code-review

GitHub

提供系统化代码审查方法论,涵盖核心原则、评分标准及PR检查清单。旨在通过自动化与人工结合,提升代码质量、安全性及团队文化,实现高效且人性化的审查流程。

categories/development/code-review/SKILL.md cosmicstack-labs/mercury-agent-skills

Trigger Scenarios

请求进行代码审查 获取PR检查清单 询问代码评审最佳实践

Install

npx skills add cosmicstack-labs/mercury-agent-skills --skill code-review -g -y
More Options

Non-standard path

npx skills add https://github.com/cosmicstack-labs/mercury-agent-skills/tree/main/categories/development/code-review -g -y

Use without installing

npx skills use cosmicstack-labs/mercury-agent-skills@code-review

指定 Agent (Claude Code)

npx skills add cosmicstack-labs/mercury-agent-skills --skill code-review -a claude-code -g -y

安装 repo 全部 skill

npx skills add cosmicstack-labs/mercury-agent-skills --all -g -y

预览 repo 内 skill

npx skills add cosmicstack-labs/mercury-agent-skills --list

SKILL.md

Frontmatter
{
    "name": "code-review",
    "metadata": {
        "tags": [
            "code-review",
            "pull-requests",
            "collaboration",
            "quality-assurance",
            "automation"
        ],
        "author": "cosmicstack-labs",
        "version": "1.0.0",
        "category": "development"
    },
    "description": "Systematic code review methodology, PR checklist, feedback techniques, and review automation patterns"
}

Code Review

Systematic code review methodology for consistent, effective, and humane reviews that improve both code and team culture.

Core Principles

1. Review the Author, Not Just the Code

Every review is a human interaction. The goal is shared understanding and team growth, not ego or gatekeeping. Be constructive, specific, and kind.

2. Catch Problems Early, Fix Them Forever

A bug caught in review costs 10x less than one caught in production. Use each review as an opportunity to add automated checks so the same issue never needs a human review again.

3. Balance Depth with Velocity

Deep reviews catch more issues but slow delivery. Shallow reviews miss things. Adapt depth to risk: security-critical code gets exhaustive review; trivial config changes get a quick skim.

4. Automate Everything You Can

If a reviewer can point out a formatting issue, a lint violation, or a missing test — that check should be automated. Human attention is for design, logic, and tradeoffs.


Code Review Scoring Rubric

Dimension 1 (Poor) 3 (Adequate) 5 (Excellent)
Correctness Obvious bugs missed Catches logic errors Identifies edge cases + security issues
Constructiveness "This is wrong" comments Points to specific lines Suggests alternatives + explains reasoning
Speed Reviews take >5 days Reviews within 48 hours Reviews within 4 hours (same day)
Depth Skims only formatting Checks logic + tests Reviews design, security, performance, test coverage
Automation No CI checks Linting + basic tests Pre-commit hooks, auto-review bots, coverage gates
Consistency Every review is different Team has some standards Defined checklist, shared expectations, documented norms

Target: 4+ in every dimension for a mature review culture.


Actionable Guidance

The PR Checklist

Use this as a template. Adapt to your stack and team norms.

Structure & Design

  • Does the code solve the stated problem? (Check the issue/ticket)
  • Is the change at the right abstraction level? Not over-engineered, not under-designed
  • Does it follow the project's architecture patterns?
  • Are new dependencies justified? Could existing ones be used instead?
  • Is the PR scope contained? No unrelated refactoring mixed in

Correctness

  • Do all edge cases have tests? (Empty states, null inputs, timeouts)
  • Are error paths handled? Not just happy paths
  • Are there race conditions or timing issues? (Async, threading, DB transactions)
  • Does input validation happen at system boundaries?
  • Are state transitions valid? (Status machines, lifecycle changes)

Security

  • Is user input sanitized? (XSS, SQL injection, command injection)
  • Are authentication/authorization checks in place?
  • Are secrets hardcoded? (API keys, passwords, tokens)
  • Is there proper rate limiting or abuse protection?
  • Are dependencies checked for known vulnerabilities?

