AgentSkillsCN

code-review-checklist

Review code changes for correctness, security, performance and maintainability. Use for PR reviews, code audits, pre-merge checks, or quality validation of Laravel + React + Python code. Exclusive to the reviewer agent.

SKILL.md
---
name: code-review-checklist
description: |
  Review code changes for correctness, security, performance, and maintainability. Use for PR reviews,
  code audits, pre-merge checks, or quality validation of Laravel + React + Python code. EXCLUSIVE to reviewer agent.
allowed-tools: Read, Grep, Glob, Bash, mcp_codex-bridge, mcp_gemini-bridge, mcp_context7, mcp_playwright, mcp_zread, mcp_web-search-prime, mcp_web-reader, mcp_zai-mcp-server, mcp_open-bridge
---

# Code Review Checklist

Exclusive to: reviewer agent

## MCP Helpers (Brain + Memory)

### 🧠 Gemini-Bridge — Deep Code Analysis

```
mcp_gemini-bridge_consult_gemini(query="Review this code for best practices, security, and performance: [code snippet]", directory=".")
```

### 🌉 Open-Bridge — Alternative Analysis

```
mcp_open-bridge_consult_gemini(query="Review this code for best practices, security, and performance: [code snippet]", directory=".")
```

### 💻 Codex-Bridge — Code-Focused Review

```
mcp_codex-bridge_consult_codex(query="Analyze this code for bugs, anti-patterns, and improvements: [code]", directory=".")
```

### 📚 Context7 (Memory) — Up-to-Date Docs

Look up best practices and anti-patterns:

```
mcp_context7_resolve-library-id(libraryName="[library]", query="best practices")
mcp_context7_query-docs(libraryId="/[resolved-id]", query="[specific pattern to validate]")
```

## Validation Loop (MANDATORY)

Before completing any review, verify the codebase passes all checks:

```bash
composer test             # All PHP tests pass
npm run types             # No TypeScript errors
npm run lint              # No linting errors
./vendor/bin/pint --test  # PHP style OK
```

Report any failures as Critical findings.

## Instructions

1. Review against project standards in `docs/code-standards.md`
2. Run through the checklist below
3. Report issues by severity (Critical → Warning → Suggestion)

## Review Checklist

### ✅ Correctness

- Logic handles edge cases
- Error handling is appropriate
- Types are correct (no `any` unless justified)
- Tests cover new/changed behavior
- No dead code or unused imports

### 🔒 Security (OWASP)

- No secrets or credentials in code
- User input validated and sanitized
- Authorization checks in place
- No SQL injection (use Eloquent/query builder)
- No XSS (proper escaping, sanitization)
- CSRF protection enabled
- Rate limiting considered

### ⚡ Performance

- No N+1 queries (use eager loading: `with()`)
- No unnecessary database calls
- Large datasets are paginated
- Indexes exist for filtered/joined columns

### 🧹 Maintainability

- Follows patterns in `docs/code-standards.md`
- Names are clear and consistent
- No unnecessary complexity
- DRY — no copy-paste duplication

### 🎨 Frontend

- Uses existing shadcn/ui components
- Loading and error states handled
- Accessible (keyboard, labels, contrast)
- Responsive (mobile + desktop)

### 📝 Documentation

- Code comments for non-obvious logic
- Docs updated if behavior changed
- Types documented with JSDoc if complex

## Laravel Security Checks

| Check | Verify |
|---|---|
| Mass assignment | `$fillable` or `$guarded` defined |
| Authorization | Policy or Gate used |
| Validation | FormRequest with rules |
| CSRF | `@csrf` in forms |
| SQL injection | No raw queries with user input |
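The Laravel rows above, as an added before/after illustration that is not part of the original skill or its project: the `Post` model, `StorePostRequest` and both controller names are assumed, the "before" controller is written to fail the checks on purpose, and `@csrf` is a Blade-template concern not shown here.

```php
<?php
// Added illustration, not code from the skill or its project. The Post model,
// StorePostRequest and both controllers are assumed names; "before" is written
// to fail the checks on purpose, "after" passes each row of the table.

use Illuminate\Database\Eloquent\Model;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Gate;

// Mass assignment: allow-list the columns a client may set.
class Post extends Model
{
    protected $fillable = ['title', 'body'];
}

// Validation: a FormRequest declares the rules for the endpoint.
class StorePostRequest extends FormRequest
{
    public function rules(): array
    {
        return ['title' => ['required', 'string', 'max:200'], 'body' => ['required', 'string']];
    }
}

// BEFORE: no authorization, no validation, raw SQL built from user input.
class PostControllerBefore
{
    public function store(Request $request)
    {
        $post = Post::create($request->all());  // relies solely on $fillable; a model with $guarded = [] would write any client key
        $title = $request->input('title');
        $dupes = DB::select("SELECT id FROM posts WHERE title = '$title'"); // input concatenated into SQL
        return response()->json(['post' => $post, 'duplicates' => $dupes]);
    }
}

// AFTER: same endpoint, each row of the table satisfied.
class PostControllerAfter
{
    public function store(StorePostRequest $request)
    {
        Gate::authorize('create', Post::class);                 // Policy/Gate check (assumed PostPolicy::create)
        $data = $request->validated();                          // only keys with declared rules survive
        $post = Post::create($data);                            // bounded by $fillable as well
        $dupes = Post::where('title', $data['title'])->get();   // query builder binds the value
        return response()->json(['post' => $post, 'duplicates' => $dupes]);
    }
}
```

When reviewing, the "after" shape is what each table row expects to find; any of the "before" patterns is a Critical finding under the severity guide.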

## React Security Checks

| Check | Verify |
|---|---|
| XSS | No `dangerouslySetInnerHTML` |
| Props | TypeScript interfaces used |
| Secrets | No sensitive data in client |

## Severity Guide

| Level | Criteria | Action |
|---|---|---|
| 🚨 Critical | Security flaw, data loss, breaks functionality | Block merge |
| ⚠️ Warning | Performance issue, code smell, missing test | Request fix |
| 💡 Suggestion | Style improvement, better pattern | Optional |

## Output Format

```markdown
## 🔍 Review Summary
[One paragraph overview]

## 🚨 Critical (must fix)
1. [Issue]: [File:Line] — [Why critical]

## ⚠️ Warnings (should fix)
1. [Issue]: [File:Line] — [Recommendation]

## 💡 Suggestions (nice to have)
1. [Suggestion]: [File:Line] — [Improvement]

## ✅ What's Good
- [Positive observation]
```

## Examples

- "Review this PR before merge"
- "Check this code for security issues"
- "Audit changes for performance"