code-reviewer

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Code Reviewer Skill

Comprehensive code review skill implementing 2025 research-backed best practices with automated security checks, performance analysis, and quality standards enforcement.

这是一款全面的代码评审技能，采用2025年基于研究的最佳实践，具备自动化安全检查、性能分析和质量标准执行能力。

Core Philosophy

核心理念

Balanced Quality + Security Approach:

50% Security focus (OWASP Top 10, vulnerabilities, authentication)
30% Code quality (maintainability, standards, duplication)
20% Performance (N+1 queries, algorithm complexity, bundle size)

Research Finding: Teams with continuous code review fix vulnerabilities 92% faster than traditional batch reviews.

平衡质量与安全的方法：

50% 安全聚焦（OWASP Top 10、漏洞、身份验证）
30% 代码质量（可维护性、编码标准、代码重复）
20% 性能（N+1查询、算法复杂度、包体积）

研究发现： 采用持续代码评审的团队，修复漏洞的速度比传统批量评审快92%。

When to Use This Skill

适用场景

Auto-invoked when user mentions:

"review this code"
"check for bugs"
"security audit"
"analyze this PR"
"code review"
"check code quality"
"review my changes"
"find vulnerabilities"
"performance check"

Manual invocation:

Before committing critical changes
Pre-deployment validation
After implementing security-sensitive features
When integrating SAST tool results

当用户提及以下内容时自动触发：

"review this code"（评审这段代码）
"check for bugs"（检查漏洞）
"security audit"（安全审计）
"analyze this PR"（分析这个PR）
"code review"（代码评审）
"check code quality"（检查代码质量）
"review my changes"（评审我的修改）
"find vulnerabilities"（查找漏洞）
"performance check"（性能检查）

手动触发场景：

提交关键代码变更前
部署前验证
实现安全敏感功能后
集成SAST工具结果时

Core Review Workflow

核心评审流程

NEW TO CODE REVIEW? See

EXAMPLES.md

for complete walkthrough examples showing good vs bad reviews.

代码评审新手？ 查看

EXAMPLES.md

获取完整的评审示例，展示优秀与糟糕评审的区别。

Phase 1: Automated Analysis (Run First)

阶段1：自动化分析（优先执行）

Step 1: Identify Code to Review

If reviewing specific files: Read those files
If reviewing PR/changes: Use
```
git diff
```
to see changes
If reviewing entire feature: Identify affected files via grep/glob

Step 2: Run Automated SAST Tools (If Available)

Use the scripts in

scripts/

directory:

bash

undefined

步骤1：确定待评审代码

若评审特定文件：读取目标文件
若评审PR/变更：使用
```
git diff
```
查看变更内容
若评审完整功能：通过grep/glob定位受影响文件

步骤2：运行自动化SAST工具（若可用）

使用

scripts/

目录下的脚本：

bash

undefined

Quick security audit

快速安全审计

bash scripts/quick-audit.sh

Or run individual tools:

或单独运行工具：

npm audit # Dependency vulnerabilities npm run lint # ESLint code quality npx prettier --check . # Code formatting

npm audit # 依赖漏洞检查 npm run lint # ESLint代码质量检查 npx prettier --check . # 代码格式检查

Advanced (if installed):

高级用法（已安装工具时）：

sonar-scanner # SonarQube codeql database analyze # CodeQL snyk test # Snyk security


**Step 3: Parse SAST Results**
- Categorize findings by severity (Critical/High/Medium/Low)
- Filter false positives (document reasoning)
- Cross-reference with manual checks

sonar-scanner # SonarQube扫描 codeql database analyze # CodeQL分析 snyk test # Snyk安全检查


**步骤3：解析SAST结果**
- 按严重程度分类发现的问题（Critical/High/Medium/Low）
- 过滤误报（记录判断依据）
- 与手动检查结果交叉验证

Phase 2: Manual Security Analysis

阶段2：手动安全分析

Check OWASP Top 10 2021 (Current Standard):

