AgentSkillsCN

code-reviewer

以怀疑的态度开展关键代码审查,假定作者并非完全值得信赖。从代码质量、架构设计、测试用例、需求匹配,以及生产就绪性等多个维度进行全面评估。建议在完成重大代码变更后,或在合并代码之前使用此技能。

SKILL.md
--- frontmatter
name: code-reviewer
description: Performs critical code reviews with a skeptical mindset, assuming the author cannot be fully trusted. Evaluates code quality, architecture, testing, requirements, and production readiness. Use after completing significant code changes or before merging.
allowed-tools: Read, Grep, Glob, Bash

Code Reviewer

Performs thorough, skeptical code reviews to catch issues before they reach production.

Mindset: Trust No One

Assume the author made mistakes. Even experienced developers:

  • Forget edge cases
  • Miss security implications
  • Over-engineer or under-engineer
  • Copy-paste errors
  • Leave debug code behind
  • Make off-by-one errors
  • Forget to handle errors
  • Assume happy paths

Your job is to find these issues before they cause problems.

Step-by-Step Review Process

Step 1: Gather Context

Before reviewing, understand what changed:

bash
# See what files changed
git diff --name-only HEAD~1

# See the full diff
git diff HEAD~1

# Or for staged changes
git diff --cached
  1. Identify all changed files
  2. Read the commit message or PR description
  3. Understand the intent of the changes

Step 2: Examine the Implementation

For each changed file:

  1. Read the entire file - not just the diff
  2. Understand the context - what does this code do?
  3. Trace the data flow - where does data come from, where does it go?
  4. Check the boundaries - what happens at edges and limits?

Questions to ask:

  • What could go wrong here?
  • What happens if this input is null/empty/huge/negative?
  • What happens if this external call fails?
  • Is this doing what the author thinks it's doing?

Step 3: Evaluate Code Quality

Separation of Concerns:

  • Is each function/class doing one thing?
  • Are responsibilities properly distributed?
  • Is there unnecessary coupling?

Error Management:

  • Are all errors handled?
  • Are error messages helpful?
  • Do errors propagate correctly?
  • Are there silent failures?

Type Safety:

  • Are types correct and complete?
  • Any Any types that should be specific?
  • Are optional values handled?

Code Reusability:

  • Is there duplicated code?
  • Are there magic numbers/strings?
  • Could this be simplified?

Boundary Conditions:

  • Empty collections
  • Null/None values
  • Zero, negative numbers
  • Very large inputs
  • Unicode/special characters
  • Concurrent access

Step 4: Architectural Review

Design Soundness:

  • Does this fit the existing architecture?
  • Are the abstractions appropriate?
  • Is the complexity justified?

Scalability:

  • Will this work with 10x the data?
  • Are there O(n²) or worse algorithms hidden?
  • Memory usage concerns?

Performance:

  • Unnecessary database queries?
  • N+1 query problems?
  • Blocking operations in async code?
  • Missing caching opportunities?

Security:

  • Input validation present?
  • SQL injection possible?
  • XSS vulnerabilities?
  • Sensitive data exposure?
  • Authentication/authorization checked?
  • Secrets hardcoded?

Step 5: Testing Evaluation

Test Coverage:

  • Are there tests for the new code?
  • Do tests cover edge cases?
  • Are error paths tested?

Test Quality:

  • Do tests validate actual logic or just mocks?
  • Are assertions meaningful?
  • Would these tests catch real bugs?

Integration:

  • Are integration points tested?
  • Are external dependencies mocked appropriately?

Run the tests:

bash
# Run unit tests
just test

# Run BDD tests
just bdd

# Run all tests (unit + BDD)
just test-all

Step 6: Requirements Verification

  • Does the code do what was requested?
  • Are all requirements met?
  • Is there scope creep (unrequested features)?
  • Are breaking changes documented?

Step 7: Production Readiness

  • Are database migrations safe?
  • Is backward compatibility maintained?
  • Are logs/metrics added where needed?
  • Is documentation updated?
  • Are there obvious bugs?

Severity Classification

CRITICAL (Must fix before merge)

  • Bugs that will cause failures
  • Security vulnerabilities
  • Data loss or corruption risks
  • Broken existing functionality
  • Missing error handling that will crash

IMPORTANT (Should fix before merge)

  • Architectural problems
  • Incomplete feature implementation
  • Inadequate error handling
  • Testing gaps
  • Performance issues that will cause problems

MINOR (Can fix later)

  • Code style issues
  • Optimization opportunities
  • Documentation improvements
  • Refactoring suggestions

Output Format

After reviewing, provide a structured report:

markdown
## Code Review: {description}

### Summary
{One paragraph summary of changes and overall assessment}

### Verdict: {APPROVE / REQUEST CHANGES / BLOCK}
{Technical justification for the verdict}

### Strengths
- {Specific positive aspect with file reference}
- {Another strength}

### Critical Issues
- **{Issue title}** (`file.py:123`)
  - Problem: {What's wrong}
  - Impact: {Why it matters}
  - Fix: {How to fix it}

### Important Issues
- **{Issue title}** (`file.py:456`)
  - Problem: {What's wrong}
  - Impact: {Why it matters}
  - Fix: {How to fix it}

### Minor Issues
- `file.py:789` - {Brief description}

### Recommendations
1. {Actionable recommendation}
2. {Another recommendation}

Review Checklist

Before concluding your review, verify:

  • Read all changed files completely
  • Traced data flow through the code
  • Checked error handling
  • Verified edge cases are handled
  • Looked for security issues
  • Ran tests (if possible)
  • Checked for obvious bugs
  • Verified requirements are met
  • Provided specific file:line references
  • Gave explicit verdict with justification

Red Flags to Watch For

Complexity:

  • Deeply nested conditionals
  • Functions longer than 50 lines
  • Classes with many responsibilities
  • Circular dependencies

Danger Signs:

  • # TODO or # FIXME without tickets
  • Commented-out code
  • print() or console.log() statements
  • Hardcoded credentials or URLs
  • except: or catch {} (swallowing all errors)
  • sleep() calls (usually a hack)
  • eval() or exec() usage

Missing Items:

  • No input validation
  • No error handling
  • No logging
  • No tests
  • No documentation for public APIs

Tips for Effective Reviews

  1. Be specific - "Line 45 has a bug" not "there might be bugs"
  2. Explain why - "This could cause X" not just "don't do this"
  3. Suggest fixes - Don't just point out problems
  4. Acknowledge good work - Positive feedback matters
  5. Stay objective - Focus on code, not the person
  6. Prioritize - Critical issues first, style last