Back to Details

comprehensive-review

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Comprehensive Review

全面代码审查

Overview

概述

Review code against 7 criteria before considering it complete.
Core principle: Self-review catches issues before they reach others.
HARD REQUIREMENT: Review artifact MUST be posted to the GitHub issue. This is enforced by hooks.
Announce at start: "I'm performing a comprehensive code review."
在认为代码完成前,需对照7项标准进行审查。
核心原则: 自我审查能在问题传递给他人之前发现问题。
硬性要求: 必须将审查成果发布至GitHub Issue。这一要求由钩子(hooks)强制执行。
开始时需声明: "我正在执行全面代码审查。"

Review Artifact Requirement

审查成果要求

This is not optional. Before a PR can be created:
  1. Complete review against all 7 criteria
  2. Document all findings
  3. Post artifact to issue comment using EXACT format below
  4. Address all findings (fix or defer with tracking issues)
  5. Update artifact to show "Unaddressed: 0"
The 
review-gate
skill and 
PreToolUse
hook will BLOCK PR creation without this artifact.
此项要求为强制项。 在创建PR之前:
  1. 对照全部7项标准完成审查
  2. 记录所有发现的问题
  3. 使用以下精确格式将审查成果发布至Issue评论区
  4. 处理所有发现的问题(修复或通过跟踪Issue延期处理)
  5. 更新审查成果,显示“未处理问题:0”
若未提交该审查成果,
review-gate
skill和
PreToolUse
钩子将阻止创建PR

The 7 Criteria

7项审查标准

1. Blindspots

1. 盲点检查

Question: What am I missing?
CheckAsk Yourself
Edge casesWhat happens at boundaries? Empty input? Max values?
Error pathsWhat if external services fail? Network issues?
ConcurrencyMultiple users/threads? Race conditions?
StateWhat if called in wrong order? Invalid state?
DependenciesWhat if dependency behavior changes?
typescript
// Blindspot example: What if items is empty?
function calculateAverage(items: number[]): number {
  return items.reduce((a, b) => a + b, 0) / items.length;
  // Blindspot: Division by zero when items is empty!
}

// Fixed
function calculateAverage(items: number[]): number {
  if (items.length === 0) {
    throw new Error('Cannot calculate average of empty array');
  }
  return items.reduce((a, b) => a + b, 0) / items.length;
}
问题: 我遗漏了什么?
检查项自我提问
边缘情况在边界条件下会发生什么?空输入?最大值?
错误路径若外部服务故障会怎样?网络问题?
并发情况多用户/多线程场景?竞态条件?
状态问题若调用顺序错误会怎样?无效状态?
依赖问题若依赖项行为变更会怎样?
typescript
// Blindspot example: What if items is empty?
function calculateAverage(items: number[]): number {
  return items.reduce((a, b) => a + b, 0) / items.length;
  // Blindspot: Division by zero when items is empty!
}

// Fixed
function calculateAverage(items: number[]): number {
  if (items.length === 0) {
    throw new Error('Cannot calculate average of empty array');
  }
  return items.reduce((a, b) => a + b, 0) / items.length;
}

2. Clarity/Consistency

2. 清晰度/一致性

Question: Will someone else understand this?
CheckAsk Yourself
NamesDo names describe what things do/are?
StructureIs code organized logically?
ComplexityCan this be simplified?
PatternsDoes this match existing patterns?
SurprisesWould anything surprise a reader?
问题: 其他人能理解这段代码吗?
检查项自我提问
命名命名是否准确描述了功能/事物本身?
结构代码组织是否逻辑清晰?
复杂度这段代码能否简化?
模式是否与现有代码模式一致?
意外情况是否存在会让读者感到意外的内容?

3. Maintainability

3. 可维护性

Question: Can this be changed safely?
CheckAsk Yourself
CouplingIs this tightly bound to other code?
CohesionDoes this do one thing well?
DuplicationIs logic repeated anywhere?
TestsDo tests cover this adequately?
ExtensibilityCan new features be added easily?
问题: 能否安全地修改这段代码?
检查项自我提问
耦合度是否与其他代码高度绑定?
内聚性是否专注完成单一功能?
重复代码逻辑是否存在重复?
测试测试是否充分覆盖了这段代码?
可扩展性是否易于添加新功能?

