企业级代码审查技能：使用GoodVibes进行安全、性能与质量审计 | SkillsMD

⚠️

重要前提

安装AI Skills的关键前提是：必须科学上网，且开启TUN模式，这一点至关重要，直接决定安装能否顺利完成，在此郑重提醒三遍：科学上网，科学上网，科学上网。查看完整安装教程 →

企业级代码审查技能：使用GoodVibes进行安全、性能与质量审计

code-review by mgd34msu/goodvibes-plugin

61 周安装量

6 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/mgd34msu/goodvibes-plugin --skill code-review

代码质量测试安全

🇨🇳中文介绍

资源

scripts/
  validate-code-review.sh
references/
  review-patterns.md

代码审查质量技能

此技能教你如何使用 GoodVibes 精准工具执行彻底的企业级代码审查。系统化的代码审查能及早发现问题、确保一致性、验证安全性和性能，并在整个代码库中保持高质量标准。

何时使用此技能

在以下情况加载此技能：

审查拉取请求或合并请求时
执行代码质量审计时
验证实现的安全性和性能时
检查对架构模式的遵循情况时
评估测试覆盖率和质量时
评估无障碍访问合规性时
向开发者提供结构化反馈时

触发短语："review this code", "check the PR", "quality audit", "security review", "performance review", "validate implementation"。

核心工作流程

阶段 1：发现 - 理解变更

在审查之前，先理解变更内容、原因及影响范围。

步骤 1.1：收集变更上下文

使用 discover 来映射所有更改的文件并识别变更类型。

discover:
  queries:
    - id: changed_files
      type: glob
      patterns: ["src/**/*"]  # 列出待审查的更改文件
    - id: new_files
      type: glob
      patterns: ["**/*"]
    - id: test_files
      type: glob
      patterns: ["**/*.test.ts", "**/*.test.tsx", "**/*.spec.ts", "**/*.spec.tsx"]
  verbosity: files_only

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

Azure RBAC 权限管理工具：查找最小角色、创建自定义角色与自动化分配

148,200 周安装

OpenClaw 安全 Linux 云部署指南：私有优先、SSH隧道、Podman容器化

48,800 周安装

Linux云主机安全托管指南：从SSH加固到HTTPS部署

48,600 周安装

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

45,900 周安装

precision_exec:
  commands:
    - cmd: "git diff --name-only HEAD~1..HEAD"
  verbosity: minimal

precision_read:
  files:
    - path: "src/api/user-routes.ts"  # 示例更改文件
      extract: content
    - path: "src/components/UserProfile.tsx"
      extract: content
  output:
    max_per_item: 200
  verbosity: standard

precision_exec:
  commands:
    - cmd: "git diff HEAD~1..HEAD -- src/api/user-routes.ts"
  verbosity: standard

discover:
  queries:
    - id: function_exports
      type: grep
      pattern: "export (function|const|class) (createUser|updateUser|deleteUser)"
      glob: "**/*.{ts,tsx,js,jsx}"
    - id: usage_sites
      type: grep
      pattern: "(createUser|updateUser|deleteUser)\\("
      glob: "**/*.{ts,tsx,js,jsx}"
    - id: related_tests
      type: grep
      pattern: "(createUser|updateUser|deleteUser)"
      glob: "**/*.test.{ts,tsx}"
  verbosity: locations

discover:
  queries:
    # SQL 注入
    - id: sql_injection
      type: grep
      pattern: '(query|execute|sql).*[`$].*\$\{'
      glob: "**/*.{ts,tsx,js,jsx}"
    # XSS 漏洞
    - id: dangerous_html
      type: grep
      pattern: "(dangerouslySetInnerHTML|innerHTML|outerHTML)"
      glob: "**/*.{ts,tsx,jsx}"
    # 硬编码密钥
    - id: hardcoded_secrets
      type: grep
      pattern: '(password|secret|api[_-]?key|token)\s*=\s*["''][^"'']+["'']'
      glob: "**/*.{ts,tsx,js,jsx,json}"
    # 缺少身份验证
    - id: unauthed_routes
      type: grep
      pattern: "export (async )?function (GET|POST|PUT|DELETE|PATCH)"
      glob: "src/app/api/**/*.ts"
  verbosity: locations

模式	严重性	重要性
SQL 注入	关键	允许攻击者读取/修改数据库
XSS 漏洞	关键	允许脚本注入、会话劫持
硬编码密钥	关键	在源代码中暴露凭据
缺少身份验证检查	关键	暴露受保护资源
不安全的反序列化	关键	远程代码执行
CORS 配置错误	主要	允许未经授权的来源
弱密码规则	主要	账户泄露
缺少输入验证	主要	数据损坏、注入

discover:
  queries:
    # 检查验证模式
    - id: zod_schemas
      type: grep
      pattern: "z\\.(object|string|number|array|enum)"
      glob: "**/*.{ts,tsx}"
    # 检查未经验证的直接 request.json()
    - id: unvalidated_input
      type: grep
      pattern: "(await request\\.json\\(\\)|req\\.body)(?!.*safeParse)"
      glob: "src/app/api/**/*.ts"
    # 检查 SQL 参数化
    - id: parameterized_queries
      type: grep
      pattern: "(db\\.(query|execute)|prisma\\.|sql`)"
      glob: "**/*.{ts,js}"
  verbosity: locations

discover:
  queries:
    # 查找身份验证中间件使用情况
    - id: auth_middleware
      type: grep
      pattern: "(getServerSession|auth\\(\\)|requireAuth|withAuth)"
      glob: "src/app/api/**/*.ts"
    # 查找资源所有权检查
    - id: ownership_checks
      type: grep
      pattern: "(userId|authorId|ownerId)\s*===\s*(session|user|currentUser)"
      glob: "**/*.{ts,tsx}"
    # 查找 RBAC 检查
    - id: rbac_checks
      type: grep
      pattern: "(role|permission|can)\s*===\s*"
      glob: "**/*.{ts,tsx}"
  verbosity: locations

