aaaaqwq/code-review

Code Review

Comprehensive AI-powered code review for PRs and local changes — enterprise-grade alternative to CodeRabbit

When to use

• "code review"
• "review my PR"
• "review PR #123"
• "check my changes"
• "what's wrong with my code"
• "security review"
• "full review"
• "/review"
• "/review-pr"

Dependencies

• External: gh CLI (GitHub), git

Modes

1. Local review (uncommitted changes)

Reviews git diff — changes not yet committed.

2. Branch review (vs main/master)

Reviews all changes in current branch compared to main.

3. PR review (GitHub)

Fetches diff from GitHub PR and can post comments.

4. Focused review

User can request specific focus: security, performance, bugs, style, etc.

---

How to execute

Step 0: Check if review needed

Skip review if:

• PR is draft (gh pr view --json isDraft)
• PR is already closed/merged
• Only documentation changes (.md, .txt, LICENSE)
• Only config changes (.json, .yaml, .toml) without code impact
• Trivial changes (<5 lines, whitespace only, version bumps)

Inform user and ask to confirm if they still want review.

---

Step 1: Determine mode

Ask user or detect automatically:

• If PR number provided → PR review
• If uncommitted changes exist → local review
• If on feature branch → branch review
• If specific focus requested → apply focus filter

Step 2: Get diff

Local:

git diff HEAD

Branch (vs main):

DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@' || echo "main")
git diff $DEFAULT_BRANCH...HEAD

PR:

gh pr diff <PR_NUMBER>

Step 3: Get context

For thorough review, read related files:

# List changed files
git diff --name-only HEAD

# Read each file fully for context
# Check package.json for dependencies
# Check tsconfig/eslint config for project standards

Step 3b: Filter pre-existing issues

Before reporting an issue, check if it was introduced in this PR:

# Check when the problematic line was last modified
git blame -L <start>,<end> <file> --porcelain | head -1

Skip issues that:

• Existed before this PR (old blame hash)
• Are in unchanged lines
• Were introduced by a different author long ago

Only report issues introduced or modified in current changes.

This prevents noise from legacy code and focuses review on new changes.

---

Step 4: Comprehensive Analysis

Apply ALL relevant checks from the checklist below.

Step 5: Confidence Scoring

Rate each issue 0-100:

| Score | Confidence | When to use | |-------|------------|-------------| | 90-100 | Certain | Clear vulnerability (SQL injection with user input), obvious crash | | 70-89 | High | Likely bug, security risk, definite code smell | | 50-69 | Medium | Potential issue, needs context to confirm | | 25-49 | Low | Style preference, minor suggestion | | 0-24 | Skip | Probably false positive, pre-existing, or nitpick |

Only report issues with confidence ≥70.

Mark as false positive and skip:

• Pre-existing issues (caught by Step 3b)
• Issues that linters will catch (eslint, prettier)
• Pedantic nitpicks without real impact
• Code that looks wrong but has valid reason (check comments)
• Issues with explicit ignore comments (// eslint-disable, # noqa)

---

Step 6: Output result

Format:

## Code Review Summary

**Reviewed:** X files, Y lines changed
**Risk Level:** Critical / High / Medium / Low

### Critical Issues (must fix)
- [file:line] Description — Why it matters

### High Priority
- [file:line] Description

### Medium Priority
- [file:line] Description

### Low Priority / Suggestions
- [file:line] Description

### Good Practices
- What was done well

For GitHub PR — post comments:

# General comment on PR
gh pr comment <PR_NUMBER> --body "## AI Code Review
[Review content]"

# Line-by-line comments via API (for specific file/line feedback)
# Replace {owner}, {repo}, {pr} with actual values
gh api repos/{owner}/{repo}/pulls/{pr}/comments \
  --method POST \
  -f body="Issue description and fix suggestion" \
  -f path="src/file.ts" \
  -f line=42 \
  -f side="RIGHT"

---

COMPREHENSIVE REVIEW CHECKLIST

1. SECURITY (OWASP Top 10 + Extended)

1.1 Injection

• [ ] SQL Injection — User input in SQL queries without parameterization
• [ ] NoSQL Injection — Unsanitized input in MongoDB/similar queries
• [ ] Command Injection — User input passed to shell commands (exec, spawn, system)
• [ ] LDAP Injection — User input in LDAP queries
• [ ] XPath Injection — User input in XML queries
• [ ] Template Injection — User input in template engines (SSTI)
• [ ] Header Injection — User input in HTTP headers (CRLF)
• [ ] Log Injection — Unsanitized data written to logs