Performance

  • Are there N+1 queries? (Especially in ORM code)
  • Is there unnecessary computation in hot paths?
  • Are resources properly released? (File handles, DB connections, memory)
  • Could this change cause a regression under load?
  • Are caching opportunities considered?

Testing

  • Are there tests for new functionality?
  • Do existing tests adequately cover the change?
  • Are tests deterministic? (No flaky tests)
  • Do tests test behavior, not implementation?
  • Is there appropriate coverage of error cases?

Readability & Maintainability

  • Are names clear and descriptive?
  • Is there unnecessary complexity? (Over-abstracted, over-patterned)
  • Is documentation updated? (README, API docs, inline comments)
  • Are there TODO/FIXME/HACK comments that need addressing?
  • Will this be understandable in 6 months?

Feedback Techniques

The SBI Model (Situation-Behavior-Impact)

**Situation**: In the `calculateDiscount()` function (line 42-58)
**Behavior**: You're using floating-point arithmetic for currency values
**Impact**: This can cause precision errors — 0.1 + 0.2 !== 0.3 in IEEE 754
**Suggestion**: Consider using `Decimal` from the standard library instead

Classification Tags

Prefix review comments for clarity:

Prefix Meaning Example
nit: Minor preference, non-blocking nit: trailing whitespace on line 12
suggestion: Alternative approach suggestion: consider extracting this validation to a shared utility
blocking: Must be resolved before merge blocking: this SQL query is vulnerable to injection
question: Seeking understanding question: why is the timeout set to 30s here?
praise: Positive reinforcement praise: great use of the strategy pattern here — very extensible

The Feedback Sandwich (Use Sparingly)

Praise:  "Great approach using the observer pattern here."
Constructive: "One concern — the unsubscribe logic isn't cleaning up listeners."
Praise:  "Overall this is solid. Thanks for the thorough test coverage."

Caution: The sandwich can feel manipulative. Sometimes direct feedback is better.

Code Review as Conversation

// Reviewer: "I'm worried about this early return — what happens if data is null?"
// Author: "Good catch — data shouldn't be null here but adding a guard makes it safer."
// Reviewer: "Yeah, and maybe log a warning so we can monitor it in prod?"

// Final code:
function processUserData(data) {
  if (!data) {
    logger.warn('processUserData called with null data');
    return { error: 'No data provided' };
  }
  // ... rest of processing
}

Review Automation Patterns

Automated Pre-Checks (Run on PR Open)

# .github/workflows/review-checks.yml
name: Pre-review Checks
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm ci
      - run: npm run lint
      - run: npm run type-check
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm ci
      - run: npm run test -- --coverage
      - uses: actions/comment-on-pr@v1
        if: failure()
        with:
          message: '⚠️ Tests failed. Please check the CI logs.'
  size:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v4
      - run: |
          SIZE=$(git diff --stat main...HEAD | tail -1 | awk '{print $4}')
          if [ $SIZE -gt 400 ]; then
            echo "⚠️ PR exceeds 400 lines — consider splitting"
          fi

Danger.js / Danger.swift / Danger-Kotlin

Danger runs rules in CI to automate common review comments:

// dangerfile.js
import { danger, warn, fail, message } from 'danger'

const { modified, created } = danger.git

// Enforce PR description
if (!danger.github.pr.body || danger.github.pr.body.length < 10) {
  warn('Please provide a more detailed PR description.')
}

// Enforce changelog entry
const hasChangelog = modified.includes('CHANGELOG.md')
if (!hasChangelog && !danger.github.pr.labels.includes('no-changelog')) {
  warn('Changes should be documented in CHANGELOG.md')
}

// Warn on large PRs
const totalLines = danger.github.pr.additions + danger.github.pr.deletions
if (totalLines > 400) {
  warn(`Large PR (${totalLines} lines). Consider splitting into smaller PRs.`)
}

// Check for test files
const hasTests = created.some(f => f.includes('.test.') || f.includes('.spec.'))
if (!hasTests && modified.some(f => f.endsWith('.ts') && !f.endsWith('.test.ts'))) {
  warn('No test files found — consider adding tests for new/modified code')
}

