Code Review Skill
This skill provides comprehensive code review guidance for evaluating changes to the codebase.
When to Use This Skill
Use this skill when you need to:
- •Review pull requests
- •Review code changes before commits
- •Audit code quality and adherence to project standards
- •Provide feedback on implementation correctness and patterns
Review Checklist
Please review this code change and provide feedback on:
1. Potential Bugs
Look for common programming errors such as:
- •Off-by-one errors
- •Incorrect conditionals
- •Use of wrong variable when multiple variables of same type are in scope
- •
minvsmax,firstvslast, flipped ordering - •Iterating over hashmap/hashset in order-sensitive operations
2. Panic Branches
Identify panic branches that cannot be locally proven to be unreachable:
- •
unwraporexpectcalls - •Indexing operations
- •Panicking operations on external data
Note: This overlaps with the error handling patterns documented in docs/code/rust-error-handling.md. Verify compliance with the project's error handling standards.
3. Dead Code
Find dead code that is not caught by warnings:
- •Overriding values that should be read first
- •Silently dead code due to
pub - •
todo!()ordbg!()macros left in production code
4. Performance
Check for performance issues:
- •Blocking operations in async code
- •DB connection with lifetimes that exceed a local scope
- •Inefficient algorithms or data structures
5. Inconsistencies
Look for inconsistencies between comments and code:
- •Documentation that doesn't match implementation
- •Misleading variable names or comments
- •Outdated comments after refactoring
6. Backwards Compatibility
Verify backwards compatibility is maintained:
- •Changes to
Deserializestructs that break existing data - •Check that DB migrations keep compatibility when possible:
- •Use
IF NOT EXISTS - •Avoid dropping columns or altering their data types
- •Check if migration can be made friendly to rollbacks
- •Use
- •Breaking changes to HTTP APIs or CLIs
7. Documentation
Ensure documentation is up-to-date:
- •The
config.sample.tomlshould be kept up-to-date - •API changes are reflected in OpenAPI specs
- •README and architectural docs reflect current behavior
8. Security Concerns
Review for security vulnerabilities:
- •Exposed secrets or credentials
- •Input validation and sanitization
- •SQL injection, XSS, or other OWASP Top 10 vulnerabilities
- •Authentication and authorization bypasses
- •For security-sensitive crates (admin-api, metadata-db), verify compliance with crate-specific security patterns in
docs/code/
9. Testing
Evaluate test coverage and quality:
- •Reduced test coverage without justification
- •Tests that don't actually test the intended behavior
- •Tests with race conditions or non-deterministic behavior
- •Integration tests that should be unit tests (or vice versa)
- •Changes to existing tests that weaken assertions
- •Changes to tests that are actually a symptom of breaking changes to user-visible behaviour
10. Coding Pattern Violations
Use /code-pattern-discovery to load relevant patterns based on the crates being modified, then verify the code changes comply with those patterns.
Process:
- •Identify affected crates: Determine which crates are modified by the changes
- •Load patterns: Invoke
/code-pattern-discoveryto load applicable patterns:- •Core patterns (error handling, module structure, type design)
- •Architectural patterns (services, workspace structure)
- •Crate-specific patterns (admin-api, metadata-db, etc.)
- •Review compliance: Check the code changes against each loaded pattern
- •Flag violations: Report any deviations from documented patterns
Key patterns to verify (loaded automatically by /code-pattern-discovery):
- •Error handling: Proper use of
Result<T, E>, error types, error context - •Module structure: Correct module organization and visibility
- •Type design: Appropriate use of newtypes, enums, and type aliases
- •Services pattern: Adherence to service architecture (if applicable)
- •Security patterns: For admin-api and metadata-db crates
- •Testing patterns: Test organization and coverage standards
- •Documentation patterns: UDF documentation for query layer (if applicable)
References:
- •Pattern documentation:
docs/code/directory - •AGENTS.md: See Coding Patterns section
- •Use
/code-pattern-discoveryskill to load and review patterns dynamically
11. Documentation Validation
When reviewing PRs, validate documentation alignment:
Format Validation
- •Feature docs (
docs/features/*.md): Invoke/feature-fmt-checkto validate format compliance - •Pattern docs (
docs/code/*.md): Invoke/code-pattern-fmt-checkto validate format compliance
Implementation Alignment
- •Feature docs: Invoke
/feature-validateto verify feature documentation aligns with actual code implementation - •Check whether code changes require feature doc updates (new features, changed behavior)
- •Check whether feature doc changes reflect actual implementation state
Process:
- •Check if PR modifies files in
docs/features/ordocs/code/ - •If feature docs changed: Run
/feature-fmt-checkskill for format validation - •If pattern docs changed: Run
/code-pattern-fmt-checkskill for format validation - •If PR changes feature-related code OR feature docs: Run
/feature-validateto verify alignment - •Report any format violations or implementation mismatches in the review
Important Guidelines
Focus on Actionable Feedback
- •Provide specific, actionable feedback on actual lines of code
- •Avoid general comments without code references
- •Reference specific file paths and line numbers
- •Suggest concrete improvements
Pattern Compliance is Critical
Pattern violations should be treated seriously as they:
- •Reduce codebase consistency
- •Make maintenance harder
- •May introduce security vulnerabilities (in security-sensitive crates)
- •Conflict with established architectural decisions
Always invoke /code-pattern-discovery before completing a code review to ensure pattern compliance.
Review Priority
Review items in this priority order:
- •Security concerns (highest priority)
- •Potential bugs and panic branches
- •Backwards compatibility issues
- •Coding pattern violations
- •Testing gaps
- •Performance issues
- •Documentation and dead code
Next Steps
After completing the code review:
- •Provide clear, prioritized feedback
- •Distinguish between blocking issues (bugs, security) and suggestions (style, performance)
- •Reference specific patterns from
docs/code/when flagging violations - •Suggest using
/code-format,/code-check, and/code-testskills to validate fixes