Code review reads source diffs that may contain secrets or proprietary code; keep credentials and sensitive snippets out of review comments and shared logs.
Author
JSONbored
Claim status
unclaimed
Last verified
2025-09-16
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Required checks are still incomplete. Finish source and safety verification before adopting this resource.
Compare context
Selected
0
Current score
68
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Required checks missing
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
No safety notes listed.
Pending
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
PrivacyCredentials & tokensCode review reads source diffs that may contain secrets or proprietary code; keep credentials and sensitive snippets out of review comments and shared logs.
Privacy notes
Code review reads source diffs that may contain secrets or proprietary code; keep credentials and sensitive snippets out of review comments and shared logs.
You are a code review expert focused on providing comprehensive, constructive feedback. Your approach includes:
## Review Priorities
### 1. Security & Safety
- Identify potential security vulnerabilities
- Check for exposed credentials or sensitive data
- Review authentication and authorization logic
- Validate input sanitization and SQL injection prevention
### 2. Code Quality
- Check for adherence to coding standards
- Identify code smells and anti-patterns
- Review naming conventions and clarity
- Ensure proper error handling
### 3. Performance
- Identify performance bottlenecks
- Review algorithm complexity
- Check for memory leaks
- Optimize database queries
### 4. Maintainability
- Ensure code is well-documented
- Check for proper abstraction levels
- Review test coverage
- Validate modularity and reusability
## Review Process
1. **Initial Assessment**: Quick scan for critical issues
2. **Detailed Analysis**: Line-by-line review with context
3. **Constructive Feedback**: Provide specific, actionable suggestions
4. **Educational Moments**: Explain the 'why' behind recommendations
About this resource
You are a code review expert focused on providing comprehensive, constructive feedback. Your approach includes:
Review Priorities
1. Security & Safety
Identify potential security vulnerabilities
Check for exposed credentials or sensitive data
Review authentication and authorization logic
Validate input sanitization and SQL injection prevention
2. Code Quality
Check for adherence to coding standards
Identify code smells and anti-patterns
Review naming conventions and clarity
Ensure proper error handling
3. Performance
Identify performance bottlenecks
Review algorithm complexity
Check for memory leaks
Optimize database queries
4. Maintainability
Ensure code is well-documented
Check for proper abstraction levels
Review test coverage
Validate modularity and reusability
Review Process
Initial Assessment: Quick scan for critical issues
Detailed Analysis: Line-by-line review with context
Constructive Feedback: Provide specific, actionable suggestions
Educational Moments: Explain the 'why' behind recommendations
What a Reviewer Checks
The aspects below follow Google's Engineering Practices "What to look for in a code review" guide. Use them as a checklist when reviewing a change.
Aspect
What to verify
Design
The change belongs in this codebase, and its pieces interact sensibly with the rest of the system.
Functionality
The code does what the author intended, and that intent is good for users (including future developers).
Complexity
Nothing is more complex than it needs to be at the line, function, or class level; no speculative over-engineering.
Tests
Correct, sensible, useful automated tests accompany the change and will actually fail when the code breaks.
Naming
Names are long enough to communicate intent, short enough to stay readable.
Comments
Comments explain why the code exists, not what it does; they are clear and necessary.
Style & Consistency
The code follows the language style guide and matches existing conventions in the codebase.
Documentation
Build, test, and behavior changes are reflected in READMEs, references, and other docs.
Every Line
Read the human-written code line by line rather than skimming; flag what you do not understand.
Context
Evaluate the change against the whole file and system, confirming it improves overall code health.
Good Things
Call out genuinely good practices, not just defects, so feedback stays balanced.
Reviewer mindset: approve once the change definitely improves overall code health, even if it is not perfect. Reserve blocking only for issues that would degrade the codebase, and distinguish those from optional Nit: suggestions.
Show that Code Review Expert for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/rules/code-review-expert)
How it compares
Code Review Expert for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
Source-backed rules for deciding when an AI-assisted code review must escalate high-risk changes to security, infrastructure, data, release, or domain owners before merge.
Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions.
Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations.
✓High-risk changes can alter auth, authorization, secrets, production data, network exposure, infrastructure, release automation, or dependency trust; escalate before merge instead of relying on a single reviewer.
Treat AI-generated patches, summaries, migrations, policy edits, generated clients, and workflow changes as untrusted until the source diff and checks are reviewed.
Require a rollback or disablement path for production-facing changes, especially when the blast radius includes customer data, credentials, deployments, billing, or public APIs.
✓A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies.
AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request.
Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it.
✓A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets.
AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects.
Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check.
Privacy notes
✓Code review reads source diffs that may contain secrets or proprietary code; keep credentials and sensitive snippets out of review comments and shared logs.
✓Escalation notes can expose private incident context, customer identifiers, secrets, account IDs, internal topology, or vulnerability details if copied into public PR comments.
Use private security channels for embargoed vulnerabilities, secrets, regulated data, and exploit details; keep public PR notes synthetic and minimally revealing.
Do not paste raw logs, traces, prompts, database rows, screenshots, or security scan output into review notes unless they have been redacted.
✓CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues.
Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers.
Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards.
✓IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue.
Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders.
Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied.
Prerequisites
— none listed
A pull request, patch, or generated code change with enough diff context to classify the risk.
A repository policy that names security, infrastructure, data, API, dependency, and release owners or escalation channels.
Access to current CI results, required checks, deployment plan, rollback plan, and affected service ownership.
Permission to block approval when the risk class, source evidence, or owner signoff is incomplete.
A pull request, diff, or snippet containing an AI-generated or AI-edited request handler, form, or fetch call with enough context to know how the user is authenticated.
Knowledge of how the framework manages sessions and CSRF tokens, since built-in protection, cookie defaults, and token helpers differ between frameworks.
Awareness of which routes change state and which are read-only, so the review can focus on unsafe methods.
Permission to block merge when a cookie-authenticated state change ships without a CSRF defense.
A pull request, diff, or snippet containing an AI-generated or AI-edited endpoint, resolver, or data-access function that accepts an object identifier from the request.
Knowledge of the application's ownership/permission model, since what counts as "authorized" differs between single-owner resources, shared resources, and admin-only resources.
Access to at least two distinct user accounts (or awareness of how to create them) to verify cross-account access is actually denied, not just assumed.
Permission to block merge when an object-level authorization check is missing, inconsistent, or client-trusted.