A01:2021 – Broken Access Control
- Are authentication checks on all protected routes?
- Is user input validated before authorization decisions?
- Are direct object references protected (IDOR prevention)?
A03:2021 – Injection (SQL, NoSQL, Command)
- Are parameterized queries used instead of string concatenation?
- Is user input sanitized before database queries?
- Are ORMs used correctly (no raw queries with user input)?
A03:2021 – Cross-Site Scripting (XSS)
- Is user input escaped before rendering in HTML?
- Are Content Security Policy headers configured?
- Is
```
dangerouslySetInnerHTML
```
  avoided or properly sanitized?
A07:2021 – Identification and Authentication Failures
- Are passwords hashed with bcrypt/argon2 (not MD5/SHA1)?
- Is session management secure (httpOnly cookies, CSRF tokens)?
- Is rate limiting implemented on login endpoints?
A02:2021 – Cryptographic Failures
- Is sensitive data encrypted at rest and in transit?
- Are API keys/secrets stored in environment variables (not hardcoded)?
- Is HTTPS enforced for all external communication?

See REFERENCE.md for complete OWASP Top 10 checklist

检查OWASP Top 10 2021（当前标准）：

A01:2021 – 访问控制失效
- 所有受保护路由是否都有身份验证检查？
- 授权决策前是否验证了用户输入？
- 是否防护了直接对象引用（IDOR）？
A03:2021 – 注入攻击（SQL、NoSQL、命令注入）
- 是否使用参数化查询而非字符串拼接？
- 数据库查询前是否对用户输入进行了清理？
- ORM是否正确使用（未将用户输入用于原生查询）？
A03:2021 – 跨站脚本攻击（XSS）
- 用户输入在HTML渲染前是否进行了转义？
- 是否配置了内容安全策略（CSP）头？
- 是否避免使用
```
dangerouslySetInnerHTML
```
  ，或已进行适当清理？
A07:2021 – 身份识别与认证失败
- 密码是否使用bcrypt/argon2哈希（而非MD5/SHA1）？
- 会话管理是否安全（httpOnly Cookie、CSRF令牌）？
- 登录端点是否实现了速率限制？
A02:2021 – 加密失败
- 敏感数据是否在静态存储和传输过程中加密？
- API密钥/机密是否存储在环境变量中（而非硬编码）？
- 所有外部通信是否强制使用HTTPS？

完整OWASP Top 10检查表请查看REFERENCE.md

Phase 3: Performance Pattern Detection

阶段3：性能模式检测

Check for Common Performance Issues:

N+1 Query Problem

typescript

// 🔴 BAD: N+1 queries
users.forEach(user => {
  db.query("SELECT * FROM posts WHERE user_id = ?", user.id)
})

// ✅ GOOD: Single query with JOIN
db.query("SELECT * FROM users LEFT JOIN posts ON users.id = posts.user_id")

O(n²) or Worse Algorithms
- Nested loops over large datasets
- Inefficient sorting/searching
- Recursive functions without memoization
Missing Database Indexes
- Queries on unindexed columns
- WHERE clauses without supporting indexes
- JOIN operations on unindexed foreign keys
Memory Leaks
- Event listeners not cleaned up
- Closures holding large objects
- Unbounded caches
Large Bundle Sizes
- Importing entire libraries instead of specific functions
- Unoptimized images
- Missing code splitting

See REFERENCE.md for performance pattern catalog

检查常见性能问题：

N+1查询问题

typescript

// 🔴 不良示例：N+1查询
users.forEach(user => {
  db.query("SELECT * FROM posts WHERE user_id = ?", user.id)
})

// ✅ 良好示例：单查询JOIN
db.query("SELECT * FROM users LEFT JOIN posts ON users.id = posts.user_id")

O(n²)或更差的算法
- 大数据集上的嵌套循环
- 低效的排序/搜索
- 未使用记忆化的递归函数
缺失数据库索引
- 对未索引列执行查询
- WHERE子句无配套索引
- JOIN操作使用未索引的外键
内存泄漏
- 事件监听器未清理
- 闭包持有大对象
- 无界缓存
包体积过大
- 导入整个库而非特定函数
- 未优化的图片
- 缺失代码分割

完整性能模式目录请查看REFERENCE.md

Phase 4: Code Quality Standards

阶段4：代码质量标准

Check TypeScript/JavaScript Standards:

No
```
any
```
types without justification comment
Proper error handling (no empty catch blocks)
No
```
console.log
```
statements (use proper logging)
Functions < 50 lines (extract if larger)
Cyclomatic complexity < 10
No commented-out code
Import order follows convention (React → Third-party → Internal → Relative)

