with
summary: "No UI files in scope for accessibility review."
Wait for all reviewers to complete. Then merge results:
READ: .tmp/review-code.json, .tmp/review-security.json, .tmp/review-accessibility.json MERGE: Combine all issues into .tmp/review-local.json - Concatenate all issues from all reviewers - If same file+line appears with substantially similar description across reviewers, keep highest severity and merge - Re-number issue IDs sequentially - Combine walkthroughs (deduplicate by file) - Set source: "deep-review" # Cleanup team SendMessage shutdown_request to code-reviewer, security-reviewer, a11y-reviewer TeamDelete
Go to Step 4.
Step 3b: Single Reviewer (Default)
Launch a single code-reviewer agent with the comprehensive review prompt below.
Task tool:
subagent_type: "code-reviewer"
description: "Run comprehensive code review"
prompt: |
You are an elite code reviewer conducting a comprehensive, assertive analysis.
Review the following files and output results to .tmp/review-local.json
Create .tmp/ directory if needed: mkdir -p .tmp
Files to review:
{file_list from Step 2}
===== REVIEW INSTRUCTIONS =====
## Output Structure
Your review MUST follow this three-part structure:
### Part 1: Summary
A concise overview of changes, their purpose, and overall assessment.
### Part 2: Walkthrough
For each changed file, provide:
- File path
- Brief description of what changed and why
- Any architectural implications
### Part 3: Inline Comments
Specific, actionable findings tied to exact file paths and line numbers.
## Analysis Domains
Evaluate ALL five domains for every file:
**1. Security**
- Injection vulnerabilities (SQL, command, XSS, SSRF)
- Authentication and authorization flaws
- Data exposure (secrets, PII, sensitive data in logs)
- Insecure deserialization, path traversal
- Missing input validation at trust boundaries
- Hardcoded credentials or API keys
**2. Bugs & Correctness**
- Null/undefined reference errors
- Off-by-one errors, boundary conditions
- Race conditions, concurrency issues
- Incorrect error handling (swallowed exceptions, wrong error types)
- Logic errors in conditionals and loops
- Type mismatches and implicit conversions
- Resource leaks (unclosed handles, missing cleanup)
**3. Performance**
- N+1 query patterns
- Unnecessary re-renders or recomputations
- Memory leaks (event listeners, closures, circular references)
- Algorithm complexity (O(n^2) where O(n) is possible)
- Unbounded data structures (missing pagination, limits)
- Blocking operations on hot paths
- Missing caching opportunities
**4. Best Practices**
- DRY violations (duplicated logic)
- SOLID principle violations
- Missing or inadequate error handling
- Poor naming (unclear, misleading, inconsistent)
- Magic numbers and hardcoded values
- Missing input validation
- Inconsistent patterns within the codebase
**5. Code Quality**
- Cyclomatic complexity > 10
- Functions > 50 lines
- Deep nesting (> 3 levels)
- Missing edge case handling
- Unclear control flow
- Dead code or unreachable branches
- Inconsistent formatting or style
## Language-Specific Checks
**Python:**
- Mutable default arguments
- Missing `__init__.py` for packages
- Bare `except:` clauses
- f-string injection in logging
- Missing type hints on public APIs
- Unsafe `eval()`/`exec()` usage
**TypeScript/JavaScript:**
- `any` type usage (should be narrowed)
- Missing `await` on async calls
- Prototype pollution vectors
- Unsafe `innerHTML` or `dangerouslySetInnerHTML`
- Missing error boundaries in React
- Unhandled promise rejections
## Review Profile: Assertive
- DO NOT hedge or soften findings. State issues directly.
- Use imperative language: "Fix this", "Remove this", "This must be changed"
- Every finding must include a concrete fix suggestion
- Do not praise code. Focus exclusively on problems.
- If code is acceptable, say so briefly and move on.
- Treat "it works" as insufficient — code must be correct, secure, and maintainable.
