AgentSkillsCN

code-review

代码评审流程、高效反馈、PR最佳实践、团队协作协议、评审自动化、AI辅助评审,以及评审反模式。在代码评审、PR准备、评审反馈、评审流程搭建、编写评审评论,或在服务阶段开展代码评审时使用此功能。

SKILL.md
--- frontmatter
name: code-review
description: Code review process, effective feedback, PR best practices, team working agreements, review automation, AI-augmented review, and review antipatterns. Use when reviewing code, preparing PRs, giving review feedback, setting up review processes, writing review comments, or conducting code reviews during serve phase.

Code Review

How to review code effectively, give actionable feedback, and build review processes that improve both code and teams.

Quick Reference

Review Goals (Priority Order)

GoalWhat You're CheckingTime Allocation
CorrectnessDoes it work? Edge cases, off-by-ones, null handling40%
DesignRight abstractions? Fits the architecture?25%
SecurityAuth, input validation, data exposure, injection15%
MaintainabilityReadable? Testable? Future-developer-friendly?15%
StyleNaming, formatting, conventions5% (automate this)

Effective Comment Templates (Triple-R Pattern)

Structure every non-trivial comment as Request → Rationale → Result:

ComponentPurposeExample
RequestWhat to change"Can we rename item to something more descriptive?"
RationaleWhy it matters"item is vague and doesn't convey its role in discount calculation."
ResultWhat good looks like"Something like discountEligibleItem captures the context."

Comment Severity Labels

Label comments so the author knows what's required vs. optional:

LabelMeaningAuthor Action
blockerMust fix before mergeAddress or discuss
suggestionImprovement worth consideringDecide and respond
nitpickMinor style/preferenceOptional — take or leave
questionNeed to understand intentExplain the reasoning
praiseSomething done wellAcknowledge (builds trust)

Review Process

Before You Review

  1. Read the PR description — understand the why before judging the how
  2. Check the scope — is this PR a single logical change? Flag if too large
  3. Run the code — for non-trivial changes, check out and test locally
  4. Check tests — are new behaviors covered? Do existing tests still pass?

During Review

Focus on one pass per concern to avoid cognitive overload:

  1. First pass: Correctness — Does the logic handle all cases? What breaks?
  2. Second pass: Design — Does this fit the codebase architecture?
  3. Third pass: Everything else — Naming, tests, docs, edge cases

After Review

  • Summarize — leave a top-level comment with your overall assessment
  • Be explicit about approval — "Approved with nitpicks" vs. "Needs changes before merge"
  • Follow up — check that requested changes were addressed (don't rubber-stamp re-reviews)

PR Best Practices (For Authors)

The PR Contract

Every PR should communicate:

ElementPurposeExample
TitleWhat changed (imperative mood)"Add rate limiting to auth endpoints"
DescriptionWhy and howProblem, approach, tradeoffs, alternatives considered
ProofEvidence it worksTests passing, manual verification, screenshots/logs
RiskWhat could go wrong"Touches auth flow — needs security-focused review"
Review focusWhere human judgment matters most"Please check the retry logic in lines 42-68"

Size Guidelines

PR SizeLines ChangedReview QualityRecommendation
Small< 200High attentionIdeal
Medium200-400Good attentionAcceptable
Large400-800Declining attentionSplit if possible
Huge> 800Superficial at bestMust split

Research shows reviewer attention drops sharply after ~400 lines. A 2000-line PR gets "LGTM" because nobody can review it properly.

Self-Review Checklist (Before Requesting Review)

  • PR description explains the why, not just the what
  • Changes are a single logical unit (one concern per PR)
  • Tests cover new behavior and edge cases
  • No debug code, commented-out blocks, or TODOs without tickets
  • Naming is clear and consistent with codebase conventions
  • No secrets, credentials, or PII in the diff

Team Working Agreement (TWA)

A Team Working Agreement (TWA) is a collaboratively created document that sets shared expectations for how the team does reviews. Create one together — never impose it top-down.