Check Naming Conventions:

Files:
```
kebab-case
```
(user-service.ts)
Components:
```
PascalCase
```
(UserProfile.tsx)
Functions/Variables:
```
camelCase
```
(getUserData)
Constants:
```
UPPER_SNAKE_CASE
```
(MAX_RETRIES)

See REFERENCE.md for complete standards checklist

TypeScript/JavaScript标准检查：

无无理由的
```
any
```
类型
具备适当的错误处理（无空catch块）
无
```
console.log
```
语句（使用专业日志工具）
函数行数少于50行（过长则拆分）
圈复杂度低于10
无注释掉的代码
导入顺序遵循规范（React → 第三方库 → 内部模块 → 相对路径）

命名规范检查：

文件：
```
kebab-case
```
（如user-service.ts）
组件：
```
PascalCase
```
（如UserProfile.tsx）
函数/变量：
```
camelCase
```
（如getUserData）
常量：
```
UPPER_SNAKE_CASE
```
（如MAX_RETRIES）

完整标准检查表请查看REFERENCE.md

Phase 5: Generate Review Report

阶段5：生成评审报告

Use templates from

resources/templates/

to create structured output:

Comprehensive Review: Use

resources/templates/code-review-report.md

Security Audit: Use

resources/templates/security-review-template.md

Performance Review: Use

resources/templates/performance-review-template.md

Quick Check: Use
```
resources/templates/quick-checklist.md
```

Example report format:

markdown

undefined

使用

resources/templates/

目录下的模板创建结构化输出：

全面评审报告： 使用

resources/templates/code-review-report.md

安全审计报告： 使用

resources/templates/security-review-template.md

性能评审报告： 使用

resources/templates/performance-review-template.md

快速检查清单： 使用
```
resources/templates/quick-checklist.md
```

报告示例格式：

markdown

undefined

Code Review Report

代码评审报告

Verdict: ✅ APPROVED | ⚠️ APPROVED WITH RESERVATIONS | ❌ REQUIRES REVISION Files Reviewed: [List] Review Date: [ISO Date]

评审结论： ✅ 批准 | ⚠️ 有条件批准 | ❌ 需要修改 评审文件： [列表] 评审日期： [ISO格式日期]

Critical Issues (Must Fix Before Merge)

严重问题（合并前必须修复）

[None or list with code snippets]

[无或带代码片段的问题列表]

High Priority Issues (Fix Within 48h)

高优先级问题（48小时内修复）

[None or list with recommendations]

[无或带建议的问题列表]

Medium Priority Issues (Fix This Sprint)

中优先级问题（当前迭代内修复）

[None or list]

[无或问题列表]

Low Priority / Suggestions

低优先级/建议项

[Optional improvements]

[可选优化建议]

Strengths & Good Practices

优势与良好实践

[What was done well]

[做得好的地方]

Metrics

指标

Lines Changed: X
Files Modified: Y
Estimated Risk: Low/Medium/High
Test Coverage: Z%

---

变更行数： X
修改文件数： Y
预估风险： 低/中/高
测试覆盖率： Z%

---

Integration with SAST Tools

SAST工具集成

SonarQube Integration

SonarQube集成

If SonarQube results available:

Read
```
sonar-report.json
```
or access SonarQube API
Focus manual review on issues SonarQube missed:
- Business logic vulnerabilities
- Context-specific security issues
- Authorization logic
Validate SonarQube findings (check false positives)

Key SonarQube Metrics to Review:

Security Hotspots: Require manual validation
Code Smells: Maintainability issues (threshold: Grade A or B)
Duplications: Keep < 3%
Coverage: Target > 80%

若有SonarQube结果：

读取
```
sonar-report.json
```
或访问SonarQube API
重点手动评审SonarQube遗漏的问题：
- 业务逻辑漏洞
- 特定上下文的安全问题
- 授权逻辑
验证SonarQube的发现（检查误报）

需关注的SonarQube关键指标：

安全热点： 需要手动验证
代码异味： 可维护性问题（阈值：A级或B级）
代码重复率： 保持在3%以下
测试覆盖率： 目标>80%

CodeQL Integration

CodeQL集成

If CodeQL scan available:

