code-review

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Resources

资源

scripts/
  validate-code-review.sh
references/
  review-patterns.md

scripts/
  validate-code-review.sh
references/
  review-patterns.md

Code Review Quality Skill

代码审查质量技能

This skill teaches you how to perform thorough, enterprise-grade code reviews using GoodVibes precision tools. A systematic code review catches issues early, ensures consistency, validates security and performance, and maintains high quality standards across the codebase.

本技能将教你如何使用GoodVibes精准工具执行全面的企业级代码审查。系统化的代码审查能够及早发现问题、确保一致性、验证安全性与性能，并在整个代码库中维持高质量标准。

When to Use This Skill

何时使用此技能

Load this skill when:

Reviewing pull requests or merge requests
Performing code quality audits
Validating security and performance of implementations
Checking adherence to architectural patterns
Assessing test coverage and quality
Evaluating accessibility compliance
Providing structured feedback to developers

Trigger phrases: "review this code", "check the PR", "quality audit", "security review", "performance review", "validate implementation".

在以下场景加载此技能：

审查拉取请求（PR）或合并请求
执行代码质量审计
验证实现的安全性与性能
检查是否符合架构模式
评估测试覆盖率与质量
评估可访问性合规性
向开发者提供结构化反馈

触发短语："review this code"、"check the PR"、"quality audit"、"security review"、"performance review"、"validate implementation"。

Core Workflow

核心工作流

Phase 1: Discovery - Understand the Change

阶段1：发现 - 理解变更内容

Before reviewing, understand what changed, why, and the scope of impact.

在审查前，先了解变更的内容、原因以及影响范围。

Step 1.1: Gather Change Context

步骤1.1：收集变更上下文

Use

discover

to map all changed files and identify the type of change.

yaml

discover:
  queries:
    - id: changed_files
      type: glob
      patterns: ["src/**/*"]  # List changed files for review
    - id: new_files
      type: glob
      patterns: ["**/*"]
    - id: test_files
      type: glob
      patterns: ["**/*.test.ts", "**/*.test.tsx", "**/*.spec.ts", "**/*.spec.tsx"]
  verbosity: files_only

Extract from git:

yaml

precision_exec:
  commands:
    - cmd: "git diff --name-only HEAD~1..HEAD"
  verbosity: minimal

What this reveals:

All files modified in the changeset
New vs modified vs deleted files
Test files included (or missing)
Scope of change (frontend, backend, full-stack)

使用

discover

工具映射所有变更文件并确定变更类型。

yaml

discover:
  queries:
    - id: changed_files
      type: glob
      patterns: ["src/**/*"]  # 列出需要审查的变更文件
    - id: new_files
      type: glob
      patterns: ["**/*"]
    - id: test_files
      type: glob
      patterns: ["**/*.test.ts", "**/*.test.tsx", "**/*.spec.ts", "**/*.spec.tsx"]
  verbosity: files_only

从git提取信息：

yaml

precision_exec:
  commands:
    - cmd: "git diff --name-only HEAD~1..HEAD"
  verbosity: minimal

此操作可揭示：

变更集中所有被修改的文件
新增、修改与删除的文件
包含的测试文件（或缺失的测试文件）
变更范围（前端、后端、全栈）

Step 1.2: Analyze Changed Code

步骤1.2：分析变更代码

Use

precision_read

to examine the actual changes.

yaml

precision_read:
  files:
    - path: "src/api/user-routes.ts"  # Example changed file
      extract: content
    - path: "src/components/UserProfile.tsx"
      extract: content
  output:
    max_per_item: 200
  verbosity: standard

Get diff context:

yaml

precision_exec:
  commands:
    - cmd: "git diff HEAD~1..HEAD -- src/api/user-routes.ts"
  verbosity: standard

使用

precision_read

工具检查实际变更内容。

yaml

precision_read:
  files:
    - path: "src/api/user-routes.ts"  # 示例变更文件
      extract: content
    - path: "src/components/UserProfile.tsx"
      extract: content
  output:
    max_per_item: 200
  verbosity: standard

获取差异上下文：

yaml

precision_exec:
  commands:
    - cmd: "git diff HEAD~1..HEAD -- src/api/user-routes.ts"
  verbosity: standard

Step 1.3: Find Related Code

步骤1.3：查找关联代码

Use

discover

to find imports, exports, and usage of changed symbols.

yaml

discover:
  queries:
    - id: function_exports
      type: grep
      pattern: "export (function|const|class) (createUser|updateUser|deleteUser)"
      glob: "**/*.{ts,tsx,js,jsx}"
    - id: usage_sites
      type: grep
      pattern: "(createUser|updateUser|deleteUser)\\("
      glob: "**/*.{ts,tsx,js,jsx}"
    - id: related_tests
      type: grep
      pattern: "(createUser|updateUser|deleteUser)"
      glob: "**/*.test.{ts,tsx}"
  verbosity: locations

What this reveals:

Where changed functions are used
Potential breaking changes
Test coverage for changed code
Ripple effects across the codebase

使用

discover

工具查找变更符号的导入、导出与使用位置。

yaml

discover:
  queries:
    - id: function_exports
      type: grep
      pattern: "export (function|const|class) (createUser|updateUser|deleteUser)"
      glob: "**/*.{ts,tsx,js,jsx}"
    - id: usage_sites
      type: grep
      pattern: "(createUser|updateUser|deleteUser)\\("
      glob: "**/*.{ts,tsx,js,jsx}"
    - id: related_tests
      type: grep
      pattern: "(createUser|updateUser|deleteUser)"
      glob: "**/*.test.{ts,tsx}"
  verbosity: locations

此操作可揭示：

变更函数的使用位置
潜在的破坏性变更
变更代码的测试覆盖率
变更在代码库中的连锁反应

Phase 2: Security Review

阶段2：安全审查

Security issues are critical and must be caught in review.

