code-review
This Claude Code skill reviews .NET pull requests and patches for bugs, regressions, architectural drift, missing tests, and framework-specific issues including async/await correctness, disposal patterns, security vulnerabilities, and platform compatibility. Use it when auditing .NET code changes before merge, checking for behavioral regressions or API misuse, or validating architectural and framework-specific correctness against a comprehensive checklist prioritized by risk.
git clone --depth 1 https://github.com/managedcode/dotnet-skills /tmp/code-review && cp -r /tmp/code-review/catalog/Platform/Code-Review/skills/code-review ~/.claude/skills/code-review

SKILL.md
# .NET Code Review

## Trigger On

- reviewing a pull request or patch in a .NET repository
- checking for behavioral regressions, API misuse, or missing tests
- auditing architectural or framework-specific correctness

## References

- [checklist.md](references/checklist.md) - comprehensive code review checklist organized by risk priority
- [patterns.md](references/patterns.md) - common patterns and anti-patterns for async, disposal, and security

## Workflow

1. Prioritize correctness, data loss, concurrency, security, lifecycle, and platform-compatibility issues before style concerns. Use the [checklist](references/checklist.md) P0-P2 categories first.
2. Check async flows, cancellation propagation, exception handling, disposal, and transient versus singleton lifetime mistakes. Refer to [patterns.md](references/patterns.md) for common pitfalls.
3. Verify tests cover the changed behavior, not only the happy path or refactored implementation details.
4. Inspect framework-specific boundaries such as EF query translation, ASP.NET middleware order, Blazor render state, or MAUI UI-thread access.
5. Call out missing observability, migration risk, or runtime configuration drift when those are part of the change.
6. Keep findings concrete, reproducible, and tied to specific files or behavior.

## Key Review Patterns

### Async Code

- Async must propagate through the entire call chain; never use `.Result`, `.Wait()`, or `.GetAwaiter().GetResult()` in async contexts
- Always propagate `CancellationToken` parameters
- Use `ConfigureAwait(false)` in library code
- Never use `async void` except for event handlers

### Resource Disposal

- Use `using` declarations or statements for all `IDisposable` resources
- Use `await using` for `IAsyncDisposable` resources
- Use `IHttpClientFactory` instead of creating `HttpClient` directly
- Unsubscribe event handlers to prevent memory leaks
- Validate DI service lifetimes to prevent captured dependencies

### Security

- Use parameterized queries or EF to prevent SQL injection
- Validate all user input at system boundaries
- Prevent path traversal by validating resolved paths stay within allowed directories
- Never hardcode secrets; use configuration and secret management
- Enforce authorization checks before accessing protected resources

## Deliver

- ranked review findings with file references
- clear residual risks and test gaps
- brief summary of what changed only after findings

## Validate

- findings describe user-visible or maintainability-impacting risk
- assumptions are stated when repo context is incomplete
- no trivial style nit hides a more serious issue
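
The path-traversal item in the Security patterns above ("validating resolved paths stay within allowed directories"), shown as an added example that is not part of the skill or the dotnet-skills repository. `SafePath` and `ResolveUnder` are hypothetical names, the sample inputs are constructed, and the code assumes .NET 5 or later.

```csharp
using System;
using System.IO;

// Hypothetical helper for illustration; not from the skill's patterns.md.
public static class SafePath
{
    // Resolves a caller-supplied relative path under baseDir and rejects anything
    // that escapes it. Returns the canonical full path or throws.
    public static string ResolveUnder(string baseDir, string userPath)
    {
        if (string.IsNullOrWhiteSpace(userPath))
            throw new ArgumentException("Path is required.", nameof(userPath));

        // Canonicalize the root and give it a trailing separator, so a sibling such as
        // ".../uploads-private" does not pass a prefix check against ".../uploads".
        string root = Path.GetFullPath(baseDir);
        if (!Path.EndsInDirectorySeparator(root))
            root += Path.DirectorySeparatorChar;

        // Path.Combine discards root when userPath is rooted; GetFullPath collapses "..".
        // Both cases are caught by the containment check on the resolved result.
        string full = Path.GetFullPath(Path.Combine(root, userPath));

        var comparison = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        if (!full.StartsWith(root, comparison))
            throw new UnauthorizedAccessException("Path escapes the allowed directory.");

        return full;
    }
}

public static class Program
{
    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "uploads"); // constructed sample root
        // Constructed sample inputs: one legitimate, three that must be rejected.
        foreach (var input in new[] { "reports/q1.pdf", "../uploads-private/key.pem", "../../etc/passwd", "/etc/passwd" })
        {
            try { Console.WriteLine($"OK      {input} -> {SafePath.ResolveUnder(root, input)}"); }
            catch (UnauthorizedAccessException) { Console.WriteLine($"REJECT  {input}"); }
        }
    }
}
```

`Path.GetFullPath` normalizes the string only and does not resolve symbolic links or junctions, so a link inside the allowed directory that points elsewhere still passes this check. In review, flag a bare `StartsWith(baseDir)` that lacks the trailing separator or runs before canonicalization.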
Build, debug, modernize, or review ASP.NET Core applications with correct hosting, middleware, security, configuration, logging, and deployment patterns on current .NET. USE FOR: working on ASP.NET Core apps, services, or middleware; changing auth, routing, configuration, hosting, or deployment behavior; deciding between ASP.NET Core sub-stacks. DO NOT USE FOR: unrelated stacks; generic tasks that do not need this specific guidance. INVOKES: inspect the repository context, edit targeted files, and run relevant build, test, lint, or validation commands when changes are made.
Build, upgrade, and operate .NET Aspire 13.3.x application hosts with current CLI, AppHost, ServiceDefaults, integrations, dashboard, testing, and Azure deployment patterns for distributed apps. USE FOR: Aspire.AppHost.Sdk, Aspire.Hosting.*, DistributedApplication.CreateBuilder, WithReference, WaitFor, AddProject, AddRedis, AddPostgres, aspire run, aspire init, aspire. DO NOT USE FOR: unrelated stacks; generic tasks that do not need this specific guidance. INVOKES: inspect the repository context, edit targeted files, and run relevant build, test, lint, or validation commands when changes are made.
Build, review, or migrate Azure Functions in .NET with correct execution model, isolated worker setup, bindings, DI, and Durable Functions patterns. USE FOR: working on Azure Functions in .NET; migrating from the in-process model to the isolated worker model; adding Durable Functions, bindings, or host configuration. DO NOT USE FOR: unrelated stacks; generic tasks that do not need this specific guidance. INVOKES: inspect the repository context, edit targeted files, and run relevant build, test, lint, or validation commands when changes are made.
Build and review Blazor applications across server, WebAssembly, web app, and hybrid scenarios with correct component design, state flow, rendering, and hosting choices. USE FOR: building interactive web UIs with C# instead of JavaScript; choosing between Server, WebAssembly, or Auto render modes; designing component hierarchies and state. DO NOT USE FOR: unrelated stacks; generic tasks that do not need this specific guidance. INVOKES: inspect the repository context, edit targeted files, and run relevant build, test, lint, or validation commands when changes are made.
Maintain or migrate EF6-based applications with realistic guidance on what to keep, what to modernize, and when EF Core is or is not the right next step. USE FOR: EF6 codebases; runtime versus ORM migration decisions; EDMX, code-first, ObjectContext, and legacy data-access review. DO NOT USE FOR: unrelated stacks; generic tasks that do not need this specific guidance. INVOKES: inspect the repository context, edit targeted files, and run relevant build, test, lint, or validation commands when changes are made.
Design, tune, or review EF Core data access with proper modeling, migrations, query translation, performance, and lifetime management for modern .NET applications. USE FOR: DbContext, migrations, model configuration, EF queries, tracking, loading, performance, transactions, and EF6 migration decisions. DO NOT USE FOR: unrelated stacks; generic tasks that do not need this specific guidance. INVOKES: inspect the repository context, edit targeted files, and run relevant build, test, lint, or validation commands when changes are made.
Build, review, or migrate .NET MAUI applications across Android, iOS, macOS, and Windows with correct cross-platform UI, platform integration, and native packaging assumptions. USE FOR: working on cross-platform mobile or desktop UI in .NET MAUI; integrating device capabilities, navigation, or platform-specific code; migrating Xamarin.Forms or aligning. DO NOT USE FOR: unrelated stacks; generic tasks that do not need this specific guidance. INVOKES: inspect the repository context, edit targeted files, and run relevant build, test, lint, or validation commands when changes are made.
Use ML.NET to train, evaluate, or integrate machine-learning models into .NET applications with realistic data preparation, inference, and deployment expectations. USE FOR: ML.NET integration; local model training or retraining; inference pipelines, model loading, evaluation, and deployment review. DO NOT USE FOR: unrelated stacks; generic tasks that do not need this specific guidance. INVOKES: inspect the repository context, edit targeted files, and run relevant build, test, lint, or validation commands when changes are made.