discover:
  queries:
    # 查找包含数据库调用的循环
    - id: n_plus_one
      type: grep
      pattern: "(for|forEach|map).*await.*(prisma|db|query|find)"
      glob: "**/*.{ts,tsx,js,jsx}"
    # 查找 Prisma include 使用情况
    - id: prisma_includes
      type: grep
      pattern: "(findMany|findUnique|findFirst).*include:"
      glob: "**/*.{ts,js}"
  verbosity: locations

discover:
  queries:
    # 查找 JSX 中的内联对象/数组创建
    - id: inline_objects
      type: grep
      pattern: "(onClick|onChange|style)=\\{\\{|=\\{\\["
      glob: "**/*.{tsx,jsx}"
    # 查找缺失的 useMemo/useCallback
    - id: missing_memoization
      type: grep
      pattern: "(map|filter|reduce)\\("
      glob: "**/*.{tsx,jsx}"
    # 查找没有依赖项的 useEffect
    - id: missing_deps
      type: grep
      pattern: "useEffect\\([^)]+\\)\\s*$"
      glob: "**/*.{tsx,jsx}"
  verbosity: locations

反模式	修复方法
props 中的内联对象	提取为常量或使用 useMemo
props 中的内联函数	用 useCallback 包装
没有 key 的大列表	添加稳定的 key 属性
useEffect 缺少依赖项	将所有使用的变量添加到依赖项数组
Context 重新渲染所有内容	拆分上下文或使用状态管理器

precision_read:
  files:
    - path: "prisma/schema.prisma"
      extract: content
  output:
    max_per_item: 500
  verbosity: standard

discover:
  queries:
    # 查找 any 类型
    - id: any_usage
      type: grep
      pattern: ":\s*any(\\s|;|,|\\))"
      glob: "**/*.{ts,tsx}"
    # 查找类型断言 (as)
    - id: type_assertions
      type: grep
      pattern: "as (unknown|any|string|number)"
      glob: "**/*.{ts,tsx}"
    # 查找非空断言 (!)
    - id: non_null_assertions
      type: grep
      pattern: "![.;,)\\]]"
      glob: "**/*.{ts,tsx}"
    # 查找不安全的成员访问
    - id: unsafe_access
      type: grep
      pattern: "\\?\\."
      glob: "**/*.{ts,tsx}"
  verbosity: locations

问题	严重性	修复方法
`any` 类型使用	主要	使用正确的类型或 unknown
`as any` 断言	主要	修复底层类型问题
`!` 非空断言	次要	添加空值检查
缺少返回类型	次要	显式声明函数返回类型
隐式 any 参数	主要	添加参数类型

discover:
  queries:
    # 查找悬空的 Promise
    - id: floating_promises
      type: grep
      pattern: "^\\s+[a-z][a-zA-Z]*\\(.*\\);$"
      glob: "**/*.{ts,tsx,js,jsx}"
    # 查找空的 catch 块
    - id: empty_catch
      type: grep
      pattern: "catch.*\\{\\s*\\}"
      glob: "**/*.{ts,tsx,js,jsx}"
    # 查找 console.error（应使用日志记录器）
    - id: console_error
      type: grep
      pattern: "console\\.(error|warn|log)"
      glob: "**/*.{ts,tsx,js,jsx}"
  verbosity: locations

precision_exec:
  commands:
    - cmd: "find src -not -path '*/node_modules/*' -not -path '*/dist/*' -name '*.ts' -o -name '*.tsx' -print0 | xargs -0 wc -l | sort -rn | head -20"
  verbosity: standard

discover:
  queries:
    # 查找测试文件
    - id: test_files
      type: glob
      patterns: ["**/*.test.{ts,tsx}", "**/*.spec.{ts,tsx}"]
    # 查找没有测试的文件
    - id: source_files
      type: glob
      patterns: ["src/**/*.{ts,tsx}"]
    # 检查测试导入
    - id: test_imports
      type: grep
      pattern: "from ['\"].*/(api|lib|components)/"
      glob: "**/*.test.{ts,tsx}"
  verbosity: files_only

// 伪逻辑（使用 precision tools 实现）
const sourceFiles = results.source_files.files;
const testFiles = results.test_files.files;
const missingTests = sourceFiles.filter(f => !testFiles.some(t => t.includes(f.replace('.ts', ''))));

discover:
  queries:
    # 查找跳过的测试
    - id: skipped_tests
      type: grep
      pattern: "(it\\.skip|test\\.skip|describe\\.skip)"
      glob: "**/*.test.{ts,tsx}"
    # 查找聚焦的测试 (.only)
    - id: focused_tests
      type: grep
      pattern: "(it\\.only|test\\.only|describe\\.only)"
      glob: "**/*.test.{ts,tsx}"
    # 查找 expect 断言
    - id: assertions
      type: grep
      pattern: "expect\\("
      glob: "**/*.test.{ts,tsx}"
    # 查找模拟使用情况
    - id: mocks
      type: grep
      pattern: "(vi\\.mock|jest\\.mock|vi\\.fn)"
      glob: "**/*.test.{ts,tsx}"
  verbosity: locations