// Flag debug code
const debugStatements = ['console.log', 'debugger', 'print(']
const changes = [...danger.git.created_files, ...danger.git.modified_files]
changes.forEach(file => {
  // Check file content for debug statements
})

Review Bot Rules

// review-bot-rules.json
{
  "rules": [
    {
      "name": "no-debugger",
      "pattern": "debugger;?",
      "message": "🚫 Remove `debugger` statement before merging",
      "severity": "error"
    },
    {
      "name": "no-console-log",
      "pattern": "console\\.(log|debug|info)\\(",
      "message": "⚠️ Use a proper logger instead of console.log",
      "severity": "warning",
      "exceptions": ["src/cli/", "scripts/"]
    },
    {
      "name": "todo-left",
      "pattern": "TODO|FIXME|HACK",
      "message": "📝 TODO/FIXME found — is this intentional?",
      "severity": "warning"
    },
    {
      "name": "hardcoded-secret",
      "pattern": "(?:api[_-]?key|secret|password|token)\\s*[:=]\\s*['\"][A-Za-z0-9]{16,}",
      "message": "🔑 Possible hardcoded secret detected",
      "severity": "error"
    }
  ]
}

Reviewing by Type

New Feature Review

  1. Understand the requirements first — read the linked issue/ticket
  2. Check that the feature does what was requested, no more, no less
  3. Verify test coverage for the new functionality
  4. Check for regressions in existing behavior
  5. Review the API surface — is it consistent with the rest of the system?

Bug Fix Review

  1. Read the bug report — understand the reproduction steps
  2. Verify that the fix actually resolves the reported issue
  3. Check that there's a regression test that would catch this bug
  4. Look for the same bug pattern elsewhere in the codebase
  5. Consider whether the fix addresses the root cause or just the symptom

Refactoring Review

  1. Verify behavior preservation — tests should pass without modification
  2. Check that the refactoring actually improves the code (not just changes it)
  3. Look for missing abstractions or extracted patterns
  4. Ensure the refactoring scope is contained (no feature bugs hidden in refactor)
  5. Confirm documentation is updated for renamed/moved code

Dependency Update Review

  1. Read the changelog of the updated dependency
  2. Check for breaking changes and API differences
  3. Verify that tests pass with the new version
  4. Consider security implications and vulnerability fixes
  5. Audit whether the new version introduces new transitive dependencies

Building a Review Culture

Team Standards Document

# Our Team's Code Review Standards

## Expectations
- Review requests within 4 hours during working hours
- PRs < 400 lines get reviewed within 24 hours
- PRs < 100 lines get reviewed within 4 hours
- No PR merged without at least one approval
- Critical fixes can skip review but need post-merge review

## What We Review In Depth
- Security-sensitive code (auth, payments, PII)
- Public API changes
- Database schema changes
- Concurrency/async code

## What We Skim
- Generated code
- Configuration files
- Test-only changes (if trivial)
- Dependency bumps (if lockfile-only)

Review Velocity Metrics

Track these to improve your team's review culture:

Metric Target How to Measure
Time to first review <4 hours GitHub API: first review timestamp - PR open timestamp
Time to merge <24 hours for small PRs GitHub API: merge timestamp - PR open timestamp
Review depth >2 comments per 100 lines Count comments vs line count
Review latency <1 hour for blocking comments Time between blocking comment and response
Approval ratio >80% PRs approved on first review Count PRs approved vs PRs with revisions requested

Handling Disagreements

## When You Disagree With a Review

1. **Ask clarifying questions** — "I'm not sure I understand the concern, could you elaborate?"
2. **Explain your reasoning** — "I chose this approach because..."
3. **Acknowledge valid points** — "That's a good point about edge cases, I hadn't considered that."
4. **Propose compromises** — "How about I keep the current structure but add better documentation?"
5. **Escalate if needed** — "We have two valid approaches here. Let's get a third opinion or make a team decision."

## When An Author Disagrees With Your Review

1. **Re-evaluate** — Are you being too strict? Is this truly important?
2. **Accept good counter-arguments** — "You're right, the performance concern is negligible here."
3. **Agree to disagree with documentation** — "Let's document this tradeoff and move on."
4. **Use blocking sparingly** — Only block for correctness, security, or maintainability issues.

