ln-511-code-quality-checker

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Paths: File paths (
shared/
,
references/
,
../ln-*
) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.

路径： 文件路径（
shared/
、
references/
、
../ln-*
）是相对于技能仓库根目录的相对路径。如果在当前工作目录下找不到，请定位到该SKILL.md文件所在目录，然后向上跳转一级即可到达仓库根目录。

Code Quality Checker

代码质量检查器

Analyzes Done implementation tasks with quantitative Code Quality Score based on metrics, MCP Ref validation, and issue penalties.

基于代码指标、MCP参考验证和问题罚分，对状态为已完成（Done）的实现任务进行分析，输出量化的代码质量评分。

Purpose & Scope

用途与适用范围

Load Story and Done implementation tasks (exclude test tasks)
Calculate Code Quality Score using metrics and issue penalties
MCP Ref validation: Verify optimality, best practices, and performance via external sources
Check for DRY/KISS/YAGNI violations, architecture boundary breaks, security issues
Produce quantitative verdict with structured issue list; never edits Linear or kanban

加载需求（Story）和状态为已完成的实现任务（排除测试任务）
基于代码指标和问题罚分计算代码质量评分
MCP参考验证： 借助外部资源验证方案最优性、最佳实践遵循情况和性能表现
检查DRY/KISS/YAGNI原则违反情况、架构边界突破问题、安全隐患
输出量化判定结果和结构化问题列表；绝对不会编辑Linear或者看板内容

Code Metrics

代码指标

Metric	Threshold	Penalty
Cyclomatic Complexity	≤10 OK, 11-20 warning, >20 fail	-5 (warning), -10 (fail) per function
Function size	≤50 lines OK, >50 warning	-3 per function
File size	≤500 lines OK, >500 warning	-5 per file
Nesting depth	≤3 OK, >3 warning	-3 per instance
Parameter count	≤4 OK, >4 warning	-2 per function

指标	阈值	罚分
圈复杂度（Cyclomatic Complexity）	≤10 合格，11-20 警告，>20 不合格	-5（警告），-10（不合格）每个函数
函数长度	≤50行合格，>50行警告	-3 每个函数
文件长度	≤500行合格，>500行警告	-5 每个文件
嵌套深度	≤3 合格，>3 警告	-3 每个实例
参数数量	≤4 合格，>4 警告	-2 每个函数

Code Quality Score

代码质量评分

Formula:

Code Quality Score = 100 - metric_penalties - issue_penalties

Issue penalties by severity:

Severity	Penalty	Examples
high	-20	Security vulnerability, O(n²)+ algorithm, N+1 query
medium	-10	DRY violation, suboptimal approach, missing config
low	-3	Naming convention, minor code smell

Score interpretation:

Score	Status	Verdict
90-100	Excellent	PASS
70-89	Acceptable	CONCERNS
<70	Below threshold	ISSUES_FOUND

公式：

Code Quality Score = 100 - metric_penalties - issue_penalties

按严重程度划分的问题罚分：

严重程度	罚分	示例
高	-20	安全漏洞、时间复杂度≥O(n²)的算法、N+1查询
中	-10	违反DRY原则、方案不够最优、缺少配置
低	-3	命名规范问题、轻微代码异味

评分说明：

得分	状态	判定结果
90-100	优秀	PASS
70-89	可接受	CONCERNS
<70	低于阈值	ISSUES_FOUND

Issue Prefixes

问题前缀

Prefix	Category	Default Severity	MCP Ref
SEC-	Security (auth, validation, secrets)	high	—
PERF-	Performance (algorithms, configs, bottlenecks)	medium/high	✓ Required
MNT-	Maintainability (DRY, SOLID, complexity, dead code)	medium	—
ARCH-	Architecture (layers, boundaries, patterns, contracts)	medium	—
BP-	Best Practices (implementation differs from recommended)	medium	✓ Required
OPT-	Optimality (better approach exists for this goal)	medium	✓ Required

OPT- subcategories:

Prefix	Category	Severity
OPT-OSS-	Open-source replacement available (cross-ref ln-645 audit)	medium (high if >200 LOC)

ARCH- subcategories:

Prefix	Category	Severity
ARCH-LB-	Layer Boundary: I/O outside infra, HTTP in domain	high
ARCH-TX-	Transaction Boundaries: commit() in 3+ layers, mixed UoW ownership	high (CRITICAL if auth/payment)
ARCH-DTO-	Missing DTO (4+ params without DTO), Entity Leakage (ORM entity in API response)	medium (high if auth/payment)
ARCH-DI-	Dependency Injection: direct instantiation in business logic, mixed DI+imports	medium
ARCH-CEH-	Centralized Error Handling: no global handler, stack traces in prod, uncaughtException	medium (high if no handler at all)
ARCH-SES-	Session Ownership: DI session + local session in same module	medium

PERF- subcategories:

Prefix	Category	Severity
PERF-ALG-	Algorithm complexity (Big O)	high if O(n²)+
PERF-CFG-	Package/library configuration	medium
PERF-PTN-	Architectural pattern performance	high
PERF-DB-	Database queries, indexes	high

MNT- subcategories:

Prefix	Category	Severity
MNT-DC-	Dead code: replaced implementations, unused exports/re-exports, backward-compat wrappers, deprecated aliases	medium (high if public API)
MNT-DRY-	DRY violations: duplicate logic across files	medium
MNT-GOD-	God Classes: class with >15 methods or >500 lines (not just file size)	medium (high if >1000 lines)
MNT-SIG-	Method Signature Quality: boolean flag params, unclear return types, inconsistent naming, >5 optional params	low
MNT-ERR-	Error Contract inconsistency: mixed raise + return None in same service	medium

前缀	分类	默认严重程度	需MCP参考
SEC-	安全（认证、校验、密钥）	高	—
PERF-	性能（算法、配置、瓶颈）	中/高	✓ 必须
MNT-	可维护性（DRY、SOLID、复杂度、死代码）	中	—
ARCH-	架构（分层、边界、模式、契约）	中	—
BP-	最佳实践（实现与推荐方案不符）	中	✓ 必须
OPT-	最优性（存在更适配目标的方案）	中	✓ 必须

OPT- 子分类：

前缀	分类	严重程度
OPT-OSS-	存在可替换的开源方案（交叉参考ln-645审计报告）	中（代码行数>200则为高）

ARCH- 子分类：

前缀	分类	严重程度
ARCH-LB-	分层边界：基础设施层外出现I/O操作、领域层内出现HTTP请求	高
ARCH-TX-	事务边界：3个以上层级存在commit()调用、工作单元所有权混乱	高（涉及认证/支付则为严重）
ARCH-DTO-	缺少DTO（4个以上参数未封装为DTO）、实体泄漏（API响应中返回ORM实体）	中（涉及认证/支付则为高）
ARCH-DI-	依赖注入：业务逻辑中直接实例化对象、混合使用DI和直接导入两种模式	中
ARCH-CEH-	集中式错误处理：无全局错误处理器、生产环境返回堆栈追踪、存在未捕获的异常	中（完全没有处理器则为高）
ARCH-SES-	会话所有权：同一模块中同时存在DI注入的会话和本地会话	中

PERF- 子分类：

前缀	分类	严重程度
PERF-ALG-	算法复杂度（大O表示法）	复杂度≥O(n²)则为高
PERF-CFG-	包/库配置	中
PERF-PTN-	架构模式性能	高
PERF-DB-	数据库查询、索引	高

MNT- 子分类：

前缀	分类	严重程度
MNT-DC-	死代码：被替换的实现、未使用的导出/重导出、向后兼容包装器、已废弃的别名	中（属于公共API则为高）
MNT-DRY-	违反DRY原则：跨文件存在重复逻辑	中
MNT-GOD-	上帝类：类包含超过15个方法或者超过500行代码（不只是文件长度）	中（超过1000行则为高）
MNT-SIG-	方法签名质量：布尔标记参数、返回类型不明确、命名不一致、超过5个可选参数	低
MNT-ERR-	错误契约不一致：同一服务中混合使用抛出异常和返回None两种模式	中

When to Use

适用场景

Invoked by ln-510-quality-coordinator Phase 2
All implementation tasks in Story status = Done
Before ln-512 tech debt cleanup and ln-513 agent review