discover:
  queries:
    # 在 UI 中查找领域导入
    - id: ui_imports_domain
      type: grep
      pattern: "from ['\"].*/(domain|core|lib)/"
      glob: "src/components/**/*.{ts,tsx}"
    # 在领域层中查找 UI 导入
    - id: domain_imports_ui
      type: grep
      pattern: "from ['\"].*/(components|pages|app)/"
      glob: "src/domain/**/*.{ts,tsx}"
    # 查找循环依赖
    - id: imports
      type: grep
      pattern: "^import.*from"
      glob: "src/**/*.{ts,tsx}"
  verbosity: locations

discover:
  queries:
    # 组件中的数据库访问
    - id: db_in_components
      type: grep
      pattern: "(prisma|db\\.(query|execute))"
      glob: "src/components/**/*.{ts,tsx}"
    # API 路由中的业务逻辑
    - id: logic_in_routes
      type: grep
      pattern: "export (async )?function (GET|POST)"
      glob: "src/app/api/**/*.ts"
  verbosity: files_only

discover:
  queries:
    # 查找 div 按钮（应为 <button>）
    - id: div_buttons
      type: grep
      pattern: "<div.*(onClick|onKeyDown)"
      glob: "**/*.{tsx,jsx}"
    # 查找缺少 alt 文本
    - id: missing_alt
      type: grep
      pattern: "<img(?![^>]*alt=)"
      glob: "**/*.{tsx,jsx}"
    # 查找缺少标签
    - id: missing_labels
      type: grep
      pattern: "<input(?![^>]*aria-label)(?![^>]*id=)"
      glob: "**/*.{tsx,jsx}"
    # 查找缺少 ARIA 角色
    - id: missing_roles
      type: grep
      pattern: "<(nav|header|footer|main)(?![^>]*role=)"
      glob: "**/*.{tsx,jsx}"
  verbosity: locations

discover:
  queries:
    # 查找自定义组件
    - id: custom_components
      type: grep
      pattern: "(Accordion|Dialog|Dropdown|Tabs|Tooltip)"
      glob: "src/components/**/*.{tsx,jsx}"
  verbosity: files_only

precision_exec:
  commands:
    # 类型检查
    - cmd: "npm run typecheck"
    # 代码检查
    - cmd: "npm run lint"
    # 测试
    - cmd: "npm run test"
    # 安全审计
    - cmd: "npm audit --audit-level=moderate"
  verbosity: standard

## 审查摘要

**总分**: 8.2/10
**结论**: 批准，附带建议

**变更内容**: 添加了带身份验证的用户个人资料 API
**审查文件**: 8 个文件（5 个源文件，3 个测试文件）

## 维度得分

1. 正确性: 9/10
2. 类型安全: 7/10
3. 安全性: 9/10
4. 性能: 8/10
5. 错误处理: 7/10
6. 测试: 8/10
7. 代码质量: 9/10
8. 架构: 8/10
9. 无障碍访问: 8/10
10. 文档: 7/10

## 发现的问题

### 主要问题（应修复）

- **FILE:LINE** - 类型安全：函数 `updateProfile` 具有隐式 `any` 返回类型
  - 修复：添加显式返回类型 `Promise<User>`
  - 影响：TypeScript 无法在调用方捕获类型错误

### 次要问题（最好修复）

- **src/api/profile.ts:42** - 错误处理：空的 catch 块吞没了错误
  - 修复：在重新抛出前记录带有上下文的错误
  - 影响：使调试更加困难

## 做得好的方面

- 使用 Zod 模式进行出色的输入验证
- 全面的测试覆盖率 (95%)
- 所有路由都有正确的身份验证检查
- 关注点分离清晰（路由 -> 服务 -> 存储库）

discover:
  queries:
    - id: sql_injection
      type: grep
      pattern: 'query.*\$\{'
    - id: hardcoded_secrets
      type: grep
      pattern: 'api[_-]?key\s*=\s*["''][^"'']+'
    - id: xss
      type: grep
      pattern: 'dangerouslySetInnerHTML'
  verbosity: locations

precision_grep:
  queries:
    - id: catch_blocks
      pattern: "try\\s*\\{[\\s\\S]*?\\}\\s*catch"
  output:
    format: context
    context_after: 3
    context_before: 1
  verbosity: standard

precision_exec:
  commands:
    - cmd: "npm run typecheck"
    - cmd: "npm run lint"
    - cmd: "npm test -- --coverage"
  verbosity: standard

./scripts/validate-code-review.sh /path/to/review-output.md

discover:
  queries:
    - id: all_changes
      type: grep
      pattern: ".*"
      path: "src/"
  verbosity: files_only

precision_read:
  files:
    - path: "src/changed-file-1.ts"
    - path: "src/changed-file-2.ts"
  extract: content
  output:
    max_per_item: 100
  verbosity: standard

precision_grep:
  queries:
    - id: auth_checks
      pattern: "getServerSession|auth\\(\\)"
  output:
    format: context
    context_before: 5
    context_after: 10
  verbosity: standard

precision_exec:
  commands:
    - cmd: "git diff HEAD~1..HEAD --unified=5"
  verbosity: standard

discover:
  queries:
    # 安全性
    - { id: sql_injection, type: grep, pattern: 'query.*\$\{' }
    - { id: xss, type: grep, pattern: 'dangerouslySetInnerHTML' }
    - { id: secrets, type: grep, pattern: 'password\s*=\s*["''][^"'']+' }
    # 性能
    - { id: n_plus_one, type: grep, pattern: 'for.*await.*prisma' }
    - { id: inline_objects, type: grep, pattern: 'onClick=\{\{', glob: '**/*.tsx' }
    # 质量
    - { id: any_usage, type: grep, pattern: ':\s*any', glob: '**/*.ts' }
    - { id: empty_catch, type: grep, pattern: 'catch.*\{\s*\}' }
  verbosity: locations

🇺🇸English

Resources

scripts/
  validate-code-review.sh
references/
  review-patterns.md

Code Review Quality Skill

This skill teaches you how to perform thorough, enterprise-grade code reviews using GoodVibes precision tools. A systematic code review catches issues early, ensures consistency, validates security and performance, and maintains high quality standards across the codebase.