安全问题属于关键问题，必须在审查中发现。

Step 2.1: Check for Common Vulnerabilities

步骤2.1：检查常见漏洞

Use

discover

to find security anti-patterns.

yaml

discover:
  queries:
    # SQL Injection
    - id: sql_injection
      type: grep
      pattern: '(query|execute|sql).*[`$].*\$\{'
      glob: "**/*.{ts,tsx,js,jsx}"
    # XSS vulnerabilities
    - id: dangerous_html
      type: grep
      pattern: "(dangerouslySetInnerHTML|innerHTML|outerHTML)"
      glob: "**/*.{ts,tsx,jsx}"
    # Hardcoded secrets
    - id: hardcoded_secrets
      type: grep
      pattern: '(password|secret|api[_-]?key|token)\s*=\s*["''][^"'']+["'']'
      glob: "**/*.{ts,tsx,js,jsx,json}"
    # Missing authentication
    - id: unauthed_routes
      type: grep
      pattern: "export (async )?function (GET|POST|PUT|DELETE|PATCH)"
      glob: "src/app/api/**/*.ts"
  verbosity: locations

Critical patterns to check:

Pattern	Severity	Why It Matters
SQL injection	Critical	Allows attackers to read/modify database
XSS vulnerabilities	Critical	Allows script injection, session hijacking
Hardcoded secrets	Critical	Exposes credentials in source code
Missing auth checks	Critical	Exposes protected resources
Unsafe deserialization	Critical	Remote code execution
CORS misconfiguration	Major	Allows unauthorized origins
Weak password rules	Major	Account compromise
Missing input validation	Major	Data corruption, injection

使用

discover

工具查找安全反模式。

yaml

discover:
  queries:
    # SQL注入
    - id: sql_injection
      type: grep
      pattern: '(query|execute|sql).*[`$].*\$\{'
      glob: "**/*.{ts,tsx,js,jsx}"
    # XSS漏洞
    - id: dangerous_html
      type: grep
      pattern: "(dangerouslySetInnerHTML|innerHTML|outerHTML)"
      glob: "**/*.{ts,tsx,jsx}"
    # 硬编码密钥
    - id: hardcoded_secrets
      type: grep
      pattern: '(password|secret|api[_-]?key|token)\s*=\s*["''][^"'']+["'']'
      glob: "**/*.{ts,tsx,js,jsx,json}"
    # 缺失身份验证
    - id: unauthed_routes
      type: grep
      pattern: "export (async )?function (GET|POST|PUT|DELETE|PATCH)"
      glob: "src/app/api/**/*.ts"
  verbosity: locations

需检查的关键模式：

模式	严重程度	重要性
SQL注入	关键	允许攻击者读取/修改数据库
XSS漏洞	关键	允许脚本注入、会话劫持
硬编码密钥	关键	在源代码中暴露凭据
缺失身份验证检查	关键	暴露受保护资源
不安全的反序列化	关键	远程代码执行
CORS配置错误	主要	允许未授权来源访问
弱密码规则	主要	账户被攻陷
缺失输入验证	主要	数据损坏、注入攻击

Step 2.2: Validate Input Handling

步骤2.2：验证输入处理

All external input must be validated.

yaml

discover:
  queries:
    # Check for validation schemas
    - id: zod_schemas
      type: grep
      pattern: "z\\.(object|string|number|array|enum)"
      glob: "**/*.{ts,tsx}"
    # Check for direct request.json() without validation
    - id: unvalidated_input
      type: grep
      pattern: "(await request\\.json\\(\\)|req\\.body)(?!.*safeParse)"
      glob: "src/app/api/**/*.ts"
    # Check for SQL parameterization
    - id: parameterized_queries
      type: grep
      pattern: "(db\\.(query|execute)|prisma\\.|sql`)"
      glob: "**/*.{ts,js}"
  verbosity: locations

Best practices to validate:

All API routes validate input with Zod, Joi, or equivalent
All database queries use parameterized queries (Prisma, prepared statements)
File uploads validate content type and size
URLs and redirects are validated against allowlists

所有外部输入必须经过验证。

yaml

discover:
  queries:
    # 检查验证模式
    - id: zod_schemas
      type: grep
      pattern: "z\\.(object|string|number|array|enum)"
      glob: "**/*.{ts,tsx}"
    # 检查未验证的request.json()使用
    - id: unvalidated_input
      type: grep
      pattern: "(await request\\.json\\(\\)|req\\.body)(?!.*safeParse)"
      glob: "src/app/api/**/*.ts"
    # 检查SQL参数化
    - id: parameterized_queries
      type: grep
      pattern: "(db\\.(query|execute)|prisma\\.|sql`)"
      glob: "**/*.{ts,js}"
  verbosity: locations

需验证的最佳实践：

所有API路由使用Zod、Joi或等效工具验证输入
所有数据库查询使用参数化查询（Prisma、预处理语句）
文件上传验证内容类型与大小
URL与重定向验证是否在允许列表中

Step 2.3: Check Authentication & Authorization

步骤2.3：检查身份验证与授权

Verify that protected resources require authentication.

yaml

discover:
  queries:
    # Find auth middleware usage
    - id: auth_middleware
      type: grep
      pattern: "(getServerSession|auth\\(\\)|requireAuth|withAuth)"
      glob: "src/app/api/**/*.ts"
    # Find resource ownership checks
    - id: ownership_checks
      type: grep
      pattern: "(userId|authorId|ownerId)\s*===\s*(session|user|currentUser)"
      glob: "**/*.{ts,tsx}"
    # Find RBAC checks
    - id: rbac_checks
      type: grep
      pattern: "(role|permission|can)\s*===\s*"
      glob: "**/*.{ts,tsx}"
  verbosity: locations

Critical checks:

Protected API routes call auth middleware
User can only modify their own resources (ownership checks)
Admin-only actions check for admin role
JWTs are validated with proper secret
Session tokens are rotated and have expiration

验证受保护资源是否需要身份验证。

yaml

discover:
  queries:
    # 查找认证中间件的使用
    - id: auth_middleware
      type: grep
      pattern: "(getServerSession|auth\\(\\)|requireAuth|withAuth)"
      glob: "src/app/api/**/*.ts"
    # 查找资源所有权检查
    - id: ownership_checks
      type: grep
      pattern: "(userId|authorId|ownerId)\s*===\s*(session|user|currentUser)"
      glob: "**/*.{ts,tsx}"
    # 查找RBAC检查
    - id: rbac_checks
      type: grep
      pattern: "(role|permission|can)\s*===\s*"
      glob: "**/*.{ts,tsx}"
  verbosity: locations

关键检查项：

受保护的API路由调用认证中间件
用户只能修改自己的资源（所有权检查）
仅管理员可执行的操作需检查管理员角色
JWT使用正确的密钥验证
会话令牌定期轮换并设置过期时间

Phase 3: Performance Review

阶段3：性能审查

Performance issues cause poor UX and cost scalability.