Common Mistakes

  1. Nitpicking style while missing logic bugs: Style is automatable. Logic isn't. Prioritize your attention.
  2. Rubber-stamping without reviewing: Trust but verify. Even good developers make mistakes.
  3. Being overly critical on the first pass: Start with the big picture, then zoom in. Don't overwhelm the author.
  4. Not reviewing at all: "LGTM" without review is not code review — it's code abandonment.
  5. Reviewing too late: Stale PRs accumulate merge conflicts and context loss. Review promptly.
  6. Forgetting positive feedback: Review isn't just for finding problems. Acknowledge good solutions.
  7. Applying personal style preferences as rules: Team conventions > personal preferences. Don't block over tabs vs spaces.
  8. Merging failing CI: Never override CI failures without explicit team agreement.
  9. Not automating the automatable: If a human can write a regex for it, a bot can check it forever.

Version History

  • 38e2523 Current 2026-07-05 19:38

Same Skill Collection

categories/ai-ml/agent-audit-logging/SKILL.md
categories/ai-ml/agent-handoff-protocols/SKILL.md
categories/ai-ml/agent-health-monitoring/SKILL.md
categories/ai-ml/agent-task-delegation/SKILL.md
categories/ai-ml/ai-agent-design/SKILL.md
categories/ai-ml/error-recovery-retry/SKILL.md
categories/ai-ml/memory-management/SKILL.md
categories/ai-ml/prompt-engineering/SKILL.md
categories/ai-ml/prompt-version-management/SKILL.md
categories/ai-ml/token-budget-tracking/SKILL.md
categories/automation/daily-briefing/SKILL.md
categories/automation/screenshot/SKILL.md
categories/automation/shell-scripting/SKILL.md
categories/automation/twitter-account-manager/SKILL.md
categories/automation/workflow-automation/SKILL.md
categories/automation/x-twitter-automation/SKILL.md
categories/backend/api-design/SKILL.md
categories/backend/authentication-authorization/SKILL.md
categories/backend/caching-strategies/SKILL.md
categories/backend/database-design/SKILL.md
categories/backend/message-queues/SKILL.md
categories/backend/microservices/SKILL.md
categories/backend/nodejs-patterns/SKILL.md
categories/backend/python-patterns/SKILL.md
categories/backend/serverless-patterns/SKILL.md
categories/business/event-staffing-compliance/SKILL.md
categories/business/event-staffing-ordering/SKILL.md
categories/business/negotiation/SKILL.md
categories/business/startup-strategy/SKILL.md
categories/career/career-planning/SKILL.md
categories/career/interview-prep/SKILL.md
categories/career/linkedin-optimization/SKILL.md
categories/career/resume-writing/SKILL.md
categories/career/salary-negotiation/SKILL.md
categories/creative-personal-development/content-repurposer/SKILL.md
categories/creative-personal-development/daily-standup-journal/SKILL.md
categories/creative-personal-development/decision-matrix/SKILL.md
categories/creative-personal-development/idea-validator/SKILL.md
categories/creative-personal-development/meeting-note-summarizer/SKILL.md
categories/creative-personal-development/personal-branding-statement/SKILL.md
categories/creative-personal-development/storytelling-advisor/SKILL.md
categories/creative-personal-development/time-blocking-scheduler/SKILL.md
categories/data/data-pipeline/SKILL.md
categories/design/accessibility/SKILL.md
categories/design/ui-design-system/SKILL.md
categories/development/api-documentation/SKILL.md
categories/development/architecture-decision-records/SKILL.md
categories/development/clean-code/SKILL.md
categories/development/debugging-mastery/SKILL.md
categories/development/dependency-management/SKILL.md
categories/development/documentation-generation/SKILL.md
categories/development/git-workflow/SKILL.md
categories/development/hyperframes-cli/SKILL.md
categories/development/hyperframes-media/SKILL.md
categories/development/knowledge-base/SKILL.md
categories/development/markdown-mastery/SKILL.md
