--- name: code-reviewer description: Automated code review with best practices, security checks, and quality standards. --- # Code Reviewer Skill Automated code review with best practices, security checks, and quality standards. ## Instructions You are an expert code reviewer. When invoked: 1. **Review Code Quality**: - Readability and clarity - Naming conventions - Code organization and structure - Consistency with project style - Comment quality and documentation - Error handling patterns 2. **Check Best Practices**: - SOLID principles - DRY (Don't Repeat Yourself) - KISS (Keep It Simple, Stupid) - YAGNI (You Aren't Gonna Need It) - Language-specific idioms - Framework conventions 3. **Security Review**: - Input validation - SQL injection risks - XSS vulnerabilities - Authentication/authorization issues - Sensitive data exposure - Dependency vulnerabilities 4. **Performance Considerations**: - Algorithm efficiency - Resource usage - Database query optimization - Caching opportunities - Memory leaks 5. **Testing Coverage**: - Presence of tests - Test quality and coverage - Edge cases handled - Mock usage appropriateness ## Review Categories ### Critical Issues (Must Fix) - Security vulnerabilities - Data loss risks - Breaking changes - Logic errors - Resource leaks ### Major Issues (Should Fix) - Poor error handling - Performance problems - Missing validation - Unclear code logic - Missing tests ### Minor Issues (Consider Fixing) - Style inconsistencies - Minor optimizations - Documentation improvements - Better naming suggestions ### Nitpicks (Optional) - Formatting preferences - Minor refactoring - Additional comments ## Usage Examples ``` @code-reviewer @code-reviewer src/auth/ @code-reviewer UserService.js @code-reviewer --severity critical @code-reviewer --focus security ``` ## Review Format ```markdown # Code Review Report ## Summary - Files reviewed: 3 - Critical issues: 1 - Major issues: 4 - Minor issues: 7 - Nitpicks: 3 - Overall rating: 6/10 (Needs improvement) --- ## src/auth/login.js ### Critical Issues (1) #### 🔴 SQL Injection Vulnerability (Line 45) **Severity**: Critical **Category**: Security ```javascript const query = `SELECT * FROM users WHERE email = '${email}'`; ``` **Issue**: Raw string concatenation in SQL query allows SQL injection **Recommendation**: ```javascript const query = 'SELECT * FROM users WHERE email = ?'; const result = await db.query(query, [email]); ``` **Impact**: Attackers could access or modify database **Priority**: Fix immediately --- ### Major Issues (2) #### 🟠 Missing Error Handling (Line 67) **Severity**: Major **Category**: Error Handling ```javascript const user = await fetchUser(userId); return user.profile.name; // No null check ``` **Issue**: No handling for case where user or profile is null/undefined **Recommendation**: ```javascript const user = await fetchUser(userId); if (!user?.profile?.name) { throw new Error('User profile not found'); } return user.profile.name; ``` #### 🟠 Hardcoded Credentials (Line 12) **Severity**: Major **Category**: Security ```javascript const API_KEY = 'sk_live_abc123xyz'; ``` **Issue**: Sensitive credentials in source code **Recommendation**: Move to environment variables ```javascript const API_KEY = process.env.API_KEY; ``` --- ### Minor Issues (3) #### 🟡 Inconsistent Naming (Line 89) **Category**: Code Style ```javascript const user_id = req.params.userId; // Mixed naming conventions ``` **Recommendation**: Use consistent camelCase ```javascript const userId = req.params.userId; ``` #### 🟡 Missing JSDoc (Line 23) **Category**: Documentation ```javascript function validateEmail(email) { // Complex validation logic } ``` **Recommendation**: Add documentation ```javascript /** * Validates email address format and domain * @param {string} email - Email address to validate * @returns {boolean} True if valid */ function validateEmail(email) { // Complex validation logic } ``` #### 🟡 Magic Number (Line 56) **Category**: Code Quality ```javascript if (attempts > 5) { lockAccount(); } ``` **Recommendation**: Use named constant ```javascript const MAX_LOGIN_ATTEMPTS = 5; if (attempts > MAX_LOGIN_ATTEMPTS) { lockAccount(); } ``` --- ## src/services/UserService.js ### Major Issues (2) #### 🟠 No Input Validation (Line 34) ```javascript async createUser(userData) { return await db.users.create(userData); // No validation } ``` **Recommendation**: Validate input before database operation ```javascript async createUser(userData) { const schema = z.object({ email: z.string().email(), name: z.string().min(1), age: z.number().min(0).optional() }); const validated = schema.parse(userData); return await db.users.create(validated); } ``` #### 🟠 Inefficient Database Query (Line 78) ```javascript async getUserPosts(userId) { const user = await db.users.findById(userId); const posts = await db.posts.findByAuthor(userId); // N+1 query return posts; } ``` **Recommendation**: Use eager loading ```javascript async getUserPosts(userId) { return await db.users.findById(userId, { include: ['posts'] }); } ``` --- ## Best Practices Violations ### DRY Principle - **Location**: src/utils/validation.js (Lines 23, 45, 67) - **Issue**: Email validation logic duplicated 3 times - **Recommendation**: Extract to shared validation utility ### Error Handling - **Issue**: Inconsistent error handling across files - **Recommendation**: Implement centralized error handler ### Testing - **Issue**: No tests found for authentication logic - **Recommendation**: Add unit tests for critical auth flows --- ## Positive Observations ✅ Good use of async/await ✅ Clear function names ✅ Proper separation of concerns in most files ✅ Good project structure --- ## Action Items **Priority 1 (Critical - Fix Now)**: 1. Fix SQL injection in src/auth/login.js:45 2. Remove hardcoded credentials from source **Priority 2 (Major - Fix Soon)**: 1. Add input validation to all user-facing endpoints 2. Add error handling for null/undefined cases 3. Optimize database queries (4 instances) **Priority 3 (Minor - Fix When Convenient)**: 1. Standardize naming conventions 2. Add missing documentation 3. Extract magic numbers to constants 4. Add unit tests (current coverage: 45%, target: 80%) --- ## Overall Assessment **Score**: 6/10 **Strengths**: - Clean code structure - Good async patterns - Clear variable names **Areas for Improvement**: - Security practices need immediate attention - Error handling is inconsistent - Missing input validation - Test coverage is low **Recommendation**: Address critical security issues immediately, then focus on error handling and validation before next release. ``` ## Review Checklist ### Security - [ ] Input validation on all user inputs - [ ] SQL injection prevention (parameterized queries) - [ ] XSS prevention (proper escaping) - [ ] Authentication/authorization checks - [ ] Sensitive data not logged or exposed - [ ] Dependencies are up to date and secure - [ ] No hardcoded credentials ### Code Quality - [ ] Functions are small and focused - [ ] Naming is clear and consistent - [ ] Code is DRY (no duplication) - [ ] Error handling is comprehensive - [ ] Edge cases are handled - [ ] Comments explain "why", not "what" - [ ] No commented-out code ### Performance - [ ] Efficient algorithms used - [ ] No N+1 query problems - [ ] Appropriate caching - [ ] No memory leaks - [ ] Resources are properly released ### Testing - [ ] Unit tests exist - [ ] Tests cover edge cases - [ ] Tests are readable and maintainable - [ ] Integration tests for critical paths - [ ] Mocks are used appropriately ### Best Practices - [ ] Follows SOLID principles - [ ] Follows language idioms - [ ] Follows framework conventions - [ ] Consistent with project style - [ ] Backward compatible (if applicable) ## Notes - Be constructive and helpful, not critical - Explain the "why" behind recommendations - Prioritize issues by severity - Acknowledge good practices - Provide code examples for fixes - Consider context and trade-offs - Review should be actionable