Code review is the primary quality gate in modern software development. Poor review practices lead to slow feature velocity, missed defects, team friction, and knowledge silos. This skill codifies proven practices that prevent these failure modes. </context>
<contemplation> Code review exists to keep the codebase getting better over time—balance speed with quality. The goal is not perfection, but continuous improvement. Small, focused PRs reviewed quickly with clear feedback create a virtuous cycle of quality and velocity.Key insights from research:
- Review effectiveness drops dramatically beyond 200-400 LOC or 60-90 minutes
- Fast review turnaround correlates with better delivery performance
- Clear comment classification reduces author-reviewer friction
- Two-pass review (design first, details second) catches more issues
- Modern code review spreads knowledge and raises team awareness—not just defect hunting
The skill balances prescriptive guidance with flexibility—providing clear workflows without being overly rigid. </contemplation>
Core Principles
<principles> 1. **Optimize for codebase health, not perfection**: Reviews exist to keep the system improving over time 2. **Prefer small, scoped PRs**: Small changes are reviewed faster and more thoroughly; large ones cause missed issues 3. **Keep review latency low**: Slow reviews degrade code health and morale; fast turnarounds improve delivery 4. **Limit cognitive load**: Effectiveness drops beyond 200-400 LOC over 60-90 minutes—timebox sessions 5. **Leverage hidden wins**: Code review spreads knowledge and raises team awareness </principles>What Authors Should Do
<methodology type="author"> ### Pre-Flight Checklist <step n="1" validation="tests_pass"> **Run Quality Gates Locally** - Execute: `npm test` or equivalent (all tests must pass) - Execute: `npm run lint` or equivalent (no linting errors) - Execute: `npm run type-check` or TypeScript compile (no type errors) - Remove debug code (console.log, debugger, commented code, TODOs unless tracked) </step> <step n="2" validation="scope_clear"> **Ensure Clean Scope** - Isolate unrelated refactors into separate PRs - Split behavioral changes from mass renames/moves - Each PR has single, clear purpose - Target: < 400 lines changed (justify if larger) </step> <step n="3" validation="description_complete"> **Write Exceptional PR Description**Use this format (skim-friendly):
## Context
<!-- Why is this needed? What problem does it solve? -->
<!-- Link to issue/ticket if applicable -->
## Changes
<!-- High-level summary of what changed (not every line) -->
- Key change 1
- Key change 2
- Key change 3
## Test Plan
<!-- How can reviewers verify this works? -->
- [ ] Unit tests: `npm test path/to/tests`
- [ ] Manual testing: Steps to reproduce
- [ ] Edge cases verified: List specific scenarios tested
## Deployment Notes
- [ ] Database migration: Yes/No (details if yes)
- [ ] Feature flag: Yes/No (name if yes)
- [ ] Configuration changes: Yes/No (what changed)
- [ ] Breaking changes: Yes/No (migration path if yes)
- [ ] Rollback plan: Describe how to safely revert
## Security Considerations
<!-- If touching auth/permissions/data/secrets -->
- Input validation strategy
- Authorization checks
- Data exposure risks addressed
</step>
<step n="4" validation="self_reviewed">
**Perform Self-Review**
- Review your own diff line-by-line before opening PR
- Ask: "Would I approve this if someone else wrote it?"
- Check for: Unintended changes, debug code, commented code, TODOs
- Use draft PRs for early feedback on approach (not implementation)
</step>
<step n="5" validation="reviewers_assigned">
**Assign Appropriate Reviewers**
- Check CODEOWNERS for automatic assignment
- Tag domain experts for specialized areas (security, performance, etc.)
- Don't assign entire team—pick 1-2 relevant reviewers
- Use `/review-orchestrator commit` to run automated checks
</step>
</methodology>
What Reviewers Should Do
<methodology type="reviewer"> ### Two-Pass Review Process <pass n="1" duration="5-10 minutes" focus="design"> **High-Level Review: Design & Approach**Focus on big picture before diving into details:
-
Read PR Description
- Understand context: Why is this needed?
- Verify approach makes sense
- Check scope is appropriate
-
Assess Design & Architecture
- Does this solve the right problem?
- Is the approach sound?
- Any architectural concerns?
- Fits existing patterns or justified deviation?
-
Security & Risk Pass
- Any obvious security vulnerabilities?
- Authentication/authorization correct?
- Data validation present where needed?
- Use
/review-securityfor auth/permissions/data changes
-
Scope Check
- PR focused on single concern?
- Size reasonable (< 400 lines ideal)?
- No unrelated changes?
Decision Point: If major issues found (wrong approach, architectural problems, security flaws), provide feedback and STOP. No need for detailed review if design is flawed. </pass>
<pass n="2" duration="10-20 minutes" focus="implementation"> **Implementation Review: Details & Correctness**Only proceed if Pass 1 looks good:
-
Logic & Correctness
- Logic is correct and handles edge cases
- Error handling is appropriate
- State changes are safe and intentional
- Use
/review-qualityfor TypeScript/logic review
-
Testing Quality
- Tests cover new functionality
- Tests are meaningful (not just for coverage)
- Edge cases and error scenarios tested
- Use
/review-testingfor test quality analysis
-
Code Quality & Readability
- Code is readable and maintainable
- Naming is clear and consistent
- No obvious performance issues
- Use
/review-readabilityfor style/naming analysis
-
Documentation
- Public APIs have JSDoc comments
- Complex logic has explanatory comments
- README/docs updated if needed
Time Management: Set 30-minute timer. If you can't complete review in time:
- Stop and comment: "This is more complex than I can review in one session. Tagging @teammate."
- Or: Request PR be split if too large
- Or: Schedule dedicated review time and let author know </pass>
Comment Classification System
<comment_types> Use these prefixes to clarify feedback severity and reduce friction:
[critical] - Must fix before merge
- Security vulnerabilities
- Data loss or corruption risks
- Breaking changes without migration path
- Incorrect core logic
[issue] - Should fix, discuss if cannot
- Bugs or logic errors
- Missing error handling
- Significant performance problems
- Missing tests for core functionality
[suggestion] - Nice to have, author decides
- Better patterns or approaches
- Performance optimizations
- Refactoring opportunities
- Code organization improvements
[nit] - Purely cosmetic, optional
- Variable naming preferences
- Code style (should be automated)
- Whitespace, formatting
- Comment typos
[question] - Seeking clarification
- Understanding intent
- Asking about edge cases
- Requesting explanation of approach
- Verifying assumptions
[praise] - Calling out good work
- Excellent patterns worth highlighting
- Clever solutions
- Good test coverage
- Clear documentation </comment_types>
Final Decision
After both passes (< 30 minutes total):
- Approve: No blocking issues, ready to merge (or after minor nits addressed)
- Request Changes: Critical or issue-level items must be fixed before merge
- Comment: Leaving feedback but deferring final decision to another reviewer
Batch Nits: Leave all [nit] comments in single commen