4. Security Risks

4. 安全风险

Question: Can this be exploited?
CheckAsk Yourself
Input validationIs all input validated and sanitized?
AuthenticationIs access properly controlled?
AuthorizationAre permissions checked?
Data exposureIs sensitive data protected?
InjectionSQL, XSS, command injection possible?
DependenciesAre dependencies secure and updated?
NOTE: If security-sensitive files are changed (auth, api, middleware, etc.), invoke 
security-review
skill for deeper analysis.
问题: 这段代码是否存在被利用的风险?
检查项自我提问
输入验证所有输入是否都经过验证和清理?
身份认证访问控制是否得当?
权限授权是否检查了权限?
数据暴露敏感数据是否得到保护?
注入风险是否存在SQL、XSS、命令注入的可能?
依赖项安全依赖项是否安全且已更新?
注意: 若修改了安全敏感文件(认证、API、中间件等),需调用
security-review
skill进行深度分析。

5. Performance Implications

5. 性能影响

Question: Will this scale?
CheckAsk Yourself
AlgorithmsIs complexity appropriate? O(n²) when O(n) possible?
DatabaseN+1 queries? Missing indexes? Full table scans?
MemoryLarge objects in memory? Memory leaks?
NetworkUnnecessary requests? Large payloads?
CachingShould results be cached?
问题: 这段代码能否横向扩展?
检查项自我提问
算法复杂度是否合适?是否存在可用O(n)实现却用了O(n²)的情况?
数据库是否存在N+1查询?缺少索引?全表扫描?
内存是否在内存中存储大型对象?是否存在内存泄漏?
网络是否存在不必要的请求? payload过大?
缓存是否应该对结果进行缓存?

6. Documentation

6. 文档

Question: Is this documented adequately?
CheckAsk Yourself
Public APIsAre all public functions documented?
ParametersAre parameter types and purposes clear?
ReturnsIs return value documented?
ErrorsAre thrown errors documented?
ExamplesAre complex usages demonstrated?
WhyAre non-obvious decisions explained?
See 
inline-documentation
skill for documentation standards.
问题: 文档是否足够充分?
检查项自我提问
公共API所有公共函数是否都有文档?
参数参数类型和用途是否清晰?
返回值返回值是否有文档说明?
错误抛出的错误是否有文档说明?
示例是否展示了复杂用法的示例?
决策依据非显而易见的决策是否有解释?
文档标准可参考
inline-documentation
skill。

7. Standards and Style

7. 标准与风格

Question: Does this follow project conventions?
CheckAsk Yourself
NamingFollows project naming conventions?
FormattingMatches project formatting?
PatternsUses established patterns?
TypesFully typed (no 
any
)?
LanguageUses inclusive language?
IPv6-firstNetwork code uses IPv6 by default? IPv4 only for documented legacy?
LintingPasses all linters?
See 
style-guide-adherence
, 
strict-typing
, 
inclusive-language
, 
ipv6-first
skills.
问题: 是否遵循项目约定?
检查项自我提问
命名是否遵循项目命名规范?
格式是否与项目格式一致?
模式是否使用已确立的模式?
类型是否完全类型化(无
any
)?
语言是否使用包容性语言?
IPv6优先网络代码是否默认使用IPv6?仅在有文档说明的遗留场景下使用IPv4?
代码检查是否通过所有代码检查工具的校验?
相关参考:
style-guide-adherence
strict-typing
inclusive-language
ipv6-first
skill。

Review Process

审查流程

Step 1: Prepare

步骤1:准备

bash
undefined
bash
undefined

Get list of changed files

Get list of changed files

git diff --name-only HEAD~1
git diff --name-only HEAD~1

Get full diff

Get full diff

git diff HEAD~1
git diff HEAD~1

Check for security-sensitive files

Check for security-sensitive files

git diff --name-only HEAD~1 | grep -E '(auth|security|middleware|api|password|token|secret)'
git diff --name-only HEAD~1 | grep -E '(auth|security|middleware|api|password|token|secret)'

If matches found, security-review skill is MANDATORY

If matches found, security-review skill is MANDATORY

undefined
undefined

Step 2: Review Each Criterion

步骤2:逐一审查各项标准

For each of the 7 criteria:
  1. Review all changed code
  2. Note any issues found
  3. Determine severity (Critical/Major/Minor)
针对每一项标准:
  1. 审查所有变更的代码
  2. 记录发现的所有问题
  3. 确定严重程度(Critical/Major/Minor)