性能问题会导致糟糕的用户体验并增加扩展成本。

Step 3.1: Check for N+1 Queries

步骤3.1：检查N+1查询

N+1 queries are the #1 database performance killer.

yaml

discover:
  queries:
    # Find loops with database calls
    - id: n_plus_one
      type: grep
      pattern: "(for|forEach|map).*await.*(prisma|db|query|find)"
      glob: "**/*.{ts,tsx,js,jsx}"
    # Find Prisma include usage
    - id: prisma_includes
      type: grep
      pattern: "(findMany|findUnique|findFirst).*include:"
      glob: "**/*.{ts,js}"
  verbosity: locations

How to fix:

Use
```
include
```
to eager load related records (Prisma)
Use joins or
```
SELECT IN
```
for batch loading
Implement DataLoader for GraphQL
Cache frequently accessed data

N+1查询是数据库性能的头号杀手。

yaml

discover:
  queries:
    # 查找包含数据库调用的循环
    - id: n_plus_one
      type: grep
      pattern: "(for|forEach|map).*await.*(prisma|db|query|find)"
      glob: "**/*.{ts,tsx,js,jsx}"
    # 查找Prisma include的使用
    - id: prisma_includes
      type: grep
      pattern: "(findMany|findUnique|findFirst).*include:"
      glob: "**/*.{ts,js}"
  verbosity: locations

修复方法：

使用
```
include
```
预加载关联记录（Prisma）
使用连接或
```
SELECT IN
```
进行批量加载
为GraphQL实现DataLoader
缓存频繁访问的数据

Step 3.2: Check for Unnecessary Re-renders

步骤3.2：检查不必要的重渲染

React re-render issues harm frontend performance.

yaml

discover:
  queries:
    # Find inline object/array creation in JSX
    - id: inline_objects
      type: grep
      pattern: "(onClick|onChange|style)=\\{\\{|=\\{\\["
      glob: "**/*.{tsx,jsx}"
    # Find missing useMemo/useCallback
    - id: missing_memoization
      type: grep
      pattern: "(map|filter|reduce)\\("
      glob: "**/*.{tsx,jsx}"
    # Find useEffect without dependencies
    - id: missing_deps
      type: grep
      pattern: "useEffect\\([^)]+\\)\\s*$"
      glob: "**/*.{tsx,jsx}"
  verbosity: locations

Common issues:

Anti-pattern	Fix
Inline object in props	Extract to constant or useMemo
Inline function in props	Wrap in useCallback
Large list without key	Add stable key prop
useEffect missing deps	Add all used variables to deps array
Context re-renders everything	Split context or use state managers

React重渲染问题会损害前端性能。

yaml

discover:
  queries:
    # 查找JSX中的内联对象/数组创建
    - id: inline_objects
      type: grep
      pattern: "(onClick|onChange|style)=\\{\\{|=\\{\\["
      glob: "**/*.{tsx,jsx}"
    # 查找缺失的useMemo/useCallback
    - id: missing_memoization
      type: grep
      pattern: "(map|filter|reduce)\\("
      glob: "**/*.{tsx,jsx}"
    # 查找缺失依赖的useEffect
    - id: missing_deps
      type: grep
      pattern: "useEffect\\([^)]+\\)\\s*$"
      glob: "**/*.{tsx,jsx}"
  verbosity: locations

常见问题：

反模式	修复方法
props中的内联对象	提取为常量或使用useMemo
props中的内联函数	使用useCallback包裹
大型列表缺失key	添加稳定的key属性
useEffect缺失依赖	将所有使用的变量添加到依赖数组
Context导致全局重渲染	拆分Context或使用状态管理器

Step 3.3: Check Database Indexes

步骤3.3：检查数据库索引

Missing indexes cause slow queries.

yaml

precision_read:
  files:
    - path: "prisma/schema.prisma"
      extract: content
  output:
    max_per_item: 500
  verbosity: standard

Validate indexes exist for:

Foreign keys (userId, postId, etc.)
Frequently filtered fields (status, createdAt, published)
Fields used in WHERE clauses
Compound indexes for multi-column queries

缺失索引会导致查询缓慢。

yaml

precision_read:
  files:
    - path: "prisma/schema.prisma"
      extract: content
  output:
    max_per_item: 500
  verbosity: standard

验证以下场景是否存在索引：

外键（userId、postId等）
频繁过滤的字段（status、createdAt、published）
WHERE子句中使用的字段
多列查询的复合索引

Phase 4: Code Quality Review

阶段4：代码质量审查

Code quality affects maintainability and reliability.

代码质量影响可维护性与可靠性。

Step 4.1: Check Type Safety

步骤4.1：检查类型安全

TypeScript should catch errors at compile time, not runtime.

yaml

discover:
  queries:
    # Find any types
    - id: any_usage
      type: grep
      pattern: ":\s*any(\\s|;|,|\\))"
      glob: "**/*.{ts,tsx}"
    # Find type assertions (as)
    - id: type_assertions
      type: grep
      pattern: "as (unknown|any|string|number)"
      glob: "**/*.{ts,tsx}"
    # Find non-null assertions (!)
    - id: non_null_assertions
      type: grep
      pattern: "![.;,)\\]]"
      glob: "**/*.{ts,tsx}"
    # Find unsafe member access
    - id: unsafe_access
      type: grep
      pattern: "\\?\\."
      glob: "**/*.{ts,tsx}"
  verbosity: locations

Type safety issues:

Issue	Severity	Fix
`any` type usage	Major	Use proper types or unknown
`as any` assertions	Major	Fix the underlying type issue
`!` non-null assertion	Minor	Add null checks
Missing return types	Minor	Explicitly type function returns
Implicit any params	Major	Add parameter types

TypeScript应在编译时捕获错误，而非运行时。

yaml

discover:
  queries:
    # 查找any类型的使用
    - id: any_usage
      type: grep
      pattern: ":\s*any(\\s|;|,|\\))"
      glob: "**/*.{ts,tsx}"
    # 查找类型断言（as）
    - id: type_assertions
      type: grep
      pattern: "as (unknown|any|string|number)"
      glob: "**/*.{ts,tsx}"
    # 查找非空断言（!）
    - id: non_null_assertions
      type: grep
      pattern: "![.;,)\\]]"
      glob: "**/*.{ts,tsx}"
    # 查找不安全的成员访问
    - id: unsafe_access
      type: grep
      pattern: "\\?\\."
      glob: "**/*.{ts,tsx}"
  verbosity: locations

类型安全问题：

问题	严重程度	修复方法
`any` 类型的使用	主要	使用正确的类型或unknown
`as any` 断言	主要	修复底层类型问题
`!` 非空断言	次要	添加空值检查
缺失返回类型	次要	显式声明函数返回类型
隐式any参数	主要	添加参数类型

Step 4.2: Check Error Handling

步骤4.2：检查错误处理

All async operations and API calls must handle errors.