When to Use This Skill

Load this skill when:

Reviewing pull requests or merge requests
Performing code quality audits
Validating security and performance of implementations
Checking adherence to architectural patterns
Assessing test coverage and quality
Evaluating accessibility compliance
Providing structured feedback to developers

Trigger phrases: "review this code", "check the PR", "quality audit", "security review", "performance review", "validate implementation".

Core Workflow

Phase 1: Discovery - Understand the Change

Before reviewing, understand what changed, why, and the scope of impact.

Step 1.1: Gather Change Context

Use discover to map all changed files and identify the type of change.

discover:
  queries:
    - id: changed_files
      type: glob
      patterns: ["src/**/*"]  # List changed files for review
    - id: new_files
      type: glob
      patterns: ["**/*"]
    - id: test_files
      type: glob
      patterns: ["**/*.test.ts", "**/*.test.tsx", "**/*.spec.ts", "**/*.spec.tsx"]
  verbosity: files_only

Extract from git:

precision_exec:
  commands:
    - cmd: "git diff --name-only HEAD~1..HEAD"
  verbosity: minimal

What this reveals:

All files modified in the changeset
New vs modified vs deleted files
Test files included (or missing)
Scope of change (frontend, backend, full-stack)

Step 1.2: Analyze Changed Code

Use precision_read to examine the actual changes.

precision_read:
  files:
    - path: "src/api/user-routes.ts"  # Example changed file
      extract: content
    - path: "src/components/UserProfile.tsx"
      extract: content
  output:
    max_per_item: 200
  verbosity: standard

Get diff context:

precision_exec:
  commands:
    - cmd: "git diff HEAD~1..HEAD -- src/api/user-routes.ts"
  verbosity: standard

Step 1.3: Find Related Code

Use discover to find imports, exports, and usage of changed symbols.

discover:
  queries:
    - id: function_exports
      type: grep
      pattern: "export (function|const|class) (createUser|updateUser|deleteUser)"
      glob: "**/*.{ts,tsx,js,jsx}"
    - id: usage_sites
      type: grep
      pattern: "(createUser|updateUser|deleteUser)\\("
      glob: "**/*.{ts,tsx,js,jsx}"
    - id: related_tests
      type: grep
      pattern: "(createUser|updateUser|deleteUser)"
      glob: "**/*.test.{ts,tsx}"
  verbosity: locations

What this reveals:

Where changed functions are used
Potential breaking changes
Test coverage for changed code
Ripple effects across the codebase

Phase 2: Security Review

Security issues are critical and must be caught in review.

Step 2.1: Check for Common Vulnerabilities

Use discover to find security anti-patterns.

discover:
  queries:
    # SQL Injection
    - id: sql_injection
      type: grep
      pattern: '(query|execute|sql).*[`$].*\$\{'
      glob: "**/*.{ts,tsx,js,jsx}"
    # XSS vulnerabilities
    - id: dangerous_html
      type: grep
      pattern: "(dangerouslySetInnerHTML|innerHTML|outerHTML)"
      glob: "**/*.{ts,tsx,jsx}"
    # Hardcoded secrets
    - id: hardcoded_secrets
      type: grep
      pattern: '(password|secret|api[_-]?key|token)\s*=\s*["''][^"'']+["'']'
      glob: "**/*.{ts,tsx,js,jsx,json}"
    # Missing authentication
    - id: unauthed_routes
      type: grep
      pattern: "export (async )?function (GET|POST|PUT|DELETE|PATCH)"
      glob: "src/app/api/**/*.ts"
  verbosity: locations

Critical patterns to check:

Pattern	Severity	Why It Matters
SQL injection	Critical	Allows attackers to read/modify database
XSS vulnerabilities	Critical	Allows script injection, session hijacking
Hardcoded secrets	Critical	Exposes credentials in source code
Missing auth checks	Critical	Exposes protected resources
Unsafe deserialization	Critical	Remote code execution
CORS misconfiguration	Major	Allows unauthorized origins
Weak password rules	Major	Account compromise
Missing input validation	Major	Data corruption, injection

Step 2.2: Validate Input Handling

All external input must be validated.

discover:
  queries:
    # Check for validation schemas
    - id: zod_schemas
      type: grep
      pattern: "z\\.(object|string|number|array|enum)"
      glob: "**/*.{ts,tsx}"
    # Check for direct request.json() without validation
    - id: unvalidated_input
      type: grep
      pattern: "(await request\\.json\\(\\)|req\\.body)(?!.*safeParse)"
      glob: "src/app/api/**/*.ts"
    # Check for SQL parameterization
    - id: parameterized_queries
      type: grep
      pattern: "(db\\.(query|execute)|prisma\\.|sql`)"
      glob: "**/*.{ts,js}"
  verbosity: locations

Best practices to validate:

All API routes validate input with Zod, Joi, or equivalent
All database queries use parameterized queries (Prisma, prepared statements)
File uploads validate content type and size
URLs and redirects are validated against allowlists

Step 2.3: Check Authentication & Authorization

Verify that protected resources require authentication.

discover:
  queries:
    # Find auth middleware usage
    - id: auth_middleware
      type: grep
      pattern: "(getServerSession|auth\\(\\)|requireAuth|withAuth)"
      glob: "src/app/api/**/*.ts"
    # Find resource ownership checks
    - id: ownership_checks
      type: grep
      pattern: "(userId|authorId|ownerId)\s*===\s*(session|user|currentUser)"
      glob: "**/*.{ts,tsx}"
    # Find RBAC checks
    - id: rbac_checks
      type: grep
      pattern: "(role|permission|can)\s*===\s*"
      glob: "**/*.{ts,tsx}"
  verbosity: locations

Critical checks:

Protected API routes call auth middleware
User can only modify their own resources (ownership checks)
Admin-only actions check for admin role
JWTs are validated with proper secret
Session tokens are rotated and have expiration

Phase 3: Performance Review

Performance issues cause poor UX and cost scalability.