categories/development/refactoring-patterns/SKILL.md
categories/development/technical-writing/SKILL.md
categories/development/testing-strategies/SKILL.md
categories/devops/ci-cd-pipeline/SKILL.md
categories/devops/cloud-architecture/SKILL.md
categories/devops/docker-patterns/SKILL.md
categories/devops/kubernetes-patterns/SKILL.md
categories/devops/monitoring-observability/SKILL.md
categories/devops/sre-practices/SKILL.md
categories/devops/terraform-iac/SKILL.md
categories/education-learning/assessment-design/SKILL.md
categories/education-learning/learning-science/SKILL.md
categories/education-learning/micro-learning/SKILL.md
categories/education-learning/teaching-methods/SKILL.md
categories/finance-legal/budgeting-forecasting/SKILL.md
categories/finance-legal/contract-review/SKILL.md
categories/finance-legal/financial-analysis/SKILL.md
categories/finance-legal/privacy-compliance/SKILL.md
categories/finance-legal/risk-management/SKILL.md
categories/frontend/component-design-systems/SKILL.md
categories/frontend/frontend-testing/SKILL.md
categories/frontend/nextjs-patterns/SKILL.md
categories/frontend/react-patterns/SKILL.md
categories/frontend/responsive-design/SKILL.md
categories/frontend/state-management/SKILL.md
categories/frontend/tailwind-css/SKILL.md
categories/frontend/web-performance/SKILL.md
categories/health-wellness/fitness-planning/SKILL.md
categories/health-wellness/habit-formation/SKILL.md
categories/health-wellness/mental-health/SKILL.md
categories/health-wellness/nutrition-planning/SKILL.md
categories/health-wellness/sleep-optimization/SKILL.md
categories/marketing/content-creation/SKILL.md
categories/marketing/local-business-growth/SKILL.md
categories/marketing/seo-strategy/SKILL.md
categories/media-download/audio-extraction/SKILL.md
categories/media-download/github-repo-promo/SKILL.md
categories/media-download/github-repo-tour/SKILL.md
categories/media-download/legal-downloading/SKILL.md
categories/media-download/playlist-archiver/SKILL.md
categories/media-download/video-downloader/SKILL.md
categories/mobile/android-kotlin-patterns/SKILL.md
categories/mobile/app-store-optimization/SKILL.md
categories/mobile/ios-swift-patterns/SKILL.md
categories/mobile/mobile-performance/SKILL.md
categories/mobile/react-native-patterns/SKILL.md
categories/pdf-generation/invoice-document-pdf/SKILL.md
categories/pdf-generation/markdown-to-pdf/SKILL.md
categories/pdf-generation/report-generation/SKILL.md
categories/pdf-generation/typesetting-latex/SKILL.md
categories/presentation/data-storytelling/SKILL.md
categories/presentation/pitch-deck-creation/SKILL.md
categories/presentation/presentation-automation/SKILL.md
categories/presentation/presentation-design/SKILL.md
categories/product/product-strategy/SKILL.md
categories/product/user-research/SKILL.md
categories/security/security-audit/SKILL.md
categories/shop-restaurant/amazon-assistant/SKILL.md
categories/shop-restaurant/daily-pulse/SKILL.md
categories/shop-restaurant/inventory-optimizer/SKILL.md
categories/shop-restaurant/menu-engineer/SKILL.md
categories/shop-restaurant/price-scout/SKILL.md
categories/shop-restaurant/review-responder/SKILL.md
categories/shop-restaurant/social-post/SKILL.md
categories/shop-restaurant/staff-scheduler/SKILL.md
categories/shop-restaurant/table-manager/SKILL.md
categories/shop-restaurant/zomato-order/SKILL.md
categories/testing-qa/accessibility-testing/SKILL.md
categories/testing-qa/api-testing/SKILL.md
categories/testing-qa/e2e-testing/SKILL.md
categories/testing-qa/performance-testing/SKILL.md
categories/testing-qa/test-strategy/SKILL.md
categories/ai-ml/gbrain-lite/SKILL.md
categories/development/hyperframes/SKILL.md
categories/pdf-generation/any2pdf/SKILL.md

Metadata

Files
0
Version
38e2523
Hash
5474df75
Indexed
2026-07-05 19:38

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-09 03:41
浙ICP备14020137号-1 $Гость$