yaml

discover:
  queries:
    # Find floating promises
    - id: floating_promises
      type: grep
      pattern: "^\\s+[a-z][a-zA-Z]*\\(.*\\);$"
      glob: "**/*.{ts,tsx,js,jsx}"
    # Find empty catch blocks
    - id: empty_catch
      type: grep
      pattern: "catch.*\\{\\s*\\}"
      glob: "**/*.{ts,tsx,js,jsx}"
    # Find console.error (should use logger)
    - id: console_error
      type: grep
      pattern: "console\\.(error|warn|log)"
      glob: "**/*.{ts,tsx,js,jsx}"
  verbosity: locations

Error handling checklist:

All promises have
```
.catch()
```
or
```
try/catch
```
Errors are logged with context (user ID, request ID)
User-facing errors are sanitized (no stack traces)
API errors return proper HTTP status codes
Retry logic for transient failures

所有异步操作与API调用必须处理错误。

yaml

discover:
  queries:
    # 查找浮动Promise
    - id: floating_promises
      type: grep
      pattern: "^\\s+[a-z][a-zA-Z]*\\(.*\\);$"
      glob: "**/*.{ts,tsx,js,jsx}"
    # 查找空catch块
    - id: empty_catch
      type: grep
      pattern: "catch.*\\{\\s*\\}"
      glob: "**/*.{ts,tsx,js,jsx}"
    # 查找console.error（应使用日志工具）
    - id: console_error
      type: grep
      pattern: "console\\.(error|warn|log)"
      glob: "**/*.{ts,tsx,js,jsx}"
  verbosity: locations

错误处理检查清单：

所有Promise都有
```
.catch()
```
或
```
try/catch
```
错误记录包含上下文（用户ID、请求ID）
面向用户的错误已脱敏（无堆栈跟踪）
API错误返回正确的HTTP状态码
临时故障的重试逻辑

Step 4.3: Check Code Organization

步骤4.3：检查代码组织

Large files and high complexity make code hard to maintain.

yaml

precision_exec:
  commands:
    - cmd: "find src -not -path '*/node_modules/*' -not -path '*/dist/*' -name '*.ts' -o -name '*.tsx' -print0 | xargs -0 wc -l | sort -rn | head -20"
  verbosity: standard

Code organization rules:

Files should be < 300 lines (exception: generated code)
Functions should be < 50 lines
Cyclomatic complexity < 10
Max nesting depth: 3 levels
Extract helpers to separate files

大文件与高复杂度会导致代码难以维护。

yaml

precision_exec:
  commands:
    - cmd: "find src -not -path '*/node_modules/*' -not -path '*/dist/*' -name '*.ts' -o -name '*.tsx' -print0 | xargs -0 wc -l | sort -rn | head -20"
  verbosity: standard

代码组织规则：

文件行数应少于300行（自动生成的代码除外）
函数行数应少于50行
圈复杂度小于10
最大嵌套深度：3层
将辅助函数提取到单独文件

Phase 5: Testing Review

阶段5：测试审查

Tests validate correctness and prevent regressions.

测试验证正确性并防止回归问题。

Step 5.1: Check Test Coverage

步骤5.1：检查测试覆盖率

Every changed file should have tests.

yaml

discover:
  queries:
    # Find test files
    - id: test_files
      type: glob
      patterns: ["**/*.test.{ts,tsx}", "**/*.spec.{ts,tsx}"]
    # Find files without tests
    - id: source_files
      type: glob
      patterns: ["src/**/*.{ts,tsx}"]
    # Check test imports
    - id: test_imports
      type: grep
      pattern: "from ['\"].*/(api|lib|components)/"
      glob: "**/*.test.{ts,tsx}"
  verbosity: files_only

Compare source files to test files:

javascript

// Pseudo-logic (implement with precision tools)
const sourceFiles = results.source_files.files;
const testFiles = results.test_files.files;
const missingTests = sourceFiles.filter(f => !testFiles.some(t => t.includes(f.replace('.ts', ''))));

每个变更文件都应有对应的测试。

yaml

discover:
  queries:
    # 查找测试文件
    - id: test_files
      type: glob
      patterns: ["**/*.test.{ts,tsx}", "**/*.spec.{ts,tsx}"]
    # 查找无测试的文件
    - id: source_files
      type: glob
      patterns: ["src/**/*.{ts,tsx}"]
    # 检查测试导入
    - id: test_imports
      type: grep
      pattern: "from ['\"].*/(api|lib|components)/"
      glob: "**/*.test.{ts,tsx}"
  verbosity: files_only

比较源文件与测试文件：

javascript

// 伪逻辑（使用精准工具实现）
const sourceFiles = results.source_files.files;
const testFiles = results.test_files.files;
const missingTests = sourceFiles.filter(f => !testFiles.some(t => t.includes(f.replace('.ts', ''))));

Step 5.2: Check Test Quality

步骤5.2：检查测试质量

Tests should test behavior, not implementation.

yaml

discover:
  queries:
    # Find skipped tests
    - id: skipped_tests
      type: grep
      pattern: "(it\\.skip|test\\.skip|describe\\.skip)"
      glob: "**/*.test.{ts,tsx}"
    # Find focused tests (.only)
    - id: focused_tests
      type: grep
      pattern: "(it\\.only|test\\.only|describe\\.only)"
      glob: "**/*.test.{ts,tsx}"
    # Find expect assertions
    - id: assertions
      type: grep
      pattern: "expect\\("
      glob: "**/*.test.{ts,tsx}"
    # Find mock usage
    - id: mocks
      type: grep
      pattern: "(vi\\.mock|jest\\.mock|vi\\.fn)"
      glob: "**/*.test.{ts,tsx}"
  verbosity: locations

Test quality checklist:

No
```
.skip
```
or
```
.only
```
(should be removed before merge)
Each test has at least one assertion
Tests have descriptive names ("it should...", "when...then...")
Tests are isolated (no shared state)
Mocks are used sparingly (prefer real implementations)
Edge cases are tested (null, empty, large values)

测试应验证行为，而非实现细节。

yaml

discover:
  queries:
    # 查找跳过的测试
    - id: skipped_tests
      type: grep
      pattern: "(it\\.skip|test\\.skip|describe\\.skip)"
      glob: "**/*.test.{ts,tsx}"
    # 查找聚焦的测试（.only）
    - id: focused_tests
      type: grep
      pattern: "(it\\.only|test\\.only|describe\\.only)"
      glob: "**/*.test.{ts,tsx}"
    # 查找expect断言
    - id: assertions
      type: grep
      pattern: "expect\\("
      glob: "**/*.test.{ts,tsx}"
    # 查找mock的使用
    - id: mocks
      type: grep
      pattern: "(vi\\.mock|jest\\.mock|vi\\.fn)"
      glob: "**/*.test.{ts,tsx}"
  verbosity: locations

测试质量检查清单：

无
```
.skip
```
或
```
.only
```
（合并前应移除）
每个测试至少有一个断言
测试具有描述性名称（"it should..."、"when...then..."）
测试相互隔离（无共享状态）
谨慎使用mock（优先使用真实实现）
测试边缘情况（null、空值、大值）

Phase 6: Architecture Review

阶段6：架构审查

Architecture violations create technical debt.