1.2 Broken Authentication

• [ ] Weak password requirements — No complexity enforcement
• [ ] Missing brute-force protection — No rate limiting on login
• [ ] Session fixation — Session ID not regenerated after login
• [ ] Insecure session storage — Sessions in localStorage (XSS vulnerable)
• [ ] Missing logout — No session invalidation
• [ ] Predictable tokens — Using weak random generators for tokens
• [ ] Password in URL — Credentials in query parameters
• [ ] Missing MFA on critical operations — No 2FA for sensitive actions

1.3 Sensitive Data Exposure

• [ ] Hardcoded secrets — API keys, passwords, tokens in code
• [ ] Secrets in logs — Sensitive data written to console/logs
• [ ] Secrets in error messages — Stack traces exposing internals
• [ ] Unencrypted sensitive data — PII/credentials not encrypted at rest
• [ ] Weak cryptography — MD5, SHA1 for passwords, short keys
• [ ] Missing HTTPS — HTTP links for sensitive operations
• [ ] Sensitive data in URLs — Tokens/IDs in GET parameters
• [ ] Excessive data exposure — Returning more fields than needed in API

1.4 XML External Entities (XXE)

• [ ] XML parsing without disabling DTD — External entity processing enabled
• [ ] Unsafe XML deserialization — User-controlled XML parsed

1.5 Broken Access Control

• [ ] Missing authorization checks — Actions without permission verification
• [ ] IDOR (Insecure Direct Object Reference) — Accessing resources by ID without ownership check
• [ ] Privilege escalation — User can access admin functions
• [ ] CORS misconfiguration — Wildcard or overly permissive origins
• [ ] Missing function-level access control — API endpoints without role checks
• [ ] Path traversal — User input in file paths (../)
• [ ] Forced browsing — Unprotected admin/debug endpoints

1.6 Security Misconfiguration

• [ ] Debug mode in production — Verbose errors, stack traces exposed
• [ ] Default credentials — Unchanged default passwords
• [ ] Unnecessary features enabled — Unused endpoints, methods
• [ ] Missing security headers — No CSP, X-Frame-Options, etc.
• [ ] Directory listing enabled — Exposed file structure
• [ ] Outdated dependencies — Known vulnerabilities in packages
• [ ] Permissive file permissions — World-readable sensitive files

1.7 Cross-Site Scripting (XSS)

• [ ] Reflected XSS — User input echoed without encoding
• [ ] Stored XSS — Database content rendered without sanitization
• [ ] DOM XSS — Client-side JS using unsafe sinks (innerHTML, eval)
• [ ] Missing Content-Security-Policy — No CSP headers
• [ ] Unsafe React patterns — dangerouslySetInnerHTML with user content
• [ ] Template literal injection — User input in template strings

1.8 Insecure Deserialization

• [ ] Unsafe JSON parsing — eval() for JSON
• [ ] Object deserialization — pickle, serialize without validation
• [ ] Prototype pollution — Object.assign/merge with user input

1.9 Using Components with Known Vulnerabilities

• [ ] Outdated dependencies — Check package.json against vulnerability databases
• [ ] Abandoned packages — Dependencies with no recent updates
• [ ] Typosquatting — Suspicious package names

1.10 Insufficient Logging & Monitoring

• [ ] Missing audit logs — No logging for security events
• [ ] Missing error handling — Silent failures
• [ ] No alerting — Security events not monitored

1.11 Additional Security Checks

• [ ] SSRF (Server-Side Request Forgery) — User-controlled URLs in server requests
• [ ] Open Redirect — User input in redirect URLs
• [ ] CSRF protection missing — No tokens for state-changing operations
• [ ] JWT issues — Weak secret, algorithm confusion, no expiry
• [ ] Regex DoS (ReDoS) — Catastrophic backtracking in regex
• [ ] Mass assignment — Binding request body directly to models
• [ ] File upload vulnerabilities — No type validation, path traversal
• [ ] Race conditions — TOCTOU (time-of-check-time-of-use) issues

---

2. BUGS & LOGIC ERRORS

2.1 Null/Undefined Handling

• [ ] Null pointer dereference — Accessing properties of null/undefined
• [ ] Missing null checks — Optional chaining not used where needed
• [ ] Null coalescing issues — Wrong default values
• [ ] Falsy value confusion — 0, '', false treated as null

