🇺🇸English
Code Review Expert
Overview
Perform a structured review of the current git changes with focus on SOLID, architecture, removal candidates, and security risks. Default to review-only output unless the user asks to implement changes.
Severity Levels
| Level | Name | Description | Action |
|---|
| P0 | Critical | Security vulnerability, data loss risk, correctness bug | Must block merge |
| P1 | High | Logic error, significant SOLID violation, performance regression | Should fix before merge |
| P2 | Medium | Code smell, maintainability concern, minor SOLID violation | Fix in this PR or create follow-up |
| P3 | Low | Style, naming, minor suggestion | Optional improvement |
Workflow
1) Preflight context
- Use
git status -sb, git diff --stat, and git diff to scope changes.
- If needed, use
rg or grep to find related modules, usages, and contracts.
- Identify entry points, ownership boundaries, and critical paths (auth, payments, data writes, network).
Edge cases:
- No changes : If
git diff is empty, inform user and ask if they want to review staged changes or a specific commit range.
- Large diff ( >500 lines): Summarize by file first, then review in batches by module/feature area.
- Mixed concerns : Group findings by logical feature, not just file order.
2) SOLID + architecture smells
- Load
references/solid-checklist.md for specific prompts.
- Look for:
- SRP : Overloaded modules with unrelated responsibilities.
- OCP : Frequent edits to add behavior instead of extension points.
- LSP : Subclasses that break expectations or require type checks.
- ISP : Wide interfaces with unused methods.
- DIP : High-level logic tied to low-level implementations.
- When you propose a refactor, explain why it improves cohesion/coupling and outline a minimal, safe split.
- If refactor is non-trivial, propose an incremental plan instead of a large rewrite.
3) Removal candidates + iteration plan
- Load
references/removal-plan.md for template.
- Identify code that is unused, redundant, or feature-flagged off.
- Distinguish safe delete now vs defer with plan.
- Provide a follow-up plan with concrete steps and checkpoints (tests/metrics).
4) Security and reliability scan
- Load
references/security-checklist.md for coverage.
- Check for:
- XSS, injection (SQL/NoSQL/command), SSRF, path traversal
- AuthZ/AuthN gaps, missing tenancy checks
- Secret leakage or API keys in logs/env/files
- Rate limits, unbounded loops, CPU/memory hotspots
- Unsafe deserialization, weak crypto, insecure defaults
- Race conditions : concurrent access, check-then-act, TOCTOU, missing locks
- Call out both exploitability and impact.
5) Code quality scan
- Load
references/code-quality-checklist.md for coverage.
- Check for:
- Error handling : swallowed exceptions, overly broad catch, missing error handling, async errors
- Performance : N+1 queries, CPU-intensive ops in hot paths, missing cache, unbounded memory
- Boundary conditions : null/undefined handling, empty collections, numeric boundaries, off-by-one
- Flag issues that may cause silent failures or production incidents.
6) Output format
Structure your review as follows:
## Code Review Summary
**Files reviewed**: X files, Y lines changed
**Overall assessment**: [APPROVE / REQUEST_CHANGES / COMMENT]
---
## Findings
### P0 - Critical
(none or list)
### P1 - High
1. **[file:line]** Brief title
- Description of issue
- Suggested fix
### P2 - Medium
2. (continue numbering across sections)
- ...
### P3 - Low
...
---
## Removal/Iteration Plan
(if applicable)
## Additional Suggestions
(optional improvements, not blocking)
Inline comments : Use this format for file-specific findings:
::code-comment{file="path/to/file.ts" line="42" severity="P1"}
Description of the issue and suggested fix.
::
Clean review : If no issues found, explicitly state:
- What was checked
- Any areas not covered (e.g., "Did not verify database migrations")
- Residual risks or recommended follow-up tests
7) Next steps confirmation
After presenting findings, ask user how to proceed:
---
## Next Steps
I found X issues (P0: _, P1: _, P2: _, P3: _).
**How would you like to proceed?**
1. **Fix all** - I'll implement all suggested fixes
2. **Fix P0/P1 only** - Address critical and high priority issues
3. **Fix specific items** - Tell me which issues to fix
4. **No changes** - Review complete, no implementation needed
Please choose an option or provide specific instructions.
Important : Do NOT implement any changes until user explicitly confirms. This is a review-first workflow.
Resources
references/
| File | Purpose |
|---|
solid-checklist.md | SOLID smell prompts and refactor heuristics |
security-checklist.md | Web/app security and runtime risk checklist |
code-quality-checklist.md | Error handling, performance, boundary conditions |
removal-plan.md | Template for deletion candidates and follow-up plan |
Weekly Installs
4.4K
Repository
sanyuan0704/cod…w-expert
GitHub Stars
2.9K
First Seen
Feb 4, 2026
Security Audits
Gen Agent Trust HubPassSocketPassSnykPass
Installed on
opencode3.9K
codex3.9K
gemini-cli3.8K
github-copilot3.8K
kimi-cli3.7K
amp3.6K