Step 3: Check Security-Sensitive

步骤3:检查安全敏感文件

If ANY security-sensitive files were changed:
  1. Invoke 
    security-review
    skill OR 
    security-reviewer
    subagent
  2. Include security review results in artifact
  3. Mark "Security-Sensitive: YES" in artifact
任何安全敏感文件被修改:
  1. 调用
    security-review
    skill 或 
    security-reviewer
    子Agent
  2. 将安全审查结果纳入审查成果
  3. 在审查成果中标记“安全敏感:是”

Step 4: Document Findings

步骤4:记录发现的问题

markdown
undefined
markdown
undefined

Code Review Findings

Code Review Findings

1. Blindspots

1. Blindspots

  • Critical: No handling for empty array in 
    calculateAverage()
  • Minor: Missing null check in 
    formatUser()
  • Critical: No handling for empty array in 
    calculateAverage()
  • Minor: Missing null check in 
    formatUser()

2. Clarity/Consistency

2. Clarity/Consistency

  • Major: Variable 
    x
    should have descriptive name
  • Major: Variable 
    x
    should have descriptive name

3. Maintainability

3. Maintainability

  • No issues found
  • No issues found

4. Security Risks

4. Security Risks

  • Critical: SQL injection possible in 
    findUser()
  • Critical: SQL injection possible in 
    findUser()

5. Performance Implications

5. Performance Implications

  • Major: N+1 query in 
    getOrdersWithUsers()
  • Major: N+1 query in 
    getOrdersWithUsers()

6. Documentation

6. Documentation

  • Minor: Missing JSDoc on 
    processOrder()
  • Minor: Missing JSDoc on 
    processOrder()

7. Standards and Style

7. Standards and Style

  • Passes all checks
undefined
  • Passes all checks
undefined

Step 5: Address All Findings

步骤5:处理所有发现的问题

Use 
apply-all-findings
skill to address every issue.
For findings that cannot be fixed:
  1. Use 
    deferred-finding
    skill to create tracking issue
  2. Link tracking issue in artifact
  3. "Deferred without tracking issue" is NOT PERMITTED
使用
apply-all-findings
skill处理所有问题。
对于无法修复的问题:
  1. 使用
    deferred-finding
    skill创建跟踪Issue
  2. 在审查成果中关联该跟踪Issue
  3. 不允许“未关联跟踪Issue的延期处理”

Step 6: Post Artifact to Issue (MANDATORY)

步骤6:将审查成果发布至Issue(强制要求)

Post review artifact as comment on the GitHub issue:
bash
ISSUE_NUMBER=123
gh issue comment $ISSUE_NUMBER --body "$(cat <<'EOF'
<!-- REVIEW:START -->
将审查成果作为评论发布至GitHub Issue:
bash
ISSUE_NUMBER=123
gh issue comment $ISSUE_NUMBER --body "$(cat <<'EOF'
<!-- REVIEW:START -->

Code Review Complete

Code Review Complete

PropertyValue
Worker
[WORKER_ID]
Issue#123
Scope[MINOR
Security-Sensitive[YES
Reviewed[ISO_TIMESTAMP]
PropertyValue
Worker
[WORKER_ID]
Issue#123
Scope[MINOR
Security-Sensitive[YES
Reviewed[ISO_TIMESTAMP]

Criteria Results

Criteria Results

#CriterionStatusFindings
1Blindspots[✅ PASS✅ FIXED
2Clarity[✅ PASS✅ FIXED
3Maintainability[✅ PASS✅ FIXED
4Security[✅ PASS✅ FIXED
5Performance[✅ PASS✅ FIXED
6Documentation[✅ PASS✅ FIXED
7Style[✅ PASS✅ FIXED
#CriterionStatusFindings
1Blindspots[✅ PASS✅ FIXED
2Clarity[✅ PASS✅ FIXED
3Maintainability[✅ PASS✅ FIXED
4Security[✅ PASS✅ FIXED
5Performance[✅ PASS✅ FIXED
6Documentation[✅ PASS✅ FIXED
7Style[✅ PASS✅ FIXED

Findings Fixed in This PR

Findings Fixed in This PR

#SeverityFindingResolution
1[SEVERITY][DESCRIPTION][HOW_FIXED]
#SeverityFindingResolution
1[SEVERITY][DESCRIPTION][HOW_FIXED]