2.2 Type Issues

• [ ] Type coercion bugs — == instead of ===
• [ ] Implicit type conversion — String + Number concatenation
• [ ] Missing type checks — typeof/instanceof not used
• [ ] Type assertion abuse — Unsafe 'as' casts in TypeScript
• [ ] Any type overuse — Losing type safety

2.3 Async/Concurrency

• [ ] Missing await — Unhandled promises
• [ ] Unhandled promise rejection — No .catch() or try/catch
• [ ] Race conditions — Shared state without synchronization
• [ ] Deadlocks — Circular waiting for resources
• [ ] Callback hell — Nested callbacks instead of async/await
• [ ] Memory leaks from listeners — Event listeners not removed
• [ ] Stale closures — Capturing old values in closures

2.4 Loop/Iteration Errors

• [ ] Off-by-one errors — Wrong loop bounds
• [ ] Infinite loops — Missing break condition
• [ ] Mutating while iterating — Modifying collection during loop
• [ ] Wrong loop variable — Using outer variable in nested loop
• [ ] forEach with async — Not waiting for async operations

2.5 Boundary/Edge Cases

• [ ] Empty array/object — Not handling empty collections
• [ ] Single element — Edge case for arrays with one item
• [ ] Negative numbers — Not handling negative input
• [ ] Zero division — Dividing without checking denominator
• [ ] Integer overflow — Large number calculations
• [ ] Floating point precision — 0.1 + 0.2 !== 0.3
• [ ] Unicode/encoding — Special characters not handled
• [ ] Timezone issues — Date handling without timezone awareness
• [ ] Daylight saving time — Date calculations across DST

2.6 State Management

• [ ] Stale state — React setState with stale closure
• [ ] Missing state updates — UI not reflecting state
• [ ] State mutation — Direct state modification
• [ ] Prop drilling issues — Props passed too deep
• [ ] Unnecessary re-renders — Missing memoization

2.7 Error Handling

• [ ] Empty catch blocks — Swallowing errors silently
• [ ] Generic error handling — Catching all without specificity
• [ ] Missing finally — Resources not cleaned up
• [ ] Rethrowing without context — Losing stack trace
• [ ] Error in error handler — Handler itself can throw

2.8 Resource Management

• [ ] Resource leaks — Files, connections not closed
• [ ] Memory leaks — Objects not garbage collected
• [ ] Connection pool exhaustion — Not returning connections
• [ ] File handle leaks — Streams not closed
• [ ] Timer leaks — setInterval not cleared

2.9 Business Logic

• [ ] Wrong calculations — Incorrect formulas
• [ ] Missing validation — Business rules not enforced
• [ ] State machine violations — Invalid state transitions
• [ ] Duplicate operations — Same action performed twice
• [ ] Missing rollback — Partial updates on failure

---

3. PERFORMANCE

3.1 Database

• [ ] N+1 queries — Loop with individual queries
• [ ] Missing indexes — Queries on unindexed columns
• [ ] **SELECT *** — Fetching unnecessary columns
• [ ] Missing pagination — Loading all records
• [ ] Missing connection pooling — New connection per request
• [ ] Expensive JOINs — Large table joins without optimization
• [ ] Missing query caching — Repeated identical queries
• [ ] Transaction scope too large — Holding locks too long
• [ ] Inefficient aggregations — COUNT/SUM without indexes

3.2 API/Network

• [ ] Missing caching — No Cache-Control headers
• [ ] Over-fetching — Returning more data than needed
• [ ] Under-fetching — Multiple requests for related data
• [ ] No compression — Missing gzip/brotli
• [ ] Chatty APIs — Too many small requests
• [ ] Missing pagination — Large response payloads
• [ ] Synchronous external calls — Blocking on I/O
• [ ] Missing timeouts — No timeout on HTTP calls
• [ ] Missing retry logic — No retry for transient failures

3.3 Frontend

• [ ] Large bundle size — Missing code splitting
• [ ] Render blocking resources — CSS/JS blocking paint
• [ ] Unnecessary re-renders — Missing React.memo, useMemo
• [ ] Large images — Unoptimized images
• [ ] Missing lazy loading — Loading offscreen content
• [ ] Layout thrashing — Forced synchronous layouts
• [ ] Heavy animations — Expensive CSS/JS animations
• [ ] Memory leaks — Detached DOM nodes
• [ ] Long tasks — Blocking main thread >50ms

