Code Review

What to Look For

• Security: Auth bypass, injection, data exposure, improper access control
• Correctness: Logic errors, off-by-one, nil/null handling, error paths
• Concurrency: Race conditions, deadlocks, missing synchronization
• Resources: Leaks, unclosed handles, missing cleanup
• Error handling: Swallowed errors, missing validation, panic paths

What NOT to Comment On

• Style that matches existing Coder patterns (check AGENTS.md first)
• Code that already exists unchanged
• Theoretical issues without concrete impact
• Changes unrelated to the PR's purpose

Coder-Specific Patterns

Authorization Context

// Public endpoints needing system access
dbauthz.AsSystemRestricted(ctx)

// Authenticated endpoints with user context - just use ctx
api.Database.GetResource(ctx, id)

Error Handling

// OAuth2 endpoints use RFC-compliant errors
writeOAuth2Error(ctx, rw, http.StatusBadRequest, "invalid_grant", "description")

// Regular endpoints use httpapi
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{...})

Shell Scripts

set -u only catches UNDEFINED variables, not empty strings:

unset VAR; echo ${VAR}         # ERROR with set -u
VAR=""; echo ${VAR}            # OK with set -u (empty is fine)
VAR="${INPUT:-}"; echo ${VAR}  # OK - always defined

GitHub Actions context variables (github.*, inputs.*) are always defined.

Review Quality

• Explain impact ("causes crash when X" not "could be better")
• Make observations actionable with specific fixes
• Read the full context before commenting on a line
• Check AGENTS.md for project conventions before flagging style

Comment Standards

• Only comment when confident - If you're not 80%+ sure it's a real issue, don't comment. Verify claims before posting.
• No speculation - Avoid "might", "could", "consider". State facts or skip.
• Verify technical claims - Check documentation or code before asserting how something works. Don't guess at API behavior or syntax rules.