init
This commit is contained in:
100
.opencode/skills/code-review/references/checklists/base.md
Normal file
100
.opencode/skills/code-review/references/checklists/base.md
Normal file
@@ -0,0 +1,100 @@
|
||||
# Base Review Checklist
|
||||
|
||||
Universal checklist for all project types. Two-pass model: critical (blocking) + informational (non-blocking).
|
||||
|
||||
## Instructions
|
||||
|
||||
Review `git diff origin/main` for the issues below. Be specific — cite `file:line` and suggest fixes. Skip anything that's fine. Only flag real problems.
|
||||
|
||||
**Output format:**
|
||||
|
||||
```
|
||||
Pre-Landing Review: N issues (X critical, Y informational)
|
||||
|
||||
**CRITICAL** (blocking):
|
||||
- [file:line] Problem description
|
||||
Fix: suggested fix
|
||||
|
||||
**Issues** (non-blocking):
|
||||
- [file:line] Problem description
|
||||
Fix: suggested fix
|
||||
```
|
||||
|
||||
If no issues: `Pre-Landing Review: No issues found.`
|
||||
|
||||
Be terse. One line problem, one line fix. No preamble.
|
||||
|
||||
---
|
||||
|
||||
## Pass 1 — CRITICAL (blocking)
|
||||
|
||||
### Injection & Data Safety
|
||||
- String interpolation in SQL/database queries (even with type casting — use parameterized queries)
|
||||
- Unsanitized user input written to database or rendered in HTML
|
||||
- Raw HTML output from user-controlled data (`innerHTML`, `dangerouslySetInnerHTML`, `html_safe`, `raw()`, `| safe`)
|
||||
- Command injection via string concatenation in shell commands (use argument arrays)
|
||||
- Path traversal via user input in file operations
|
||||
|
||||
### Race Conditions & Concurrency
|
||||
- Read-check-write without atomic operations (check-then-set should be atomic WHERE + UPDATE)
|
||||
- Find-or-create without unique database constraint (concurrent calls create duplicates)
|
||||
- Status transitions without atomic WHERE old_status + UPDATE new_status
|
||||
- Shared mutable state accessed without synchronization
|
||||
|
||||
### Security Boundaries
|
||||
- Missing authentication checks on new endpoints/routes
|
||||
- Privilege escalation paths (user can access/modify another user's data — IDOR)
|
||||
- Secrets in logs, error responses, or client-side code
|
||||
- LLM/AI output written to database or used in queries without validation
|
||||
- JWT/token comparison using `==` instead of constant-time comparison
|
||||
|
||||
### Auth & Access Control
|
||||
- New API endpoints without auth middleware
|
||||
- Missing authorization check (authenticated but not authorized)
|
||||
- Admin-only operations accessible to regular users
|
||||
- Session fixation or token reuse vulnerabilities
|
||||
|
||||
---
|
||||
|
||||
## Pass 2 — INFORMATIONAL (non-blocking)
|
||||
|
||||
### Conditional Side Effects
|
||||
- Code branches on condition but forgets side effect on one branch (e.g., sets status but not associated data)
|
||||
- Log messages claiming action happened but action was conditionally skipped
|
||||
|
||||
### Magic Numbers & String Coupling
|
||||
- Bare numeric literals used in multiple files — should be named constants
|
||||
- Error message strings used as query filters elsewhere (grep for the string)
|
||||
|
||||
### Dead Code & Consistency
|
||||
- Variables assigned but never read
|
||||
- Stale comments describing old behavior after code changed
|
||||
- Import/require statements for unused modules
|
||||
|
||||
### Test Gaps
|
||||
- Missing negative-path tests (error cases, validation failures)
|
||||
- Assertions on type/status but not side effects (e.g., checks status but not that email was sent)
|
||||
- Missing integration tests for security enforcement (auth, rate limiting, access control)
|
||||
|
||||
### Type Coercion at Boundaries
|
||||
- Values crossing language/system boundaries where type could change (string vs number)
|
||||
- Hash/digest inputs that don't normalize types before serialization
|
||||
|
||||
### Performance
|
||||
- O(n*m) lookups in views/templates (array search inside loops — use hash/map lookup)
|
||||
- Missing pagination on list endpoints returning unbounded results
|
||||
- N+1 queries: loading associations inside loops without eager loading
|
||||
- Unbounded queries without LIMIT
|
||||
|
||||
---
|
||||
|
||||
## Suppressions — DO NOT flag these
|
||||
|
||||
- Redundancy that aids readability (e.g., `present?` redundant with length check)
|
||||
- "Add comment explaining why this threshold was chosen" — thresholds change, comments rot
|
||||
- "This assertion could be tighter" when assertion already covers the behavior
|
||||
- Consistency-only changes (wrapping a value to match how another constant is guarded)
|
||||
- Harmless no-ops (e.g., `.filter()` on array that never contains the filtered value)
|
||||
- ANYTHING already addressed in the diff being reviewed — read the FULL diff before commenting
|
||||
- Style/formatting issues (use a linter for that)
|
||||
- "Consider using X instead of Y" when Y works fine
|
||||
Reference in New Issue
Block a user