由ln-510质量协调器在第二阶段调用
所有状态为已完成（Done）的需求下的实现任务
在ln-512技术债务清理和ln-513 Agent评审之前执行

Workflow (concise)

工作流程（精简版）

Load Story (full) and Done implementation tasks (full descriptions) via Linear; skip tasks with label "tests".
Collect affected files from tasks (Affected Components/Existing Code Impact) and recent commits/diffs if noted.
Calculate code metrics:
- Cyclomatic Complexity per function (target ≤10)
- Function size (target ≤50 lines)
- File size (target ≤500 lines)
- Nesting depth (target ≤3)
- Parameter count (target ≤4)
MCP Ref Validation (MANDATORY for code changes — SKIP if
--skip-mcp-ref
flag passed):
Fast-track mode: When invoked with
```
--skip-mcp-ref
```
, skip this entire step (no OPT-, BP-, PERF- checks). Proceed directly to step 5 (static analysis). This reduces cost from ~5000 to ~800 tokens while preserving metrics + static analysis coverage.
Level 1 — OPTIMALITY (OPT-):
- Extract goal from task (e.g., "user authentication", "caching", "API rate limiting")
- Research alternatives:
```
ref_search_documentation("{goal} approaches comparison {tech_stack} 2026")
```
- Compare chosen approach vs alternatives for project context
- Flag suboptimal choices as OPT- issues
Level 2 — BEST PRACTICES (BP-):
- Research:
```
ref_search_documentation("{chosen_approach} best practices {tech_stack} 2026")
```
- For libraries:
```
query-docs(library_id, "best practices implementation patterns")
```
- Flag deviations from recommended patterns as BP- issues
Level 3 — PERFORMANCE (PERF-):
- PERF-ALG: Analyze algorithm complexity (detect O(n²)+, research optimal via MCP Ref)
- PERF-CFG: Check library configs (connection pooling, batch sizes, timeouts) via
```
query-docs
```
- PERF-PTN: Research pattern pitfalls:
```
ref_search_documentation("{pattern} performance bottlenecks")
```
- PERF-DB: Check for N+1, missing indexes via
```
query-docs(orm_library_id, "query optimization")
```
Triggers for MCP Ref validation:
- New dependency added (package.json/requirements.txt changed)
- New pattern/library used
- API/database changes
- Loops/recursion in critical paths
- ORM queries added
Analyze code for static issues (assign prefixes): MANDATORY READ:
```
shared/references/clean_code_checklist.md
```
- SEC-: hardcoded creds, unvalidated input, SQL injection, race conditions
- MNT-: DRY violations (MNT-DRY-: duplicate logic), dead code (MNT-DC-: per checklist), complex conditionals, poor naming
- MNT-DRY- cross-story hotspot scan: Grep for common pattern signatures (error handlers:
```
catch.*Error|handleError
```
  , validators:
```
validate|isValid
```
  , config access:
```
getSettings|getConfig
```
  ) across ALL
```
src/
```
  files (count mode). If any pattern appears in 5+ files, sample 3 files (Read 50 lines each) and check structural similarity. If >80% similar → MNT-DRY-CROSS (medium, -10 points):
```
Pattern X duplicated in N files — extract to shared module.
```
- MNT-DC- cross-story unused export scan: For each file modified by Story, count
```
export
```
  declarations. Then Grep across ALL
```
src/
```
  for import references to those exports. Exports with 0 import references → MNT-DC-CROSS (medium, -10 points):
```
{export} in {file} exported but never imported — remove or mark internal.
```
- OPT-OSS- cross-reference ln-645 (static, fast-track safe): IF
```
docs/project/.audit/645-open-source-replacer*.md
```
  exists, check if any HIGH-confidence replacement matches files changed in current Story. IF match found → create OPT-OSS-{N} issue with module path, goal, recommended package, confidence, stars, license from ln-645 report. Severity: high if >200 LOC, medium otherwise. This check reads local files only — no MCP calls — runs even with
```
--skip-mcp-ref
```
  .
- ARCH-: layer violations, circular dependencies, guide non-compliance
- ARCH-LB-: layer boundary violations (HTTP/DB/FS calls outside infrastructure layer)
- ARCH-TX-: transaction boundary violations (commit() across multiple layers)
- ARCH-DTO-: missing DTOs (4+ repeated params), entity leakage (ORM entities returned from API)
- ARCH-DI-: direct instantiation in business logic (no DI container or mixed patterns)
- ARCH-CEH-: centralized error handling absent or bypassed
- ARCH-SES-: session ownership conflicts (DI + local session in same module)
- MNT-GOD-: god classes (>15 methods or >500 lines per class)
- MNT-SIG-: method signature quality (boolean flags, unclear returns)
- MNT-ERR-: error contract inconsistency (mixed raise/return patterns in same service)
Calculate Code Quality Score:
- Start with 100
- Subtract metric penalties (see Code Metrics table)
- Subtract issue penalties (see Issue penalties table)
Output verdict with score and structured issues. Add Linear comment with findings.