Step 3.1: Check for N+1 Queries

N+1 queries are the #1 database performance killer.

discover:
  queries:
    # Find loops with database calls
    - id: n_plus_one
      type: grep
      pattern: "(for|forEach|map).*await.*(prisma|db|query|find)"
      glob: "**/*.{ts,tsx,js,jsx}"
    # Find Prisma include usage
    - id: prisma_includes
      type: grep
      pattern: "(findMany|findUnique|findFirst).*include:"
      glob: "**/*.{ts,js}"
  verbosity: locations

How to fix:

Use include to eager load related records (Prisma)
Use joins or SELECT IN for batch loading
Implement DataLoader for GraphQL
Cache frequently accessed data

Step 3.2: Check for Unnecessary Re-renders

React re-render issues harm frontend performance.

discover:
  queries:
    # Find inline object/array creation in JSX
    - id: inline_objects
      type: grep
      pattern: "(onClick|onChange|style)=\\{\\{|=\\{\\["
      glob: "**/*.{tsx,jsx}"
    # Find missing useMemo/useCallback
    - id: missing_memoization
      type: grep
      pattern: "(map|filter|reduce)\\("
      glob: "**/*.{tsx,jsx}"
    # Find useEffect without dependencies
    - id: missing_deps
      type: grep
      pattern: "useEffect\\([^)]+\\)\\s*$"
      glob: "**/*.{tsx,jsx}"
  verbosity: locations

Common issues:

Anti-pattern	Fix
Inline object in props	Extract to constant or useMemo
Inline function in props	Wrap in useCallback
Large list without key	Add stable key prop
useEffect missing deps	Add all used variables to deps array
Context re-renders everything	Split context or use state managers

Step 3.3: Check Database Indexes

Missing indexes cause slow queries.

precision_read:
  files:
    - path: "prisma/schema.prisma"
      extract: content
  output:
    max_per_item: 500
  verbosity: standard

Validate indexes exist for:

Foreign keys (userId, postId, etc.)
Frequently filtered fields (status, createdAt, published)
Fields used in WHERE clauses
Compound indexes for multi-column queries

Phase 4: Code Quality Review

Code quality affects maintainability and reliability.

Step 4.1: Check Type Safety

TypeScript should catch errors at compile time, not runtime.

discover:
  queries:
    # Find any types
    - id: any_usage
      type: grep
      pattern: ":\s*any(\\s|;|,|\\))"
      glob: "**/*.{ts,tsx}"
    # Find type assertions (as)
    - id: type_assertions
      type: grep
      pattern: "as (unknown|any|string|number)"
      glob: "**/*.{ts,tsx}"
    # Find non-null assertions (!)
    - id: non_null_assertions
      type: grep
      pattern: "![.;,)\\]]"
      glob: "**/*.{ts,tsx}"
    # Find unsafe member access
    - id: unsafe_access
      type: grep
      pattern: "\\?\\."
      glob: "**/*.{ts,tsx}"
  verbosity: locations

Type safety issues:

Issue	Severity	Fix
`any` type usage	Major	Use proper types or unknown
`as any` assertions	Major	Fix the underlying type issue
`!` non-null assertion	Minor	Add null checks
Missing return types	Minor	Explicitly type function returns
Implicit any params	Major	Add parameter types

Step 4.2: Check Error Handling

All async operations and API calls must handle errors.

discover:
  queries:
    # Find floating promises
    - id: floating_promises
      type: grep
      pattern: "^\\s+[a-z][a-zA-Z]*\\(.*\\);$"
      glob: "**/*.{ts,tsx,js,jsx}"
    # Find empty catch blocks
    - id: empty_catch
      type: grep
      pattern: "catch.*\\{\\s*\\}"
      glob: "**/*.{ts,tsx,js,jsx}"
    # Find console.error (should use logger)
    - id: console_error
      type: grep
      pattern: "console\\.(error|warn|log)"
      glob: "**/*.{ts,tsx,js,jsx}"
  verbosity: locations

Error handling checklist:

All promises have .catch() or try/catch
Errors are logged with context (user ID, request ID)
User-facing errors are sanitized (no stack traces)
API errors return proper HTTP status codes
Retry logic for transient failures

Step 4.3: Check Code Organization

Large files and high complexity make code hard to maintain.

precision_exec:
  commands:
    - cmd: "find src -not -path '*/node_modules/*' -not -path '*/dist/*' -name '*.ts' -o -name '*.tsx' -print0 | xargs -0 wc -l | sort -rn | head -20"
  verbosity: standard

Code organization rules:

Files should be < 300 lines (exception: generated code)
Functions should be < 50 lines
Cyclomatic complexity < 10
Max nesting depth: 3 levels
Extract helpers to separate files

Phase 5: Testing Review

Tests validate correctness and prevent regressions.