TWA Template

AreaQuestions to Answer
Response timeHow quickly should reviews start? (e.g., within 4 business hours)
Review depthWhat's expected? (checklist-based? architecture-level?)
PR size limitsMaximum lines? When must PRs be split?
Approval policyHow many approvals to merge? Who can approve?
Comment conventionsWhich severity labels? Required vs. optional feedback?
Automation baselineWhat's automated? (linting, formatting, security scans)
EscalationWhat if reviewer and author disagree?
ExceptionsEmergency/hotfix bypass process?

Review Cadence

Blocked PRs block features. Establish review rhythms:

  • SLA target: First response within 4 hours (business hours)
  • Review windows: Dedicated review time (e.g., first hour of day)
  • Rotation: Distribute reviews to avoid bottlenecks on senior devs
  • Escalation: If a PR has no reviewer after N hours, auto-assign or notify

Review Automation

What to Automate vs. What Needs Human Judgment

Automate (Machines)Human Review (Judgment)
Style and formatting (linters)Architecture and design fit
Common bug patterns (static analysis)Business logic correctness
Security vulnerability scanningNaming and abstraction quality
Test coverage thresholdsTest quality (not just coverage)
PR size / complexity alertsKnowledge sharing and mentoring
Dependency vulnerability checksTradeoff evaluation

Rule: If a review comment could be written by a regex, it should be automated. Free human reviewers for judgment calls.

Automation Layers

LayerTool CategoryPurpose
Pre-commitFormatters, lintersCatch style issues before push
CI pipelineTests, SAST, coverageGate on correctness and security
PR botSize checks, label enforcementEnforce PR hygiene
Post-mergeDependency scanning, DASTCatch deployment-time issues

AI-Augmented Code Review

AI review tools are rapidly maturing (2025-2026), but the collaboration model matters more than the tool choice.

The AI-Human Review Partnership

PhaseAI RoleHuman Role
First passFlag bugs, style issues, missing tests, security patternsSkip — let AI handle the mechanical scan
Deep reviewSuggest refactoring, identify duplicationArchitecture fit, business logic, naming quality
Final sign-offSummarize findings, check coverageApprove or request changes — always human

AI is a reviewer, not an approver. AI catches what humans miss (patterns across thousands of lines). Humans catch what AI misses (intent, context, organizational knowledge). Neither replaces the other.

What AI Catches Well

  • Common bug patterns (null derefs, off-by-ones, resource leaks)
  • Style violations and inconsistencies
  • Missing error handling
  • Test gaps and edge cases
  • Security vulnerability patterns (injection, XSS, auth issues)
  • Code duplication across files

What AI Misses

  • Whether the code solves the right problem
  • Architectural fit with the broader system
  • Business rule correctness
  • Naming quality and abstraction appropriateness
  • Institutional context ("we tried this before and it failed because...")
  • Whether the change aligns with the team's roadmap

AI Review Pitfalls

PitfallProblemMitigation
Alert fatigueToo many low-value commentsTune thresholds; suppress nitpicks
False authorityTeam treats AI comments as mandatesLabel AI suggestions clearly; human decides
DeskillingReviewers defer to AI on everythingRequire human summary comment on every PR
Larger PRsAI makes writing easy, PRs grow ~18%Enforce size limits regardless of authorship

AI-Generated Code Review

Code written by AI requires more review rigor, not less:

  • AI-generated code has 1.75x more logic errors than human code
  • 45% of AI-generated code contains security vulnerabilities
  • Authors must understand and explain every line — "the AI wrote it" is not a defense
  • Require proof (tests, manual verification) before review begins

(see code-quality-foundations -> Code Should Work, Code Should Keep Working)

