skills/review/SKILL.md
Code review with semantic diffs, expert routing, and auto-TaskCreate. Triggers on: code review, review changes, check code, review PR, security audit.
```bash
npx skillsauth add 0xDarkMatter/claude-mods review
```

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status.
Perform comprehensive code reviews on staged changes, specific files, or pull requests. Dispatches general-purpose reviewers that preload the relevant -ops skill based on file types and automatically creates tasks for critical issues.
```
review [target] [--focus] [--depth]
│
├─→ Step 1: Determine Scope
│ ├─ No args → git diff --cached (staged)
│ ├─ --all → git diff HEAD (all uncommitted)
│ ├─ File path → specific file diff
│ └─ --pr N → gh pr diff N
│
├─→ Step 2: Analyze Changes (parallel)
│ ├─ delta for syntax-highlighted diff
│ ├─ difft for semantic diff (structural)
│ ├─ Categorize: logic, style, test, docs, config
│ └─ Identify touched modules/components
│
├─→ Step 3: Load Project Standards
│ ├─ AGENTS.md, CLAUDE.md conventions
│ ├─ .eslintrc, .prettierrc, pyproject.toml
│ ├─ Detect test framework
│ └─ Check CI config for existing linting
│
├─→ Step 4: Route to Reviewers (general-purpose + skill preload)
│ ├─ TypeScript → general-purpose, preload typescript-ops
│ ├─ React/JSX → general-purpose, preload react-ops
│ ├─ Python → general-purpose, preload python-pytest-ops
│ ├─ Go → general-purpose, preload go-ops
│ ├─ Rust → general-purpose, preload rust-ops
│ ├─ Vue → general-purpose, preload vue-ops
│ ├─ SQL/migrations → general-purpose, preload postgres-ops
│ ├─ Cypress/E2E → general-purpose, preload cypress-ops
│ ├─ Cloudflare/Workers → general-purpose, preload cloudflare-ops
│ ├─ Shell/bash → general-purpose, preload bash-ops
│ ├─ Claude extensions → general-purpose, preload claude-code-ops
│ ├─ Multi-domain → parallel general-purpose dispatch
│ └─ All reviewers preload: security-ops + testing-ops context
│
├─→ Step 5: Generate Review
│ ├─ Severity: CRITICAL / WARNING / SUGGESTION / PRAISE
│ ├─ Line-specific comments (file:line refs)
│ ├─ Suggested fixes as diff blocks
│ └─ Overall verdict: Ready to commit? Y/N
│
└─→ Step 6: Integration
  ├─ Auto-create tasks (TaskCreate) for CRITICAL issues
  ├─ Link to /save for tracking
  └─ Suggest follow-up: /testgen, /explain
```

### Step 1: Determine Scope

```bash
# Default: staged changes
git diff --cached --name-only

# Check if anything is staged
STAGED=$(git diff --cached --name-only | wc -l)
if [ "$STAGED" -eq 0 ]; then
    echo "No staged changes. Use --all for uncommitted or specify a file."
    git status --short
fi
```

For PR review:

```bash
# Quote the variable so the value is passed as a single argument
gh pr diff "$PR_NUMBER" --patch
```

For specific file:

```bash
git diff HEAD -- "$FILE"
```

For baseline comparison (--base):

```bash
# Quote the range so a branch name cannot be word-split
git diff "$BASE_BRANCH"...HEAD
```

### Step 2: Analyze Changes

Run semantic diff analysis (parallel where possible):

With difft (semantic):

```bash
command -v difft >/dev/null 2>&1 && git difftool --tool=difftastic --no-prompt HEAD~1 || git diff HEAD~1
```

With delta (syntax highlighting):

```bash
command -v delta >/dev/null 2>&1 && git diff --cached | delta || git diff --cached
```

Categorize changes:

```bash
# IFS= and -r keep leading whitespace and backslashes in file names intact
git diff --cached --name-only | while IFS= read -r file; do
    case "$file" in
        *.test.* | *.spec.*) echo "TEST: $file" ;;
        *.md | docs/*) echo "DOCS: $file" ;;
        *.json | *.yaml | *.toml) echo "CONFIG: $file" ;;
        *) echo "CODE: $file" ;;
    esac
done
```

Get diff statistics:

```bash
git diff --cached --stat
```

### Step 3: Load Project Standards

```bash
# Claude Code conventions
cat AGENTS.md 2>/dev/null | head -50
cat CLAUDE.md 2>/dev/null | head -50

# Linting configs
cat .eslintrc* 2>/dev/null | head -30
cat .prettierrc* 2>/dev/null
cat pyproject.toml 2>/dev/null | head -30

# Test framework detection
cat package.json 2>/dev/null | jq '.devDependencies | keys | map(select(test("jest|vitest|mocha|cypress|playwright")))' 2>/dev/null
```

Check CI for existing linting:

```bash
cat .github/workflows/*.yml 2>/dev/null | grep -E "eslint|prettier|pylint|ruff" | head -10
```

### Step 4: Route to Reviewers

Dispatch is skills-first: domain knowledge lives in -ops skills, and the generic general-purpose subagent preloads the relevant SKILL.md before reviewing.

| File Pattern | Dispatch | Preload |
|--------------|----------|---------|
| *.ts | general-purpose | skills/typescript-ops/SKILL.md |
| *.tsx | general-purpose | skills/react-ops/SKILL.md + skills/typescript-ops/SKILL.md |
| *.vue | general-purpose | skills/vue-ops/SKILL.md + skills/typescript-ops/SKILL.md |
| *.py | general-purpose | skills/python-pytest-ops/SKILL.md (+ skills/sql-ops/SKILL.md if ORM) |
| *.go | general-purpose | skills/go-ops/SKILL.md |
| *.rs | general-purpose | skills/rust-ops/SKILL.md |
| *.sql, migrations/* | general-purpose | skills/postgres-ops/SKILL.md |
| agents/*.md, skills/*, commands/* | general-purpose | skills/claude-code-ops/SKILL.md |
| *.test.*, *.spec.* | general-purpose | (framework skill by file type) |
| *.cy.ts, cypress/* | general-purpose | skills/cypress-ops/SKILL.md + skills/typescript-ops/SKILL.md |
| *.spec.ts (Playwright) | general-purpose | skills/playwright-ops/SKILL.md + skills/typescript-ops/SKILL.md |
| playwright/*, e2e/* | general-purpose | skills/playwright-ops/SKILL.md + skills/typescript-ops/SKILL.md |
| wrangler.toml, workers/* | general-purpose | skills/cloudflare-ops/SKILL.md |
| *.sh, *.bash | general-purpose | skills/bash-ops/SKILL.md |

Invoke via Task tool:

```
Task tool with subagent_type: "general-purpose" (or surviving specialist from table)
model: "sonnet"

Prompt includes:
- Skill preloading (domain knowledge):
  "First, read these files for review context:
   - Read: skills/security-ops/references/owasp-detailed.md
   - Read: skills/testing-ops/SKILL.md
   - Read: [Preload column for the matched file pattern]"
- Diff content
- Project conventions from AGENTS.md
- Linting config summaries
- Requested focus area
- Request for structured review output
```

Language-specific preloads (append to the preloading section above):

| Language | Additional Preload | Why |
|----------|-------------------|-----|
| Python | skills/python-pytest-ops/SKILL.md | Python test patterns for coverage review |
| Go | skills/go-ops/SKILL.md | Go idioms, concurrency gotchas |
| Rust | skills/rust-ops/SKILL.md | Ownership patterns, unsafe review |
| TypeScript | skills/typescript-ops/SKILL.md | Type safety patterns |

### Step 5: Generate Review

The reviewer produces a structured review:

````markdown
# Code Review: [scope description]

## Summary

| Metric | Value |
|--------|-------|
| Files reviewed | N |
| Lines changed | +X / -Y |
| Issues found | N (X critical, Y warnings) |

## Verdict

**Ready to commit?** Yes / No

[1-2 sentence summary of overall quality]

---

## Critical Issues

### `src/auth/login.ts:42`

**Issue:** SQL injection vulnerability in user input handling
**Risk:** Attacker can execute arbitrary SQL queries
**Fix:**
```diff
- const query = `SELECT * FROM users WHERE id = ${userId}`;
+ const query = `SELECT * FROM users WHERE id = $1`;
+ const result = await db.query(query, [userId]);
```

## Warnings

### `src/components/Form.tsx:89`

**Issue:** Missing dependency in useEffect
**Suggestion:** Add userId to dependency array
```diff
- useEffect(() => { fetchUser(userId) }, []);
+ useEffect(() => { fetchUser(userId) }, [userId]);
```

## Suggestions

[Style improvements, optional enhancements]

## Praise

[Good patterns worth noting]

## Files Reviewed

| File | Changes | Issues |
|------|---------|--------|
| src/auth/login.ts | +42/-8 | 1 critical |
````

### Step 6: Integration

**Auto-create tasks for CRITICAL issues:**

```
TaskCreate:
  subject: "Fix: SQL injection in login.ts:42"
  description: "SQL injection vulnerability found in user input handling."
  activeForm: "Fixing SQL injection in login.ts:42"
```

**Link with dependencies for related issues:**

```
TaskCreate: #1 "Fix SQL injection in login.ts"
TaskCreate: #2 "Fix SQL injection in register.ts"
TaskUpdate: taskId: "2", addBlockedBy: ["1"]
```

**After fixing issues:**

```
TaskUpdate: taskId: "1" status: "completed"
```

---
## Severity System
| Level | Icon | Meaning | Action | Auto-Task? |
|-------|------|---------|--------|------------|
| CRITICAL | :red_circle: | Security bug, data loss risk, crashes | Must fix before merge | Yes |
| WARNING | :yellow_circle: | Logic issues, performance problems | Should address | No |
| SUGGESTION | :blue_circle: | Style, minor improvements | Optional | No |
| PRAISE | :star: | Good patterns worth noting | Recognition | No |
---
## Focus Modes
| Mode | What It Checks |
|------|----------------|
| `--security` | OWASP top 10, secrets in code, injection, auth issues |
| `--perf` | N+1 queries, unnecessary re-renders, complexity, memory |
| `--types` | Type safety, `any` usage, generics, null handling |
| `--tests` | Coverage gaps, test quality, mocking patterns |
| `--style` | Naming, organization, dead code, comments |
| (default) | All of the above |
---
## Depth Modes
| Mode | Behavior |
|------|----------|
| `--quick` | Surface-level scan, obvious issues only |
| `--normal` | Standard review, all severity levels (default) |
| `--thorough` | Deep analysis, traces data flow, checks edge cases |
---
## Advanced Flags
### `--base <branch>` - Baseline Comparison
Compare changes against a specific branch instead of HEAD:
```bash
/review --base main
/review src/ --base develop --thorough
```

### `--json` - CI/CD Integration

Output review results as JSON:

```json
{
  "summary": {
    "files_reviewed": 3,
    "lines_changed": { "added": 42, "removed": 8 },
    "issues": { "critical": 1, "warning": 2, "suggestion": 1 }
  },
  "verdict": {
    "ready_to_commit": false,
    "reason": "1 critical issue requires attention"
  },
  "issues": [...]
}
```

CI/CD usage:

```yaml
- name: Code Review
  run: |
    claude "/review --json" > review.json
    if jq -e '.issues[] | select(.severity == "critical")' review.json; then
      exit 1
    fi
```
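
The `if jq -e …` test above is false both when there are no critical issues and when `jq` cannot parse `review.json`, so an empty or non-JSON file passes the gate. A fail-closed version of the check, as an added example that is not part of the skill: it assumes the JSON shape shown above and that each entry in `issues` carries a `severity` string, as the `jq` filter implies; the sample documents are constructed.

```python
import json
import sys

# Constructed samples in the shape shown above (the "issues" entries are assumed).
SAMPLE_CLEAN = json.dumps({
    "summary": {"files_reviewed": 3, "issues": {"critical": 0, "warning": 1}},
    "verdict": {"ready_to_commit": True, "reason": "no critical issues"},
    "issues": [{"severity": "warning", "file": "src/components/Form.tsx", "line": 89}],
})
SAMPLE_CRITICAL = json.dumps({
    "summary": {"files_reviewed": 3, "issues": {"critical": 1}},
    "verdict": {"ready_to_commit": False, "reason": "1 critical issue requires attention"},
    "issues": [{"severity": "critical", "file": "src/auth/login.ts", "line": 42}],
})


def gate(raw):
    """Return (passed, reason) for the text of review.json; anything unexpected fails."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):  # empty file, prose around the JSON, truncation
        return False, "review output is not valid JSON"
    if not isinstance(doc, dict):
        return False, "top-level value is not an object"
    issues, summary = doc.get("issues"), doc.get("summary")
    if not isinstance(issues, list) or not isinstance(summary, dict):
        return False, "missing 'issues' list or 'summary' object"
    if any(not isinstance(i, dict) or not isinstance(i.get("severity"), str) for i in issues):
        return False, "issue entry without a severity string"
    # Case-insensitive: the page writes CRITICAL in prose and "critical" in the jq filter.
    critical = sum(1 for i in issues if i["severity"].lower() == "critical")
    if critical:
        return False, f"{critical} critical issue(s)"
    # Cross-check the summary so a truncated issues list cannot pass on its own.
    counts = summary.get("issues")
    claimed = counts.get("critical") if isinstance(counts, dict) else None
    if type(claimed) is not int or claimed != 0:
        return False, "summary does not confirm zero critical issues"
    return True, "no critical issues"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "review.json"
    try:
        with open(path, encoding="utf-8") as fh:
            passed, reason = gate(fh.read())
    except (OSError, ValueError) as exc:
        passed, reason = False, f"cannot read {path}: {exc}"
    print(f"review gate: {'PASS' if passed else 'FAIL'} ({reason})")
    sys.exit(0 if passed else 1)
```

Saved under a name of your choosing (for example `review_gate.py`, a hypothetical file name), it can replace the `if jq -e …` test in the workflow step.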

### `--fix` - Auto-Apply Fixes

Automatically apply suggested fixes.

Non-interactive mode:

```bash
/review --fix --auto-approve
```

| Tool | Purpose | Fallback |
|------|---------|----------|
| delta | Syntax-highlighted diffs | git diff |
| difft | Semantic/structural diffs | git diff |
| gh | GitHub PR operations | Manual diff |
| rg | Search for patterns | Grep tool |
| jq | Parse JSON configs | Read manually |

Graceful degradation:

```bash
command -v delta >/dev/null 2>&1 && git diff --cached | delta || git diff --cached
```

For framework-specific checks, see:

- framework-checks.md - React, TypeScript, Python, Go, Rust, Vue, SQL patterns

| Command | Relationship |
|---------|--------------|
| /explain | Deep dive into flagged code |
| /testgen | Generate tests for issues found |
| /save | Persist review findings to session state |