groupzer0

code-review-checklist

@groupzer0/code-review-checklist
groupzer0
129
16 forks
Updated 1/6/2026
View on GitHub

Structured code review criteria for pre-implementation plan review (Critic) and post-implementation security/quality review. Covers security, performance, maintainability, and correctness with severity ratings.

Installation

$skills install @groupzer0/code-review-checklist
Claude Code
Cursor
Copilot
Codex
Antigravity

Details

Repositorygroupzer0/vs-code-agents
Pathvs-code-agents/skills/code-review-checklist/SKILL.md
Branchmain
Scoped Name@groupzer0/code-review-checklist

Usage

After installing, this skill will be available to your AI coding assistant.

Verify installation:

skills list

Skill Instructions

name: code-review-checklist description: Structured code review criteria for pre-implementation plan review (Critic) and post-implementation security/quality review. Covers security, performance, maintainability, and correctness with severity ratings. license: MIT metadata: author: groupzer0 version: "1.0"

Code Review Checklist

Systematic review criteria for evaluating code and plans. Use this skill when:

  • Critic reviews plans before implementation
  • Security agent conducts code audits
  • Architect reviews architectural compliance
  • UAT validates implementation quality

Review Context

This skill supports two review phases:

PhaseAgentFocusDocuments
Pre-ImplementationCriticPlan quality, clarity, completenessplanning/*.md
Post-ImplementationSecurity, ArchitectCode quality, security, architectureSource code

Pre-Implementation Review (Critic)

Value Statement Assessment (MUST START HERE)

CheckQuestionFinding Severity
PresenceDoes plan have clear value statement in user story format?CRITICAL if missing
ClarityIs "So that" outcome measurable or verifiable?HIGH if vague
AlignmentDoes value support Master Product Objective?CRITICAL if drift
DirectnessIs value delivered directly, not deferred?HIGH if deferred

Plan Completeness

CheckQuestionFinding Severity
ScopeAre boundaries clearly defined?MEDIUM
DeliverablesAre all deliverables listed with acceptance criteria?HIGH
DependenciesAre dependencies identified and sequenced?MEDIUM
RisksAre risks documented with mitigations?LOW
VersionIs semver bump specified with rationale?MEDIUM

Constraint Compliance

CheckQuestionFinding Severity
No CodeDoes plan avoid prescriptive code?LOW
No HowDoes plan focus on WHAT/WHY, not HOW?LOW
ArchitectureDoes plan respect architectural constraints?HIGH

Post-Implementation Review (Security/Architect)

Security Checklist

CategoryCheckSeverity
Input ValidationAll user input validated server-side?CRITICAL
AuthenticationAuth checks on all protected routes?CRITICAL
AuthorizationRBAC/ownership verified before access?CRITICAL
SecretsNo hardcoded credentials or keys?CRITICAL
SQL/InjectionParameterized queries used?CRITICAL
XSSOutput encoding applied?HIGH
CSRFTokens on state-changing requests?HIGH
LoggingSecurity events logged without sensitive data?MEDIUM
DependenciesNo known CVEs in dependencies?Varies

Performance Checklist

CategoryCheckSeverity
N+1 QueriesBatch fetches instead of loops?HIGH
PaginationLarge datasets paginated?HIGH
CachingAppropriate caching strategy?MEDIUM
AsyncLong operations non-blocking?MEDIUM
Resource LimitsBounded allocations?HIGH

Maintainability Checklist

CategoryCheckSeverity
NamingClear, descriptive names?LOW
ComplexityCyclomatic complexity < 10?MEDIUM
CouplingLow coupling between modules?MEDIUM
DocumentationPublic APIs documented?LOW
Error HandlingErrors handled, not swallowed?HIGH
TestsAdequate coverage for changes?HIGH

Architectural Compliance

CategoryCheckSeverity
BoundariesModule boundaries respected?HIGH
PatternsEstablished patterns followed?MEDIUM
DependenciesDependency direction correct?HIGH
Single ResponsibilityClasses/modules focused?MEDIUM

Severity Definitions

SeverityResponseExamples
CRITICALBlock until fixedAuth bypass, SQL injection, no value statement
HIGHFix before mergeMissing validation, N+1 queries, unclear scope
MEDIUMFix in current cycleCode smells, missing docs, minor coupling
LOWTrack for laterStyle issues, optimization opportunities

Finding Format

Document findings consistently:

### [ID]: [Brief Title]
- **Severity**: CRITICAL / HIGH / MEDIUM / LOW
- **Status**: OPEN / ADDRESSED / RESOLVED / DEFERRED
- **Location**: [file:line or plan section]
- **Description**: [What is the issue?]
- **Impact**: [Why does this matter?]
- **Recommendation**: [How to fix?]

Agent-Specific Guidance

For Critic Agent

  • Focus on plan quality, not implementation details
  • Value statement assessment is mandatory first step
  • Reference Planner constraints when reviewing
  • Create critique in agent-output/critiques/

For Security Agent

  • Focus on OWASP Top 10 and injection patterns
  • Reference security-patterns skill for detection
  • Create audit in agent-output/security/
  • Use CVSS-aligned severity

For Architect Agent

  • Focus on system-level design compliance
  • Reference architecture-patterns skill
  • Update system-architecture.md when issues found
  • Include ADR updates if decisions affected

More by groupzer0

View all
document-lifecycle
129

Unified document lifecycle management. Defines terminal statuses, unified numbering via .next-id, close procedures, and orphan detection. Load at session start.

release-procedures
129

Version management, release verification, and deployment procedures for software releases. Includes semver guidance, version consistency checks, and platform-specific constraints.

testing-patterns
129

TDD workflow and test strategy patterns including test pyramid, coverage strategies, mocking approaches, and anti-patterns. Load when writing tests, designing test strategies, or reviewing test coverage.

engineering-standards
129

Core software engineering principles (SOLID, DRY, YAGNI, KISS) with detection patterns and refactoring guidance. Load when reviewing code quality, planning architecture, or identifying technical debt.