3.4 Algorithms

• [ ] O(n²) or worse — Nested loops on large data
• [ ] Repeated calculations — No memoization
• [ ] String concatenation in loops — Using += for strings
• [ ] Inefficient data structures — Array instead of Set/Map
• [ ] Unnecessary copying — Deep clone when not needed
• [ ] Redundant sorting — Sorting already sorted data

3.5 Caching

• [ ] Missing caching layer — No Redis/Memcached
• [ ] Cache invalidation issues — Stale data served
• [ ] Cache stampede — Many requests on cache miss
• [ ] No cache warming — Cold start performance
• [ ] Unbounded cache — No eviction policy

---

4. CODE QUALITY

4.1 Readability

• [ ] Poor naming — Unclear variable/function names
• [ ] Magic numbers — Hardcoded values without constants
• [ ] Long functions — Functions >50 lines
• [ ] Deep nesting — >3 levels of indentation
• [ ] Complex conditionals — Hard to understand if/else chains
• [ ] Missing comments for complex logic — Unclear algorithms
• [ ] Inconsistent naming convention — camelCase mixed with snake_case
• [ ] Abbreviations — Unclear shortened names

4.2 Maintainability

• [ ] DRY violations — Copy-pasted code
• [ ] God objects/functions — Doing too much
• [ ] Tight coupling — Hard dependencies between modules
• [ ] Missing abstraction — Repeated patterns not extracted
• [ ] Premature abstraction — Over-engineering simple code
• [ ] Circular dependencies — Modules importing each other
• [ ] Dead code — Unused functions, variables, imports
• [ ] Commented-out code — Old code left in comments
• [ ] TODO/FIXME/HACK — Technical debt markers

4.3 SOLID Principles

• [ ] Single Responsibility — Class/function doing multiple things
• [ ] Open/Closed — Modifying instead of extending
• [ ] Liskov Substitution — Subclasses breaking parent contract
• [ ] Interface Segregation — Fat interfaces
• [ ] Dependency Inversion — Depending on concretions

4.4 Error Messages

• [ ] Generic error messages — "Something went wrong"
• [ ] Technical jargon for users — Stack traces shown to users
• [ ] Missing error codes — No way to identify errors
• [ ] Non-actionable errors — User doesn't know what to do

4.5 API Design

• [ ] Inconsistent response format — Different structures per endpoint
• [ ] Wrong HTTP methods — POST for GET operations
• [ ] Wrong status codes — 200 for errors
• [ ] Missing versioning — No API version in path/header
• [ ] Breaking changes — Removing/renaming fields
• [ ] Missing documentation — No OpenAPI/Swagger

4.6 Configuration

• [ ] Hardcoded configuration — No environment variables
• [ ] Missing defaults — Required config without fallback
• [ ] Scattered config — Configuration in multiple places
• [ ] Secrets in config files — Credentials in committed files

---

5. TESTING

5.1 Test Coverage

• [ ] Missing unit tests — Critical functions untested
• [ ] Missing integration tests — API endpoints untested
• [ ] Missing edge case tests — Only happy path tested
• [ ] Missing error case tests — Error handling untested
• [ ] Low coverage on changed files — New code not tested

5.2 Test Quality

• [ ] Flaky tests — Tests that sometimes fail
• [ ] Slow tests — Tests taking too long
• [ ] Test interdependence — Tests depending on order
• [ ] Missing assertions — Tests without expect/assert
• [ ] Testing implementation — Testing how, not what
• [ ] Mocking too much — Testing mocks, not code
• [ ] Missing test data cleanup — Side effects between tests

5.3 Test Patterns

• [ ] Missing describe blocks — No test organization
• [ ] Unclear test names — "test1", "should work"
• [ ] Arrange-Act-Assert — Unclear test structure
• [ ] Missing fixtures — Repeated test data setup

---

6. ACCESSIBILITY (a11y)

• [ ] Missing alt text — Images without alt attributes
• [ ] Missing form labels — Inputs without labels
• [ ] Color contrast — Insufficient contrast ratio
• [ ] Keyboard navigation — Not usable without mouse
• [ ] Missing ARIA labels — Interactive elements without labels
• [ ] Focus management — Focus not handled in modals/SPAs
• [ ] Missing skip links — No way to skip navigation
• [ ] Missing heading hierarchy — Improper h1-h6 usage
• [ ] Auto-playing media — No way to stop audio/video
• [ ] Missing screen reader text — Icons without labels