Step 5.1: Check Test Coverage

Every changed file should have tests.

discover:
  queries:
    # Find test files
    - id: test_files
      type: glob
      patterns: ["**/*.test.{ts,tsx}", "**/*.spec.{ts,tsx}"]
    # Find files without tests
    - id: source_files
      type: glob
      patterns: ["src/**/*.{ts,tsx}"]
    # Check test imports
    - id: test_imports
      type: grep
      pattern: "from ['\"].*/(api|lib|components)/"
      glob: "**/*.test.{ts,tsx}"
  verbosity: files_only

Compare source files to test files:

// Pseudo-logic (implement with precision tools)
const sourceFiles = results.source_files.files;
const testFiles = results.test_files.files;
const missingTests = sourceFiles.filter(f => !testFiles.some(t => t.includes(f.replace('.ts', ''))));

Step 5.2: Check Test Quality

Tests should test behavior, not implementation.

discover:
  queries:
    # Find skipped tests
    - id: skipped_tests
      type: grep
      pattern: "(it\\.skip|test\\.skip|describe\\.skip)"
      glob: "**/*.test.{ts,tsx}"
    # Find focused tests (.only)
    - id: focused_tests
      type: grep
      pattern: "(it\\.only|test\\.only|describe\\.only)"
      glob: "**/*.test.{ts,tsx}"
    # Find expect assertions
    - id: assertions
      type: grep
      pattern: "expect\\("
      glob: "**/*.test.{ts,tsx}"
    # Find mock usage
    - id: mocks
      type: grep
      pattern: "(vi\\.mock|jest\\.mock|vi\\.fn)"
      glob: "**/*.test.{ts,tsx}"
  verbosity: locations

Test quality checklist:

No .skip or .only (should be removed before merge)
Each test has at least one assertion
Tests have descriptive names ("it should...", "when...then...")
Tests are isolated (no shared state)
Mocks are used sparingly (prefer real implementations)
Edge cases are tested (null, empty, large values)

Phase 6: Architecture Review

Architecture violations create technical debt.

Step 6.1: Check Dependency Direction

Dependencies should flow from outer layers to inner layers.

discover:
  queries:
    # Find domain imports in UI
    - id: ui_imports_domain
      type: grep
      pattern: "from ['\"].*/(domain|core|lib)/"
      glob: "src/components/**/*.{ts,tsx}"
    # Find UI imports in domain
    - id: domain_imports_ui
      type: grep
      pattern: "from ['\"].*/(components|pages|app)/"
      glob: "src/domain/**/*.{ts,tsx}"
    # Find circular dependencies
    - id: imports
      type: grep
      pattern: "^import.*from"
      glob: "src/**/*.{ts,tsx}"
  verbosity: locations

Dependency rules:

UI components can import hooks, utils, domain logic
Domain logic should NOT import UI components
API routes can import domain logic, not UI
Shared utils should have zero dependencies

Step 6.2: Check for Layering Violations

discover:
  queries:
    # Database access in components
    - id: db_in_components
      type: grep
      pattern: "(prisma|db\\.(query|execute))"
      glob: "src/components/**/*.{ts,tsx}"
    # Business logic in API routes
    - id: logic_in_routes
      type: grep
      pattern: "export (async )?function (GET|POST)"
      glob: "src/app/api/**/*.ts"
  verbosity: files_only

Read the route handlers to check:

Route handlers should be < 30 lines (delegate to services)
No database queries in components (use server actions or API routes)
No business logic in routes (extract to service layer)

Phase 7: Accessibility Review

Accessibility ensures your app is usable by everyone.

Step 7.1: Check Semantic HTML

Use proper HTML elements for accessibility.

discover:
  queries:
    # Find div buttons (should be <button>)
    - id: div_buttons
      type: grep
      pattern: "<div.*(onClick|onKeyDown)"
      glob: "**/*.{tsx,jsx}"
    # Find missing alt text
    - id: missing_alt
      type: grep
      pattern: "<img(?![^>]*alt=)"
      glob: "**/*.{tsx,jsx}"
    # Find missing labels
    - id: missing_labels
      type: grep
      pattern: "<input(?![^>]*aria-label)(?![^>]*id=)"
      glob: "**/*.{tsx,jsx}"
    # Find missing ARIA roles
    - id: missing_roles
      type: grep
      pattern: "<(nav|header|footer|main)(?![^>]*role=)"
      glob: "**/*.{tsx,jsx}"
  verbosity: locations

Accessibility checklist:

Buttons use <button>, not <div onClick>
Images have descriptive alt text
Form inputs have labels or aria-label
Focus states are visible (no outline: none without replacement)
Color contrast meets WCAG AA (4.5:1 for text)
Keyboard navigation works (tab order, Enter/Space)

Step 7.2: Check ARIA Patterns

discover:
  queries:
    # Find custom components
    - id: custom_components
      type: grep
      pattern: "(Accordion|Dialog|Dropdown|Tabs|Tooltip)"
      glob: "src/components/**/*.{tsx,jsx}"
  verbosity: files_only

Read components to validate:

Modals trap focus and close on Escape
Dropdowns support arrow keys
Tabs support arrow keys and Home/End
Tooltips are accessible (not just on hover)

Phase 8: Review Scoring

Use the review-scoring skill to provide structured feedback.

See plugins/goodvibes/skills/protocol/review-scoring/SKILL.md for the full rubric.

