code-review
Code Review Guide
Review Priorities (In Order)
- Correctness - Does it work? Does it handle edge cases?
- Security - Vulnerabilities, data exposure, injection risks
- Performance - Obvious inefficiencies, scaling concerns
- Maintainability - Readability, complexity, documentation
- Style - Formatting, naming (lowest priority if linter exists)
What to Look For
Correctness
- Logic handles all cases (including edge cases)
- Error handling is appropriate
- Async operations handled correctly
- State mutations are intentional
- Tests cover the changes
Security Checklist
- No hardcoded secrets
- Input is validated/sanitized
- SQL queries are parameterized
- User input isn't rendered as HTML
- Auth checks are in place
- Sensitive data isn't logged
- CORS is configured correctly
Performance Red Flags
- N+1 queries
- Missing pagination
- Large data in memory
- Unnecessary re-renders
- Missing indexes for queries
- Synchronous operations that could be async
Maintainability
- Functions do one thing
- Clear naming
- No magic numbers/strings
- Comments explain "why", not "what"
- Error messages are helpful
- Code is testable
How to Give Feedback
Good Feedback
This might cause an issue when `items` is empty -
the `reduce()` on line 45 will throw without an
initial value. Consider: `items.reduce((a, b) => a + b, 0)`
Bad Feedback
This is wrong.
Framework
Blocking issues: "This needs to change because [reason]" Suggestions: "Consider [alternative] because [benefit]" Questions: "What happens when [edge case]?" Praise: "Nice use of [pattern] here"
Review Size Guidelines
| Lines Changed | Review Time | Risk |
|---|---|---|
| < 50 | Quick | Low |
| 50-200 | Normal | Medium |
| 200-500 | Careful | High |
| > 500 | Split if possible | Very High |
Common Patterns to Flag
Over-engineering
- Abstractions for single-use code
- Premature optimization
- Unnecessary design patterns
Under-engineering
- Copy-pasted code (3+ occurrences)
- Missing error handling
- No input validation
Anti-patterns
- God objects/functions
- Deep nesting (> 3 levels)
- Boolean blindness
- Stringly-typed code
Questions to Ask
- "What happens if this fails?"
- "How does this behave under load?"
- "Can this be tested easily?"
- "Will this be obvious in 6 months?"
- "What could a malicious user do here?"
Approval Criteria
Approve when:
- Passes all automated checks
- No blocking issues
- Tests exist and pass
- You understand what it does
Request changes when:
- Security vulnerabilities
- Clear bugs
- Missing critical tests
- Breaking changes without migration
More from jamelna-apps/claude-dash
cost-tracking
When user mentions "spending", "usage", "tokens", "API cost", "budget", "expensive", or wants to understand Claude API costs. Provides cost awareness and optimization guidance.
11page-cro
When the user mentions "conversion", "CRO", "landing page", "not converting", "bounce rate", "optimize page", or asks about improving page performance.
7session-handoff
When user says "continue", "pick up where we left off", "last time", "previous session", "what were we doing", or wants explicit session continuity. Provides structured context handoff between sessions.
4error-diagnosis
When user encounters "error", "exception", "failed", "stack trace", "crashed", or needs error categorization. Provides structured root cause analysis and prevention strategies.
4smart-routing
When deciding which Claude model (Opus/Sonnet/Haiku) to use, or when "route", "which model", "complex task", "multi-file", "architectural", or "deep debugging" is mentioned. Guides quality-first model selection.
3rag-enhancement
When user asks "explain", "how does", "understand", "background on", "context for", or needs deep explanations with retrieved history. Auto-enhances answers with decision history and patterns.
3