通过Linear加载完整需求和状态为已完成的实现任务的完整描述；跳过带有"tests"标签的任务。
从任务（受影响组件/现有代码影响）和标注的最近提交/差异中收集涉及的文件。
计算代码指标：
- 每个函数的圈复杂度（目标≤10）
- 函数长度（目标≤50行）
- 文件长度（目标≤500行）
- 嵌套深度（目标≤3）
- 参数数量（目标≤4）
MCP参考验证（代码变更必须执行 —— 如果传入
--skip-mcp-ref
参数则跳过）：
快速模式： 当调用时传入
```
--skip-mcp-ref
```
参数时，跳过整个步骤（不执行OPT-、BP-、PERF-检查），直接进入第5步（静态分析）。这会将token消耗从约5000降低到约800，同时保留指标计算和静态分析覆盖。
第一层 —— 最优性（OPT-）：
- 提取任务目标（例如："用户认证"、"缓存"、"API限流"）
- 调研替代方案：
```
ref_search_documentation("{goal} approaches comparison {tech_stack} 2026")
```
- 结合项目上下文对比所选方案和替代方案
- 将不够最优的选择标记为OPT-问题
第二层 —— 最佳实践（BP-）：
- 调研：
```
ref_search_documentation("{chosen_approach} best practices {tech_stack} 2026")
```
- 针对库：
```
query-docs(library_id, "best practices implementation patterns")
```
- 将与推荐模式不符的实现标记为BP-问题
第三层 —— 性能（PERF-）：
- PERF-ALG： 分析算法复杂度（检测≥O(n²)的情况，通过MCP参考调研最优方案）
- PERF-CFG： 通过
```
query-docs
```
  检查库配置（连接池、批量大小、超时时间）
- PERF-PTN： 调研模式陷阱：
```
ref_search_documentation("{pattern} performance bottlenecks")
```
- PERF-DB： 通过
```
query-docs(orm_library_id, "query optimization")
```
  检查N+1问题、缺失索引问题
MCP参考验证触发条件：
- 新增依赖（package.json/requirements.txt发生变更）
- 使用了新的模式/库
- API/数据库发生变更
- 关键路径中存在循环/递归
- 新增ORM查询
分析代码的静态问题（分配对应前缀）： 必须阅读：
```
shared/references/clean_code_checklist.md
```
- SEC-：硬编码凭证、未校验的输入、SQL注入、竞态条件
- MNT-：违反DRY原则（MNT-DRY-：重复逻辑）、死代码（MNT-DC-：符合检查清单定义）、复杂条件语句、命名不规范
- MNT-DRY-跨需求热点扫描： 在所有
```
src/
```
  文件中（计数模式）检索通用模式签名（错误处理：
```
catch.*Error|handleError
```
  ，校验：
```
validate|isValid
```
  ，配置访问：
```
getSettings|getConfig
```
  ）。如果任意模式出现在5个以上文件中，抽样3个文件（各读取50行）检查结构相似度。如果相似度>80% → MNT-DRY-CROSS（中，扣10分）：
```
Pattern X duplicated in N files — extract to shared module.
```
- MNT-DC-跨需求未使用导出扫描： 针对当前需求修改的每个文件，统计
```
export
```
  声明数量。然后在所有
```
src/
```
  文件中检索这些导出的导入引用。没有导入引用的导出 → MNT-DC-CROSS（中，扣10分）：
```
{export} in {file} exported but never imported — remove or mark internal.
```
- OPT-OSS-交叉参考ln-645（静态，快速模式下也可安全执行）： 如果存在
```
docs/project/.audit/645-open-source-replacer*.md
```
  文件，检查当前需求修改的文件是否匹配任何高置信度的替换方案。如果匹配 → 基于ln-645报告的内容创建OPT-OSS-{N}问题，包含模块路径、目标、推荐包、置信度、星数、许可证。严重程度：代码行数>200则为高，否则为中。该检查仅读取本地文件 —— 无MCP调用 —— 即使传入
```
--skip-mcp-ref
```
  也会执行。
- ARCH-：分层违反、循环依赖、不符合指南要求
- ARCH-LB-：分层边界违反（基础设施层外出现HTTP/DB/FS调用）
- ARCH-TX-：事务边界违反（多个层级存在commit()调用）
- ARCH-DTO-：缺少DTO（4个以上重复参数）、实体泄漏（API返回ORM实体）
- ARCH-DI-：业务逻辑中直接实例化对象（无DI容器或者混合使用多种模式）
- ARCH-CEH-：缺少集中式错误处理或者被绕过
- ARCH-SES-：会话所有权冲突（同一模块同时存在DI注入的会话和本地会话）
- MNT-GOD-：上帝类（每个类超过15个方法或者超过500行代码）
- MNT-SIG-：方法签名质量问题（布尔标记、返回类型不明确）
- MNT-ERR-：错误契约不一致（同一服务混合使用抛出/返回模式）
计算代码质量评分：
- 初始分为100
- 减去指标罚分（参考代码指标表格）
- 减去问题罚分（参考问题罚分表格）
输出包含评分和结构化问题的判定结果。在Linear中添加包含发现问题的评论。