The 10 Dimensions (weighted):

Correctness (15%) - Does it work? Does it meet requirements?
Type Safety (10%) - Proper TypeScript usage, no any
Security (15%) - No vulnerabilities, input validation, auth checks
Performance (10%) - No N+1 queries, proper indexes, memoization
Error Handling (10%) - All errors caught, logged, and handled
Testing (10%) - Adequate test coverage, quality assertions
Code Quality (10%) - Readable, maintainable, follows patterns
Architecture (10%) - Proper layering, no violations
Accessibility (5%) - Semantic HTML, ARIA, keyboard nav
Documentation (5%) - JSDoc, README, inline comments where needed

Score each dimension 1-10:

1-3: Needs major work
4-6: Needs improvement
7-8: Good, minor issues
9-10: Excellent

Overall score = weighted average

Pass/fail thresholds:

9.5+ : Excellent (approve immediately)
8.0-9.4 : Good (approve with minor suggestions)
7.0-7.9 : Acceptable (request changes - minor issues)
5.0-6.9 : Needs work (request changes - major issues)
< 5.0: Reject (needs significant rework)

Phase 9: Automated Validation

Run automated checks to catch issues.

precision_exec:
  commands:
    # Type check
    - cmd: "npm run typecheck"
    # Lint
    - cmd: "npm run lint"
    # Tests
    - cmd: "npm run test"
    # Security audit
    - cmd: "npm audit --audit-level=moderate"
  verbosity: standard

All checks must pass before approval.

Phase 10: Provide Feedback

Structured feedback is actionable and specific.

Review output format:

## Review Summary

**Overall Score**: 8.2/10
**Verdict**: APPROVE with suggestions

**What changed**: Added user profile API with authentication
**Files reviewed**: 8 files (5 source, 3 test)

## Dimension Scores

1. Correctness: 9/10
2. Type Safety: 7/10
3. Security: 9/10
4. Performance: 8/10
5. Error Handling: 7/10
6. Testing: 8/10
7. Code Quality: 9/10
8. Architecture: 8/10
9. Accessibility: 8/10
10. Documentation: 7/10

## Issues Found

### Major (should fix)

- **FILE:LINE** - Type safety: Function `updateProfile` has implicit `any` return type
  - Fix: Add explicit return type `Promise<User>`
  - Impact: TypeScript can't catch type errors in callers

### Minor (nice to fix)

- **src/api/profile.ts:42** - Error handling: Empty catch block swallows errors
  - Fix: Log error with context before re-throwing
  - Impact: Makes debugging harder

## What Was Done Well

- Excellent input validation with Zod schemas
- Comprehensive test coverage (95%)
- Proper authentication checks on all routes
- Clean separation of concerns (route -> service -> repository)

Feedback guidelines:

Be specific: Include file path and line number
Be actionable: Explain exactly how to fix
Explain impact: Why does this matter?
Acknowledge good work: Highlight what was done well
Categorize by severity: Critical > Major > Minor

Common Review Patterns

See references/review-patterns.md for detailed anti-patterns organized by category.

Quick reference:

Security Patterns

SQL injection: String concatenation in queries
XSS: Unsafe HTML rendering
Auth bypass: Missing auth checks
Secrets exposure: Hardcoded API keys

Performance Patterns

N+1 queries: Loops with database calls
Missing indexes: WHERE clauses without indexes
Unnecessary re-renders: Inline objects in React
Memory leaks: Event listeners not cleaned up

Code Quality Patterns

Type unsafety: any types, type assertions
Error handling: Floating promises, empty catches
Complexity: Functions > 50 lines, nesting > 3
Duplication: Copy-paste code

Testing Patterns

Missing tests: Changed files without tests
Poor assertions: expect(result).toBeTruthy()
Test pollution: Shared state between tests
Skipped tests: .skip or .only left in

Precision Tools for Review

Discover Tool

Run multiple grep/glob queries in parallel to find patterns.

Example: Find security issues

discover:
  queries:
    - id: sql_injection
      type: grep
      pattern: 'query.*\$\{'
    - id: hardcoded_secrets
      type: grep
      pattern: 'api[_-]?key\s*=\s*["''][^"'']+'
    - id: xss
      type: grep
      pattern: 'dangerouslySetInnerHTML'
  verbosity: locations

Precision Grep

Search with context, multiline support, and token limits.

Example: Find error handling

precision_grep:
  queries:
    - id: catch_blocks
      pattern: "try\\s*\\{[\\s\\S]*?\\}\\s*catch"
  output:
    format: context
    context_after: 3
    context_before: 1
  verbosity: standard

Precision Exec

Run validation commands.

precision_exec:
  commands:
    - cmd: "npm run typecheck"
    - cmd: "npm run lint"
    - cmd: "npm test -- --coverage"
  verbosity: standard

Validation Script

Use scripts/validate-code-review.sh to validate review completeness.

./scripts/validate-code-review.sh /path/to/review-output.md

The script checks:

Security patterns were checked
Performance patterns were checked
Test coverage was reviewed
All changed files were reviewed
Review includes scoring with rubric
Feedback is specific with file/line references

Quick Reference

Review Checklist

Before reviewing:

Understand the change (read PR description, commits)
Get the diff (git diff or GitHub PR)
Identify changed files and their purpose

During review:

Security: Check for vulnerabilities, auth, validation
Performance: Check for N+1, indexes, re-renders
Type safety: Check for any, assertions, return types
Error handling: Check for floating promises, empty catches
Testing: Check coverage, quality, skipped tests
Architecture: Check layering, dependencies, organization
Accessibility: Check semantic HTML, ARIA, keyboard nav

After review:

Run automated validation (typecheck, lint, test)
Score all 10 dimensions
Calculate weighted score
Provide verdict (approve/request changes/reject)
Write actionable feedback with file/line references

Severity Guidelines

Critical (must fix before merge):

Security vulnerabilities (SQL injection, XSS, auth bypass)
Data loss bugs
Compilation/runtime errors
Breaking changes to public API

Major (should fix before merge):

Type safety issues (any usage, missing types)
Performance issues (N+1 queries, missing indexes)
Missing error handling
Missing tests for critical paths
Architecture violations

Minor (nice to fix, or address in follow-up):

