Skill

code-review-checklist

Structured code review covering OWASP security, Core Web Vitals performance, Firebase best practices, and TypeScript types

From jm-adk

Install

Run in your terminal

npx claudepluginhub javimontano/jm-adk-alfa

Tool Access

This skill uses the workspace's default tool permissions.

Supporting Assets

View in Repository

agents/guardian.md

agents/lead.md

agents/specialist.md

agents/support.md

evals/evals.json

knowledge/body-of-knowledge.md

knowledge/knowledge-graph.md

prompts/meta.md

prompts/primary.md

prompts/variations/deep.md

prompts/variations/quick.md

templates/output.docx.md

templates/output.html

Skill Content

083 — Code Review Checklist {Testing}

Purpose

Provide a deterministic, repeatable code review process that catches security vulnerabilities, performance regressions, Firebase anti-patterns, and type safety issues before merge. [EXPLICIT]

Physics — 3 Immutable Laws

Law of Objectivity: Every review item is a binary pass/fail check — no subjective opinions. The checklist is the standard. [EXPLICIT]
Law of Shift Left: Catch defects at review time, not in production. A review that misses a security flaw is a review failure. [EXPLICIT]
Law of Knowledge Transfer: Reviews spread codebase knowledge. Every review must have at least one comment explaining WHY, not just WHAT. [EXPLICIT]

Protocol

Phase 1 — Security Review (OWASP)

No secrets in code (API keys, tokens, passwords) — use env vars or Secret Manager. [EXPLICIT]
User input sanitized — XSS prevention via React's default escaping + DOMPurify for dangerouslySetInnerHTML. [EXPLICIT]
Firestore rules enforce auth — no open read/write rules in production. [EXPLICIT]
CORS configured restrictively — no * origins. [EXPLICIT]
Dependencies audited — npm audit shows zero high/critical. [EXPLICIT]

Phase 2 — Performance & Firebase

No unbounded Firestore queries — limit() on every getDocs(). [EXPLICIT]
No Firestore reads in loops — batch or use in queries. [EXPLICIT]
Images optimized — WebP format, lazy loading, responsive srcset. [EXPLICIT]
Bundle impact assessed — no new dependency > 50KB without justification. [EXPLICIT]
Cloud Functions cold start mitigated — minimal imports, lazy initialization. [EXPLICIT]

Phase 3 — Code Quality & Types

No any types — use unknown + type guards if type is uncertain. [EXPLICIT]
No eslint-disable without JIRA ticket comment. [EXPLICIT]
Functions < 50 lines, files < 300 lines — extract if exceeding. [EXPLICIT]
Naming is intention-revealing — no abbreviations, no single-letter variables (except loops). [EXPLICIT]
Error handling explicit — no swallowed catches, user-facing errors use error boundary. [EXPLICIT]

I/O

Input	Output
Pull request diff	Completed checklist (pass/fail per item)
Changed files list	Security, performance, quality scores
Dependency changes	`npm audit` report
Firestore rule changes	Rule coverage verification

Quality Gates — 5 Checks

Zero OWASP Top 10 violations — any finding blocks merge. [EXPLICIT]
No unbounded Firestore queries — every query has limit() or pagination. [EXPLICIT]
TypeScript strict mode — no any, no @ts-ignore without ticket. [EXPLICIT]
Bundle size delta < 50KB — justify or code-split if exceeding. [EXPLICIT]
All review items addressed — no unresolved comments at merge. [EXPLICIT]

Edge Cases

Hotfix PRs: Run abbreviated checklist (security + critical performance only). Full review within 48h.
Dependency-only PRs: Focus on npm audit, license check, bundle size delta.
Firestore rule changes: Require integration test proof (skill 080) in PR.
Generated code: Exclude from line-count rules but include in security review.

Self-Correction Triggers

Production incident traced to missed review item → add to checklist permanently.
Review turnaround > 24h → escalate or split PR into smaller changes.
Same defect found 3x → add automated lint rule to prevent it.
Reviewer approves without checklist completion → flag in team retro.

Usage

Example invocations:

"/code-review-checklist" — Run the full code review checklist workflow
"code review checklist on this project" — Apply to current context

Assumptions & Limits

Assumes access to project artifacts (code, docs, configs) [EXPLICIT]
Requires English-language output unless otherwise specified [EXPLICIT]
Does not replace domain expert judgment for final decisions [EXPLICIT]

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.5k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.5k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

138.0k

Stats

Stars1

Forks0

Last CommitMar 28, 2026

Actions

View Source View Plugin View on GitHub View README

Physics — 3 Immutable Laws

Law of Objectivity: Every review item is a binary pass/fail check — no subjective opinions. The checklist is the standard. [EXPLICIT]

Law of Shift Left: Catch defects at review time, not in production. A review that misses a security flaw is a review failure. [EXPLICIT]

Law of Knowledge Transfer: Reviews spread codebase knowledge. Every review must have at least one comment explaining WHY, not just WHAT. [EXPLICIT]

Protocol

Phase 1 — Security Review (OWASP)

No secrets in code (API keys, tokens, passwords) — use env vars or Secret Manager. [EXPLICIT]

User input sanitized — XSS prevention via React's default escaping + DOMPurify for dangerouslySetInnerHTML. [EXPLICIT]

Firestore rules enforce auth — no open read/write rules in production. [EXPLICIT]

CORS configured restrictively — no * origins. [EXPLICIT]

Dependencies audited — npm audit shows zero high/critical. [EXPLICIT]

Phase 2 — Performance & Firebase

No unbounded Firestore queries — limit() on every getDocs(). [EXPLICIT]

No Firestore reads in loops — batch or use in queries. [EXPLICIT]

Images optimized — WebP format, lazy loading, responsive srcset. [EXPLICIT]

Bundle impact assessed — no new dependency > 50KB without justification. [EXPLICIT]

Cloud Functions cold start mitigated — minimal imports, lazy initialization. [EXPLICIT]

Phase 3 — Code Quality & Types

No any types — use unknown + type guards if type is uncertain. [EXPLICIT]

No eslint-disable without JIRA ticket comment. [EXPLICIT]

Functions < 50 lines, files < 300 lines — extract if exceeding. [EXPLICIT]

Naming is intention-revealing — no abbreviations, no single-letter variables (except loops). [EXPLICIT]

Error handling explicit — no swallowed catches, user-facing errors use error boundary. [EXPLICIT]

Input

Output

Pull request diff

Completed checklist (pass/fail per item)

Changed files list

Security, performance, quality scores

Dependency changes

npm audit report

Firestore rule changes

Rule coverage verification

Quality Gates — 5 Checks

Zero OWASP Top 10 violations — any finding blocks merge. [EXPLICIT]

No unbounded Firestore queries — every query has limit() or pagination. [EXPLICIT]

TypeScript strict mode — no any, no @ts-ignore without ticket. [EXPLICIT]

Bundle size delta < 50KB — justify or code-split if exceeding. [EXPLICIT]

All review items addressed — no unresolved comments at merge. [EXPLICIT]

Edge Cases

Hotfix PRs: Run abbreviated checklist (security + critical performance only). Full review within 48h.

Dependency-only PRs: Focus on npm audit, license check, bundle size delta.

Firestore rule changes: Require integration test proof (skill 080) in PR.

Generated code: Exclude from line-count rules but include in security review.