架构违规会产生技术债务。

Step 6.1: Check Dependency Direction

步骤6.1：检查依赖方向

Dependencies should flow from outer layers to inner layers.

yaml

discover:
  queries:
    # Find domain imports in UI
    - id: ui_imports_domain
      type: grep
      pattern: "from ['\"].*/(domain|core|lib)/"
      glob: "src/components/**/*.{ts,tsx}"
    # Find UI imports in domain
    - id: domain_imports_ui
      type: grep
      pattern: "from ['\"].*/(components|pages|app)/"
      glob: "src/domain/**/*.{ts,tsx}"
    # Find circular dependencies
    - id: imports
      type: grep
      pattern: "^import.*from"
      glob: "src/**/*.{ts,tsx}"
  verbosity: locations

Dependency rules:

UI components can import hooks, utils, domain logic
Domain logic should NOT import UI components
API routes can import domain logic, not UI
Shared utils should have zero dependencies

依赖应从外层流向内层。

yaml

discover:
  queries:
    # 查找UI中导入的领域代码
    - id: ui_imports_domain
      type: grep
      pattern: "from ['\"].*/(domain|core|lib)/"
      glob: "src/components/**/*.{ts,tsx}"
    # 查找领域代码中导入的UI
    - id: domain_imports_ui
      type: grep
      pattern: "from ['\"].*/(components|pages|app)/"
      glob: "src/domain/**/*.{ts,tsx}"
    # 查找循环依赖
    - id: imports
      type: grep
      pattern: "^import.*from"
      glob: "src/**/*.{ts,tsx}"
  verbosity: locations

依赖规则：

UI组件可以导入hooks、工具函数、领域逻辑
领域逻辑不应导入UI组件
API路由可以导入领域逻辑，不能导入UI
共享工具函数应无依赖

Step 6.2: Check for Layering Violations

步骤6.2：检查分层违规

yaml

discover:
  queries:
    # Database access in components
    - id: db_in_components
      type: grep
      pattern: "(prisma|db\\.(query|execute))"
      glob: "src/components/**/*.{ts,tsx}"
    # Business logic in API routes
    - id: logic_in_routes
      type: grep
      pattern: "export (async )?function (GET|POST)"
      glob: "src/app/api/**/*.ts"
  verbosity: files_only

Read the route handlers to check:

Route handlers should be < 30 lines (delegate to services)
No database queries in components (use server actions or API routes)
No business logic in routes (extract to service layer)

yaml

discover:
  queries:
    # 组件中的数据库访问
    - id: db_in_components
      type: grep
      pattern: "(prisma|db\\.(query|execute))"
      glob: "src/components/**/*.{ts,tsx}"
    # API路由中的业务逻辑
    - id: logic_in_routes
      type: grep
      pattern: "export (async )?function (GET|POST)"
      glob: "src/app/api/**/*.ts"
  verbosity: files_only

阅读路由处理程序以检查：

路由处理程序应少于30行（委托给服务层）
组件中无数据库查询（使用server actions或API路由）
路由中无业务逻辑（提取到服务层）

Phase 7: Accessibility Review

阶段7：可访问性审查

Accessibility ensures your app is usable by everyone.

可访问性确保应用对所有人可用。

Step 7.1: Check Semantic HTML

步骤7.1：检查语义化HTML

Use proper HTML elements for accessibility.

yaml

discover:
  queries:
    # Find div buttons (should be <button>)
    - id: div_buttons
      type: grep
      pattern: "<div.*(onClick|onKeyDown)"
      glob: "**/*.{tsx,jsx}"
    # Find missing alt text
    - id: missing_alt
      type: grep
      pattern: "<img(?![^>]*alt=)"
      glob: "**/*.{tsx,jsx}"
    # Find missing labels
    - id: missing_labels
      type: grep
      pattern: "<input(?![^>]*aria-label)(?![^>]*id=)"
      glob: "**/*.{tsx,jsx}"
    # Find missing ARIA roles
    - id: missing_roles
      type: grep
      pattern: "<(nav|header|footer|main)(?![^>]*role=)"
      glob: "**/*.{tsx,jsx}"
  verbosity: locations

Accessibility checklist:

Buttons use
```
<button>
```
, not
```
<div onClick>
```
Images have descriptive
```
alt
```
text
Form inputs have labels or
```
aria-label
```
Focus states are visible (no
```
outline: none
```
without replacement)
Color contrast meets WCAG AA (4.5:1 for text)
Keyboard navigation works (tab order, Enter/Space)

使用合适的HTML元素以确保可访问性。

yaml

discover:
  queries:
    # 查找div按钮（应使用<button>）
    - id: div_buttons
      type: grep
      pattern: "<div.*(onClick|onKeyDown)"
      glob: "**/*.{tsx,jsx}"
    # 查找缺失的alt文本
    - id: missing_alt
      type: grep
      pattern: "<img(?![^>]*alt=)"
      glob: "**/*.{tsx,jsx}"
    # 查找缺失的标签
    - id: missing_labels
      type: grep
      pattern: "<input(?![^>]*aria-label)(?![^>]*id=)"
      glob: "**/*.{tsx,jsx}"
    # 查找缺失的ARIA角色
    - id: missing_roles
      type: grep
      pattern: "<(nav|header|footer|main)(?![^>]*role=)"
      glob: "**/*.{tsx,jsx}"
  verbosity: locations

可访问性检查清单：

按钮使用
```
<button>
```
，而非
```
<div onClick>
```
图片具有描述性的
```
alt
```
文本
表单输入有标签或
```
aria-label
```
焦点状态可见（无
```
outline: none
```
，除非有替代方案）
颜色对比度符合WCAG AA标准（文本为4.5:1）
键盘导航可用（Tab顺序、Enter/Space键）

Step 7.2: Check ARIA Patterns

步骤7.2：检查ARIA模式

yaml

discover:
  queries:
    # Find custom components
    - id: custom_components
      type: grep
      pattern: "(Accordion|Dialog|Dropdown|Tabs|Tooltip)"
      glob: "src/components/**/*.{tsx,jsx}"
  verbosity: files_only

Read components to validate:

Modals trap focus and close on Escape
Dropdowns support arrow keys
Tabs support arrow keys and Home/End
Tooltips are accessible (not just on hover)

yaml

discover:
  queries:
    # 查找自定义组件
    - id: custom_components
      type: grep
      pattern: "(Accordion|Dialog|Dropdown|Tabs|Tooltip)"
      glob: "src/components/**/*.{tsx,jsx}"
  verbosity: files_only

阅读组件以验证：

模态框捕获焦点并可通过Escape键关闭
下拉菜单支持方向键
标签页支持方向键与Home/End键
工具提示可访问（不仅支持悬停）

Phase 8: Review Scoring

阶段8：审查评分

Use the review-scoring skill to provide structured feedback.

