software-code-review

📁 vasilyu1983/ai-agents-public 📅 Jan 23, 2026

总安装量

周安装量

#6173

全站排名

安装命令

npx skills add https://github.com/vasilyu1983/ai-agents-public --skill software-code-review

Agent 安装分布

claude-code 23

opencode 20

gemini-cli 19

cursor 17

github-copilot 16

Skill 文档

Code Reviewing Skill â Quick Reference

This skill provides operational checklists and prompts for structured code review across languages and stacks. Use it when the primary task is reviewing existing code rather than designing new systems.

Quick Reference

Review Type	Focus Areas	Key Checklist	When to Use
Security Review	Auth, input validation, secrets, OWASP Top 10	software-security-appsec	Security-critical code, API endpoints
Supply Chain Review	Dependencies, lockfiles, licenses, SBOM, CI policies	dev-dependency-management	Dependency bumps, build/CI changes
Performance Review	N+1 queries, algorithms, caching, hot paths	DB queries, loops, memory allocation	High-traffic features, bottlenecks
Correctness Review	Logic, edge cases, error handling, tests	Boundary conditions, null checks, retries	Business logic, data transformations
Maintainability Review	Naming, complexity, duplication, readability	Function length, naming clarity, DRY	Complex modules, shared code
Test Review	Coverage, edge cases, flakiness, assertions	Test quality, missing scenarios	New features, refactors
Frontend Review	Accessibility, responsive design, performance	frontend-review.md	UI/UX changes
Backend Review	API design, error handling, database patterns	api-review.md	API endpoints, services
Blockchain Review	Reentrancy, access control, gas optimization	crypto-review.md	Smart contracts, DeFi protocols

Specialized: .NET/EF Core Crypto Integration

Skip unless reviewing C#/.NET crypto/fintech services using Entity Framework Core.

For C#/.NET crypto/fintech services using Entity Framework Core, see:

references/dotnet-efcore-crypto-rules.md â Complete review rules (correctness, security, async, EF Core, tests, MRs)

Key rules summary:

Review only new/modified code in the MR
Use decimal for financial values, UTC for dates
Follow CC-SEC-03 (no secrets in code) and CC-OBS-02 (no sensitive data in logs)
Async for I/O, pass CancellationToken, avoid .Result/.Wait() (see CC-ERR-04, CC-FLOW-03)
EF Core: AsNoTracking for reads, avoid N+1, no dynamic SQL
Result<T> pattern for explicit success/fail

When to Use This Skill

Invoke this skill when the user asks to:

Review a pull request or diff for issues
Audit code for security vulnerabilities or injection risks
Improve readability, structure, and maintainability
Suggest targeted refactors without changing behavior
Validate tests and edge-case coverage

When NOT to Use This Skill

System design or architecture: Use software-architecture-design for greenfield architecture decisions
Writing new code from scratch: This skill reviews existing code, not authoring new features
Deep security audits: For penetration testing or comprehensive security assessments, use software-security-appsec
Deep performance investigations: For profiling/observability, use qa-observability and for SQL/query tuning use data-sql-optimization

Decision Tree: Selecting Review Mode

Code review task: [What to Focus On?]
    ââ Security-critical changes?
    â   ââ Auth/access control â Security Review (OWASP, auth patterns)
    â   ââ User input handling â Input validation, XSS, SQL injection
    â   ââ Smart contracts â Blockchain Review (reentrancy, access control)
    â
    ââ Performance concerns?
    â   ââ Database queries â Check for N+1, missing indexes
    â   ââ Loops/algorithms â Complexity analysis, caching
    â   ââ API response times â Profiling, lazy loading
    â
    ââ Correctness issues?
    â   ââ Business logic â Edge cases, error handling, tests
    â   ââ Data transformations â Boundary conditions, null checks
    â   ââ Integration points â Retry logic, timeouts, fallbacks
    â
    ââ Maintainability problems?
    â   ââ Complex code â Naming, function length, duplication
    â   ââ Hard to understand â Comments, abstractions, clarity
    â   ââ Technical debt â Refactoring suggestions
    â
    ââ Test coverage gaps?
    â   ââ New features â Happy path + error cases
    â   ââ Refactors â Regression tests
    â   ââ Bug fixes â Reproduction tests
    â
    ââ Stack-specific review?
        ââ Frontend â [frontend-review.md](assets/web-frontend/frontend-review.md)
        ââ Backend â [api-review.md](assets/backend-api/api-review.md)
        ââ Mobile â [mobile-review.md](assets/mobile/mobile-review.md)
        ââ Infrastructure â [infrastructure-review.md](assets/infrastructure/infrastructure-review.md)
        ââ Blockchain â [crypto-review.md](assets/blockchain/crypto-review.md)

Multi-Mode Reviews:

For complex PRs, apply multiple review modes sequentially:

Security first (P0/P1 issues)
Correctness (logic, edge cases)
Performance (if applicable)
Maintainability (P2/P3 suggestions)

Async Review Workflows (2026)

Timezone-Friendly Reviews

Practice	Implementation
Review windows	Define 4-hour overlap windows
Review rotation	Assign reviewers across timezones
Async communication	Use PR comments, not DMs
Review SLAs	24-hour initial response, 48-hour completion

Non-Blocking Reviews

PR Submitted -> Auto-checks (CI) -> Async Review -> Merge
       |              |               |
  Author continues   If green,    Reviewer comments
  on other work      queue for    when available
                     review

Anti-patterns:

Synchronous review meetings for routine PRs
Blocking on reviewer availability for non-critical changes
Single reviewer bottleneck

Review Prioritization Matrix

Priority	Criteria	SLA
P0	Security fix, production incident	4 hours
P1	Bug fix, blocking dependency	24 hours
P2	Feature work, tech debt	48 hours
P3	Documentation, refactoring	72 hours

Optional: AI/Automation Extensions

Note: AI-assisted review tools. Human review remains authoritative.

AI Review Assistants

Tool	Use Case	Limitation
GitHub Copilot PR	Summary, suggestions	May miss context
CodeRabbit	Automated PR review comments	Requires human validation
Qodo	Test generation + review, 15+ workflows	Enterprise pricing
OpenAI Codex	System-level codebase context	API integration required
AWS Security Agent	OWASP Top 10, policy violations	Preview only (2026)
Endor Labs AI SAST	AI-assisted SAST	Security-focused
Graphite	PR stacking, stack-aware merge queue	Process, not content

AI assistant rules:

AI suggestions are advisory only
Human reviewer approves/rejects
AI cannot bypass security review
AI findings require manual verification

AI Review Checklist

AI suggestions validated against codebase patterns
AI-flagged issues manually confirmed
False positives documented for tool improvement
Human reviewer explicitly approved

Simplicity and Complexity Control

Prefer existing, battle-tested libraries over bespoke implementations when behavior is identical.
Flag avoidable complexity early: remove dead/commented-out code, collapse duplication, and extract single-responsibility helpers.
Call out premature optimization; favor clarity and measured, evidence-based tuning.
Encourage incremental refactors alongside reviews to keep modules small, predictable, and aligned to standards.

Operational Playbooks

Shared Foundation

../software-clean-code-standard/references/clean-code-standard.md – Canonical clean code rules (CC-*) for citation in reviews
Legacy playbook: ../software-clean-code-standard/references/code-quality-operational-playbook.md – RULE-01âRULE-13, refactoring decision trees, and design patterns

Code Review Specific

references/operational-playbook.md â Review scope rules, severity ratings (P0-P3), checklists, modes, and PR workflow patterns

Default Review Output (Agent-Facing)

When producing a review, default to:

Short summary of intent + risk
Findings grouped by P0/P1/P2/P3 (mark REQUIRED vs OPTIONAL)
Concrete suggestions (minimal diffs or test cases)
Follow-up questions when requirements or constraints are unclear

Use assets/core/review-comment-guidelines.md for comment style and labeling.

Navigation

Resources

Templates

Data

data/sources.json â Curated external references
Shared checklists: ../software-clean-code-standard/assets/checklists/secure-code-review-checklist.md, ../software-clean-code-standard/assets/checklists/backend-api-review-checklist.md

Trend Awareness Protocol

IMPORTANT: When users ask recommendation questions about code review tools, practices, or automation, you MUST use WebSearch to check current trends before answering.

Trigger Conditions

“What’s the best code review tool?”
“What should I use for [automated code review/PR automation]?”
“What’s the latest in code review practices?”
“Current best practices for [code review/PR workflow]?”
“Is [GitHub Copilot PR/CodeRabbit] still relevant in 2026?”
“[CodeRabbit] vs [Graphite] vs [other]?”
“Best AI code review assistant?”

Required Searches

Search: "code review best practices 2026"
Search: "[specific tool] vs alternatives 2026"
Search: "AI code review tools January 2026"
Search: "PR automation trends 2026"

What to Report

After searching, provide:

Current landscape: What code review tools/practices are popular NOW
Emerging trends: New AI assistants, PR tools, or review patterns gaining traction
Deprecated/declining: Tools/approaches losing relevance or support
Recommendation: Based on fresh data, not just static knowledge

Example Topics (verify with fresh search)

AI code review (GitHub Copilot PR, CodeRabbit, Cursor)
PR automation (Graphite, Stacked PRs, merge queues)
Code review platforms (GitHub, GitLab, Bitbucket)
Review bots and automation
Async review practices for distributed teams
Review metrics and analytics tools

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台