Critical Rules

关键规则

Read guides mentioned in Story/Tasks before judging compliance.
MCP Ref validation: For ANY architectural change, MUST verify via ref_search_documentation before judging.
Context7 for libraries: When reviewing library usage, query-docs to verify correct patterns.
Language preservation in comments (EN/RU).
Do not create tasks or change statuses; caller decides next actions.

判定合规性之前请先阅读需求/任务中提及的指南。
MCP参考验证： 针对任何架构变更，判定前必须通过ref_search_documentation完成验证。
库使用参考Context7： 评审库使用情况时，调用query-docs验证正确模式。
保留评论中的原始语言（英文/俄文）。
不要创建任务或者修改状态；由调用方决定后续操作。

Definition of Done

完成定义

Story and Done implementation tasks loaded (test tasks excluded).
Code metrics calculated (Cyclomatic Complexity, function/file sizes).
MCP Ref validation completed:
- OPT-: Optimality checked (is chosen approach the best for the goal?)
- BP-: Best practices verified (correct implementation of chosen approach?)
- PERF-: Performance analyzed (algorithms, configs, patterns, DB)
ARCH- subcategories checked (LB, TX, DTO, DI, CEH, SES); MNT- subcategories checked (DC, DRY, GOD, SIG, ERR).
Issues identified with prefixes and severity, sources from MCP Ref/Context7.
Code Quality Score calculated.

Output format:

yaml

verdict: PASS | CONCERNS | ISSUES_FOUND
code_quality_score: {0-100}
metrics:
  avg_cyclomatic_complexity: {value}
  functions_over_50_lines: {count}
  files_over_500_lines: {count}
issues:
  # OPTIMALITY
  - id: "OPT-001"
    severity: medium
    file: "src/auth/index.ts"
    goal: "User session management"
    finding: "Suboptimal approach for session management"
    chosen: "Custom JWT with localStorage"
    recommended: "httpOnly cookies + refresh token rotation"
    reason: "httpOnly cookies prevent XSS token theft"
    source: "ref://owasp-session-management"

  # OPTIMALITY - OSS Replacement (from ln-645, fast-track safe)
  - id: "OPT-OSS-001"
    severity: high
    file: "src/utils/email-validator.ts"
    goal: "Email validation with MX checking"
    finding: "Custom 245-line module has HIGH-confidence OSS replacement"
    chosen: "Custom email-validator.ts (245 lines)"
    recommended: "zod + zod-email (28k stars, MIT, 95% coverage)"
    reason: "Battle-tested, actively maintained, reduces maintenance burden"
    source: "ln-645-audit"