See

plugins/goodvibes/skills/protocol/review-scoring/SKILL.md

for the full rubric.

The 10 Dimensions (weighted):

Correctness (15%) - Does it work? Does it meet requirements?
Type Safety (10%) - Proper TypeScript usage, no
```
any
```
Security (15%) - No vulnerabilities, input validation, auth checks
Performance (10%) - No N+1 queries, proper indexes, memoization
Error Handling (10%) - All errors caught, logged, and handled
Testing (10%) - Adequate test coverage, quality assertions
Code Quality (10%) - Readable, maintainable, follows patterns
Architecture (10%) - Proper layering, no violations
Accessibility (5%) - Semantic HTML, ARIA, keyboard nav
Documentation (5%) - JSDoc, README, inline comments where needed

Score each dimension 1-10:

1-3: Needs major work
4-6: Needs improvement
7-8: Good, minor issues
9-10: Excellent

Overall score = weighted average

Pass/fail thresholds:

9.5+: Excellent (approve immediately)
8.0-9.4: Good (approve with minor suggestions)
7.0-7.9: Acceptable (request changes - minor issues)
5.0-6.9: Needs work (request changes - major issues)
< 5.0: Reject (needs significant rework)

使用review-scoring技能提供结构化反馈。

完整的评分准则请查看

plugins/goodvibes/skills/protocol/review-scoring/SKILL.md

。

10个加权维度：

正确性（15%）- 功能正常吗？是否符合需求？
类型安全（10%）- TypeScript使用规范，无
```
any
```
类型
安全性（15%）- 无漏洞、输入验证、身份验证检查
性能（10%）- 无N+1查询、索引合理、 memoization正确
错误处理（10%）- 所有错误被捕获、记录与处理
测试（10%）- 测试覆盖率充足、断言质量高
代码质量（10%）- 可读性强、可维护、符合模式
架构（10%）- 分层合理、无违规
可访问性（5%）- 语义化HTML、ARIA、键盘导航
文档（5%）- JSDoc、README、必要的内联注释

每个维度评分1-10：

1-3：需要重大改进
4-6：需要改进
7-8：良好，存在小问题
9-10：优秀

总分 = 加权平均分

通过/不通过阈值：

9.5+：优秀（立即批准）
8.0-9.4：良好（批准并给出小建议）
7.0-7.9：可接受（要求修改 - 小问题）
5.0-6.9：需要改进（要求修改 - 大问题）
< 5.0：拒绝（需要重大重构）

Phase 9: Automated Validation

阶段9：自动化验证

Run automated checks to catch issues.

yaml

precision_exec:
  commands:
    # Type check
    - cmd: "npm run typecheck"
    # Lint
    - cmd: "npm run lint"
    # Tests
    - cmd: "npm run test"
    # Security audit
    - cmd: "npm audit --audit-level=moderate"
  verbosity: standard

All checks must pass before approval.

运行自动化检查以发现问题。

yaml

precision_exec:
  commands:
    # 类型检查
    - cmd: "npm run typecheck"
    # 代码规范检查
    - cmd: "npm run lint"
    # 测试
    - cmd: "npm run test"
    # 安全审计
    - cmd: "npm audit --audit-level=moderate"
  verbosity: standard

所有检查必须通过才能批准。

Phase 10: Provide Feedback

阶段10：提供反馈

Structured feedback is actionable and specific.

Review output format:

markdown

undefined

结构化反馈应具体且可操作。

审查输出格式：

markdown

undefined

Review Summary

审查摘要

Overall Score: 8.2/10 Verdict: APPROVE with suggestions

What changed: Added user profile API with authentication Files reviewed: 8 files (5 source, 3 test)

总分: 8.2/10 结论: 批准并给出建议

变更内容: 添加带身份验证的用户资料API 审查文件: 8个文件（5个源文件，3个测试文件）

Dimension Scores

维度评分

Correctness: 9/10
Type Safety: 7/10
Security: 9/10
Performance: 8/10
Error Handling: 7/10
Testing: 8/10
Code Quality: 9/10
Architecture: 8/10
Accessibility: 8/10
Documentation: 7/10

正确性: 9/10
类型安全: 7/10
安全性: 9/10
性能: 8/10
错误处理: 7/10
测试: 8/10
代码质量: 9/10
架构: 8/10
可访问性: 8/10
文档: 7/10

Issues Found

发现的问题

Major (should fix)

主要问题（应修复）

FILE:LINE - Type safety: Function
```
updateProfile
```
has implicit
```
any
```
return type
- Fix: Add explicit return type
```
Promise<User>
```
- Impact: TypeScript can't catch type errors in callers

文件:行 - 类型安全: 函数
```
updateProfile
```
的返回类型为隐式
```
any
```
- 修复方法: 添加显式返回类型
```
Promise<User>
```
- 影响: TypeScript无法捕获调用方的类型错误

Minor (nice to fix)

次要问题（建议修复）

src/api/profile.ts:42 - Error handling: Empty catch block swallows errors
- Fix: Log error with context before re-throwing
- Impact: Makes debugging harder

src/api/profile.ts:42 - 错误处理: 空catch块吞噬错误
- 修复方法: 记录包含上下文的错误后重新抛出
- 影响: 增加调试难度

What Was Done Well

亮点

Excellent input validation with Zod schemas
Comprehensive test coverage (95%)
Proper authentication checks on all routes
Clean separation of concerns (route -> service -> repository)


**Feedback guidelines:**

- Be specific: Include file path and line number
- Be actionable: Explain exactly how to fix
- Explain impact: Why does this matter?
- Acknowledge good work: Highlight what was done well
- Categorize by severity: Critical > Major > Minor

使用Zod模式实现了出色的输入验证
全面的测试覆盖率（95%）
所有路由都有正确的身份验证检查
清晰的关注点分离（路由 -> 服务 -> 仓库）


**反馈准则：**

- 具体：包含文件路径与行号
- 可操作：明确说明修复方法
- 解释影响：说明问题的重要性
- 认可优秀工作：突出做得好的部分
- 按严重程度分类：关键 > 主要 > 次要

Common Review Patterns

常见审查模式

See

references/review-patterns.md

for detailed anti-patterns organized by category.

