AgileFlow

AI-powered code review with quality suggestions

/review

Perform a comprehensive AI-powered code review of pull request changes. The review analyzes code for quality, security, performance, and best practices, and provides actionable feedback with specific code examples.

Quick Start

# Review current branch against main
/agileflow:review
 
# Review specific branch
/agileflow:review BRANCH=feature/auth
 
# Review with focus on security
/agileflow:review FOCUS=security

The command will:

  1. Get code changes (git diff)
  2. Analyze across 6 categories (Quality, Security, Performance, Best Practices, Testing, Documentation)
  3. Generate detailed report with issues prioritized by severity
  4. Calculate code quality score
  5. Suggest auto-fixes and follow-up work

Key Features

Comprehensive Analysis

Review examines your code changes across six categories:

Category        | Checks
----------------|---------------------------------------------------------------
Code Quality    | Complexity, duplication, naming, function/file length
Security        | SQL injection, XSS, hardcoded secrets, unsafe deserialization
Performance     | N+1 queries, inefficient algorithms, memory leaks
Best Practices  | Error handling, logging, type safety, async/await
Testing         | Missing tests, test quality, coverage gaps
Documentation   | Missing JSDoc, outdated comments, README updates

Severity-Based Prioritization

Issues are categorized by impact:

🔴 CRITICAL - Must fix before merge
🟠 HIGH     - Fix before merge (blocks release)
🟡 MEDIUM   - Address soon (technical debt)
⚪ LOW      - Nice to have (style/consistency)

Code Quality Score

Your PR gets a score (0-100) with breakdown by category:

Code Quality Score: 72/100
 
Breakdown:
- Security: 40/100 (critical issues found)
- Performance: 75/100 (one N+1 query)
- Maintainability: 80/100 (some complexity)
- Testing: 65/100 (coverage gaps)
- Style: 90/100 (mostly consistent)

Constructive Feedback

Every issue includes:

  • Where it is (file, line number)
  • Why it matters (risk/impact)
  • How to fix it (specific code examples)
  • Example of āŒ BAD code
  • Example of āœ… GOOD code

Usage

Basic - review current branch

/agileflow:review

Reviews changes on the current branch against main (or master, whichever exists).

Review specific branch

/agileflow:review BRANCH=feature/user-auth

Reviews the named branch against main.

Review against different base

/agileflow:review BRANCH=feature/auth BASE=develop

Compares against a different base branch.

Review with focus area

# Security-only review
/agileflow:review FOCUS=security
 
# Performance-only review
/agileflow:review FOCUS=performance
 
# Testing coverage review
/agileflow:review FOCUS=tests

Filter by severity

# Show only critical/high issues
/agileflow:review SEVERITY=high
 
# Show all issues
/agileflow:review SEVERITY=all

Parameters

Parameter | Required | Default     | Options / Description
----------|----------|-------------|------------------------------------------
BRANCH    | No       | Current     | Branch name to review
BASE      | No       | main/master | Base branch for comparison
FOCUS     | No       | all         | all, security, performance, style, tests
SEVERITY  | No       | all         | critical, high, medium, low, all

Examples

Typical PR review

/agileflow:review
 
# Output:
# AI Code Review Report
# Branch: feature/user-auth
# Files Changed: 5
# Critical: 1 | High: 3 | Medium: 5 | Low: 2
# Code Quality Score: 72/100
#
# 🔴 CRITICAL ISSUES
# - Hardcoded API key in stripe.ts:15
#
# 🟠 HIGH ISSUES
# - N+1 query in posts API
# - Missing error handling in login
# ...

Security-focused review

/agileflow:review FOCUS=security
 
# Analyzes only for:
# - Hardcoded secrets
# - SQL injection risks
# - XSS vulnerabilities
# - Authentication issues
# - CORS misconfiguration

Performance review

/agileflow:review FOCUS=performance
 
# Checks for:
# - N+1 database queries
# - Inefficient algorithms
# - Missing indexes
# - Memory leaks
# - Bundle size issues

Review Report Structure

# AI Code Review Report
 
**Branch**: feature/user-auth
**Base**: main
**Files Changed**: 8
**Lines Added**: 245
**Lines Removed**: 32
**Generated**: 2025-10-16T10:30:00Z

Summary

## Summary
 
**Critical**: 2 | **High**: 5 | **Medium**: 12 | **Low**: 8
**Must Fix Before Merge**: 7 issues

Issues by Severity

For each issue:

### 1. Hardcoded API Key (SECURITY)
**File**: src/api/payments/stripe.ts:15
**Severity**: CRITICAL
 
// āŒ BAD
const stripeKey = "sk_live_abc123...";
 
// ✅ GOOD
const stripeKey = process.env.STRIPE_SECRET_KEY;
if (!stripeKey) throw new Error("STRIPE_SECRET_KEY not set");
 
**Risk**: API key exposed in version control.
**Fix**: Move to environment variable. Rotate immediately.
**Priority**: Block merge

Positive Observations

## Positive Observations ✅
 
- ✅ Good use of TypeScript strict mode
- ✅ Consistent error handling pattern
- ✅ Well-structured component separation
- ✅ Clear commit messages

Code Quality Breakdown

## Code Quality Score: 72/100
 
**Breakdown**:
- Security: 40/100 (2 critical issues)
- Performance: 75/100 (1 N+1 query)
- Maintainability: 80/100 (some complexity)
- Testing: 65/100 (coverage gaps)
- Style: 90/100 (mostly consistent)

Customization

Project-specific rules

Create custom review rules in:

  • .agileflow/review-rules.md
  • docs/02-practices/code-standards.md

Example:

# Code Review Rules
 
## Critical
- No console.log in production code
- All API endpoints must have rate limiting
- All database queries must use ORM
 
## High
- Functions >30 lines should be refactored
- Test coverage must be >85%

Actions After Review

Auto-fix issues

Review asks: "Fix auto-fixable issues? (YES/NO)"
 
If YES:
  - Runs npm run lint -- --fix
  - Fixes 8 style issues automatically
  - Shows which issues were fixed

Create follow-up stories

Review asks: "Create stories for follow-up work?"
 
If YES:
  - Creates story for each medium/low issue
  - Adds to your backlog
  - Links to code review report

Block merge for critical issues

Review asks: "Block merge for critical/high issues?"
 
If YES:
  - Marks merge as blocked
  - Provides failure reason
  - Suggests resolution steps

Save report

Report automatically saved to:

docs/08-project/code-reviews/<YYYYMMDD>-<BRANCH>.md

Example:

docs/08-project/code-reviews/20251016-feature-user-auth.md

Security Checks

Review automatically checks for:

Secrets & Credentials

  • Hardcoded API keys
  • Database passwords
  • OAuth tokens
  • JWT secrets
  • AWS credentials

Common Vulnerabilities

  • SQL injection (unparameterized queries)
  • XSS attacks (unescaped output)
  • Unsafe deserialization
  • CSRF vulnerabilities
  • Missing CORS validation

Insecure Patterns

  • eval() or Function()
  • Unsafe string concatenation
  • Missing input validation
  • Weak encryption
  • Insecure dependencies

Performance Checks

Review looks for:

Database

  • N+1 query problems
  • Missing indexes
  • Inefficient joins
  • Unnecessary queries

Algorithms

  • O(n²) when O(n) possible
  • Nested loops that could be flat
  • Repeated calculations
  • Unoptimized recursion

Memory

  • Memory leaks
  • Large objects not freed
  • Circular references
  • Memory hogging data structures

Testing Coverage

Review checks:

New Code

  • Is there a test for new functionality?
  • Are edge cases covered?
  • Is test quality good?

Coverage Gaps

  • Lines added without tests
  • Functions with no test coverage
  • Error paths not tested

Test Quality

  • Are assertions meaningful?
  • Do tests verify behavior?
  • Are tests maintainable?

Output & Recommendations

Immediate Actions (Block Merge)

1. Remove hardcoded API key (critical)
2. Fix SQL injection (critical)
3. Add error handling to login (high)

Before Merge

4. Add tests for auth endpoints (high)
5. Fix N+1 query in posts API (high)
6. Reduce complexity in validator.ts (medium)

Follow-up (Create Stories)

7. Standardize naming conventions (medium)
8. Add ESLint rule for secrets (medium)
9. Set up automated security scanning (low)

Integration with CI

Suggested steps to add to .github/workflows/pr.yml:

- name: AI Code Review
  run: npx claude-code /agileflow:review BRANCH=${{ github.head_ref }}
 
- name: Check for critical issues
  run: |
    if grep -q "CRITICAL" code-review-report.md; then
      echo "::error::Critical issues found."
      exit 1
    fi
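A more robust gate than grepping for the word CRITICAL, added here as an example (not AgileFlow's own code): it reads the counts from the report's Summary line in the format shown under Review Report Structure, honours the critical/high threshold the review itself offers, and fails closed when the report has no Summary line at all (a missing or truncated report would otherwise pass a plain grep). The report path and the sample reports are constructed for the example.

```shell
#!/bin/sh
# CI gate for a /agileflow:review report. Added example, not AgileFlow code.
# Parses the "**Critical**: N | **High**: N | ..." Summary line instead of
# grepping for CRITICAL, and refuses to pass when that line is absent.

# Constructed sample reports in the Review Report Structure format (not real runs).
SAMPLE_BLOCKED=$(mktemp); SAMPLE_CLEAN=$(mktemp); SAMPLE_NOSUMMARY=$(mktemp)
cat > "$SAMPLE_BLOCKED" <<'EOF'
# AI Code Review Report

## Summary

**Critical**: 2 | **High**: 5 | **Medium**: 12 | **Low**: 8
**Must Fix Before Merge**: 7 issues
EOF
cat > "$SAMPLE_CLEAN" <<'EOF'
# AI Code Review Report

## Summary

**Critical**: 0 | **High**: 0 | **Medium**: 3 | **Low**: 1
EOF
printf '# AI Code Review Report\n' > "$SAMPLE_NOSUMMARY"  # truncated: no Summary line

# count_severity FILE LEVEL: print the count for LEVEL (Critical, High, Medium, Low).
# Accepts both the bold "**Critical**: 2" and the plain "Critical: 2" forms.
count_severity() {
  sed -n "s/.*\**$2\**: *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# gate_report FILE [THRESHOLD]: return 0 when the PR may merge, 1 when issues at or
# above THRESHOLD (critical, the default, or high) exist, 2 when no Summary line is
# found, so a missing or truncated report never slips through the gate.
gate_report() {
  file=$1; threshold=${2:-critical}
  crit=$(count_severity "$file" Critical)
  high=$(count_severity "$file" High)
  if [ -z "$crit" ] || [ -z "$high" ]; then
    echo "::error::No Summary line in $file; refusing to pass the gate." >&2
    return 2
  fi
  blocking=$crit
  if [ "$threshold" = high ]; then blocking=$((crit + high)); fi
  if [ "$blocking" -gt 0 ]; then
    echo "::error::$crit critical and $high high issues found (threshold: $threshold)." >&2
    return 1
  fi
  echo "Review gate passed: $crit critical, $high high."
}
```

In the workflow, replace the grep step with `gate_report docs/08-project/code-reviews/<report>.md high` (or `critical`) so the job's exit status follows the report's counts.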

Tips

Before submitting PR

/agileflow:review
# Fix any CRITICAL or HIGH issues
# Address MEDIUM issues if possible
# Then submit PR with confidence

Iterative improvement

# After feedback, run review again
/agileflow:review
 
# See if score improved
# Ensure critical issues fixed
# Check test coverage

Security-first approach

# Always check security first
/agileflow:review FOCUS=security
 
# Fix any CRITICAL security issues
# Then review other categories

Principles

  • Be constructive - Provide actionable feedback, not just criticism
  • Show examples - Include ❌ BAD and ✅ GOOD code
  • Prioritize - Critical issues first, style last
  • Celebrate - Include positive observations
  • Suggest fixes - Don't just identify problems
  • No force commits - Always ask before auto-fixing

Related Commands

  • /pr - Generate PR description (review before submitting)
  • /impact - Analyze change impact
  • /babysit - Implementation guidance (runs review before PR)
  • /verify - Verify tests passing
  • /baseline - Create verified checkpoint