/review

/review - Code Review Command

Purpose

Comprehensive code review that analyzes quality, security, performance, and maintainability. Acts as an automated code reviewer that checks for issues across multiple dimensions before code reaches production.

Usage

/review [file path | 'staged' | 'pr' | PR number]

Arguments

• [file path] - Review specific file(s), supports glob patterns
• staged - Review all staged changes (git diff --staged)
• pr - Review current branch changes vs main
• [PR number] - Review specific pull request from GitHub

How It Works

The /review command executes a comprehensive 5-phase review process:

Phase 1: Identify Review Scope

1. Determine What to Review

   • Single file: Reads the specified file
   • staged: Gets staged changes with git diff --staged
   • pr: Gets branch diff with git diff main...HEAD
   • PR number: Fetches PR details with gh pr view

2. Gather Context

   • Understands the purpose of changes
   • Checks related tests
   • Reviews CLAUDE.md for project standards

Phase 2: Code Quality Review

Checks each file for:

1. Correctness

   • Logic errors and bugs
   • Edge case handling
   • Null/undefined safety
   • Type correctness

2. Clarity

   • Clear naming (variables, functions, classes)
   • Readable structure
   • Appropriate comments
   • Self-documenting code

3. Consistency

   • Follows project conventions
   • Matches existing patterns
   • Style guide compliance

4. Complexity

   • Function length (prefer <30 lines)
   • Cyclomatic complexity
   • Nesting depth

Phase 3: Security Review

Checks for security issues:

1. Input Validation

   • User input sanitization
   • Type validation
   • Size/length limits

2. Authentication/Authorization

   • Proper auth checks
   • Role-based access control
   • Session management

3. Data Protection

   • Sensitive data handling
   • Encryption where needed
   • PII protection

4. Injection Prevention

   • SQL injection
   • XSS vulnerabilities
   • Command injection

5. Secrets

   • No hardcoded credentials
   • No API keys in code
   • Proper env var usage

Phase 4: Performance Review

Checks for performance issues:

1. Algorithmic Efficiency

   • Time complexity
   • Unnecessary loops
   • Redundant operations

2. Memory Usage

   • Large object creation
   • Memory leaks
   • Unbounded caches

3. Database

   • N+1 queries
   • Missing indexes
   • Large result sets

4. Async Operations

   • Proper async/await
   • Parallel where possible
   • Timeout handling

Phase 5: Maintainability Review

Checks for maintainability:

1. SOLID Principles

   • Single responsibility
   • Open/closed
   • Dependency injection

2. DRY

   • Code duplication
   • Opportunity for reuse

3. Testing

   • Test coverage
   • Test quality
   • Edge case tests

4. Documentation

   • API documentation
   • Complex logic explanation
   • Usage examples

Review Output Format

## Code Review: src/api/users.ts

**Reviewed**: 1 file, 142 lines
**Verdict**: Request Changes

---

### Critical Issues (Must Fix)

#### 1. [Security] SQL Injection Risk
**File**: `src/api/users.ts:42`
**Severity**: Critical

```typescript
// Current code
const query = `SELECT * FROM users WHERE id = ${userId}`;

Issue: User input directly interpolated into SQL query.

Fix:

const query = 'SELECT * FROM users WHERE id = $1';
const result = await db.query(query, [userId]);

---

Recommendations (Should Fix)

1. Missing Error Handling

File: src/services/auth.ts:78

// Current
const user = await db.findUser(email);
return user.password; // May throw if user is null

Suggestion:

const user = await db.findUser(email);
if (!user) {
  throw new NotFoundError('User not found');
}
return user.password;

---

Suggestions (Nice to Have)

1. Consider extracting the validation logic in src/utils/validate.ts:23 into a separate function for reusability.

2. The constant MAX_RETRIES in src/api/client.ts could be moved to configuration.

---

What’s Good

• Clean separation of concerns between controller and service layers
• Comprehensive error handling in the authentication flow
• Good test coverage for edge cases in auth.test.ts

---

Summary

Found 1 critical issue (security), 2 recommendations, and 2 suggestions.

Priority Actions:

1. Fix SQL injection vulnerability immediately
2. Add null check for user lookup

Ready for merge: No - Critical issues must be addressed first

## Review Checklist

### Security
- [ ] No hardcoded secrets
- [ ] Input validation present
- [ ] Output encoding for rendered content
- [ ] SQL parameterization
- [ ] Proper auth checks
- [ ] No eval() or dynamic code execution

### Quality
- [ ] Clear naming conventions
- [ ] Functions are focused (single responsibility)
- [ ] Error handling is complete
- [ ] No commented-out code
- [ ] No debug statements left

### Testing
- [ ] New code has tests
- [ ] Edge cases covered
- [ ] Tests are deterministic

### Documentation
- [ ] Public APIs documented
- [ ] Complex logic explained
- [ ] Breaking changes noted

## Flags

| Flag | Description | Example |
|------|-------------|---------|
| `--mode=[mode]` | Use specific behavioral mode | `--mode=review` |
| `--persona=[type]` | Apply persona expertise | `--persona=security` |
| `--depth=[1-5]` | Review thoroughness level (1=quick, 5=exhaustive) | `--depth=5` |
| `--format=[fmt]` | Output format (concise/detailed/json) | `--format=detailed` |
| `--focus=[area]` | Focus on specific area | `--focus=performance` |
| `--save` | Save review to file | `--save` |

### Persona Options

| Persona | Focus Area |
|---------|------------|
| `security` | Vulnerabilities, auth, data protection |
| `performance` | Efficiency, queries, caching |
| `architecture` | Patterns, coupling, SOLID |
| `testing` | Coverage, test quality |
| `accessibility` | A11y compliance |

### Focus Areas

| Focus | Checks |
|-------|--------|
| `security` | OWASP top 10, auth, input validation |
| `performance` | N+1 queries, complexity, memory |
| `quality` | Readability, maintainability |
| `testing` | Coverage, test patterns |

### Flag Examples

```bash
# Security-focused review of auth code
/review --persona=security src/auth/

# Thorough review of staged changes
/review --depth=5 --format=detailed staged

# Performance-focused review
/review --focus=performance src/services/heavy-computation.ts

# Deep review with saved report
/review --mode=deep-research --save pr

Examples

Review Staged Changes

Input:

/review staged

Output: Complete review of all staged changes with:

• Security vulnerability scan
• Code quality assessment
• Performance analysis
• Actionable feedback organized by severity

Review Pull Request

Input:

/review pr #142

Output:

• Fetches PR from GitHub
• Reviews all changed files
• Categorizes issues by severity
• Provides approval recommendation

Security-Focused Review

Input:

/review --persona=security --depth=5 src/api/

Output:

• Deep security analysis
• OWASP top 10 checks
• Auth/authorization review
• Input validation verification

Deliverables

After running /review, you receive:

1. Issue List - Organized by severity (Critical, Recommendations, Suggestions)
2. Code Examples - Before/after code snippets for fixes
3. Checklist Results - Security, quality, testing, documentation
4. Verdict - Approve, Request Changes, or Needs Discussion
5. Action Items - Prioritized list of required fixes

Related Commands

• /fix - Fix identified issues
• /refactor - Address code quality suggestions
• /test - Add missing tests
• /feature - Complete feature workflow with review