Quick reference:

按类别组织的详细反模式请查看

references/review-patterns.md

。

快速参考：

Security Patterns

安全模式

SQL injection: String concatenation in queries
XSS: Unsafe HTML rendering
Auth bypass: Missing auth checks
Secrets exposure: Hardcoded API keys

SQL注入: 查询中的字符串拼接
XSS: 不安全的HTML渲染
身份验证绕过: 缺失身份验证检查
密钥泄露: 硬编码的API密钥

Performance Patterns

性能模式

N+1 queries: Loops with database calls
Missing indexes: WHERE clauses without indexes
Unnecessary re-renders: Inline objects in React
Memory leaks: Event listeners not cleaned up

N+1查询: 包含数据库调用的循环
缺失索引: WHERE子句无索引
不必要的重渲染: React中的内联对象
内存泄漏: 未清理的事件监听器

Code Quality Patterns

代码质量模式

Type unsafety:
```
any
```
types, type assertions
Error handling: Floating promises, empty catches
Complexity: Functions > 50 lines, nesting > 3
Duplication: Copy-paste code

类型不安全:
```
any
```
类型、类型断言
错误处理: 浮动Promise、空catch块
复杂度: 函数行数>50、嵌套>3层
重复: 复制粘贴的代码

Testing Patterns

测试模式

Missing tests: Changed files without tests
Poor assertions:
```
expect(result).toBeTruthy()
```
Test pollution: Shared state between tests
Skipped tests:
```
.skip
```
or
```
.only
```
left in

缺失测试: 变更文件无对应测试
断言质量差:
```
expect(result).toBeTruthy()
```
测试污染: 测试间共享状态
跳过的测试: 遗留的
```
.skip
```
或
```
.only
```

Precision Tools for Review

审查用精准工具

Discover Tool

Discover工具

Run multiple grep/glob queries in parallel to find patterns.

Example: Find security issues

yaml

discover:
  queries:
    - id: sql_injection
      type: grep
      pattern: 'query.*\$\{'
    - id: hardcoded_secrets
      type: grep
      pattern: 'api[_-]?key\s*=\s*["''][^"'']+'
    - id: xss
      type: grep
      pattern: 'dangerouslySetInnerHTML'
  verbosity: locations

并行运行多个grep/glob查询以查找模式。

示例：查找安全问题

yaml

discover:
  queries:
    - id: sql_injection
      type: grep
      pattern: 'query.*\$\{'
    - id: hardcoded_secrets
      type: grep
      pattern: 'api[_-]?key\s*=\s*["''][^"'']+'
    - id: xss
      type: grep
      pattern: 'dangerouslySetInnerHTML'
  verbosity: locations

Precision Grep

Search with context, multiline support, and token limits.

Example: Find error handling

yaml

precision_grep:
  queries:
    - id: catch_blocks
      pattern: "try\\s*\\{[\\s\\S]*?\\}\\s*catch"
  output:
    format: context
    context_after: 3
    context_before: 1
  verbosity: standard

带上下文、多行支持与令牌限制的搜索工具。

示例：查找错误处理

yaml

precision_grep:
  queries:
    - id: catch_blocks
      pattern: "try\\s*\\{[\\s\\S]*?\\}\\s*catch"
  output:
    format: context
    context_after: 3
    context_before: 1
  verbosity: standard

Precision Exec

Run validation commands.

yaml

precision_exec:
  commands:
    - cmd: "npm run typecheck"
    - cmd: "npm run lint"
    - cmd: "npm test -- --coverage"
  verbosity: standard

运行验证命令。

yaml

precision_exec:
  commands:
    - cmd: "npm run typecheck"
    - cmd: "npm run lint"
    - cmd: "npm test -- --coverage"
  verbosity: standard

Validation Script

验证脚本

Use

scripts/validate-code-review.sh

to validate review completeness.

bash

./scripts/validate-code-review.sh /path/to/review-output.md

The script checks:

Security patterns were checked
Performance patterns were checked
Test coverage was reviewed
All changed files were reviewed
Review includes scoring with rubric
Feedback is specific with file/line references

使用

scripts/validate-code-review.sh

验证审查的完整性。

bash

./scripts/validate-code-review.sh /path/to/review-output.md

脚本检查项：

已检查安全模式
已检查性能模式
已审查测试覆盖率
已审查所有变更文件
审查包含基于准则的评分
反馈包含具体的文件/行引用

Quick Reference

快速参考

Review Checklist

审查检查清单

Before reviewing:

Understand the change (read PR description, commits)
Get the diff (
```
git diff
```
or GitHub PR)
Identify changed files and their purpose

During review:

Security: Check for vulnerabilities, auth, validation
Performance: Check for N+1, indexes, re-renders
Type safety: Check for
```
any
```
, assertions, return types
Error handling: Check for floating promises, empty catches
Testing: Check coverage, quality, skipped tests
Architecture: Check layering, dependencies, organization
Accessibility: Check semantic HTML, ARIA, keyboard nav

After review:

Run automated validation (typecheck, lint, test)
Score all 10 dimensions
Calculate weighted score
Provide verdict (approve/request changes/reject)
Write actionable feedback with file/line references

审查前：

理解变更内容（阅读PR描述、提交记录）
获取差异（
```
git diff
```
或GitHub PR）
确定变更文件及其用途

审查中：

安全性：检查漏洞、身份验证、验证
性能：检查N+1查询、索引、重渲染
类型安全：检查
```
any
```
类型、断言、返回类型
错误处理：检查浮动Promise、空catch块
测试：检查覆盖率、质量、跳过的测试
架构：检查分层、依赖、组织
可访问性：检查语义化HTML、ARIA、键盘导航

审查后：

运行自动化验证（类型检查、代码规范、测试）
为所有10个维度评分
计算加权总分
给出结论（批准/要求修改/拒绝）
撰写包含文件/行引用的可操作反馈

Severity Guidelines

严重程度准则

Critical (must fix before merge):

Security vulnerabilities (SQL injection, XSS, auth bypass)
Data loss bugs
Compilation/runtime errors
Breaking changes to public API

Major (should fix before merge):

Type safety issues (
```
any
```
usage, missing types)
Performance issues (N+1 queries, missing indexes)
Missing error handling
Missing tests for critical paths
Architecture violations

Minor (nice to fix, or address in follow-up):

Code style inconsistencies
Missing documentation
Non-critical accessibility issues
Refactoring opportunities
Low test coverage on edge cases