  # BEST PRACTICES
  - id: "BP-001"
    severity: medium
    file: "src/api/routes.ts"
    finding: "POST for idempotent operation"
    best_practice: "Use PUT for idempotent updates (RFC 7231)"
    source: "ref://api-design-guide#idempotency"

  # PERFORMANCE - Algorithm
  - id: "PERF-ALG-001"
    severity: high
    file: "src/utils/search.ts:42"
    finding: "Nested loops cause O(n²) complexity"
    current: "O(n²) - nested filter().find()"
    optimal: "O(n) - use Map/Set for lookup"
    source: "ref://javascript-performance#data-structures"

  # PERFORMANCE - Config
  - id: "PERF-CFG-001"
    severity: medium
    file: "src/db/connection.ts"
    finding: "Missing connection pool config"
    current_config: "default (pool: undefined)"
    recommended: "pool: { min: 2, max: 10 }"
    source: "context7://pg#connection-pooling"

  # PERFORMANCE - Database
  - id: "PERF-DB-001"
    severity: high
    file: "src/repositories/user.ts:89"
    finding: "N+1 query pattern detected"
    issue: "users.map(u => u.posts) triggers N queries"
    solution: "Use eager loading: include: { posts: true }"
    source: "context7://prisma#eager-loading"

  # ARCHITECTURE - Entity Leakage
  - id: "ARCH-DTO-001"
    severity: high
    file: "src/api/users.ts:35"
    finding: "ORM entity returned directly from API endpoint"
    issue: "User entity with password hash exposed in GET /users response"
    fix: "Create UserResponseDTO, map entity → DTO before return"

  # ARCHITECTURE - Centralized Error Handling
  - id: "ARCH-CEH-001"
    severity: medium
    file: "src/app.ts"
    finding: "No global error handler registered"
    issue: "Unhandled exceptions return stack traces to client in production"
    fix: "Add app.use(globalErrorHandler) with sanitized error responses"

  # MAINTAINABILITY - God Class
  - id: "MNT-GOD-001"
    severity: medium
    file: "src/services/order-service.ts"
    finding: "God class with 22 methods and 680 lines"
    issue: "OrderService handles creation, payment, shipping, notifications"
    fix: "Extract PaymentService, ShippingService, NotificationService"

  # MAINTAINABILITY - Dead Code
  - id: "MNT-DC-001"
    severity: medium
    file: "src/auth/legacy-adapter.ts"
    finding: "Backward-compatibility wrapper kept after migration"
    dead_code: "legacyLogin() wraps newLogin() — callers already migrated"
    action: "Delete legacy-adapter.ts, remove re-export from index.ts"

  # MAINTAINABILITY - DRY
  - id: "MNT-DRY-001"
    severity: medium
    file: "src/service.ts:42"
    finding: "DRY violation: duplicate validation logic"
    suggested_action: "Extract to shared validator"

Linear comment posted with findings.

已加载需求和状态为已完成的实现任务（排除测试任务）。
已计算代码指标（圈复杂度、函数/文件长度）。
已完成MCP参考验证：
- OPT-：已检查最优性（所选方案是否是最适配目标的方案？）
- BP-：已验证最佳实践（所选方案的实现是否正确？）
- PERF-：已分析性能（算法、配置、模式、数据库）
已检查ARCH-子分类（LB、TX、DTO、DI、CEH、SES）；已检查MNT-子分类（DC、DRY、GOD、SIG、ERR）。
已识别问题，标注前缀和严重程度，来源为MCP参考/Context7。
已计算代码质量评分。

输出格式：

yaml

verdict: PASS | CONCERNS | ISSUES_FOUND
code_quality_score: {0-100}
metrics:
  avg_cyclomatic_complexity: {value}
  functions_over_50_lines: {count}
  files_over_500_lines: {count}
issues:
  # OPTIMALITY
  - id: "OPT-001"
    severity: medium
    file: "src/auth/index.ts"
    goal: "User session management"
    finding: "Suboptimal approach for session management"
    chosen: "Custom JWT with localStorage"
    recommended: "httpOnly cookies + refresh token rotation"
    reason: "httpOnly cookies prevent XSS token theft"
    source: "ref://owasp-session-management"

