when-reviewing-code-comprehensively-use-code-review-assistant

What this skill does

# Comprehensive Code Review Assistant

## Purpose

Orchestrate multi-agent swarm review of pull requests with specialized reviewers for security, performance, style, test coverage, and documentation. Provides detailed feedback with auto-fix suggestions and merge readiness assessment.

## Core Principles

- **Multi-Agent Specialization**: Dedicated agents for each review dimension
- **Parallel Analysis**: Concurrent review across all quality vectors
- **Evidence-Based**: Measurable quality metrics and validation gates
- **Auto-Fix Capability**: Automated corrections where possible
- **Merge Readiness**: Clear approval/rejection criteria

## Phase 1: Security Review

### Objective
Identify and report security vulnerabilities, OWASP violations, and authentication/authorization issues.

### Agent Configuration
```yaml
agent: security-manager
specialization: security-audit
validation: OWASP-Top-10
```

### Execution Steps

**1. Initialize Security Scan**
```bash
# Pre-task setup
npx claude-flow@alpha hooks pre-task \
  --agent-id "security-manager" \
  --description "Security vulnerability scanning" \
  --task-type "security-audit"

# Restore session context
npx claude-flow@alpha hooks session-restore \
  --session-id "code-review-swarm-${PR_ID}" \
  --agent-id "security-manager"
```

**2. OWASP Top 10 Scan**
```bash
# Scan for OWASP vulnerabilities
npx eslint . --format json --config .eslintrc-security.json > security-report.json

# Check for dependency vulnerabilities
npm audit --json > npm-audit.json

# Scan for secrets and credentials
npx gitleaks detect --source . --report-path gitleaks-report.json
```

**3. Authentication/Authorization Review**
```javascript
// Analyze authentication patterns
const authPatterns = {
  jwt_validation: /jwt\.verify\(/g,
  password_hashing: /bcrypt|argon2|scrypt/g,
  sql_injection: /\$\{.*\}/g,
  xss_prevention: /sanitize|escape|DOMPurify/g,
  csrf_protection: /csrf|csurf/g
};

// Validate security controls
const securityChecks = {
  has_jwt_validation: false,
  has_password_hashing: false,
  has_sql_parameterization: false,
  has_xss_prevention: false,
  has_csrf_protection: false
};
```

**4. Store Security Findings**
```bash
# Store results in memory
npx claude-flow@alpha hooks post-edit \
  --file "security-report.json" \
  --memory-key "swarm/security-manager/findings" \
  --metadata "{\"critical\": ${CRITICAL_COUNT}, \"high\": ${HIGH_COUNT}}"
```

**5. Generate Security Report**
```markdown
## Security Review Results

### Critical Issues (Blocking)
- [ ] SQL injection vulnerability in user.controller.js:45
- [ ] Hardcoded API key in config/production.js:12

### High Priority Issues
- [ ] Missing JWT expiration validation
- [ ] Weak password hashing (MD5 detected)

### Recommendations
1. Implement parameterized queries for all database operations
2. Move credentials to environment variables
3. Add JWT expiration checks (max 1 hour)
4. Upgrade to bcrypt with work factor 12+
```

**6. Post-Task Cleanup**
```bash
npx claude-flow@alpha hooks post-task \
  --task-id "security-review-${PR_ID}" \
  --status "complete" \
  --metrics "{\"issues_found\": ${TOTAL_ISSUES}, \"critical\": ${CRITICAL_COUNT}}"
```

### Validation Gates
- ✅ No critical security issues
- ✅ All OWASP Top 10 checks pass
- ✅ No hardcoded secrets detected
- ✅ Authentication properly implemented

### Expected Outputs
- `security-report.json` - Detailed security findings
- `security-score.json` - Security quality metrics (0-100)
- `auto-fix-suggestions.json` - Automated fix recommendations

---

## Phase 2: Performance Review

### Objective
Analyze code efficiency, detect bottlenecks, and recommend performance optimizations.

### Agent Configuration
```yaml
agent: performance-analyzer
specialization: performance-audit
metrics: latency, memory, cpu
```

### Execution Steps

**1. Initialize Performance Analysis**
```bash
npx claude-flow@alpha hooks pre-task \
  --agent-id "performance-analyzer" \
  --description "Performance bottleneck analysis" \
  --task-type "performance-audit"
```