---

7. INTERNATIONALIZATION (i18n)

• [ ] Hardcoded strings — Text not in translation files
• [ ] Date/time formatting — Not using locale-aware formatting
• [ ] Number formatting — Not handling decimal separators
• [ ] Currency formatting — Not handling currency symbols
• [ ] RTL support — Not handling right-to-left languages
• [ ] Pluralization — Not handling singular/plural
• [ ] String concatenation — Building sentences from parts
• [ ] Hardcoded date formats — MM/DD/YYYY vs DD/MM/YYYY

---

8. DOCUMENTATION

• [ ] Missing README — No project documentation
• [ ] Outdated documentation — Docs don't match code
• [ ] Missing API docs — No endpoint documentation
• [ ] Missing JSDoc/TSDoc — Public APIs undocumented
• [ ] Missing changelog — No record of changes
• [ ] Missing setup instructions — Hard to get started
• [ ] Broken links — Dead URLs in README, docs, or code comments
• [ ] Relative link errors — Wrong paths to internal docs/files

---

9. DEVOPS / INFRASTRUCTURE

• [ ] Missing health checks — No /health endpoint
• [ ] Missing graceful shutdown — Not handling SIGTERM
• [ ] Missing retry logic — No resilience patterns
• [ ] Missing circuit breaker — No failure isolation
• [ ] Logging not structured — Plain text instead of JSON
• [ ] Missing correlation IDs — Can't trace requests
• [ ] Missing metrics — No observability
• [ ] Missing alerts — No monitoring
• [ ] Container issues — Running as root, large images
• [ ] Missing resource limits — No CPU/memory limits

---

10. GIT/VERSION CONTROL

• [ ] Large files committed — Binary files, node_modules
• [ ] Secrets in history — API keys in past commits
• [ ] Merge conflicts markers — Unresolved conflicts
• [ ] Mixed line endings — CRLF/LF issues
• [ ] Missing .gitignore entries — Temporary files tracked
• [ ] Large commits — Too many changes in one commit
• [ ] Unclear commit messages — "fix", "update", "wip"

---

LANGUAGE-SPECIFIC CHECKS (apply if relevant files detected)

11. REACT / NEXT.JS (if .tsx, .jsx files)

• [ ] useEffect missing deps — Dependencies array incomplete or missing
• [ ] useEffect cleanup — Missing cleanup for subscriptions, timers
• [ ] useState stale closure — Using state in callbacks without functional update
• [ ] Key prop issues — Missing key, using index as key in dynamic lists
• [ ] useMemo/useCallback overuse — Premature optimization
• [ ] Prop drilling — Props passed through many levels (use context)
• [ ] Component too large — >300 lines, should be split
• [ ] Inline function in JSX — Creating new function on every render
• [ ] Direct DOM manipulation — Using document.querySelector in React
• [ ] Missing error boundary — No error handling for component tree

12. TYPESCRIPT (if .ts, .tsx files)

• [ ] Any type abuse — Using any to bypass type checking
• [ ] Type assertion abuse — Unsafe as casts without validation
• [ ] Missing return types — Public functions without explicit return type
• [ ] Implicit any — Variables without type annotation
• [ ] Non-null assertion — Overuse of ! operator
• [ ] Enum vs union — Using enum where union type is better
• [ ] Unused exports — Exported types/functions never imported

13. PYTHON (if .py files)

• [ ] Mutable default args — def foo(items=[]) anti-pattern
• [ ] Missing type hints — Public functions without annotations
• [ ] Bare except — except: without specific exception
• [ ] Context manager — File/connection not using with
• [ ] Global state — Modifying global variables
• [ ] Import side effects — Code execution at import time
• [ ] f-string security — User input in f-strings (potential injection)

14. NODE.JS / EXPRESS (if package.json with express)

• [ ] Async error handling — Missing try/catch in async routes
• [ ] Missing helmet — No security headers middleware
• [ ] Missing rate limiting — No protection against abuse
• [ ] Callback hell — Nested callbacks instead of async/await
• [ ] Blocking event loop — Sync operations in request handlers
• [ ] Missing input validation — No validation middleware (joi, zod)
• [ ] Hardcoded CORS — Wildcard or hardcoded origins