  # OPTIMALITY - OSS Replacement (from ln-645, fast-track safe)
  - id: "OPT-OSS-001"
    severity: high
    file: "src/utils/email-validator.ts"
    goal: "Email validation with MX checking"
    finding: "Custom 245-line module has HIGH-confidence OSS replacement"
    chosen: "Custom email-validator.ts (245 lines)"
    recommended: "zod + zod-email (28k stars, MIT, 95% coverage)"
    reason: "Battle-tested, actively maintained, reduces maintenance burden"
    source: "ln-645-audit"

  # BEST PRACTICES
  - id: "BP-001"
    severity: medium
    file: "src/api/routes.ts"
    finding: "POST for idempotent operation"
    best_practice: "Use PUT for idempotent updates (RFC 7231)"
    source: "ref://api-design-guide#idempotency"

  # PERFORMANCE - Algorithm
  - id: "PERF-ALG-001"
    severity: high
    file: "src/utils/search.ts:42"
    finding: "Nested loops cause O(n²) complexity"
    current: "O(n²) - nested filter().find()"
    optimal: "O(n) - use Map/Set for lookup"
    source: "ref://javascript-performance#data-structures"

  # PERFORMANCE - Config
  - id: "PERF-CFG-001"
    severity: medium
    file: "src/db/connection.ts"
    finding: "Missing connection pool config"
    current_config: "default (pool: undefined)"
    recommended: "pool: { min: 2, max: 10 }"
    source: "context7://pg#connection-pooling"

  # PERFORMANCE - Database
  - id: "PERF-DB-001"
    severity: high
    file: "src/repositories/user.ts:89"
    finding: "N+1 query pattern detected"
    issue: "users.map(u => u.posts) triggers N queries"
    solution: "Use eager loading: include: { posts: true }"
    source: "context7://prisma#eager-loading"

  # ARCHITECTURE - Entity Leakage
  - id: "ARCH-DTO-001"
    severity: high
    file: "src/api/users.ts:35"
    finding: "ORM entity returned directly from API endpoint"
    issue: "User entity with password hash exposed in GET /users response"
    fix: "Create UserResponseDTO, map entity → DTO before return"

  # ARCHITECTURE - Centralized Error Handling
  - id: "ARCH-CEH-001"
    severity: medium
    file: "src/app.ts"
    finding: "No global error handler registered"
    issue: "Unhandled exceptions return stack traces to client in production"
    fix: "Add app.use(globalErrorHandler) with sanitized error responses"

  # MAINTAINABILITY - God Class
  - id: "MNT-GOD-001"
    severity: medium
    file: "src/services/order-service.ts"
    finding: "God class with 22 methods and 680 lines"
    issue: "OrderService handles creation, payment, shipping, notifications"
    fix: "Extract PaymentService, ShippingService, NotificationService"

  # MAINTAINABILITY - Dead Code
  - id: "MNT-DC-001"
    severity: medium
    file: "src/auth/legacy-adapter.ts"
    finding: "Backward-compatibility wrapper kept after migration"
    dead_code: "legacyLogin() wraps newLogin() — callers already migrated"
    action: "Delete legacy-adapter.ts, remove re-export from index.ts"

  # MAINTAINABILITY - DRY
  - id: "MNT-DRY-001"
    severity: medium
    file: "src/service.ts:42"
    finding: "DRY violation: duplicate validation logic"
    suggested_action: "Extract to shared validator"

已在Linear中发布包含发现问题的评论。

Reference Files

参考文件

Code metrics:
```
references/code_metrics.md
```
(thresholds and penalties)
Guides:
```
docs/guides/
```

Templates for context:

shared/templates/task_template_implementation.md

Clean code checklist:

shared/references/clean_code_checklist.md

Version: 5.0.0 Last Updated: 2026-01-29

代码指标：
```
references/code_metrics.md
```
（阈值和罚分）
指南：
```
docs/guides/
```

上下文模板：

shared/templates/task_template_implementation.md

整洁代码检查清单：

shared/references/clean_code_checklist.md

版本： 5.0.0 最后更新： 2026-01-29