关键（合并前必须修复）：

安全漏洞（SQL注入、XSS、身份验证绕过）
数据丢失bug
编译/运行时错误
公共API的破坏性变更

主要（合并前应修复）：

类型安全问题（
```
any
```
类型使用、缺失类型）
性能问题（N+1查询、缺失索引）
缺失错误处理
关键路径缺失测试
架构违规

次要（建议修复，或后续处理）：

代码风格不一致
缺失文档
非关键可访问性问题
重构机会
边缘情况测试覆盖率低

Common Mistakes to Avoid

需避免的常见错误

Score inflation:

Don't give 9-10 scores when issues exist
Be honest about quality gaps
Critical issues should fail review

Vague feedback:

BAD: "Fix the types"
GOOD: "src/api/user.ts:42 - Add return type
```
Promise<User>
```
to function
```
getUser
```
"

Ignoring positives:

Always acknowledge what was done well
Positive feedback motivates improvement

Inconsistent severity:

Security issues are always Critical
Missing tests are Major, not Minor
Style issues are Minor, not Major

评分膨胀：

存在问题时不要给9-10分
诚实地评估质量差距
关键问题应导致审查不通过

模糊反馈：

错误示例: "修复类型"
正确示例: "src/api/user.ts:42 - 为函数
```
getUser
```
添加返回类型
```
Promise<User>
```
"

忽略优点：

始终认可做得好的部分
正面反馈能激励改进

严重程度不一致：

安全问题始终为关键
缺失测试为主要问题，非次要
风格问题为次要问题，非主要

Advanced Techniques

高级技巧

Batch Review with Discover

使用Discover批量审查

Review multiple PRs or files in parallel.

yaml

discover:
  queries:
    - id: all_changes
      type: grep
      pattern: ".*"
      path: "src/"
  verbosity: files_only

Then read files in batch:

yaml

precision_read:
  files:
    - path: "src/changed-file-1.ts"
    - path: "src/changed-file-2.ts"
  extract: content
  output:
    max_per_item: 100
  verbosity: standard

并行审查多个PR或文件。

yaml

discover:
  queries:
    - id: all_changes
      type: grep
      pattern: ".*"
      path: "src/"
  verbosity: files_only

然后批量读取文件：

yaml

precision_read:
  files:
    - path: "src/changed-file-1.ts"
    - path: "src/changed-file-2.ts"
  extract: content
  output:
    max_per_item: 100
  verbosity: standard

Contextual Review

上下文审查

Use

precision_grep

with context to understand surrounding code.

yaml

precision_grep:
  queries:
    - id: auth_checks
      pattern: "getServerSession|auth\\(\\)"
  output:
    format: context
    context_before: 5
    context_after: 10
  verbosity: standard

使用

precision_grep

结合上下文理解周边代码。

yaml

precision_grep:
  queries:
    - id: auth_checks
      pattern: "getServerSession|auth\\(\\)"
  output:
    format: context
    context_before: 5
    context_after: 10
  verbosity: standard

Differential Review

差异审查

Focus on changed lines only.

yaml

precision_exec:
  commands:
    - cmd: "git diff HEAD~1..HEAD --unified=5"
  verbosity: standard

Parse the diff and review only changed sections.

仅关注变更行。

yaml

precision_exec:
  commands:
    - cmd: "git diff HEAD~1..HEAD --unified=5"
  verbosity: standard

解析差异并仅审查变更部分。

Automated Pattern Detection

自动模式检测

Create a batch of security/performance checks.

yaml

discover:
  queries:
    # Security
    - { id: sql_injection, type: grep, pattern: 'query.*\$\{' }
    - { id: xss, type: grep, pattern: 'dangerouslySetInnerHTML' }
    - { id: secrets, type: grep, pattern: 'password\s*=\s*["''][^"'']+' }
    # Performance
    - { id: n_plus_one, type: grep, pattern: 'for.*await.*prisma' }
    - { id: inline_objects, type: grep, pattern: 'onClick=\{\{', glob: '**/*.tsx' }
    # Quality
    - { id: any_usage, type: grep, pattern: ':\s*any', glob: '**/*.ts' }
    - { id: empty_catch, type: grep, pattern: 'catch.*\{\s*\}' }
  verbosity: locations

Aggregate results and score based on findings.

创建批量的安全/性能检查。

yaml

discover:
  queries:
    # 安全
    - { id: sql_injection, type: grep, pattern: 'query.*\$\{' }
    - { id: xss, type: grep, pattern: 'dangerouslySetInnerHTML' }
    - { id: secrets, type: grep, pattern: 'password\s*=\s*["''][^"'']+' }
    # 性能
    - { id: n_plus_one, type: grep, pattern: 'for.*await.*prisma' }
    - { id: inline_objects, type: grep, pattern: 'onClick=\{\{', glob: '**/*.tsx' }
    # 质量
    - { id: any_usage, type: grep, pattern: ':\s*any', glob: '**/*.ts' }
    - { id: empty_catch, type: grep, pattern: 'catch.*\{\s*\}' }
  verbosity: locations

汇总结果并基于发现内容评分。

Integration with Other Skills

与其他技能的集成

Use review-scoring for structured feedback with the 10-dimension rubric
Use error-recovery when fix attempts fail during review remediation
Use precision-mastery for advanced precision tool usage
Use testing-strategy to validate test quality
Use component-architecture when reviewing UI components
Use api-design when reviewing API routes
Use database-layer when reviewing database queries and schemas

使用review-scoring技能提供基于10维度准则的结构化反馈
审查修复失败时使用error-recovery技能
高级精准工具使用时使用precision-mastery技能
验证测试质量时使用testing-strategy技能
审查UI组件时使用component-architecture技能
审查API路由时使用api-design技能
审查数据库查询与模式时使用database-layer技能

Resources

资源

```
references/review-patterns.md
```
- Common anti-patterns by category
```
scripts/validate-code-review.sh
```
- Automated review validation

plugins/goodvibes/skills/protocol/review-scoring/SKILL.md

- Scoring rubric details

OWASP Top 10 - https://owasp.org/www-project-top-ten/
WCAG Guidelines - https://www.w3.org/WAI/WCAG21/quickref/

```
references/review-patterns.md
```
- 按类别组织的常见反模式
```
scripts/validate-code-review.sh
```
- 自动化审查验证

plugins/goodvibes/skills/protocol/review-scoring/SKILL.md

- 评分准则详情

OWASP Top 10 - https://owasp.org/www-project-top-ten/
WCAG指南 - https://www.w3.org/WAI/WCAG21/quickref/