Findings Deferred (With Tracking Issues)

Findings Deferred (With Tracking Issues)

#SeverityFindingTracking IssueJustification
1[SEVERITY][DESCRIPTION]#[ISSUE][WHY]
#SeverityFindingTracking IssueJustification
1[SEVERITY][DESCRIPTION]#[ISSUE][WHY]

Summary

Summary

CategoryCount
Fixed in PR[N]
Deferred (with tracking)[N]
Unaddressed0
Review Status: ✅ COMPLETE
<!-- REVIEW:END -->
EOF )"

**CRITICAL:** "Unaddressed" MUST be 0. "Review Status" MUST be "COMPLETE".
CategoryCount
Fixed in PR[N]
Deferred (with tracking)[N]
Unaddressed0
Review Status: ✅ COMPLETE
<!-- REVIEW:END -->
EOF )"

**关键要求:** “未处理问题”必须为0。“审查状态”必须为“COMPLETE”。

Severity Levels

严重程度等级

SeverityDescriptionAction
CriticalSecurity issue, data loss, crashMust fix before merge
MajorSignificant bug, performance issueMust fix before merge
MinorStyle, clarity, small improvementShould fix before merge
严重程度描述处理方式
Critical(严重)安全问题、数据丢失、程序崩溃合并前必须修复
Major(主要)重大bug、性能问题合并前必须修复
Minor(次要)风格、清晰度、小改进合并前应修复

Checklist

检查清单

Complete for every code review:
  • Blindspots: Edge cases, errors, concurrency checked
  • Clarity: Names, structure, complexity reviewed
  • Maintainability: Coupling, cohesion, tests evaluated
  • Security: Input, auth, injection, exposure checked (MANDATORY for sensitive files)
  • Performance: Algorithms, queries, memory reviewed
  • Documentation: Public APIs documented
  • Style: Conventions followed
  • All findings documented
  • All findings addressed OR deferred with tracking issues
  • Review artifact posted to issue (exact format)
  • "Unaddressed: 0" in artifact
  • "Review Status: COMPLETE" in artifact
每次代码审查都需完成以下内容:
  • 盲点检查:已检查边缘情况、错误路径、并发情况
  • 清晰度:已审查命名、结构、复杂度
  • 可维护性:已评估耦合度、内聚性、测试
  • 安全:已检查输入、认证、注入、数据暴露(敏感文件修改时为强制要求)
  • 性能:已审查算法、查询、内存
  • 文档:公共API已添加文档
  • 风格:已遵循项目约定
  • 所有发现的问题已记录
  • 所有发现的问题已处理或通过跟踪Issue延期处理
  • 审查成果已发布至Issue(精确格式)
  • 审查成果中“未处理问题:0”
  • 审查成果中“审查状态:COMPLETE”

Integration

集成

This skill is called by:
  • issue-driven-development
    - Step 9
This skill uses:
  • review-scope
    - Determine review breadth
  • apply-all-findings
    - Address issues
  • security-review
    - For security-sensitive changes
  • deferred-finding
    - For creating tracking issues
This skill is enforced by:
  • review-gate
    - Verifies artifact before PR
  • PreToolUse
    hook - Blocks PR without artifact
This skill references:
  • inline-documentation
    - Documentation standards
  • strict-typing
    - Type requirements
  • style-guide-adherence
    - Style requirements
  • inclusive-language
    - Language requirements
  • ipv6-first
    - Network code requirements (IPv6 primary, IPv4 legacy)
本skill由以下模块调用:
  • issue-driven-development
    - 步骤9
本skill使用以下模块:
  • review-scope
    - 确定审查范围
  • apply-all-findings
    - 处理问题
  • security-review
    - 针对安全敏感变更
  • deferred-finding
    - 创建跟踪Issue
本skill由以下模块强制执行:
  • review-gate
    - PR创建前验证审查成果
  • PreToolUse
    钩子 - 无审查成果时阻止创建PR
本skill参考以下模块:
  • inline-documentation
    - 文档标准
  • strict-typing
    - 类型要求
  • style-guide-adherence
    - 风格要求
  • inclusive-language
    - 语言要求
  • ipv6-first
    - 网络代码要求(IPv6优先,IPv4仅用于遗留场景)