code-review-expert

Code Review Expert

Overview

Perform a structured review of the current git changes with focus on SOLID, architecture, removal candidates, and security risks. Default to review-only output unless the user asks to implement changes.

Severity Levels

| Level | Name | Description | Action |
|---|---|---|---|
| P0 | Critical | Security vulnerability, data loss risk, correctness bug | Must block merge |
| P1 | High | Logic error, significant SOLID violation, performance regression | Should fix before merge |
| P2 | Medium | Code smell, maintainability concern, minor SOLID violation | Fix in this PR or create follow-up |
| P3 | Low | Style, naming, minor suggestion | Optional improvement |

Workflow

1) Preflight context

- Use `git status -sb`, `git diff --stat`, and `git diff` to scope changes.
- If needed, use `rg` or `grep` to find related modules, usages, and contracts.
- Identify entry points, ownership boundaries, and critical paths (auth, payments, data writes, network).

Edge cases:

- No changes: If `git diff` is empty, inform the user and ask whether they want to review staged changes or a specific commit range.
- Large diff (>500 lines): Summarize by file first, then review in batches by module/feature area.
- Mixed concerns: Group findings by logical feature, not just file order.
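As an added illustration of the preflight step (this is example code, not part of the original skill), the helper below takes the text of `git diff --numstat` and applies the edge-case rules above: it reports an empty diff, flags a diff of more than 500 changed lines for batched review, groups files by directory so they can be reviewed module by module, orders files by churn for the per-file summary, and lists files on critical paths. The `scope_changes` function name, the keyword list used to recognise critical paths, and the numstat sample are all assumptions constructed for this example.

```python
"""Preflight scoping helper (added example, not part of the original skill).

Takes the text of `git diff --numstat` rather than calling git itself, so it
runs offline on constructed input; in practice feed it
subprocess.run(["git", "diff", "--numstat"], capture_output=True, text=True).stdout.
"""
from collections import defaultdict
from typing import Dict, List

LARGE_DIFF_LINES = 500  # "Large diff (>500 lines)" threshold from the workflow

# Path fragments that mark critical paths (auth, payments, data writes, network).
# This keyword list is an assumption chosen for the example.
CRITICAL_KEYWORDS = ("auth", "payment", "migration", "db", "http", "net")

# Constructed sample of `git diff --numstat` output: "<added>\t<deleted>\t<path>".
SAMPLE_NUMSTAT = (
    "12\t3\tsrc/auth/login.ts\n"
    "400\t150\tsrc/api/orders.ts\n"
    "-\t-\tassets/logo.png\n"  # binary files report "-" for both counts
    "5\t0\tREADME.md\n"
)


def parse_numstat(numstat: str) -> List[Dict]:
    """Parse numstat lines into {path, added, deleted}; binary files count as 0 lines."""
    files = []
    for line in numstat.splitlines():
        if not line.strip():
            continue
        added, deleted, path = line.split("\t", 2)
        files.append({
            "path": path,
            "added": 0 if added == "-" else int(added),
            "deleted": 0 if deleted == "-" else int(deleted),
        })
    return files


def module_of(path: str) -> str:
    """Batch key: the file's directory, or "." for repository-root files."""
    head, sep, _ = path.rpartition("/")
    return head if sep else "."


def scope_changes(numstat: str) -> Dict:
    """Apply the preflight edge-case rules and return a review plan."""
    files = parse_numstat(numstat)
    total = sum(f["added"] + f["deleted"] for f in files)

    if not files:
        # Ask whether to review staged changes (git diff --cached) or a commit range.
        mode = "empty"
    elif total > LARGE_DIFF_LINES:
        # Summarize per file first, then review module by module.
        mode = "batched"
    else:
        mode = "single"

    batches: Dict[str, List[str]] = defaultdict(list)
    for f in files:
        batches[module_of(f["path"])].append(f["path"])

    # Files on critical paths get a closer look regardless of batch size.
    critical = [f["path"] for f in files
                if any(k in f["path"].lower() for k in CRITICAL_KEYWORDS)]

    # Per-file summary ordered by churn, for the "summarize by file first" step.
    by_churn = sorted(files, key=lambda f: f["added"] + f["deleted"], reverse=True)

    return {
        "mode": mode,
        "files": len(files),
        "lines": total,
        "batches": dict(batches),
        "critical_paths": critical,
        "summary": [(f["path"], f["added"], f["deleted"]) for f in by_churn],
    }


if __name__ == "__main__":
    plan = scope_changes(SAMPLE_NUMSTAT)
    print(f"mode={plan['mode']} files={plan['files']} lines={plan['lines']}")
    for path, added, deleted in plan["summary"]:
        print(f"  {path}: +{added}/-{deleted}")
    print("critical:", plan["critical_paths"])
    print("batches:", plan["batches"])
```

On the constructed sample the plan comes back as `batched` (570 changed lines), with `src/auth/login.ts` singled out as a critical path and the four files split into per-directory batches.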

2) SOLID + architecture smells

- Load `references/solid-checklist.md` for specific prompts.
- Look for:
  - SRP: Overloaded modules with unrelated responsibilities.
  - OCP: Frequent edits to add behavior instead of extension points.
  - LSP: Subclasses that break expectations or require type checks.
  - ISP: Wide interfaces with unused methods.
  - DIP: High-level logic tied to low-level implementations.
- When you propose a refactor, explain why it improves cohesion/coupling and outline a minimal, safe split.
- If the refactor is non-trivial, propose an incremental plan instead of a large rewrite.

3) Removal candidates + iteration plan

- Load `references/removal-plan.md` for the template.
- Identify code that is unused, redundant, or feature-flagged off.
- Distinguish safe-to-delete-now from defer-with-plan.
- Provide a follow-up plan with concrete steps and checkpoints (tests/metrics).

4) Security and reliability scan

- Load `references/security-checklist.md` for coverage.
- Check for:
  - XSS, injection (SQL/NoSQL/command), SSRF, path traversal
  - AuthZ/AuthN gaps, missing tenancy checks
  - Secret leakage or API keys in logs/env/files
  - Rate limits, unbounded loops, CPU/memory hotspots
  - Unsafe deserialization, weak crypto, insecure defaults
  - Race conditions: concurrent access, check-then-act, TOCTOU, missing locks
- Call out both exploitability and impact.
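To show what a first mechanical pass over this checklist looks like, here is an added example (not code from the original skill): a scanner that walks a unified diff, looks only at added lines, keeps track of the new-file line number, and emits candidate findings in the `::code-comment{...}` inline format from the output-format section, together with per-level counts and an overall assessment. The regex patterns, the severity assigned to each, the assessment mapping (P0/P1 gate the merge, P2/P3 do not), the function names, and the sample diff are all assumptions constructed for this example; each hit is a candidate that the reviewer still has to rate for exploitability and impact.

```python
"""Heuristic security pass over a unified diff (added example, not part of the
original skill). It scans only added lines, tracks new-file line numbers, and
emits candidates in the ::code-comment{...} inline format from the output
section. The patterns and the severity mapping are assumptions for
illustration; a reviewer still judges exploitability and impact for each hit.
"""
import re
from typing import Dict, List

# (severity, title, pattern). Severities follow the page's scale: P0 for a
# likely vulnerability, P1 for something that should be fixed before merge.
CHECKS = [
    ("P0", "Hard-coded secret",
     re.compile(r"(api[_-]?key|secret|password|token)\s*[:=]\s*[\"'][^\"']{8,}[\"']", re.I)),
    ("P0", "SQL built by interpolation/concatenation (injection)",
     re.compile(r"\b(select|insert|update|delete)\b[^;\n]*(\{|\+\s*[a-z_]|%s)", re.I)),
    ("P0", "Unsafe deserialization (pickle)", re.compile(r"\bpickle\.loads?\(")),
    ("P1", "Subprocess with shell=True (command injection if input reaches it)",
     re.compile(r"shell\s*=\s*True")),
    ("P1", "Weak hash (MD5/SHA-1)", re.compile(r"\b(md5|sha1)\(", re.I)),
    ("P1", "innerHTML assignment (XSS sink)", re.compile(r"\.innerHTML\s*=")),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed unified diff used as sample input.
SAMPLE_DIFF = """\
diff --git a/src/api/users.py b/src/api/users.py
--- a/src/api/users.py
+++ b/src/api/users.py
@@ -10,3 +10,5 @@ def get_user(db, user_id):
     # look up a user
-    row = db.execute("SELECT * FROM users WHERE id = ?", (user_id,))
+    row = db.execute(f"SELECT * FROM users WHERE id = {user_id}")
+    API_KEY = "sk_live_0123456789abcdef"
+    digest = hashlib.md5(row.email.encode())
     return row
"""


def scan_diff(diff_text: str) -> List[Dict]:
    """Return findings for added lines, each with the new-file line number."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # first new-file line covered by this hunk
            continue
        # Removed lines, file headers and "\ No newline" markers occupy no new-file line.
        if raw.startswith(("-", "\\", "diff ", "index ")):
            continue
        if raw.startswith("+"):
            content = raw[1:]
            for severity, title, pattern in CHECKS:
                if pattern.search(content):
                    findings.append({"file": current_file, "line": new_line,
                                     "severity": severity, "title": title,
                                     "code": content.strip()})
        new_line += 1  # added and context lines both advance the new-file counter
    return findings


def render_inline(findings: List[Dict]) -> List[str]:
    """Format findings with the ::code-comment{...} inline syntax."""
    return [
        f'::code-comment{{file="{f["file"]}" line="{f["line"]}" severity="{f["severity"]}"}} '
        f'{f["title"]}: `{f["code"]}` ::'
        for f in findings
    ]


def summarize(findings: List[Dict]) -> Dict:
    """Count findings per level and derive the overall assessment.
    Mapping assumed from the Action column: P0/P1 gate the merge, P2/P3 do not."""
    counts = {level: 0 for level in ("P0", "P1", "P2", "P3")}
    for f in findings:
        counts[f["severity"]] += 1
    if counts["P0"] or counts["P1"]:
        assessment = "REQUEST_CHANGES"
    elif counts["P2"] or counts["P3"]:
        assessment = "COMMENT"
    else:
        assessment = "APPROVE"
    return {"counts": counts, "assessment": assessment}


if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    for line in render_inline(found):
        print(line)
    print(summarize(found))
```

On the sample diff this yields three candidates at lines 11, 12 and 13 of `src/api/users.py` (interpolated SQL, a hard-coded key, an MD5 digest) and an overall `REQUEST_CHANGES`. The line arithmetic is the part worth getting right: removed lines do not advance the new-file counter, context lines do, so the `[file:line]` references in the findings point at the post-change file.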

5) Code quality scan

- Load `references/code-quality-checklist.md` for coverage.
- Check for:
  - Error handling: swallowed exceptions, overly broad catch, missing error handling, async errors
  - Performance: N+1 queries, CPU-intensive ops in hot paths, missing cache, unbounded memory
  - Boundary conditions: null/undefined handling, empty collections, numeric boundaries, off-by-one
- Flag issues that may cause silent failures or production incidents.

6) Output format

Structure your review as follows:

```markdown
## Code Review Summary

**Files reviewed**: X files, Y lines changed
**Overall assessment**: [APPROVE / REQUEST_CHANGES / COMMENT]

### Findings

#### P0 - Critical
(none or list)

#### P1 - High
1. [file:line] Brief title
   - Description of issue
   - Suggested fix

#### P2 - Medium
1. (continue numbering across sections)
   - ...

#### P3 - Low
...

### Removal/Iteration Plan
(if applicable)

### Additional Suggestions
(optional improvements, not blocking)
```

**Inline comments**: Use this format for file-specific findings:

```
::code-comment{file="path/to/file.ts" line="42" severity="P1"} Description of the issue and suggested fix. ::
```

**Clean review**: If no issues are found, explicitly state:
- What was checked
- Any areas not covered (e.g., "Did not verify database migrations")
- Residual risks or recommended follow-up tests

7) Next steps confirmation

After presenting findings, ask the user how to proceed:

```markdown
---

## Next Steps

I found X issues (P0: _, P1: _, P2: _, P3: _).
How would you like to proceed?

1. Fix all - I'll implement all suggested fixes
2. Fix P0/P1 only - Address critical and high priority issues
3. Fix specific items - Tell me which issues to fix
4. No changes - Review complete, no implementation needed

Please choose an option or provide specific instructions.
```

**Important**: Do NOT implement any changes until the user explicitly confirms. This is a review-first workflow.

Resources

references/

| File | Purpose |
|---|---|
| `solid-checklist.md` | SOLID smell prompts and refactor heuristics |
| `security-checklist.md` | Web/app security and runtime risk checklist |
| `code-quality-checklist.md` | Error handling, performance, boundary conditions |
| `removal-plan.md` | Template for deletion candidates and follow-up plan |