Review Antipatterns

The Eight Review Antipatterns

AntipatternSymptomFix
Rubber-stamping"LGTM" without reading the codeRequire specific comment on at least one aspect
Nitpicking20 comments about spacing, zero about logicAutomate style; focus comments on design
GatekeepingOne person blocks all merges with personal preferencesTWA defines objective standards; rotate reviewers
Ghost reviewingReview assigned, no response for daysSLA with escalation; review rotation
Bike-sheddingLengthy debate on trivial decisionsTime-box discussions; "author decides" for preferences
Drive-by reviewingComments without context or follow-upRequire summary; follow up on requested changes
Scope creep"While you're here, can you also..."New work gets its own PR and ticket
Approval hoardingRequiring 4+ approvals "for safety"1-2 approvals with clear ownership; more is friction

(see code-antipatterns -> Pattern Recognition)

<details> <summary>The emergency playbook</summary>

Sometimes you need to bypass normal review. Have a pre-agreed protocol:

SituationProcessSafeguards
Production outageSingle senior approval + deployPost-incident review within 24h
Security patchSecurity team fast-trackAudit log; full review within 48h
Time-critical hotfixPair with reviewer in real-timeDocument the bypass; retroactive PR

Rules for emergency bypasses:

  1. Never skip review silently — always document
  2. Retroactive review is mandatory, not optional
  3. If you bypass more than once a month, your process has a deeper problem
</details> <details> <summary>Code reviews and pair/mob programming</summary>

Pair and mob programming can complement or partially replace traditional async review:

ModeWhen It FitsReview Implication
Solo + async reviewIndependent work, distributed teamsStandard PR review process
Pair programmingComplex features, onboarding, knowledge transferLighter review (real-time feedback already happened)
Mob programmingCritical architecture, team alignmentMinimal review (whole team already participated)

Pair/mob sessions don't eliminate the value of a fresh-eyes review, but they reduce the need for extensive async feedback because design discussions happened in real time.

</details>

Decision Tables

"What Should I Focus on in This Review?"

SignalFocus AreaWhy
New contributor's PRCorrectness + mentoringBuild their understanding of conventions
Touches auth/payments/securitySecurity-first reviewHigh-impact failure domain
Large refactoringDesign + test coverageStructural changes need architectural validation
Bug fixCorrectness + regression testsVerify root cause addressed, not just symptom
New featureDesign + maintainabilityWill this age well? Is it tested?
Performance-critical pathCorrectness + efficiencyAlgorithmic review, benchmark evidence
AI-generated codeEverything + extra scrutinyHigher defect rate; verify author understands it
Dependency updateSecurity + compatibilityCheck changelogs, breaking changes, CVEs

"Should I Approve This PR?"

ConditionDecision
All blockers addressed, tests pass, design is soundApprove
Minor nitpicks only, no functional concernsApprove with comments
Design concerns but implementation is correctRequest changes (design discussion needed)
Missing tests for new behaviorRequest changes
Security concernsRequest changes (escalate if needed)
Too large to review effectivelyRequest split
Don't understand the domain well enoughDefer to qualified reviewer

Checklists

Reviewer Checklist

  • PR description explains intent clearly
  • Changes are appropriately scoped (single concern)
  • Logic handles edge cases and error paths
  • New behavior has test coverage
  • No security concerns (auth, injection, data exposure)
  • Naming and abstractions fit the codebase
  • No performance regressions in hot paths
  • Comments use severity labels (blocker/suggestion/nitpick)

Review Culture Health Check

  • Average first-response time < 4 hours
  • Reviews include praise, not just criticism
  • Junior developers review senior developers' code (both directions)
  • Disagreements resolved by TWA standards, not authority
  • Automation handles style enforcement (humans focus on design)
  • Emergency bypasses are documented and retroactively reviewed

See Also

  • code-quality-foundations — Quality pillars and goals that reviews enforce (see code-quality-foundations -> The Six Pillars)
  • code-antipatterns — Common patterns to watch for during review (see code-antipatterns -> Pattern Recognition)
  • code-readability — Readability standards to apply in review (see code-readability -> Naming and Structure)
  • code-testing-quality — Evaluating test quality during review (see code-testing-quality -> Test Strategy)