quanganh208/ck:code-review

Code Review

Adversarial code review with technical rigor, evidence-based claims, and verification over performative responses. Every review includes red-team analysis that actively tries to break the code.

Input Modes

Auto-detect from arguments. If ambiguous or no arguments, prompt via AskUserQuestion.

| Input | Mode | What Gets Reviewed | |-------|------|--------------------| | #123 or PR URL | PR | Full PR diff fetched via gh pr diff | | abc1234 (7+ hex chars) | Commit | Single commit diff via git show | | --pending | Pending | Staged + unstaged changes via git diff | | (no args, recent changes) | Default | Recent changes in context | | codebase | Codebase | Full codebase scan | | codebase parallel | Codebase+ | Parallel multi-reviewer audit |

Resolution details: references/input-mode-resolution.md

No Arguments

If invoked WITHOUT arguments and no recent changes in context, use AskUserQuestion with header "Review Target", question "What would you like to review?":

| Option | Description | |--------|-------------| | Pending changes | Review staged/unstaged git diff | | Enter PR number | Fetch and review a specific PR | | Enter commit hash | Review a specific commit | | Full codebase scan | Deep codebase analysis | | Parallel codebase audit | Multi-reviewer codebase scan |

Core Principle

YAGNI, KISS, DRY always. Technical correctness over social comfort. Be honest, be brutal, straight to the point, and be concise.

Verify before implementing. Ask before assuming. Evidence before claims.

Practices

| Practice | When | Reference | |----------|------|-----------| | Spec compliance | After implementing from plan/spec, BEFORE quality review | references/spec-compliance-review.md | | Adversarial review | Always-on Stage 3 — actively tries to break the code | references/adversarial-review.md | | Receiving feedback | Unclear feedback, external reviewers, needs prioritization | references/code-review-reception.md | | Requesting review | After tasks, before merge, stuck on problem | references/requesting-code-review.md | | Verification gates | Before any completion claim, commit, PR | references/verification-before-completion.md | | Edge case scouting | After implementation, before review | references/edge-case-scouting.md | | Checklist review | Pre-landing, /ck:ship pipeline, security audit | references/checklist-workflow.md | | Task-managed reviews | Multi-file features (3+ files), parallel reviewers, fix cycles | references/task-management-reviews.md |

Quick Decision Tree

SITUATION?
│
├─ Input mode? → Resolve diff (references/input-mode-resolution.md)
│   ├─ #PR / URL → fetch PR diff
│   ├─ commit hash → git show
│   ├─ --pending → git diff (staged + unstaged)
│   ├─ codebase → full scan (references/codebase-scan-workflow.md)
│   ├─ codebase parallel → parallel audit (references/parallel-review-workflow.md)
│   └─ default → recent changes in context
│
├─ Received feedback → STOP if unclear, verify if external, implement if human partner
├─ Completed work from plan/spec:
│   ├─ Stage 1: Spec compliance review (references/spec-compliance-review.md)
│   │   └─ PASS? → Stage 2 │ FAIL? → Fix → Re-review Stage 1
│   ├─ Stage 2: Code quality review (code-reviewer subagent)
│   │   └─ Scout edge cases → Review standards, performance
│   └─ Stage 3: Adversarial review (references/adversarial-review.md) [ALWAYS-ON]
│       └─ Red-team the code → Adjudicate → Accept/Reject findings
├─ Completed work (no plan) → Scout → Code quality → Adversarial review
├─ Pre-landing / ship → Load checklists → Two-pass review → Adversarial review
├─ Multi-file feature (3+ files) → Create review pipeline tasks (scout→review→adversarial→fix→verify)
└─ About to claim status → RUN verification command FIRST

Three-Stage Review Protocol

Stage 1 — Spec Compliance (load references/spec-compliance-review.md)

• Does code match what was requested?
• Any missing requirements? Any unjustified extras?
• MUST pass before Stage 2

Stage 2 — Code Quality (code-reviewer subagent)

• Only runs AFTER spec compliance passes
• Standards, security, performance, edge cases

Stage 3 — Adversarial Review (load references/adversarial-review.md)

• Runs AFTER Stage 2 passes, subject to scope gate (skip if <=2 files, <=30 lines, no security files)
• Spawn adversarial reviewer with context anchoring (runtime, framework, context files)
• Find: security holes, false assumptions, resource exhaustion, race conditions, supply chain, observability gaps
• Output: Accept (must fix) / Reject (false positive) / Defer (GitHub issue) verdicts per finding
• Critical findings block merge; re-reviews use fix-diff-only optimization

Receiving Feedback

Pattern: READ → UNDERSTAND → VERIFY → EVALUATE → RESPOND → IMPLEMENT No performative agreement. Verify before implementing. Push back if wrong.