Code style inconsistencies
Missing documentation
Non-critical accessibility issues
Refactoring opportunities
Low test coverage on edge cases

Common Mistakes to Avoid

Score inflation:

Don't give 9-10 scores when issues exist
Be honest about quality gaps
Critical issues should fail review

Vague feedback:

BAD: "Fix the types"
GOOD: "src/api/user.ts:42 - Add return type Promise<User> to function getUser"

Ignoring positives:

Always acknowledge what was done well
Positive feedback motivates improvement

Inconsistent severity:

Security issues are always Critical
Missing tests are Major, not Minor
Style issues are Minor, not Major

Advanced Techniques

Batch Review with Discover

Review multiple PRs or files in parallel.

discover:
  queries:
    - id: all_changes
      type: grep
      pattern: ".*"
      path: "src/"
  verbosity: files_only

Then read files in batch:

precision_read:
  files:
    - path: "src/changed-file-1.ts"
    - path: "src/changed-file-2.ts"
  extract: content
  output:
    max_per_item: 100
  verbosity: standard

Contextual Review

Use precision_grep with context to understand surrounding code.

precision_grep:
  queries:
    - id: auth_checks
      pattern: "getServerSession|auth\\(\\)"
  output:
    format: context
    context_before: 5
    context_after: 10
  verbosity: standard

Differential Review

Focus on changed lines only.

precision_exec:
  commands:
    - cmd: "git diff HEAD~1..HEAD --unified=5"
  verbosity: standard

Parse the diff and review only changed sections.

Automated Pattern Detection

Create a batch of security/performance checks.

discover:
  queries:
    # Security
    - { id: sql_injection, type: grep, pattern: 'query.*\$\{' }
    - { id: xss, type: grep, pattern: 'dangerouslySetInnerHTML' }
    - { id: secrets, type: grep, pattern: 'password\s*=\s*["''][^"'']+' }
    # Performance
    - { id: n_plus_one, type: grep, pattern: 'for.*await.*prisma' }
    - { id: inline_objects, type: grep, pattern: 'onClick=\{\{', glob: '**/*.tsx' }
    # Quality
    - { id: any_usage, type: grep, pattern: ':\s*any', glob: '**/*.ts' }
    - { id: empty_catch, type: grep, pattern: 'catch.*\{\s*\}' }
  verbosity: locations

Aggregate results and score based on findings.

Integration with Other Skills

Use review-scoring for structured feedback with the 10-dimension rubric
Use error-recovery when fix attempts fail during review remediation
Use precision-mastery for advanced precision tool usage
Use testing-strategy to validate test quality
Use component-architecture when reviewing UI components
Use api-design when reviewing API routes
Use database-layer when reviewing database queries and schemas

Resources

references/review-patterns.md - Common anti-patterns by category
scripts/validate-code-review.sh - Automated review validation
plugins/goodvibes/skills/protocol/review-scoring/SKILL.md - Scoring rubric details
OWASP Top 10 - https://owasp.org/www-project-top-ten/
WCAG Guidelines - https://www.w3.org/WAI/WCAG21/quickref/

Weekly Installs

Repository

mgd34msu/goodvi…s-plugin

GitHub Stars

First Seen

Feb 16, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

Installed on

opencode60

gemini-cli58

github-copilot58

codex57

cursor57

amp56

企业级代码审查技能：使用GoodVibes进行安全、性能与质量审计

🇨🇳中文介绍

资源

代码审查质量技能

何时使用此技能

核心工作流程

阶段 1：发现 - 理解变更

步骤 1.1：收集变更上下文

相关 Skills

步骤 1.2：分析更改的代码

步骤 1.3：查找相关代码

阶段 2：安全审查

步骤 2.1：检查常见漏洞

步骤 2.2：验证输入处理

步骤 2.3：检查身份验证与授权

阶段 3：性能审查

步骤 3.1：检查 N+1 查询

步骤 3.2：检查不必要的重新渲染

步骤 3.3：检查数据库索引

阶段 4：代码质量审查

步骤 4.1：检查类型安全

步骤 4.2：检查错误处理

步骤 4.3：检查代码组织

阶段 5：测试审查

步骤 5.1：检查测试覆盖率

步骤 5.2：检查测试质量

阶段 6：架构审查

步骤 6.1：检查依赖方向

步骤 6.2：检查分层违规

阶段 7：无障碍访问审查

步骤 7.1：检查语义化 HTML

步骤 7.2：检查 ARIA 模式

阶段 8：审查评分

阶段 9：自动化验证

阶段 10：提供反馈

常见审查模式

安全模式

性能模式

代码质量模式

测试模式

用于审查的精准工具

Discover 工具

Precision Grep

Precision Exec

验证脚本

快速参考

审查清单

严重性指南

应避免的常见错误

高级技巧

使用 Discover 进行批量审查

上下文审查

差异审查

自动化模式检测

与其他技能的集成

资源

🇺🇸English

Resources

Code Review Quality Skill

When to Use This Skill

Core Workflow

Phase 1: Discovery - Understand the Change

Step 1.1: Gather Change Context

Step 1.2: Analyze Changed Code

Step 1.3: Find Related Code

Phase 2: Security Review

Step 2.1: Check for Common Vulnerabilities

Step 2.2: Validate Input Handling

Step 2.3: Check Authentication & Authorization

Phase 3: Performance Review

Step 3.1: Check for N+1 Queries

Step 3.2: Check for Unnecessary Re-renders

Step 3.3: Check Database Indexes

Phase 4: Code Quality Review

Step 4.1: Check Type Safety

Step 4.2: Check Error Handling

Step 4.3: Check Code Organization

Phase 5: Testing Review

Step 5.1: Check Test Coverage

Step 5.2: Check Test Quality