
Code Review

name: code-review

description: Review code for correctness, security, performance, and standards compliance. Use when code is ready for peer review, before merging any pull request, auditing legacy code for issues, or enforcing coding standards across a team.

Code Review

Instructions

Review code precisely, constructively, and against the team's agreed standards. Every review comment must state why the change matters (the risk, the bug, or the convention it violates), not just what to change.

Review comment severity labels:

  • 🚨 BLOCKER — must fix before merge; no exceptions
  • ⚠️ CONCERN — should fix; can merge with documented, explicit justification
  • 💡 SUGGESTION — optional improvement; non-blocking; improves quality

Universal review checklist (all languages):

  • No credentials, API keys, passwords, or secrets in any file
  • No debug/development-only code committed (console.log, var_dump, print statements without guards)
  • Error states handled — no silent failures
  • Logging present at appropriate levels (not too verbose, not absent)
  • No commented-out code without explanation

Security review (flag each of these as BLOCKER):

  • Hardcoded secrets in any form (credentials, tokens, private keys), including in fixtures and example configs
  • SQL or command injection: user input concatenated or formatted into a query or shell command instead of passed as a bound parameter or an argument list
  • Missing authentication or authorization checks on new endpoints or privileged operations
  • eval() or exec() (or their language equivalents) over user-controlled data
  • Unvalidated file paths built from user input (path traversal); validate the resolved path, not the raw string
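The three injection-class items above are easiest to recognise side by side. The following is an added example, not code from the page: each vulnerable function is shown next to the fix a reviewer would ask for. The users table, the setting-parsing helpers and the /srv/uploads base directory are all constructed for the example.

```python
import ast
import sqlite3
from pathlib import Path


def make_users_db():
    """Constructed in-memory table for the example (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # BLOCKER: user input is concatenated into the SQL text, so a value such as
    # "' OR '1'='1" rewrites the WHERE clause and returns every row.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Fix: bind the value as a parameter; the driver never parses it as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def parse_setting_vulnerable(text):
    # BLOCKER: eval() runs arbitrary Python supplied by the caller.
    return eval(text)


def parse_setting_safe(text):
    # Fix: literal_eval accepts only literals (numbers, strings, lists, dicts)
    # and raises ValueError for calls, attribute access or imports.
    return ast.literal_eval(text)


def is_safe_upload_path(base_dir, user_path):
    """Return True only if base_dir/user_path resolves strictly inside base_dir.

    resolve() normalises '..' segments and follows symlinks, so the decision is
    made on the real location rather than on the string the user supplied. An
    absolute user_path replaces base_dir when joined and is rejected the same way.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    return base in candidate.parents


if __name__ == "__main__":
    db = make_users_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # both rows leak
    print("safe:      ", find_user_safe(db, payload))        # []
    print("traversal: ", is_safe_upload_path("/srv/uploads", "../../etc/passwd"))
```

A review comment on the vulnerable forms should cite the concrete payload that breaks them (as the comments above do), since "use parameters" on its own tells the author what to change but not why the current code is a BLOCKER.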

Performance review:

  • Database queries inside loops (N+1 problem)
  • Missing indexes on frequently queried columns
  • Unnecessary full-file loads when section access is sufficient
  • Missing caching for expensive, repeated computations
  • Memory-intensive operations on large datasets without streaming
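The N+1 item is the one most often argued about in review because the loop "looks fine" in isolation, so it helps to measure it. The following added example (not from the page) uses sqlite3's statement trace callback to count the queries a function issues, comparing a per-row lookup in a loop with a single joined query over the same constructed authors/posts tables.

```python
import sqlite3


def make_blog_db():
    """Constructed in-memory schema and rows for the example (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, title TEXT);
        """
    )
    conn.executemany("INSERT INTO authors VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                     [(1, 1, "intro"), (2, 1, "followup"), (3, 2, "notes")])
    return conn


def titles_by_author_n_plus_one(conn):
    # CONCERN: one query for the authors, then one more per author (N+1).
    result = {}
    for author_id, name in conn.execute("SELECT id, name FROM authors"):
        rows = conn.execute("SELECT title FROM posts WHERE author_id = ?", (author_id,))
        result[name] = [title for (title,) in rows]
    return result


def titles_by_author_joined(conn):
    # Fix: a single LEFT JOIN returns every author (including those with no
    # posts) in one round trip; grouping happens in Python.
    result = {}
    rows = conn.execute(
        "SELECT a.name, p.title FROM authors a "
        "LEFT JOIN posts p ON p.author_id = a.id "
        "ORDER BY a.id, p.id"
    )
    for name, title in rows:
        result.setdefault(name, [])
        if title is not None:
            result[name].append(title)
    return result


def count_queries(conn, fn):
    """Run fn(conn) and return (number of SQL statements executed, fn's result).

    sqlite3's trace callback fires once per statement the engine actually runs,
    so it counts exactly what the database sees, not what the code appears to do.
    """
    executed = []
    conn.set_trace_callback(lambda statement: executed.append(statement))
    try:
        result = fn(conn)
    finally:
        conn.set_trace_callback(None)
    return len(executed), result


if __name__ == "__main__":
    db = make_blog_db()
    for fn in (titles_by_author_n_plus_one, titles_by_author_joined):
        n, out = count_queries(db, fn)
        print(f"{fn.__name__}: {n} queries -> {out}")
```

With three authors the loop issues four statements and the join issues one; the gap grows linearly with the table, which is the number to quote in the review comment.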

Code quality review:

  • Functions longer than 50 lines (consider splitting)
  • Cyclomatic complexity > 10 (too many branches)
  • Magic numbers/strings without named constants
  • Duplicated code that could be extracted to shared utility
  • Variable names that don’t convey intent
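The length and complexity thresholds above are mechanical, so they are best applied by a script rather than by eye. The following added example (not from the page) computes cyclomatic complexity per function from Python's ast module, counting each if/elif, loop, except handler, conditional expression, comprehension clause and extra boolean operand as one branch, and reports functions that exceed the two thresholds. The sample source it scans is constructed for the example.

```python
import ast


class ComplexityVisitor(ast.NodeVisitor):
    """Cyclomatic complexity: 1 plus one per decision point in the body."""

    def __init__(self):
        self.complexity = 1

    def _branch(self, node):
        self.complexity += 1
        self.generic_visit(node)

    visit_If = visit_IfExp = visit_For = visit_AsyncFor = _branch
    visit_While = visit_ExceptHandler = _branch

    def visit_BoolOp(self, node):
        # `a and b or c` adds one decision per additional operand.
        self.complexity += len(node.values) - 1
        self.generic_visit(node)

    def visit_comprehension(self, node):
        # Each `for` clause and each `if` filter inside a comprehension branches.
        self.complexity += 1 + len(node.ifs)
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        # Nested functions are scored separately; do not fold them into the parent.
        pass

    visit_AsyncFunctionDef = visit_FunctionDef


def _functions(tree):
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            yield node


def function_complexities(source):
    """Map each function name in `source` to its cyclomatic complexity."""
    results = {}
    for fn in _functions(ast.parse(source)):
        visitor = ComplexityVisitor()
        for statement in fn.body:
            visitor.visit(statement)
        results[fn.name] = visitor.complexity
    return results


def review_findings(source, max_complexity=10, max_lines=50):
    """Return (function, metric, value) for every threshold the checklist flags."""
    tree = ast.parse(source)
    complexities = function_complexities(source)
    findings = []
    for fn in _functions(tree):
        if complexities[fn.name] > max_complexity:
            findings.append((fn.name, "complexity", complexities[fn.name]))
        length = fn.end_lineno - fn.lineno + 1
        if length > max_lines:
            findings.append((fn.name, "length", length))
    return findings


# Constructed sample for the example: classify() has 7 decision points.
SAMPLE = '''
def classify(request):
    if request is None:
        return "empty"
    if request.method == "GET" and request.path.startswith("/api"):
        return "api-read"
    for header in request.headers:
        if header.lower() == "authorization":
            return "authed"
    try:
        body = request.json()
    except ValueError:
        return "bad-json"
    return "ok" if body else "no-body"

def add(a, b):
    return a + b
'''

if __name__ == "__main__":
    print(function_complexities(SAMPLE))
    print(review_findings(SAMPLE, max_complexity=5, max_lines=10))
```

The thresholds are parameters because the checklist's 50 lines and complexity 10 are a team convention, not a law; a reviewer still reads the function before deciding whether the number justifies a CONCERN or only a SUGGESTION.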

Architecture and documentation review:

  • Architecture patterns are consistent with existing codebase conventions
  • New abstractions are justified and well-bounded (not premature)
  • Public APIs and complex functions have adequate documentation
  • README or docs updated if behavior or setup instructions changed
  • Refactoring opportunities flagged for future improvement (non-blocking)

Review summary format:


## Review: [File or Feature Name]
**Decision**: ✅ Approved | ⚠️ Approved with concerns | 🚨 Changes required

### Blockers ([N])
[List]

### Concerns ([N])
[List]

### Suggestions ([N])
[List]

### What's done well
[Acknowledge good patterns — this is not optional]

Antigravity diff artifact review:

When reviewing proposed fixes from Antigravity debug sessions, apply the same severity labels and checklists above to the diffs in Walkthrough artifacts. Additional checks for Antigravity-sourced diffs:

  • Verify the change is limited to the file/function the agent investigated (no scope creep)
  • Confirm no modifications to CLAUDE.md, .cursorrules, or context files
  • Check that the fix addresses the root cause, not just the symptom
  • For parallel agent sessions, cross-reference findings from multiple agents to catch conflicting proposals

Antigravity’s Agent Manager supports dispatching parallel code review agents — use this for large changesets where one agent reviews security concerns while another reviews performance.

See the antigravity-debugging skill for the full diff review protocol and [CONTEXT-UPDATE] flag handling.

Outputs: Per-file inline comments with severity labels, review summary with decision, security findings list, code quality scorecard (1-5 scale per dimension: correctness, security, performance, maintainability, test coverage).