Review CodeQL alerts in GitHub Security tab
Prioritize alerts by severity:
- Critical/High: Must fix before merge
- Medium: Fix within sprint
- Low: Backlog
Use CodeQL's suggested fixes when available
Manual review for:
- Authentication flows
- Authorization decisions
- Cryptographic operations

CodeQL Strengths (88% accuracy):

SQL injection detection
Path traversal vulnerabilities
Command injection
Insecure deserialization

若有CodeQL扫描结果：

在GitHub Security标签页查看CodeQL告警
按严重程度优先处理：
- Critical/High： 合并前必须修复
- Medium： 当前迭代内修复
- Low： 放入待办清单
如有可用建议修复方案，使用CodeQL提供的方案
手动评审以下内容：
- 身份验证流程
- 授权决策
- 加密操作

CodeQL优势（准确率88%）：

SQL注入检测
路径遍历漏洞检测
命令注入检测
不安全的反序列化检测

Snyk Integration

Snyk集成

If Snyk results available:

Run
```
snyk test
```
for dependency vulnerabilities
Run
```
snyk code test
```
for code-level issues
Prioritize by:
- Critical: Fix immediately
- High: Fix within 7 days
- Medium: Fix within 30 days
Check for available patches:
```
snyk wizard
```

Snyk Strengths:

Dependency vulnerabilities (real-time CVE database)
License compliance
Container security
Infrastructure as Code (IaC) scanning

若有Snyk结果：

运行
```
snyk test
```
检查依赖漏洞
运行
```
snyk code test
```
检查代码级问题
按以下优先级处理：
- Critical： 立即修复
- High： 7天内修复
- Medium： 30天内修复
检查可用补丁：
```
snyk wizard
```

Snyk优势：

依赖漏洞检查（实时CVE数据库）
许可证合规性检查
容器安全检查
基础设施即代码（IaC）扫描

ESLint + Prettier + npm audit

Basic Security Stack (Always Run):

bash

undefined

基础安全栈（必须运行）：

bash

undefined

Run these three commands ALWAYS

始终运行这三个命令

npm audit --audit-level=high # Dependency vulnerabilities npm run lint # Code quality (ESLint) npx prettier --check . # Code formatting


**Interpretation:**
- **npm audit:** Fix all high/critical vulnerabilities
- **ESLint:** Must pass with 0 errors (warnings acceptable if documented)
- **Prettier:** Auto-fix with `npx prettier --write .`

---

npm audit --audit-level=high # 依赖漏洞检查 npm run lint # ESLint代码质量检查 npx prettier --check . # 代码格式检查


**结果解读：**
- **npm audit：** 修复所有高/严重级漏洞
- **ESLint：** 必须0错误通过（警告可保留但需记录原因）
- **Prettier：** 使用`npx prettier --write .`自动修复格式

---

Severity Classification

问题严重程度分类

Use this framework to categorize all findings:

使用以下框架对所有发现的问题进行分类：

🔴 Critical (Blocks Deployment)

🔴 Critical（阻止部署）

SQL injection vulnerabilities
XSS vulnerabilities (unescaped user input)
Authentication bypass
Hardcoded secrets/API keys
Remote code execution (RCE) risks
Sensitive data logged in plain text

Action: STOP. Must fix immediately before proceeding.

SQL注入漏洞
XSS漏洞（未转义用户输入）
身份验证绕过
硬编码的密钥/API密钥
远程代码执行（RCE）风险
明文记录敏感数据

处理方式： 立即停止。修复完成前不得继续。

🟠 High (Fix Within 48 Hours)

🟠 High（48小时内修复）

Missing authentication checks
Insecure session management
CSRF vulnerabilities
Missing rate limiting on sensitive endpoints
Weak cryptography (MD5, SHA1)
N+1 query problems in critical paths
Memory leaks in production code

Action: Create blocker ticket. Fix before next deployment.

缺失身份验证检查
不安全的会话管理
CSRF漏洞
敏感端点缺失速率限制
弱加密算法（MD5、SHA1）
关键路径中的N+1查询问题
生产代码中的内存泄漏

处理方式： 创建阻塞型工单。下次部署前修复。

🟡 Medium (Fix This Sprint)

🟡 Medium（当前迭代内修复）

Missing input validation (non-critical fields)
Inefficient algorithms (O(n²) on small datasets)
Missing database indexes (< 1000 rows)
Code duplication (> 5 occurrences)
Missing error handling
Accessibility violations (WCAG AA)

Action: Create ticket. Fix within current sprint.