Full protocol: references/code-review-reception.md

Requesting Review

When: After each task, major features, before merge

Process:

1. Scout edge cases first (see below)
2. Get SHAs: BASE_SHA=$(git rev-parse HEAD~1) and HEAD_SHA=$(git rev-parse HEAD)
3. Dispatch code-reviewer subagent with: WHAT, PLAN, BASE_SHA, HEAD_SHA, DESCRIPTION
4. Fix Critical immediately, Important before proceeding

Full protocol: references/requesting-code-review.md

Edge Case Scouting

When: After implementation, before requesting code-reviewer

Process:

1. Invoke /ck:scout with edge-case-focused prompt
2. Scout analyzes: affected files, data flows, error paths, boundary conditions
3. Review scout findings for potential issues
4. Address critical gaps before code review

Full protocol: references/edge-case-scouting.md

Task-Managed Review Pipeline

When: Multi-file features (3+ changed files), parallel code-reviewer scopes, review cycles with Critical fix iterations.

Fallback: Task tools (TaskCreate/TaskUpdate/TaskGet/TaskList) are CLI-only — unavailable in VSCode extension. If they error, use TodoWrite for tracking and run pipeline sequentially. Review quality is identical.

Pipeline: scout → review → adversarial → fix → verify (each a Task with dependency chain)

TaskCreate: "Scout edge cases"         → pending
TaskCreate: "Review implementation"    → pending, blockedBy: [scout]
TaskCreate: "Adversarial review"       → pending, blockedBy: [review]
TaskCreate: "Fix critical issues"      → pending, blockedBy: [adversarial]
TaskCreate: "Verify fixes pass"        → pending, blockedBy: [fix]

Parallel reviews: Spawn scoped code-reviewer subagents for independent file groups (e.g., backend + frontend). Fix task blocks on all reviewers completing.

Re-review cycles: If fixes introduce new issues, create cycle-2 review task. Limit 3 cycles, escalate to user after.

Full protocol: references/task-management-reviews.md

Verification Gates

Iron Law: NO COMPLETION CLAIMS WITHOUT FRESH VERIFICATION EVIDENCE

Gate: IDENTIFY command → RUN full → READ output → VERIFY confirms → THEN claim

Requirements:

• Tests pass: Output shows 0 failures
• Build succeeds: Exit 0
• Bug fixed: Original symptom passes
• Requirements met: Checklist verified

Red Flags: "should"/"probably"/"seems to", satisfaction before verification, trusting agent reports

Full protocol: references/verification-before-completion.md

Integration with Workflows

• Subagent-Driven: Scout → Review → Adversarial → Verify before next task
• Pull Requests: Scout → Code quality → Adversarial → Merge
• Task Pipeline: Create review tasks with dependencies → auto-unblock through chain
• Cook Handoff: Cook completes phase → review pipeline tasks (incl. adversarial) → all complete → cook proceeds
• PR Review: /code-review #123 → fetch diff → full 3-stage review on PR changes
• Commit Review: /code-review abc1234 → review specific commit with full pipeline

Codebase Analysis Subcommands

| Subcommand | Reference | Purpose | |------------|-----------|---------| | /ck:code-review codebase | references/codebase-scan-workflow.md | Scan & analyze the codebase | | /ck:code-review codebase parallel | references/parallel-review-workflow.md | Ultrathink edge cases, then parallel verify |

Bottom Line

1. Resolve input mode first — know WHAT you're reviewing
2. Technical rigor over social performance
3. Scout edge cases before review
4. Adversarial review on EVERY review — no exceptions
5. Evidence before claims

Verify. Scout. Red-team. Question. Then implement. Evidence. Then claim.