
code-review-checklist skill


This skill reviews code changes for correctness, security, performance, and maintainability across Laravel, React, and Python projects.

npx playbooks add skill htooayelwinict/claude-config --skill code-review-checklist


SKILL.md
---
name: code-review-checklist
description: |
  Review code changes for correctness, security, performance, and maintainability. Use for PR reviews,
  code audits, pre-merge checks, or quality validation of Laravel + React + Python code. EXCLUSIVE to reviewer agent.
allowed-tools: Read, Grep, Glob, Bash, mcp_gemini-bridge, mcp_open-bridge, mcp_codex-bridge, mcp_context7
---
# Code Review Checklist

**Exclusive to:** `reviewer` agent

## MCP Helpers (Brain + Memory)

### 🧠 Gemini-Bridge — Deep Code Analysis
```
mcp_gemini-bridge_consult_gemini(query="Review this code for best practices, security, and performance: [code snippet]", directory=".")
```

### 🌉 Open-Bridge — Alternative Analysis
```
mcp_open-bridge_consult_gemini(query="Review this code for best practices, security, and performance: [code snippet]", directory=".")
```

### 💻 Codex-Bridge — Code-Focused Review
```
mcp_codex-bridge_consult_codex(query="Analyze this code for bugs, anti-patterns, and improvements: [code]", directory=".")
```

### 📚 Context7 (Memory) — Up-to-Date Docs

Look up best practices and anti-patterns:
```
mcp_context7_resolve-library-id(libraryName="[library]", query="best practices")
mcp_context7_query-docs(libraryId="/[resolved-id]", query="[specific pattern to validate]")
```

## Validation Loop (MANDATORY)

Before completing any review, verify the codebase passes all checks:
```bash
composer test             # All PHP tests pass
npm run types             # No TypeScript errors
npm run lint              # No linting errors
./vendor/bin/pint --test  # PHP style OK
```

Report any failures as Critical findings.

## Instructions

1. Review against project standards in `docs/code-standards.md`
2. Run through the checklist below
3. Report issues by severity (Critical → Warning → Suggestion)

## Review Checklist

### ✅ Correctness
- [ ] Logic handles edge cases
- [ ] Error handling is appropriate
- [ ] Types are correct (no `any` unless justified)
- [ ] Tests cover new/changed behavior
- [ ] No dead code or unused imports

### 🔒 Security (OWASP)
- [ ] No secrets or credentials in code
- [ ] User input validated and sanitized
- [ ] Authorization checks in place
- [ ] No SQL injection (use Eloquent/query builder)
- [ ] No XSS (proper escaping, sanitization)
- [ ] CSRF protection enabled
- [ ] Rate limiting considered

### ⚡ Performance
- [ ] No N+1 queries (use eager loading: `with()`)
- [ ] No unnecessary database calls
- [ ] Large datasets are paginated
- [ ] Indexes exist for filtered/joined columns

### 🧹 Maintainability
- [ ] Follows patterns in `docs/code-standards.md`
- [ ] Names are clear and consistent
- [ ] No unnecessary complexity
- [ ] DRY — no copy-paste duplication

### 🎨 Frontend
- [ ] Uses existing shadcn/ui components
- [ ] Loading and error states handled
- [ ] Accessible (keyboard, labels, contrast)
- [ ] Responsive (mobile + desktop)

### ๐Ÿ“ Documentation
- [ ] Code comments for non-obvious logic
- [ ] Docs updated if behavior changed
- [ ] Types documented with JSDoc if complex

## Laravel Security Checks

| Check | Verify |
|-------|--------|
| Mass assignment | `$fillable` or `$guarded` defined |
| Authorization | Policy or Gate used |
| Validation | FormRequest with rules |
| CSRF | `@csrf` in forms |
| SQL injection | No raw queries with user input |
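
The rows above, as an added example that is not part of the skill: a hypothetical `Post` model, `StorePostRequest` and `PostController` showing, for each check, the pattern the reviewer flags beside the form it expects to see.

```php
<?php
// Added example for the Laravel Security Checks table (not part of the skill itself).
// Post, StorePostRequest and PostController are hypothetical; FLAGGED marks what the
// checklist reports, EXPECTED what a reviewer wants to see instead.
use Illuminate\Database\Eloquent\Model;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
class Post extends Model
{
    // Mass assignment: only these columns may be filled from request input. The FLAGGED
    // alternative is `protected $guarded = [];`, which lets a client set any column
    // (e.g. user_id or is_published) through create()/update().
    protected $fillable = ['title', 'body'];
}

class StorePostRequest extends FormRequest
{
    // Authorization: defers to the `create` ability on the Post policy.
    public function authorize(): bool
    {
        return $this->user()->can('create', Post::class);
    }
    // Validation: rules live here, so validated() returns only these keys.
    public function rules(): array
    {
        return [
            'title' => ['required', 'string', 'max:120'],
            'body'  => ['required', 'string'],
        ];
    }
}

class PostController
{
    // FLAGGED (Critical): no validation, no authorization, raw SQL built from user input.
    public function storeUnsafe(Request $request)
    {
        Post::create($request->all());
        return DB::select("SELECT * FROM posts WHERE title = '" . $request->input('title') . "'");
    }

    // EXPECTED: FormRequest runs authorize() and rules() before the action; validated()
    // drops unlisted fields; the query builder binds the title as a parameter.
    public function store(StorePostRequest $request)
    {
        $post = Post::create($request->validated());
        return Post::where('title', $post->title)->get();
    }
}
```

The `@csrf` row is a Blade template check and is not shown here; a reviewer confirms it in each form view rather than in the model or controller.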

## React Security Checks

| Check | Verify |
|-------|--------|
| XSS | No `dangerouslySetInnerHTML` |
| Props | TypeScript interfaces used |
| Secrets | No sensitive data in client |

## Severity Guide

| Level | Criteria | Action |
|-------|----------|--------|
| 🚨 Critical | Security flaw, data loss, breaks functionality | Block merge |
| ⚠️ Warning | Performance issue, code smell, missing test | Request fix |
| 💡 Suggestion | Style improvement, better pattern | Optional |

## Output Format

```markdown
## ๐Ÿ” Review Summary
[One paragraph overview]

## 🚨 Critical (must fix)
1. [Issue]: [File:Line] — [Why critical]

## โš ๏ธ Warnings (should fix)
1. [Issue]: [File:Line] โ€” [Recommendation]

## 💡 Suggestions (nice to have)
1. [Suggestion]: [File:Line] — [Improvement]

## ✅ What's Good
- [Positive observation]
```

## Examples
- "Review this PR before merge"
- "Check this code for security issues"
- "Audit changes for performance"

Overview

This skill reviews code changes for correctness, security, performance, and maintainability, focused on Laravel, React, and Python projects. It is exclusive to the reviewer agent and designed for PR reviews, audits, pre-merge checks, and quality validation. The output follows a clear severity-based report format for actionable findings. The skill enforces a mandatory validation loop to catch test, lint, and style failures before completing a review.

How this skill works

The reviewer runs automated project checks (tests, type checks, linters, and style tools) and inspects changed files against a structured checklist covering correctness, security (OWASP), performance, maintainability, frontend, and documentation. It uses memory helpers to consult deep code analysis tools and up-to-date docs for library best practices when needed. Findings are categorized by severity (Critical, Warning, Suggestion) and returned in a concise report format.

When to use it

  • Before merging a PR that touches backend or frontend logic.
  • During security audits or when handling sensitive data changes.
  • For performance reviews where DB queries or large datasets are affected.
  • When adopting new libraries or patterns and validating against standards.
  • As a pre-release gate to ensure tests, types, and lint pass.

Best practices

  • Run the validation loop: tests, type checks, lint, and style before finalizing review.
  • Reference project standards in docs/code-standards.md for consistency checks.
  • Prioritize Critical findings that block merges (security, data loss, broken functionality).
  • Include repro steps or failing commands for any automated check failures.
  • Use concrete file:line references and minimal examples for suggested fixes.

Example use cases

  • Review a feature PR adding new API endpoints in Laravel and React UI changes.
  • Audit a change that introduces complex DB joins to check for N+1 queries and indexes.
  • Validate form handling and authorization when adding CRUD operations.
  • Check TypeScript migrations to ensure there are no "any" types and that props use proper interfaces.
  • Run a security pass on code that handles authentication, sensitive fields, or third-party secrets.

FAQ

What automated checks are mandatory before completing a review?

Run PHP tests (composer test), TypeScript checks (npm run types), linters (npm run lint), and PHP style checks (./vendor/bin/pint --test). Report failures as Critical.

How are findings prioritized?

Findings are grouped by severity: Critical blocks merge (security, data loss, broken functionality), Warnings should be fixed (performance, missing tests), and Suggestions are optional improvements.