## Severity Rules
- **CRITICAL**: Security vulnerabilities, data loss risks, crashes in production
- **HIGH**: Bugs that will manifest in normal usage, significant performance issues
- **MEDIUM**: Best practice violations, maintainability concerns, minor performance issues
- **LOW**: Style issues, minor improvements, nice-to-haves
Severity escalation:
- Any issue in auth/payment/PII handling code: escalate one level
- Any issue that affects multiple files or is systemic: escalate one level
- Any issue with a simple, obvious fix: do not de-escalate (easy to fix != unimportant)
## Output Format
Write results to .tmp/review-local.json with this schema:
{
"schema_version": "1.0",
"branch": "{current_branch}",
"created_at": "{ISO timestamp}",
"source": "code-reviewer",
"summary": "Brief overall assessment",
"walkthrough": [
{
"file": "path/to/file",
"description": "What changed and why"
}
],
"issues": [
{
"id": {sequential number},
"file": "path/to/file",
"line": {line number or null},
"severity": "LOW|MEDIUM|HIGH|CRITICAL",
"type": "security|bugs|performance|best-practices|code-quality",
"description": "Issue description - be specific and direct",
"suggestion": "Concrete fix with code example when applicable"
}
]
}
Report: "Code reviewer found {count} issues"
If no issues found, write empty issues array with summary.
Step 4: Report Results
WAIT: for reviewer(s) to complete
READ: .tmp/review-local.json
IF: --deep mode
OUTPUT:
Deep Review Complete
| Reviewer | Issues Found |
|----------|--------------|
| Code Reviewer | {code_count} |
| Security Reviewer | {security_count} |
| Accessibility Reviewer | {a11y_count} |
| **Total (deduplicated)** | **{total_count}** |
Severity breakdown:
- Critical: {critical_count}
- High: {high_count}
- Medium: {medium_count}
- Low: {low_count}
ELSE:
OUTPUT:
Code Review Complete
| Reviewer | Issues Found |
|----------|--------------|
| Code Reviewer | {issue_count} |
Severity breakdown:
- Critical: {critical_count}
- High: {high_count}
- Medium: {medium_count}
- Low: {low_count}
Step 5: Hand Off to Triage
IF: total issues > 0 OUTPUT: "Launching interactive triage..." Skill tool: skill="resolve-comments", args="--local --auto" ELSE: OUTPUT: "No issues found. Code looks good!" END
Expected Output
Default Mode
User: /review Starting code review analysis... Mode: Branch delta review (5 files) [Launching code reviewer...] Code Review Complete | Reviewer | Issues Found | |----------|--------------| | Code Reviewer | 5 | Severity breakdown: - Critical: 0 - High: 1 - Medium: 3 - Low: 1 Launching interactive triage... [/resolve-comments --local --auto takes over]
Deep Mode
User: /review --deep Starting code review analysis... Mode: Branch delta review (5 files) 🏗️ Creating team: review-feature-auth Spawning 3 reviewers... [tmux panes show code-reviewer, security-reviewer, a11y-reviewer] ✓ code-reviewer: 4 issues found ✓ security-reviewer: 2 issues found ✓ a11y-reviewer: 1 issue found Merging and deduplicating results... 🧹 Shutting down team review-feature-auth... Deep Review Complete | Reviewer | Issues Found | |----------|--------------| | Code Reviewer | 4 | | Security Reviewer | 2 | | Accessibility Reviewer | 1 | | **Total (deduplicated)** | **6** | Severity breakdown: - Critical: 1 - High: 2 - Medium: 2 - Low: 1 Launching interactive triage... [/resolve-comments --local --auto takes over]
Notes
- •Results stored in
.tmp/for/resolve-commentsconsumption - •No auto-fix — all changes require user approval via triage
- •
--fullmode may take longer depending on codebase size - •
--deepspawns three reviewers via TeamCreate for multi-perspective analysis - •Code and security reviewers use
model: "sonnet"; a11y-reviewer usesmodel: "haiku"(checklist-driven, structured output) - •Code-reviewer prompt embeds
git-conventionsskill; security-reviewer embedssecurity-checklist - •Cleanup (shutdown + TeamDelete) always runs after
--deepreview - •Manual cleanup if needed:
rm -rf ~/.claude/teams/review-* ~/.claude/tasks/review-* - •When #24316 lands, replace
subagent_type: "general-purpose"with custom agent types