Code Review Patterns Overview Code reviews catch bugs before they ship. But reviewing code quality before functionality is backwards. Core principle: First verify it works, THEN verify it's good. Signal Quality Rule Flag ONLY when certain. False positives erode trust and waste remediation cycles. Flag Do NOT Flag Will fail to compile/parse (syntax, type, import errors) Style preferences not in project guidelines Logic error producing wrong results for all inputs Potential issues dependent on specific inputs/state Clear guideline violation (quote the exact rule) Subjective improvements or nitpicks Quick Review Checklist (Reference Pattern) For rapid reviews, check these 8 items: Code is simple and readable Functions and variables are well-named No duplicated code Proper error handling No exposed secrets or API keys Input validation implemented Good test coverage Performance considerations addressed The Iron Law NO CODE QUALITY REVIEW BEFORE SPEC COMPLIANCE If you haven't verified the code meets requirements, you cannot review code quality. Two-Stage Review Process Stage 1: Spec Compliance Review Does it do what was asked? Read the Requirements What was requested? What are the acceptance criteria? What are the edge cases? Trace the Implementation Does the code implement each requirement? Are all edge cases handled? Does it match the spec exactly? Test Functionality Run the tests Manual test if needed Verify outputs match expectations Gate: Only proceed to Stage 2 if Stage 1 passes. Stage 2: Code Quality Review Is it well-written? Review in priority order: Security - Vulnerabilities that could be exploited Correctness - Logic errors, edge cases missed Performance - Unnecessary slowness Maintainability - Hard to understand or modify UX - User experience issues (if UI involved) Accessibility - A11y issues (if UI involved) Security Review Checklist Reference: OWASP Top 10 - Check against industry standard vulnerabilities. Check Looking For Example Vulnerability Input validation Unvalidated user input SQL injection, XSS Authentication Missing auth checks Unauthorized access Authorization Missing permission checks Privilege escalation Secrets Hardcoded credentials API key exposure SQL queries String concatenation SQL injection Output encoding Unescaped output XSS attacks CSRF Missing tokens Cross-site request forgery File handling Path traversal Reading arbitrary files Security Quick-Scan Commands Run before any review:
Check for hardcoded secrets
grep -rE "(api[_-]?key|password|secret|token)\s[:=]" --include = ".ts" --include = "*.js" src/
Check for SQL injection risk
grep -rE "(query|exec)\s(" --include = ".ts" src/ | grep -v "parameterized"
Check for dangerous patterns
grep -rE "(eval(|innerHTML\s=|dangerouslySetInnerHTML)" --include = ".ts" --include = "*.tsx" src/
Check for console.log (remove before production)
grep
-rn
"console.log"
--include
=
".ts"
--include
=
".tsx"
src/
LSP-Powered Code Analysis
Use LSP for semantic understanding during reviews:
Task
LSP Tool
Why Better Than Grep
Find all callers of a function
lspCallHierarchy(incoming)
Finds actual calls, not string matches
Find all usages of a type/variable
lspFindReferences
Semantic, not text-based
Navigate to definition
lspGotoDefinition
Jumps to actual definition
Understand what function calls
lspCallHierarchy(outgoing)
Maps call chain
Review Workflow with LSP:
localSearchCode
→ find symbol + get lineHint
lspGotoDefinition(lineHint=N)
→ understand implementation
lspFindReferences(lineHint=N)
→ check all usages for consistency
lspCallHierarchy(incoming)
→ verify callers handle changes
CRITICAL:
Always get lineHint from localSearchCode first. Never guess line numbers.