**2. Static Performance Analysis**
```javascript
// Detect anti-patterns
const performanceAntiPatterns = {
  nested_loops: /for.*for.*for/gs,
  blocking_operations: /fs\.readFileSync|execSync/g,
  memory_leaks: /global\.|window\./g,
  inefficient_queries: /SELECT \*/gi,
  n_plus_one: /\.map\(.*await/gs
};

// Analyze complexity
const complexityMetrics = {
  cyclomatic_complexity: [], // McCabe complexity
  cognitive_complexity: [],   // Sonar cognitive
  nesting_depth: [],          // Max nesting level
  function_length: []         // Lines per function
};
```

**3. Runtime Performance Profiling**
```bash
# Run performance benchmarks
npm run test:perf -- --profile

# Analyze bundle size
npx webpack-bundle-analyzer stats.json --mode static -r bundle-analysis.html

# Check memory usage
node --inspect --expose-gc performance-test.js
```

**4. Bottleneck Detection**
```javascript
// Identify slow operations
const bottlenecks = [
  {
    file: "api/users.controller.js",
    function: "getUsersList",
    issue: "N+1 query pattern",
    current_latency: "1250ms",
    optimized_latency: "45ms",
    fix: "Use JOIN or eager loading"
  },
  {
    file: "utils/processor.js",
    function: "processData",
    issue: "Synchronous file operations",
    current_latency: "800ms",
    optimized_latency: "120ms",
    fix: "Use fs.promises.readFile"
  }
];
```

**5. Generate Performance Report**
```markdown
## Performance Review Results

### Critical Bottlenecks (P0)
- **N+1 Query Pattern** (api/users.controller.js:67)
  - Impact: 1250ms → 45ms (27.7x improvement)
  - Fix: Replace `.map(await)` with single JOIN query

### Performance Metrics
| Metric | Current | Target | Status |
|--------|---------|--------|--------|
| API Response Time | 850ms | <200ms | ⚠️ FAIL |
| Memory Usage | 512MB | <256MB | ⚠️ FAIL |
| Bundle Size | 2.4MB | <1MB | ⚠️ FAIL |
| Lighthouse Score | 62 | >90 | ⚠️ FAIL |

### Optimization Recommendations
1. Implement query result caching (Redis)
2. Use async/await for file operations
3. Code splitting for bundle size reduction
4. Lazy load non-critical components
```

**6. Store Performance Data**
```bash
npx claude-flow@alpha hooks post-edit \
  --file "performance-report.json" \
  --memory-key "swarm/performance-analyzer/metrics" \
  --metadata "{\"bottlenecks\": ${BOTTLENECK_COUNT}, \"avg_latency\": ${AVG_LATENCY}}"
```

### Validation Gates
- ✅ API response time <200ms
- ✅ Memory usage <256MB
- ✅ No O(n²) or worse algorithms
- ✅ Bundle size <1MB

### Expected Outputs
- `performance-report.json` - Performance analysis
- `bottlenecks.json` - Identified slow operations
- `optimization-plan.json` - Recommended fixes

---

## Phase 3: Style Review

### Objective
Verify code conventions, linting rules, and consistent formatting across the codebase.

### Agent Configuration
```yaml
agent: code-review-swarm
specialization: style-audit
standards: ESLint, Prettier, TypeScript
```

### Execution Steps

**1. Initialize Style Check**
```bash
npx claude-flow@alpha hooks pre-task \
  --agent-id "code-review-swarm" \
  --description "Code style and conventions audit" \
  --task-type "style-audit"
```

**2. Run Linting Tools**
```bash
# ESLint for JavaScript/TypeScript
npx eslint . --ext .js,.jsx,.ts,.tsx --format json > eslint-report.json

# Prettier for formatting
npx prettier --check "**/*.{js,jsx,ts,tsx,json,css,md}" --list-different > prettier-report.txt

# TypeScript compiler for type checks
npx tsc --noEmit --pretty false 2> typescript-errors.txt
```

**3. Analyze Naming Conventions**
```javascript
// Check naming patterns
const namingConventions = {
  classes: /^[A-Z][a-zA-Z0-9]*$/,        // PascalCase
  functions: /^[a-z][a-zA-Z0-9]*$/,      // camelCase
  constants: /^[A-Z][A-Z0-9_]*$/,        // UPPER_SNAKE_CASE
  components: /^[A-Z][a-zA-Z0-9]*$/,     // PascalCase (React)
  files: /^[a-z][a-z0-9-]*\.(js|ts)$/   // kebab-case
};

// Validate naming compliance
const namingVi