ClaudeWave
Skill · 66 repo stars · updated 29d ago

code-review-checklist

Provides a comprehensive code review checklist for pull requests covering security, performance, maintainability, and testing. Use as a reference during code reviews or when the user asks for a review checklist.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/tranhieutt/software_development_department /tmp/code-review-checklist && cp -r /tmp/code-review-checklist/.claude/skills/code-review-checklist ~/.claude/skills/code-review-checklist
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Code Review Checklist

## Pre-review (always start here)

- [ ] Read PR description and linked issue — understand the *why*
- [ ] Check CI passes before spending time on review
- [ ] Pull branch locally if logic is complex

## Functionality

- [ ] Solves stated problem and meets acceptance criteria
- [ ] Edge cases: null/empty inputs, concurrent calls, network failure
- [ ] Error handling: errors are caught, and error messages don't expose internals
- [ ] No off-by-one errors, loop-termination bugs, or race conditions

## Security (block if any fail)

- [ ] No SQL injection — use parameterized queries, not string concat
- [ ] No XSS — escape all user-controlled output in DOM
- [ ] No hardcoded secrets — use environment variables
- [ ] Authentication required on all protected routes
- [ ] Authorization checks presence AND ownership (not just auth)
- [ ] File uploads validated: type, size, content

```javascript
// ❌ SQL injection
const q = `SELECT * FROM users WHERE email = '${email}'`;

// ✅ Parameterized
db.query("SELECT * FROM users WHERE email = $1", [email]);

// ❌ Hardcoded secret
const KEY = "sk_live_abc123";

// ✅ Env variable
const KEY = process.env.API_KEY;
if (!KEY) throw new Error("API_KEY is required");
```
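
The "file uploads validated: type, size, content" item, as an added example that is not part of the original skill. `validateUpload`, `ALLOWED` and the 2 MiB cap are assumptions made for illustration, and the sample buffers are constructed.

```javascript
// Added example (not from the original checklist): validate type, size and content.
const MAX_BYTES = 2 * 1024 * 1024; // assumed policy: 2 MiB cap

// Allowlist of declared MIME type -> magic bytes the content must start with.
// A Map avoids prototype keys such as "__proto__" matching by accident.
const ALLOWED = new Map([
  ["image/png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["image/jpeg", [0xff, 0xd8, 0xff]],
  ["application/pdf", [0x25, 0x50, 0x44, 0x46, 0x2d]], // "%PDF-"
]);

function validateUpload(declaredType, buffer) {
  // Type: the client-declared type must be on the allowlist.
  const magic = ALLOWED.get(declaredType);
  if (!magic) return { ok: false, reason: "type-not-allowed" };

  // Size: reject empty and oversized bodies before inspecting content.
  if (buffer.length === 0 || buffer.length > MAX_BYTES) {
    return { ok: false, reason: "bad-size" };
  }

  // Content: the bytes must actually begin like the declared type.
  const matches = magic.every((byte, i) => buffer[i] === byte);
  if (!matches) return { ok: false, reason: "content-mismatch" };

  return { ok: true, reason: null };
}

// Constructed samples.
const pngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const htmlAsPng = Buffer.from("<html><body>not an image</body></html>");
const oversized = Buffer.alloc(MAX_BYTES + 1);

console.log(validateUpload("image/png", pngHeader));     // accepted
console.log(validateUpload("image/png", htmlAsPng));     // content-mismatch
console.log(validateUpload("image/png", oversized));     // bad-size
console.log(validateUpload("image/svg+xml", htmlAsPng)); // type-not-allowed
```

A magic-byte match only shows that the file starts like the declared type; in review, treat it as the minimum content check rather than proof that the file is well-formed.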

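The "presence AND ownership" authorization item, shown as an auth-only handler beside one that also checks ownership. This is an added example, not code from the original skill; `INVOICES`, `getInvoiceAuthOnly` and `getInvoiceOwned` are hypothetical names and the data is constructed.

```javascript
// Added example (not from the original checklist).
// Constructed in-memory data standing in for a database table.
const INVOICES = new Map([
  [1, { id: 1, ownerId: "alice", total: 120 }],
  [2, { id: 2, ownerId: "bob", total: 75 }],
]);

// ❌ Authenticated only: any logged-in user can read any invoice by id
function getInvoiceAuthOnly(user, id) {
  if (!user) return { status: 401 };
  const invoice = INVOICES.get(id);
  return invoice ? { status: 200, body: invoice } : { status: 404 };
}

// ✅ Presence AND ownership: the record must exist and belong to the caller.
// Design choice here: a non-owner gets the same 404 as a missing id, so the
// response does not reveal which ids exist (returning 403 is also common).
function getInvoiceOwned(user, id) {
  if (!user) return { status: 401 };
  const invoice = INVOICES.get(id);
  if (!invoice || invoice.ownerId !== user.id) return { status: 404 };
  return { status: 200, body: invoice };
}

const alice = { id: "alice" };
console.log(getInvoiceAuthOnly(alice, 2).status); // bob's invoice is returned
console.log(getInvoiceOwned(alice, 2).status);    // refused
console.log(getInvoiceOwned(alice, 1).status);    // alice's own invoice
```
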
## Performance

- [ ] No N+1 queries — check ORM calls inside loops
- [ ] Database queries use indexes for filter/sort columns
- [ ] No unbounded queries — always paginate or limit
- [ ] No blocking the main thread with sync I/O (Node.js)
- [ ] Caching used for repeated expensive operations

## Code quality

- [ ] Names describe intent (`calculateTotalPrice` not `calc`)
- [ ] Functions have single responsibility (< ~30 lines is a signal)
- [ ] No dead code or commented-out blocks
- [ ] DRY — no copy-paste of more than 3 lines
- [ ] Follows existing project conventions and patterns
- [ ] Abstractions are deep enough to justify themselves; thin pass-through wrappers fail the deletion test

## Tests

- [ ] New behavior has test coverage
- [ ] Happy path + at least 1 failure/edge case tested
- [ ] Tests use real assertions, not just "doesn't throw"
- [ ] No brittle tests that break on unrelated changes

## Documentation

- [ ] Complex logic has `// why` comment (not `// what`)
- [ ] Public API changes documented
- [ ] Breaking changes documented in CHANGELOG or PR body

## Review comment format

```markdown
**Issue:** [What's wrong]
**Current:** `problematic code`
**Suggested:** `improved code`
**Why:** [reason]
```

## Verdict

- **APPROVED** — all sections pass
- **APPROVED WITH CONDITIONS** — minor items, non-blocking
- **CHANGES REQUIRED** — blocking security, correctness, or test coverage issues

Output: checklist score (X/Y passing) + blocking items with file:line refs + verdict