Code Review Workflow
Focus on defects, regressions, and risks first. Be specific and evidence-based.
Review Priorities
Review in this order of importance:
- •Correctness: Does it do what it's supposed to?
- •Security: Are there vulnerabilities?
- •Regressions: Could this break existing behavior?
- •Tests: Is the change adequately tested?
- •Maintainability: Will this be easy to understand and modify?
- •Performance: Only if there are clear concerns.
Review Process
Step 1: Understand the Context
- •Read the PR description and linked issues
- •Understand the intent before reading code
- •Ask clarifying questions if the purpose is unclear
Step 2: Review for Correctness
- •Trace the logic for the main use cases
- •Identify edge cases: null, empty, max values, concurrent access
- •Check error handling paths
- •Verify data validation and sanitization
Step 3: Review for Security
Check against shared/guidelines/security.md:
- •Input validation present?
- •Injection vulnerabilities (SQL, command, path)?
- •Authentication/authorization correct?
- •Sensitive data handled properly?
Step 4: Review for Regressions
- •Are existing tests still passing?
- •Could this change affect unrelated functionality?
- •Are there implicit dependencies being broken?
Step 5: Review Tests
Check against shared/guidelines/testing.md:
- •Is the new behavior tested?
- •Are edge cases covered?
- •Are the tests meaningful (not just coverage padding)?
- •Can you think of test cases that are missing?
Step 6: Review Maintainability
Check against shared/guidelines/coding-style.md:
- •Is the code readable and self-documenting?
- •Are there complex sections that need comments?
- •Is there duplication that should be extracted?
- •Does it follow project conventions?
Output Format
Structure your review as:
Critical Issues (Must Fix)
- •Security vulnerabilities
- •Logic errors
- •Data loss risks
Suggestions (Should Consider)
- •Better approaches
- •Missing edge cases
- •Test improvements
Questions
- •Clarifications needed
- •Design decisions to discuss
Positive Notes (Optional)
- •Well-designed solutions
- •Good test coverage
- •Clean implementations
Review Etiquette
- •Be specific: Point to exact lines, explain why
- •Suggest solutions: Don't just point out problems
- •Ask, don't demand: "What do you think about..." vs "You must..."
- •Separate opinions from requirements: Style preferences vs bugs
- •Acknowledge good work: Positive feedback helps
Reminders
- •Use
shared/guidelines/security.mdfor security checklist - •Use
shared/guidelines/testing.mdfor test coverage expectations - •Flag if tests weren't run and suggest how to run them