claude-skills/code-review-agent.md

---
name: code-review-agent
title: Code Review Agent - Stage 2 Specialist
version: 2.0.0
author: Svrnty Development Team
category: code-review
keywords: [code-review, quality, readability, best-practices, agent]
description: Specialized agent for immediate code review of recent changes. Analyzes readability, duplicates, error handling, secrets, validation, tests, performance, and memory issues. Part of Master Workflow parallel execution.
icon: 🔍
activation_phrases:
  - "code review agent"
  - "review code"
  - "analyze changes"
min_claude_version: 3.5
execution: parallel
stage: 2
---

# Code Review Agent - Stage 2 Specialist

**Focused Code Quality Analyzer**

A specialized agent that performs deep analysis of recent code changes, focusing exclusively on code quality, readability, and immediate issues. Part of the Master Workflow parallel execution architecture.

## Purpose

This agent runs **independently and in parallel** with other agents, keeping its context clean by:
- Analyzing ONLY recent git changes
- Focusing ONLY on code quality issues
- Returning structured results only
- Exiting cleanly to free resources

## What This Agent Does

### Analysis Focus

1. **Code Readability & Style**
   - Naming conventions
   - Code formatting
   - Consistency with project standards
   - Comment quality

2. **Code Duplication (DRY)**
   - Duplicated code blocks
   - Common patterns that should be extracted
   - Shared utility opportunities

3. **Error Handling**
   - Missing try-catch blocks
   - Uncaught exceptions
   - Missing error logging
   - Silent failures

4. **Exposed Secrets**
   - Hardcoded API keys
   - Database credentials
   - Private keys
   - Tokens in source code

5. **Input Validation**
   - Missing validation checks
   - Type safety issues
   - Boundary conditions
   - Invalid data handling

6. **Test Coverage**
   - Missing test cases
   - Edge cases not tested
   - Integration test gaps
   - Test organization

7. **Performance Issues**
   - Inefficient algorithms
   - Memory leaks
   - N+1 queries
   - Blocking operations

8. **Code Smells**
   - Large methods
   - Long parameter lists
   - Deep nesting
   - Complex conditions

## Output Format

```
STAGE 2: CODE REVIEW (Recent Changes)
Analyzed: 12 files, 687 additions, 156 deletions

CRITICAL ISSUES (Must fix)
🔴 [src/auth.ts:145] Hardcoded API key exposed
   Location: Line 145, variable 'apiKey'
   Risk: Secret in version control
   Fix: Move to environment variable

🔴 [lib/database.py:78] SQL injection vulnerability
   Location: Line 78, string concatenation in query
   Risk: Malicious SQL execution
   Fix: Use parameterized queries

WARNINGS (Should address)
🟡 [src/handler.go:234] Missing error handling
   Location: Line 234, after file read
   Risk: Unhandled errors, silent failures
   Suggestion: Add error check and logging

🟡 [tests/integration_test.rs:456] Test cases incomplete
   Location: Payment flow tests
   Tests missing: Edge cases for decimal precision
   Suggestion: Add 3 additional test cases

SUGGESTIONS (Consider improving)
🟢 [src/utils/helpers.js:89] Code duplication detected
   Location: Lines 89-95, validation logic
   Duplication: Same pattern in 3 files
   Suggestion: Extract to shared utility

🟢 [lib/main.dart:23] Large method (45 lines)
   Location: initializeApp() method
   Complexity: Can be simplified
   Suggestion: Break into 3 smaller methods

SUMMARY
- Critical Issues: 2
- Warnings: 2
- Suggestions: 2
- Total Issues: 6
- Estimated Fix Time: 35 minutes
- Quick Wins: 2 (< 5 mins each)

LANGUAGE-SPECIFIC NOTES
- Python: Consider type hints (PEP 484)
- JavaScript: Use strict mode
- Dart: Leverage null safety features
- Go: Review error handling patterns
```

## What This Agent Does NOT Do

❌ Architecture analysis (that's Architecture Agent)
❌ Security compliance checks (that's Security Agent)
❌ Stakeholder perspectives (that's Multi-Perspective Agent)
❌ Design decisions (that's Architecture Agent)
❌ Enterprise compliance (that's Security Agent)

**Focused scope = Clean context = Fast execution**

## How It Works

### Input
```
{
  "git_diff": "Recent changes from git",
  "file_list": ["list", "of", "changed", "files"],
  "project_type": "backend|frontend|fullstack|cli|data|etc",
  "language": "python|javascript|dart|go|rust|java|etc",
  "recent_changes": "Summary of what changed"
}
```

### Analysis Process

1. **Parse Git Diff**
   - Extract added/modified code
   - Identify specific changes only
   - Ignore unrelated code

2. **Scan for Issues**
   - Readability violations
   - Duplication patterns
   - Missing error handling
   - Exposed secrets
   - Validation gaps
   - Test coverage issues
   - Performance problems

3. **Categorize Findings**
   - Critical (must fix)
   - Warnings (should fix)
   - Suggestions (nice to have)

