You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Boundary conditions — empty arrays, null inputs, zero values, maximum values.
53
54
- Error handling — swallowed errors, missing error propagation, unhelpful error messages. Do not flag missing error handling for internal code that cannot reasonably fail.
55
+
- Streaming/multipart handlers — verify a request cannot send multiple responses (e.g., multi-file parts triggering repeated `res.json()` calls). If a route expects one file, ensure parser limits and single-response guards exist.
54
56
55
57
#### Security
58
+
56
59
- Injection risks (SQL, command, XSS) when handling user input.
57
60
- Hardcoded secrets — API keys, passwords, tokens in code.
58
61
- Missing input validation at system boundaries (user input, external APIs). Not for internal function calls.
59
62
- Auth bypass, privilege escalation, or missing authorization checks.
63
+
- Filesystem path confinement — when IDs/paths come from requests, verify storage layers enforce root containment via resolved-path checks; do not rely only on caller-side sanitization.
60
64
61
65
#### API Compatibility
66
+
62
67
- Breaking changes to API response schemas or status codes without migration path.
63
68
- Removed or renamed API endpoints, query parameters, or response fields that existing consumers depend on.
64
69
- Database schema changes that require migration or backfill.
- HTTP status semantics — ensure client/input errors are 4xx and unexpected internal failures are 5xx; blanket 400 handling in catch-all paths is a correctness/API contract issue.
66
72
67
73
#### Tests for Changed Behavior
74
+
68
75
- New behavior must have corresponding tests covering core functionality and error handling.
69
76
- Bug fixes must include a regression test that would have caught the original bug.
70
77
- Changed behavior must have updated tests reflecting the new expectations.
71
78
- If tests are present but brittle (testing implementation details rather than behavior), flag it.
79
+
- For single-file upload endpoints, look for regression coverage of multi-file/malformed multipart inputs and confirm no double-response behavior.
72
80
73
81
Missing tests for changed behavior are blockers (`🔴 Bug`) only when the change affects user-facing behavior, API contracts, or data integrity. Missing tests for internal refactors or trivial changes are `🟡 Issue`.
74
82
75
83
### Pass 2: Maintainability
76
84
77
85
#### Code Bloat and Unnecessary Complexity
86
+
78
87
-**Excessive code** — More lines than necessary. Could this be done in fewer lines without sacrificing clarity?
79
88
-**Over-engineering** — Abstractions, helpers, or utilities for one-time operations. Premature generalization. Feature flags or config for things that could just be code.
-**Duplicate code** — Same logic repeated instead of extracted. But do not suggest extraction for only 2-3 similar lines — that is premature abstraction.
83
92
84
93
#### Readability and Naming
94
+
85
95
-**Confusing variable/function names** — Names that don't describe what the thing is or does. Generic names like `data`, `result`, `item`, `temp`, `val` when a specific name would be clearer.
86
96
-**Misleading names** — Names that suggest different behavior than what the code does.
87
97
-**Inconsistent naming** — Not following conventions in the rest of the codebase.
@@ -91,20 +101,25 @@ Missing tests for changed behavior are blockers (`🔴 Bug`) only when the chang
91
101
-**Unclear control flow** — Complex conditionals that could be simplified or decomposed.
92
102
93
103
#### Architecture and Pattern Violations
104
+
94
105
-**Inline validation instead of Zod schemas** — Validation logic written in code (if/else checks, manual type coercion) instead of using Zod schemas in `openAPIRoute()`. All request validation belongs in the schema, not handler code. This applies to both API routes and MCP tool `inputSchema`.
95
106
-**Missing `openAPIRoute()` wrapper** — API endpoints defined without the OpenAPI wrapper.
96
107
-**Wrong import paths in tests** — Tests importing from `src/` instead of `dist/`.
97
108
-**Missing test categories** — Tests without "Core Functionality" and "Error Handling" describe blocks.
98
109
-**Mixing concerns** — Route handlers doing business logic, database queries in API handlers, etc.
110
+
-**Cross-provider behavior drift** — When multiple providers/implementations exist, verify shared options and output semantics behave consistently unless explicitly documented otherwise.
99
111
100
112
#### Hardcoded Values and Magic Constants
113
+
101
114
Flag only when the value is:
115
+
102
116
-**Reused 3+ times** in touched files or the diff — should be a named constant.
103
117
-**Domain-significant** — timeout values, retry counts, port numbers, API URLs, status messages. Even if used once, these belong in constants or environment variables.
104
118
105
119
Do not flag one-off numeric literals that are self-explanatory in context (e.g., `array.slice(0, 2)`, `Math.round(x * 100) / 100`).
106
120
107
121
#### Performance (Only Obvious Issues)
122
+
108
123
- N+1 queries — database queries inside loops.
109
124
- Blocking operations in async contexts — synchronous I/O in async code.
110
125
- Unnecessary work in hot paths — redundant allocations, repeated computations.
@@ -120,6 +135,7 @@ Do not flag one-off numeric literals that are self-explanatory in context (e.g.,
120
135
## Comment Format
121
136
122
137
Use severity prefixes:
138
+
123
139
-`🔴 Bug:` — Correctness error, security issue, API break, data integrity risk. Will cause incorrect behavior.
124
140
-`🟡 Issue:` — Code quality problem that should be fixed. Bloated code, bad naming, pattern violation, missing tests.
0 commit comments