code-review
.NET Code Review
Trigger On
- reviewing a pull request or patch in a .NET repository
- checking for behavioral regressions, API misuse, or missing tests
- auditing architectural or framework-specific correctness
References
- checklist.md - comprehensive code review checklist organized by risk priority
- patterns.md - common patterns and anti-patterns for async, disposal, and security
Workflow
- Prioritize correctness, data loss, concurrency, security, lifecycle, and platform-compatibility issues before style concerns. Use the checklist P0-P2 categories first.
- Check async flows, cancellation propagation, exception handling, disposal, and transient versus singleton lifetime mistakes. Refer to patterns.md for common pitfalls.
- Verify tests cover the changed behavior, not only the happy path or refactored implementation details.
- Inspect framework-specific boundaries such as EF query translation, ASP.NET middleware order, Blazor render state, or MAUI UI-thread access.
- Call out missing observability, migration risk, or runtime configuration drift when those are part of the change.
- Keep findings concrete, reproducible, and tied to specific files or behavior.
Key Review Patterns
Async Code
- Async must propagate through the entire call chain; never use .Result, .Wait(), or .GetAwaiter().GetResult() in async contexts
- Always propagate CancellationToken parameters
- Use ConfigureAwait(false) in library code
- Never use async void except for event handlers
Resource Disposal
- Use using declarations or statements for all IDisposable resources
- Use await using for IAsyncDisposable resources
- Use IHttpClientFactory instead of creating HttpClient directly
- Unsubscribe event handlers to prevent memory leaks
- Validate DI service lifetimes to prevent captured dependencies
Security
- Use parameterized queries or EF to prevent SQL injection
- Validate all user input at system boundaries
- Prevent path traversal by validating resolved paths stay within allowed directories
- Never hardcode secrets; use configuration and secret management
- Enforce authorization checks before accessing protected resources
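The path traversal item above, shown as a check a reviewer can look for in a change. This is an added example, not code from this skill or its patterns.md; the names SafePath and TryResolve, the uploads base directory, and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.IO;

public static class SafePath
{
    // Resolves a user-supplied relative path under baseDir and rejects anything
    // that lands outside it. SafePath/TryResolve are hypothetical names.
    public static bool TryResolve(string baseDir, string userPath, out string resolved)
    {
        resolved = string.Empty;
        if (string.IsNullOrWhiteSpace(userPath) || userPath.Contains('\0'))
            return false;

        // Canonical root with exactly one trailing separator, so a sibling such
        // as ".../uploads-evil" cannot pass a prefix test against ".../uploads".
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Path.Combine discards root when userPath is rooted, and GetFullPath
        // collapses "." and ".." segments, so the containment check must run
        // on the resolved result, never on the raw input.
        string candidate;
        try { candidate = Path.GetFullPath(Path.Combine(root, userPath)); }
        catch (Exception e) when (e is ArgumentException or NotSupportedException
                                       or PathTooLongException) { return false; }

        var cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        if (!candidate.StartsWith(root, cmp))
            return false;

        resolved = candidate;
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs: two legitimate names, three escapes.
        string baseDir = Path.Combine(Path.GetTempPath(), "uploads");
        string[] inputs = { "report.pdf", "sub/../report.pdf",
                            "../uploads-evil/x", "../../etc/passwd", "/etc/passwd" };
        foreach (var input in inputs)
        {
            bool ok = TryResolve(baseDir, input, out var full);
            Console.WriteLine($"{input,-20} -> {(ok ? full : "REJECTED")}");
        }
    }
}
```

Path.GetFullPath normalizes the path lexically and does not resolve symbolic links, so a link inside the base directory that points elsewhere still passes this check and needs separate handling.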
Deliver
- ranked review findings with file references
- clear residual risks and test gaps
- brief summary of what changed only after findings
Validate
- findings describe user-visible or maintainability-impacting risk
- assumptions are stated when repo context is incomplete
- no trivial style nit hides a more serious issue