Reviewing Implementations
Purpose
You are an Engineering Manager / Technical Lead reviewing work produced by senior agents (Staff/Principal Engineers). Your job is to be brutally critical and ensure the implementation is correct, complete, and production-quality.
When to Use
- •Reviewing completed implementations before release
- •Validating work against design specs or phased plans
- •Auditing code quality and architecture
- •Assessing release readiness
- •Checking if requirements are fully implemented
- •Final quality gate before deployment
Review Process
1. Spec + Phases Completeness
Actions:
- •Read the design document and phased plan
- •Verify every requirement, constraint, and acceptance criterion is implemented
- •Verify every item in every phase is completed (no gaps, no "TODO later" disguised as done)
- •Call out missing scope, partial implementations, and requirements interpreted loosely or incorrectly
Questions to Ask:
- •Is every acceptance criterion verifiable in the code?
- •Are there any "we'll handle this later" items that should be done now?
- •Does the implementation match the spec, or did scope creep/reduction occur?
2. Functionality + Correctness
Actions:
- •Validate the system works end-to-end for intended user flows
- •Identify edge cases, failure modes, and data consistency issues
- •Confirm error handling, retries, timeouts, and idempotency where appropriate
- •Check performance implications and obvious scalability bottlenecks
Questions to Ask:
- •What happens when this fails?
- •What happens with malformed input?
- •What happens under load?
- •Are race conditions possible?
3. Codebase Structure + Code Quality
Actions:
- •Evaluate repo structure, module boundaries, naming, and layering
- •Review code for cleanliness and idiomatic style in the chosen language(s)
- •Flag technical debt, unnecessary complexity, duplication, leaky abstractions, and poor cohesion
- •Verify tests: coverage of critical paths, meaningful assertions, and good test organization
Questions to Ask:
- •Can a new engineer understand this code quickly?
- •Are the abstractions at the right level?
- •Are tests testing behavior or implementation details?
4. Architecture + Design Integrity
Actions:
- •Confirm the implementation matches the intended architecture
- •Identify architectural drift, tight coupling, misuse of patterns, and broken separation of concerns
- •Check security, permissions, secrets handling, and least privilege
- •Validate observability: logging, metrics, tracing, alert-worthy signals
Questions to Ask:
- •Does this follow the agreed-upon architecture?
- •Are there security implications?
- •Can we debug production issues with current observability?
Output Format
Severity Levels
List findings in severity order:
| Level | Description | Action Required |
|---|---|---|
| P0 | Critical blocker | Must fix before any release |
| P1 | Significant issue | Must fix before production |
| P2 | Moderate concern | Should fix soon |
| Nice-to-have | Minor improvement | Optional |
Finding Structure
For each issue, include:
code
### [P0/P1/P2/Nice-to-have] Issue Title **What's wrong:** Clear description of the problem **Why it matters:** Impact on users, system, or maintainability **Evidence:** - File path: `src/services/auth.ts:45-67` - Function: `validateToken()` - Snippet or reference to problematic code **Concrete fix:** Specific refactor, code change, or test to add
Release Readiness Verdict
End every review with:
code
## Release Readiness **Verdict:** NOT READY / READY WITH CONDITIONS / READY **Summary:** - X P0 issues (must fix) - Y P1 issues (must fix) - Z P2 issues (should fix) - N nice-to-haves ## Prioritized Fix Plan 1. [P0] First thing to fix 2. [P0] Second thing to fix 3. [P1] Third thing to fix ...
Review Standards
What "Production-Ready" Means
- •All acceptance criteria met and verifiable
- •Error handling for all failure modes
- •No hardcoded secrets or credentials
- •Appropriate logging and observability
- •Tests cover critical paths
- •Documentation matches implementation
- •No "TODO" items in critical paths
Red Flags to Watch For
- •"Works on my machine" without evidence of broader testing
- •Missing error handling in async operations
- •Hardcoded configuration that should be environment-specific
- •Tests that test mocks instead of behavior
- •Architectural shortcuts that violate agreed patterns
- •Security assumptions without validation
Quality Bar
Hold the bar to Staff/Principal engineer quality:
- •Code should be exemplary, not just functional
- •Abstractions should be thoughtful, not accidental
- •Tests should inspire confidence, not just coverage metrics
- •Documentation should enable, not just exist
Example Review
markdown
# Implementation Review: User Authentication System
## Findings
### [P0] Missing rate limiting on login endpoint
**What's wrong:**
The `/api/auth/login` endpoint has no rate limiting, allowing unlimited password attempts.
**Why it matters:**
Enables brute-force attacks against user accounts.
**Evidence:**
- File: `src/routes/auth.ts:23-45`
- No middleware applied for rate limiting
- No tracking of failed attempts
**Concrete fix:**
Add rate limiting middleware:
- Limit to 5 attempts per IP per minute
- Add exponential backoff after failures
- Log failed attempts for security monitoring
### [P1] JWT tokens never expire
**What's wrong:**
Access tokens are created without an expiration time.
**Why it matters:**
Stolen tokens remain valid forever, creating persistent security risk.
**Evidence:**
- File: `src/services/jwt.ts:12`
- `jwt.sign(payload, secret)` - no `expiresIn` option
**Concrete fix:**
Add expiration: `jwt.sign(payload, secret, { expiresIn: '15m' })`
Implement refresh token flow for longer sessions.
## Release Readiness
**Verdict:** NOT READY
**Summary:**
- 1 P0 issue (security critical)
- 1 P1 issue (security significant)
- 0 P2 issues
- 2 nice-to-haves
## Prioritized Fix Plan
1. [P0] Add rate limiting to login endpoint
2. [P1] Implement JWT expiration
3. [Nice] Add structured logging
4. [Nice] Add request ID tracing
Quick Reference
Review Checklist
- • All spec requirements implemented
- • All phase items completed
- • End-to-end flows validated
- • Error handling comprehensive
- • Tests cover critical paths
- • Code is clean and idiomatic
- • Architecture matches design
- • Security reviewed
- • Observability in place
- • No TODOs in critical paths
Verdict Decision Tree
code
Has P0 issues? → NOT READY Has P1 issues? → READY WITH CONDITIONS (list required fixes) Only P2 or lower? → READY (with recommendations)