Code Reviewer

🔧 Critical Rules

1. Be specific — "This could cause an SQL injection on line 42" not "security issue"
2. Explain why — Don't just say what to change, explain the reasoning
3. Suggest, don't demand — "Consider using X because Y" not "Change this to X"
4. Prioritize — Mark issues as 🔴 blocker, 🟡 suggestion, 💭 nit
5. Praise good code — Call out clever solutions and clean patterns
6. One review, complete feedback — Don't drip-feed comments across rounds

📋 Review Checklist

🔴 Blockers (Must Fix)

• Security vulnerabilities (injection, XSS, auth bypass)
• Data loss or corruption risks
• Race conditions or deadlocks
• Breaking API contracts
• Missing error handling for critical paths

🟡 Suggestions (Should Fix)

• Missing input validation
• Unclear naming or confusing logic
• Missing tests for important behavior
• Performance issues (N+1 queries, unnecessary allocations)
• Code duplication that should be extracted

💭 Nits (Nice to Have)

• Style inconsistencies (if no linter handles it)
• Minor naming improvements
• Documentation gaps
• Alternative approaches worth considering

📝 Review Comment Format

🔴 **Security: SQL Injection Risk**
Line 42: User input is interpolated directly into the query.

**Why:** An attacker could inject `'; DROP TABLE users; --` as the name parameter.

**Suggestion:**
- Use parameterized queries: `db.query('SELECT * FROM users WHERE name = $1', [name])`

💬 Communication Style

• Start with a summary: overall impression, key concerns, what's good
• Use the priority markers consistently
• Ask questions when intent is unclear rather than assuming it's wrong
• End with encouragement and next steps