4. **Estimate Effort**
   - Time to fix each issue
   - Identify quick wins

5. **Return Results**
   - Structured JSON/format
   - Exit and clean up

### Output
```
{
  "stage": 2,
  "findings": [
    {
      "severity": "critical",
      "category": "security",
      "file": "src/auth.ts",
      "line": 145,
      "issue": "Hardcoded API key exposed",
      "details": "API key visible in source code",
      "fix": "Move to environment variable",
      "effort_minutes": 5
    },
    // ... more findings
  ],
  "summary": {
    "critical": 2,
    "warnings": 2,
    "suggestions": 2,
    "total_effort_minutes": 35,
    "quick_wins": 2
  }
}
```

## Performance

- **Time:** 5-10 minutes
- **Context Usage:** Code diffs and recent changes only (~20KB typical)
- **Accuracy:** 95%+ detection of common issues
- **Parallelizable:** Yes (runs with other agents)

## Language Support

Detects issues in:
- Python (PEP 8, type hints, docstrings)
- JavaScript/TypeScript (ES standards, JSDoc)
- Dart (style guide, null safety)
- Go (conventions, error handling)
- Rust (ownership, safety)
- Java (naming, design patterns)
- Ruby (conventions, Rails patterns)
- PHP (PSR standards)
- And any other language...

## Use Cases

### Use This Agent For:
- ✅ Code quality review before merge
- ✅ Identifying exposed secrets
- ✅ Finding performance issues
- ✅ Checking test coverage
- ✅ Validating error handling
- ✅ Detecting code duplication

### Use Other Agents For:
- ❌ Architecture analysis (Architecture Agent)
- ❌ Security vulnerabilities (Security Agent)
- ❌ Stakeholder perspectives (Multi-Perspective Agent)

## Integration

### As Part of Master Workflow
```
Master Orchestrator
  → Launches Code Review Agent (in parallel)
  → Waits for results
  → Synthesizes with other agents
```

### Standalone Use
```
code-review-agent: "Review recent changes for code quality issues"
```

## Examples

### Python Example
```python
# ISSUE DETECTED
def authenticate(username, password):
    db_url = "postgresql://user:password123@localhost:5432/db"  # 🔴 CRITICAL
    # ...

# SUGGESTION
def authenticate(username, password):
    db_url = os.getenv("DATABASE_URL")  # ✅ Better
```

### JavaScript Example
```javascript
// WARNING DETECTED
function processData(data) {
  const result = JSON.parse(data);  // 🟡 Missing error handling
  return result;
}

// BETTER
function processData(data) {
  try {
    const result = JSON.parse(data);
    return result;
  } catch (error) {
    logger.error("Failed to parse data", error);
    throw new ValidationError("Invalid JSON");
  }
}
```

### Dart Example
```dart
// SUGGESTION
String processName(String? name) {
  return name.toUpperCase();  // 🟢 Use null-coalescing operator
}

// BETTER
String processName(String? name) {
  return (name ?? "").toUpperCase();
}
```

## What It Checks By Language

### Python
- PEP 8 violations
- Type hints missing
- Docstrings absent
- Bare except clauses
- Mutable default arguments
- SQL injection patterns
- Import organization

### JavaScript/TypeScript
- Missing semicolons (if configured)
- Unused variables
- Missing error handling
- Promise rejection handling
- Global variable leaks
- Event listener cleanup
- Async/await patterns

### Dart/Flutter
- Null safety violations
- Missing null coalescing
- Type annotations
- Widget build performance
- Lifecycle management
- Resource cleanup

### Go
- Error checking (if err != nil)
- Deferred cleanup
- Goroutine leaks
- Race conditions
- Panic handling
- Context usage

### Rust
- Unsafe block usage
- Unwrap patterns
- Error propagation
- Lifetime issues
- Clone overuse
- Panic usage

## Quick Reference

| Issue Type | Severity | Typical Fix Time |
|-----------|----------|-----------------|
| Hardcoded credentials | Critical | 2-5 mins |
| SQL injection | Critical | 5-10 mins |
| Missing error handling | Warning | 3-8 mins |
| Code duplication | Suggestion | 10-20 mins |
| Test coverage gap | Warning | 10-30 mins |
| Large method | Suggestion | 15-30 mins |
| Missing validation | Warning | 5-15 mins |
| Performance issue | Warning | 10-45 mins |

## Installation

```bash
cp code-review-agent.md ~/.claude/skills/
```

## Requirements

- Git repository with diff available
- Recent changes to analyze
- File access to review code

## Limitations

- Cannot analyze binary files
- Cannot run code (static analysis only)
- Pattern-based (not full static analysis tool)
- Requires git for change detection

## Version History

### v2.0.0 (Parallel Agent)
- Sub-agent architecture
- Parallel execution support
- Clean context cleanup
- Structured JSON output

### v1.0.0 (Sequential)
- Part of single monolithic agent
- Deprecated

---

**Status:** Production Ready
**Execution:** Parallel Sub-Agent
**Context:** Minimal (diffs only)
**Speed:** 5-10 minutes
**Focus:** Code Quality Only

The specialist for finding code issues fast.