缺失输入验证（非关键字段）
低效算法（小数据集上的O(n²)）
缺失数据库索引（数据量<1000行）
代码重复（>5次）
缺失错误处理
可访问性违规（WCAG AA标准）

处理方式： 创建工单。当前迭代内修复。

🔵 Low (Backlog / Nice-to-Have)

🔵 Low（待办/优化项）

Code style violations (if not enforced by linter)
Missing comments on complex code
Minor performance optimizations
Refactoring opportunities
Documentation improvements

Action: Optional. Add to backlog for future improvement.

代码风格违规（若未被linter强制检查）
复杂代码缺失注释
微小性能优化
重构机会
文档改进

处理方式： 可选。加入待办清单供未来优化。

Key Metrics to Track

关键跟踪指标

From 2025 Research:

Mean Time to Remediate (MTTR)
- Target: < 7 days for high severity issues
- Critical issues: < 24 hours
Defect Density
- Formula: (# of bugs) / (1000 lines of code)
- Target: < 1.0 defects per 1000 LOC
Review Coverage
- Target: 100% of changed lines reviewed
- Critical paths: 100% manual review (not just automated)
False Positive Rate
- CodeQL: ~5% (best in class)
- SonarQube: ~8-10%
- Snyk: ~8%
- Track your project's rate to calibrate trust

来自2025年研究：

平均修复时间（MTTR）
- 目标：高严重度问题<7天
- 严重问题：<24小时
缺陷密度
- 公式：（漏洞数量）/（千行代码）
- 目标：<1.0个缺陷/千行代码
评审覆盖率
- 目标：100%变更行被评审
- 关键路径：100%手动评审（而非仅自动化）
误报率
- CodeQL：~5%（行业最佳）
- SonarQube：~8-10%
- Snyk：~8%
- 跟踪项目自身的误报率以校准信任度

Common Pitfalls to Avoid

需避免的常见陷阱

Over-reliance on Automation
- Automated tools catch 60-70% of security issues
- Manual review essential for business logic, authorization, context-specific issues
Ignoring Performance for Security
- A secure but unusable app is not secure (DoS via performance)
- Balance security checks with performance impact
Blocking Every Minor Issue
- Use severity classification to prioritize
- Don't let perfection block progress
Missing the Forest for the Trees
- Step back and review overall architecture
- Check if the approach is fundamentally sound
Not Checking Test Coverage
- Untested code = unreviewed code
- Require tests for all security-critical paths

过度依赖自动化
- 自动化工具可发现60-70%的安全问题
- 业务逻辑、授权、特定上下文问题必须手动评审
为安全牺牲性能
- 安全但无法使用的应用并非真正安全（性能导致的DoS）
- 平衡安全检查与性能影响
阻塞所有小问题
- 使用严重程度分类进行优先级排序
- 不要因追求完美而阻碍进度
只见树木不见森林
- 退一步评审整体架构
- 验证实现方案是否从根本上合理
忽略测试覆盖率
- 未测试的代码等同于未评审的代码
- 要求所有安全关键路径都有测试覆盖

Quick Reference Checklist

快速参考检查表

Before approving any code review:

Security:

No SQL injection vulnerabilities (parameterized queries)
No XSS vulnerabilities (user input escaped)
Authentication checks on protected routes
Secrets in environment variables (not hardcoded)
HTTPS enforced for external APIs
CSRF protection on state-changing endpoints

Performance:

No N+1 query patterns
No O(n²) or worse algorithms on large datasets
Database indexes present for queried columns
No memory leaks (event listeners cleaned up)
Images optimized and lazy-loaded

Code Quality:

TypeScript strict mode compliance (no
```
any
```
without justification)
Error handling present (no empty catch blocks)
No console.log statements
Functions < 50 lines
Test coverage > 80%
No commented-out code

Documentation:

Complex logic has explanatory comments
Public APIs have JSDoc comments
README updated if behavior changed
Environment variables documented

批准任何代码评审前，请确认：

安全：

无SQL注入漏洞（使用参数化查询）
无XSS漏洞（用户输入已转义）
受保护路由有身份验证检查
密钥存储在环境变量中（未硬编码）
外部API强制使用HTTPS
状态变更端点有CSRF防护