15. SQL / DATABASE (if .sql files or ORM usage)

• [ ] Raw queries — String concatenation instead of parameterized
• [ ] Missing indexes — Queries on frequently filtered columns
• [ ] N+1 in ORM — Lazy loading in loops
• [ ] Wide transactions — Transaction scope too large
• [ ] Missing migrations — Schema changes without migration files
• [ ] Cascading deletes — Unintended data loss on delete

---

Parameters

| Parameter | Description | Default | |-----------|-------------|---------| | PR_NUMBER | Pull Request number | - | | --post | Post comments to GitHub | false | | --severity | Minimum level (critical/high/medium/low) | low | | --focus | Focus area: security, performance, bugs, quality, testing, a11y, i18n, all | all |

Examples

Example 1: Full review

User: full code review

Claude: [git diff HEAD]
Claude: [comprehensive analysis using all checklists]
Claude:
## Code Review Summary

**Reviewed:** 5 files, 234 lines changed
**Risk Level:** High

### Critical Issues (2)
1. [src/api/auth.ts:45] SQL Injection - User input passed directly to query
2. [src/utils/crypto.ts:12] Weak cryptography - Using MD5 for password hashing

### High Priority (3)
1. [src/services/user.ts:78] Missing authorization check - IDOR vulnerability
2. [src/api/data.ts:23] N+1 query - 50 queries in loop
3. [src/components/Form.tsx:156] XSS - dangerouslySetInnerHTML with user content

### Medium Priority (5)
...

Example 2: Security-focused review

User: security review PR 123

Claude: [applies only security checklist]
Claude: Found 3 security issues...

Example 3: Performance review

User: check performance issues in my changes

Claude: [applies only performance checklist]
Claude: Found 2 performance issues...

---

Severity Levels

| Level | Description | Examples | |-------|-------------|----------| | Critical | Must fix before merge. Security vulnerabilities, data loss risks | SQL injection, hardcoded secrets, auth bypass | | High | Should fix before merge. Significant bugs or security issues | N+1 queries, XSS, missing error handling | | Medium | Fix soon. Code quality, minor bugs | DRY violations, missing tests, complexity | | Low | Nice to have. Suggestions, style | Naming, comments, minor optimizations |

---

Troubleshooting

| Problem | Solution | |---------|----------| | gh: command not found | brew install gh && gh auth login | | No diff output | Check if changes exist: git status | | PR not found | Check PR number and access rights | | Can't post comments | Check permissions: gh auth status | | Review too long | Use --focus to narrow scope | | False positives | Mention specific context to skip |

---

Limitations

• Static analysis only — cannot run code
• Cannot see runtime behavior
• May miss complex cross-file issues
• Needs context for architectural decisions
• GitHub API rate limits when posting many comments
• Language-specific checks may vary in depth

---

If you're getting false positives

Step 1: Use severity filter

Most false positives are low/medium severity. Start with high-only:

"review PR 123 --severity=high"
"review my changes, only critical and high issues"

Step 2: Use focus filter

Narrow to specific categories you care about:

"security review PR 123"
"review PR 123 --focus=bugs,security"
"check only performance issues"

Step 3: Tell Claude to skip specific issues

In the same conversation, provide context:

"ignore the N+1 warning in admin routes - it's intentional, low traffic"
"skip any type warnings in src/legacy/ - that's legacy code"
"the raw SQL in migrations/ is fine, we use raw migrations"

Step 4: Add inline comment in code

For persistent false positives that keep appearing:

// @review-ok: parameterized query handled by ORM
const query = `SELECT * FROM users WHERE id = ${sanitizedId}`;

# @review-ok: global cache intentional for performance
CACHE = {}

Step 5: Report to improve the skill

If the same false positive keeps appearing across reviews:

1. Open issue at github.com/your-org/claude-code-review-skill/issues
2. Include:
   • File and line number
   • What was flagged
   • Why it's a false positive
   • Code snippet if possible

This helps improve the skill for everyone.

---

Default behavior

The skill is designed to minimize false positives out of the box:

• Baseline filtering — Only reports issues introduced in current PR/changes (via git blame)
• Confidence threshold — Only reports issues with ≥70% confidence
• Skips linter territory — Doesn't flag formatting, style issues that ESLint/Prettier catch
• Skips pre-existing issues — Won't complain about old code you didn't touch
• Skips trivial changes — Version bumps, whitespace, documentation-only changes