Critical Security Patterns:
Pattern
Risk
Detection
Fix
Hardcoded secret
API key exposure
grep -r "sk-" src/
Use env var
SQL concatenation
SQL injection
query(\
SELECT...${id})
Parameterized query
innerHTML = userInput
XSS
grep for innerHTML
Use textContent
eval(userInput)
Code injection
grep for eval
Never eval user input
Missing auth check
Unauthorized access
Review API routes
Add middleware
CORS
*
Cross-origin attacks
Check CORS config
Whitelist origins
OWASP Top 10 Quick Reference:
Injection (SQL, Command, XSS)
Broken Authentication
Sensitive Data Exposure
XXE (XML External Entities)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Vulnerable Components
Insufficient Logging
Full security review:
See
OWASP Top 10
For each security issue found:
-
[CRITICAL] SQL injection at
src/api/users.ts:45
-
Problem: User input concatenated into query
-
Fix: Use parameterized query
-
Code:
db.query(\
SELECT * FROM users WHERE id = ?`, [userId])`
Quality Review Checklist
Check
Good
Bad
Naming
calculateTotalPrice()
calc()
,
doStuff()
Functions
Does one thing
Multiple responsibilities
Complexity
Linear flow
Nested conditions
Duplication
DRY where sensible
Copy-paste code
Error handling
Graceful failures
Silent failures
Clarity
Explicit, readable flow
Nested ternaries, dense one-liners
Testability
Injectable dependencies
Global state
Type Design Red Flags (Typed Languages)
Anti-Pattern
Problem
Fix
Exposed mutable internals
External code breaks invariants
Return copies or readonly
No constructor validation
Invalid instances created
Validate at construction
Invariants in docs only
Not enforced, easily broken
Encode in type system
Anemic domain model
Data without behavior
Add methods enforcing rules
Hidden Failure Patterns
Pattern
Why It Hides Failures
?.
chains without logging
Silently skips failed operations
?? defaultValue
masking
Hides null/undefined source errors
Catch-log-continue
User never sees the failure
Retry exhaustion without notice
Fails silently after N attempts
Fallback chains without explanation
Masks root cause with alternatives
Clarity Over Brevity
Nested ternary
a ? b ? c : d : e
→ Use if/else or switch
Dense one-liner saving 2 lines → 3 clear lines over 1 clever line
Chained
.map().filter().reduce()
with complex callbacks → Named intermediates
Pattern Recognition Criteria
During reviews, identify patterns worth documenting:
Criteria
What to Look For
Example
Tribal
Knowledge new devs wouldn't know
"All API responses use envelope structure"
Opinionated
Specific choices that could differ
"We use snake_case for DB, camelCase for JS"
Unusual
Not standard framework patterns
"Custom retry logic with backoff"
Consistent
Repeated across multiple files
"All services have health check endpoint"
If you spot these during review:
Note the pattern in review feedback
Include in your
Memory Notes (Patterns section)
- router will persist to patterns.md via Memory Update task
Flag inconsistencies from established patterns
Performance Review Checklist
Pattern
Problem
Fix
N+1 queries
Loop with DB call
Batch query
Unnecessary loops
Iterating full list
Early return
Missing cache
Repeated expensive ops
Add caching
Memory leaks
Objects never cleaned
Cleanup on dispose
Sync blocking
Blocking main thread
Async operation
UX Review Checklist (UI Code)
Check
Verify
Loading states
Shows loading indicator
Error states
Shows helpful error message
Empty states
Shows appropriate empty message
Success feedback
Confirms action completed
Form validation
Shows inline errors
Responsive
Works on mobile/tablet
Accessibility Review Checklist (UI Code)
Check
Verify
Semantic HTML
Uses correct elements (button, not div)
Alt text
Images have meaningful alt text
Keyboard
All interactions keyboard accessible
Focus
Focus visible and logical order
Color contrast
Meets WCAG AA (4.5:1 text)
Screen reader
Labels and ARIA where needed
Severity Classification
Severity
Definition
Action
CRITICAL
Security vulnerability or blocks functionality
Must fix before merge
MAJOR
Affects functionality or significant quality issue
Should fix before merge
MINOR
Style issues, small improvements
Can merge, fix later
NIT
Purely stylistic preferences
Optional
Multi-Signal Review Methodology
Each Stage 2 pass produces an independent signal. Score each dimension separately.