性能：

无N+1查询模式
大数据集上无O(n²)或更差的算法
查询列有对应的数据库索引
无内存泄漏（事件监听器已清理）
图片已优化并懒加载

代码质量：

符合TypeScript严格模式（无无理由的
```
any
```
类型）
具备错误处理（无空catch块）
无console.log语句
函数行数<50行
测试覆盖率>80%
无注释掉的代码

文档：

复杂逻辑有解释性注释
公共API有JSDoc注释
若行为变更则已更新README
环境变量已文档化

Next Steps After Review

评审后的下一步

If APPROVED (✅):

Merge the PR
Monitor deployment for issues
Update test coverage metrics

If APPROVED WITH RESERVATIONS (⚠️):

Create tickets for medium/low priority issues
Merge if critical/high issues are fixed
Schedule follow-up review

If REQUIRES REVISION (❌):

Provide detailed feedback with code snippets
Block merge until critical issues resolved
Offer to pair-program on fixes if needed

若批准（✅）：

合并PR
监控部署情况
更新测试覆盖率指标

若有条件批准（⚠️）：

为中/低优先级问题创建工单
若高/严重问题已修复则合并
安排后续评审

若需要修改（❌）：

提供带代码片段的详细反馈
严重问题修复前阻止合并
必要时提供结对编程支持

Supporting Files

支持文件

For detailed information, see:

EXAMPLES.md - Complete end-to-end code review examples (good, bad, security-focused)
REFERENCE.md - Complete OWASP Top 10 checklist, performance patterns, CWE references
FORMS.md - Review report templates overview and guidance
resources/templates/ - Ready-to-use review templates
- ```
code-review-report.md
```
  - Comprehensive review template
- ```
security-review-template.md
```
  - Security-focused audit template
- ```
performance-review-template.md
```
  - Performance analysis template
- ```
quick-checklist.md
```
  - 3-minute rapid review checklist
resources/examples/ - Real-world review examples
- ```
good-review-example.md
```
  - What a thorough review looks like
- ```
bad-review-example.md
```
  - What to avoid (rubber stamp reviews)
scripts/ - Automated SAST tool integration scripts
- ```
quick-audit.sh
```
  - Quick security audit (Linux/Mac)
- ```
quick-audit.bat
```
  - Quick security audit (Windows)

Research Citations:

OWASP Code Review Guide: https://owasp.org/www-project-code-review-guide/
OWASP Top 10 2021: https://owasp.org/Top10/
Empirical Study (2024): https://arxiv.org/html/2311.16396v2
CWE Top 25: https://cwe.mitre.org/top25/

Remember: Code review is not about finding fault—it's about ensuring quality, security, and maintainability. Be constructive, specific, and always suggest solutions alongside identifying problems.

详细信息请查看：

EXAMPLES.md - 完整的端到端代码评审示例（优秀、糟糕、安全聚焦型）
REFERENCE.md - 完整的OWASP Top 10检查表、性能模式、CWE参考
FORMS.md - 评审报告模板概述及使用指南
resources/templates/ - 即用型评审模板
- ```
code-review-report.md
```
  - 全面评审模板
- ```
security-review-template.md
```
  - 安全聚焦型审计模板
- ```
performance-review-template.md
```
  - 性能分析模板
- ```
quick-checklist.md
```
  - 3分钟快速评审检查表
resources/examples/ - 真实场景评审示例
- ```
good-review-example.md
```
  - 优秀评审示例
- ```
bad-review-example.md
```
  - 需避免的评审示例（走过场式评审）
scripts/ - 自动化SAST工具集成脚本
- ```
quick-audit.sh
```
  - 快速安全审计脚本（Linux/Mac）
- ```
quick-audit.bat
```
  - 快速安全审计脚本（Windows）

研究引用：

OWASP代码评审指南：https://owasp.org/www-project-code-review-guide/
OWASP Top 10 2021：https://owasp.org/Top10/
实证研究（2024）：https://arxiv.org/html/2311.16396v2
CWE Top 25：https://cwe.mitre.org/top25/

注意： 代码评审的目的不是挑错，而是确保质量、安全和可维护性。反馈需有建设性、具体，并在指出问题的同时给出解决方案。