Code Reviewing Skill — Quick Reference

Quick Reference

Specialized: .NET/EF Core Crypto Integration

• references/dotnet-efcore-crypto-rules.md — Complete review rules (correctness, security, async, EF Core, tests, MRs)

• Review only new/modified code in the MR
• Use

  decimal

  for financial values, UTC for dates
• Follow

  CC-SEC-03

  (no secrets in code) and

  CC-OBS-02

  (no sensitive data in logs)
• Async for I/O, pass

  CancellationToken

  , avoid

  .Result

  /

  .Wait()

  (see

  CC-ERR-04

  ,

  CC-FLOW-03

  )
• EF Core:

  AsNoTracking

  for reads, avoid N+1, no dynamic SQL

• Result<T>

  pattern for explicit success/fail

When to Use This Skill

• Review a pull request or diff for issues
• Audit code for security vulnerabilities or injection risks
• Improve readability, structure, and maintainability
• Suggest targeted refactors without changing behavior
• Validate tests and edge-case coverage

When NOT to Use This Skill

• System design or architecture: Use software-architecture-design for greenfield architecture decisions
• Writing new code from scratch: This skill reviews existing code, not authoring new features
• Deep security audits: For penetration testing or comprehensive security assessments, use software-security-appsec
• Deep performance investigations: For profiling/observability, use qa-observability and for SQL/query tuning use data-sql-optimization

Decision Tree: Selecting Review Mode

Code review task: [What to Focus On?]
    ├─ Security-critical changes?
    │   ├─ Auth/access control → Security Review (OWASP, auth patterns)
    │   ├─ User input handling → Input validation, XSS, SQL injection
    │   └─ Smart contracts → Blockchain Review (reentrancy, access control)
    │
    ├─ Performance concerns?
    │   ├─ Database queries → Check for N+1, missing indexes
    │   ├─ Loops/algorithms → Complexity analysis, caching
    │   └─ API response times → Profiling, lazy loading
    │
    ├─ Correctness issues?
    │   ├─ Business logic → Edge cases, error handling, tests
    │   ├─ Data transformations → Boundary conditions, null checks
    │   └─ Integration points → Retry logic, timeouts, fallbacks
    │
    ├─ Maintainability problems?
    │   ├─ Complex code → Naming, function length, duplication
    │   ├─ Hard to understand → Comments, abstractions, clarity
    │   └─ Technical debt → Refactoring suggestions
    │
    ├─ Test coverage gaps?
    │   ├─ New features → Happy path + error cases
    │   ├─ Refactors → Regression tests
    │   └─ Bug fixes → Reproduction tests
    │
    └─ Stack-specific review?
        ├─ Frontend → [frontend-review.md](assets/web-frontend/frontend-review.md)
        ├─ Backend → [api-review.md](assets/backend-api/api-review.md)
        ├─ Mobile → [mobile-review.md](assets/mobile/mobile-review.md)
        ├─ Infrastructure → [infrastructure-review.md](assets/infrastructure/infrastructure-review.md)
        └─ Blockchain → [crypto-review.md](assets/blockchain/crypto-review.md)

1. Security first (P0/P1 issues)
2. Correctness (logic, edge cases)
3. Performance (if applicable)
4. Maintainability (P2/P3 suggestions)

Async Review Workflows (2026)

Timezone-Friendly Reviews

Non-Blocking Reviews

PR Submitted -> Auto-checks (CI) -> Async Review -> Merge
       |              |               |
  Author continues   If green,    Reviewer comments
  on other work      queue for    when available
                     review

• Synchronous review meetings for routine PRs
• Blocking on reviewer availability for non-critical changes
• Single reviewer bottleneck

Review Prioritization Matrix

Optional: AI/Automation Extensions

Note: AI-assisted review tools. Human review remains authoritative.

AI Review Assistants

• AI suggestions are advisory only
• Human reviewer approves/rejects
• AI cannot bypass security review
• AI findings require manual verification

AI Review Checklist

• AI suggestions validated against codebase patterns
• AI-flagged issues manually confirmed
• False positives documented for tool improvement
• Human reviewer explicitly approved

Simplicity and Complexity Control

• Prefer existing, battle-tested libraries over bespoke implementations when behavior is identical.
• Flag avoidable complexity early: remove dead/commented-out code, collapse duplication, and extract single-responsibility helpers.
• Call out premature optimization; favor clarity and measured, evidence-based tuning.
• Encourage incremental refactors alongside reviews to keep modules small, predictable, and aligned to standards.

Operational Playbooks

• ../software-clean-code-standard/references/clean-code-standard.md - Canonical clean code rules (

  CC-*

  ) for citation in reviews
• Legacy playbook: ../software-clean-code-standard/references/code-quality-operational-playbook.md -

  RULE-01

  –

  RULE-13

  , refactoring decision trees, and design patterns

• references/operational-playbook.md — Review scope rules, severity ratings (P0-P3), checklists, modes, and PR workflow patterns

Default Review Output (Agent-Facing)

• Short summary of intent + risk
• Findings grouped by

  P0

  /

  P1

  /

  P2

  /

  P3

  (mark REQUIRED vs OPTIONAL)
• Concrete suggestions (minimal diffs or test cases)
• Follow-up questions when requirements or constraints are unclear

Navigation

• references/operational-playbook.md
• references/review-checklist-comprehensive.md
• references/implementing-effective-code-reviews-checklist.md
• references/looks-good-to-me-checklist.md
• references/automation-tools.md
• references/dotnet-efcore-crypto-rules.md
• references/psychological-safety-guide.md

• assets/core/pull-request-description-template.md
• assets/core/review-checklist-judgment.md
• assets/core/review-comment-guidelines.md
• assets/backend-api/api-review.md
• assets/web-frontend/frontend-review.md
• assets/mobile/mobile-review.md
• assets/infrastructure/infrastructure-review.md
• assets/blockchain/crypto-review.md
• assets/data-ml/data-pipeline-review.md
• assets/data-ml/experiment-tracking-review.md
• assets/data-ml/ml-model-review.md
• assets/data-ml/ml-deployment-review.md

• data/sources.json — Curated external references
• Shared checklists: ../software-clean-code-standard/assets/checklists/secure-code-review-checklist.md, ../software-clean-code-standard/assets/checklists/backend-api-review-checklist.md

Trend Awareness Protocol

Trigger Conditions

• "What's the best code review tool?"
• "What should I use for [automated code review/PR automation]?"
• "What's the latest in code review practices?"
• "Current best practices for [code review/PR workflow]?"
• "Is [GitHub Copilot PR/CodeRabbit] still relevant in 2026?"
• "[CodeRabbit] vs [Graphite] vs [other]?"
• "Best AI code review assistant?"

Required Searches

1. Search:

   "code review best practices 2026"

2. Search:

   "[specific tool] vs alternatives 2026"

3. Search:

   "AI code review tools January 2026"

4. Search:

   "PR automation trends 2026"

What to Report

• Current landscape: What code review tools/practices are popular NOW
• Emerging trends: New AI assistants, PR tools, or review patterns gaining traction
• Deprecated/declining: Tools/approaches losing relevance or support
• Recommendation: Based on fresh data, not just static knowledge

Example Topics (verify with fresh search)

• AI code review (GitHub Copilot PR, CodeRabbit, Cursor)
• PR automation (Graphite, Stacked PRs, merge queues)
• Code review platforms (GitHub, GitLab, Bitbucket)
• Review bots and automation
• Async review practices for distributed teams
• Review metrics and analytics tools