HARD signals
(any failure blocks approval):
Security:
One real vulnerability = dimension score 0
Correctness:
One logic error producing wrong output = dimension score 0
SOFT signals
(concerns noted, don't block alone):
Performance:
Scaling concern without immediate impact
Maintainability:
Complex but functional code
UX/A11y:
Missing states but core flow works
Aggregation rule:
If ANY HARD signal = 0 → STATUS: CHANGES_REQUESTED (non-negotiable)
CONFIDENCE = min(HARD scores), reduced by max 10 if SOFT signals are low
Include per-signal breakdown in Router Handoff for targeted remediation
Evidence requirement per signal:
Each signal MUST cite specific file:line. A signal without evidence = not reported.
Do NOT Flag (False Positive Prevention)
Pre-existing issues not introduced by this change
Correct code that merely looks suspicious
Pedantic nitpicks a senior engineer would not flag
Issues linters already catch (don't duplicate tooling)
General quality concerns not required by project guidelines
Issues explicitly silenced via lint-ignore comments
Priority Output Format (Feedback Grouping)
Organize feedback by priority (from reference pattern):
Code Review Feedback
Critical (must fix before merge)
[95] SQL injection at
src/api/users.ts:45
→ Fix: Use parameterized query
db.query('SELECT...', [userId])
Warnings (should fix)
[85] N+1 query at
src/services/posts.ts:23
→ Fix: Batch query with WHERE IN clause
Suggestions (consider improving)
[70] Function
calc()
could be renamed to
calculateTotal()
→ More descriptive naming
ALWAYS include specific examples of how to fix each issue.
Don't just say "this is wrong" - show the correct approach.
Red Flags - STOP and Re-review
If you find yourself:
Reviewing code style before checking functionality
Not running the tests
Skipping the security checklist
Giving generic feedback ("looks good")
Not providing file:line citations
Not explaining WHY something is wrong
Not providing fix recommendations
STOP. Start over with Stage 1.
Rationalization Prevention
Excuse
Reality
"Tests pass so it's fine"
Tests can miss requirements. Check spec compliance.
"Code looks clean"
Clean code can still be wrong. Verify functionality.
"I trust this developer"
Trust but verify. Everyone makes mistakes.
"It's a small change"
Small changes cause big bugs. Review thoroughly.
"No time for full review"
Bugs take more time than reviews. Do it properly.
"Security is overkill"
One vulnerability can sink the company. Check it.
Output Format
Code Review: [PR Title/Component]
Stage 1: Spec Compliance ✅/❌
**
Requirements:
**
-
[x] Requirement 1 - implemented at
file:line
-
[x] Requirement 2 - implemented at
file:line
-
[ ] Requirement 3 - NOT IMPLEMENTED
**
Tests:
**
PASS (24/24)
**
Verdict:
**
[Meets spec / Missing requirements]
Stage 2: Code Quality
**
Security:
**
-
[CRITICAL] Issue at
file:line
- Fix: [recommendation]
-
No issues found ✅
**
Performance:
**
-
[MAJOR] N+1 query at
file:line
- Fix: Use batch query
-
No issues found ✅
**
Quality:
**
-
[MINOR] Unclear naming at
file:line
- Suggestion: rename to X
-
No issues found ✅
**
UX/A11y:
**
(if UI code)
-
[MAJOR] Missing loading state - Fix: Add spinner
-
No issues found ✅
Summary ** Decision: ** Approve / Request Changes ** Critical: ** [count] ** Major: ** [count] ** Minor: ** [count] ** Required fixes before merge: ** 1. [Most important fix] 2. [Second fix] Review Loop Protocol After requesting changes: Wait for fixes - Developer addresses issues Re-review - Check that fixes actually fix the issues Verify no regressions - Run tests again Approve or request more changes - Repeat if needed Never approve without verifying fixes work. Final Check Before approving: Stage 1 complete (spec compliance verified) Stage 2 complete (all checklists reviewed) All critical/major issues addressed Tests pass No regressions introduced Evidence captured for each claim