Enterprise Systematic Code Review Orchestrator v4.0.0
Skill Metadata
| Field | Value | | ----- | ----- | | Skill Name | moai-alfred-code-reviewer | | Version | 4.0.0 Enterprise (2025-11-12) | | Core Framework | TRUST 5 principles, Context7 integration | | AI Integration | ✅ Context7 MCP, AI quality checks, pattern matching | | Auto-load | When conducting code reviews or quality checks | | Languages | 25+ (Python, JavaScript, Go, Rust, Java, etc.) | | Lines of Content | 950+ with 15+ production examples | | Progressive Disclosure | 3-level (framework, patterns, advanced) |
What It Does
Provides systematic guidance for enterprise-grade code review processes applying TRUST 5 principles, validating SOLID principles, identifying security issues, ensuring maintainability, and automating quality gates across all programming languages.
The TRUST 5 Review Framework
T - Test First
Focus: Test coverage, quality, comprehensiveness
Key Questions:
- Are tests comprehensive? Do they cover happy path + edge cases?
- Test coverage ≥ 85%?
- Tests verify behavior, not just implementation?
- Edge cases handled: null, empty, boundary values?
- Async/concurrent scenarios tested?
Tools: pytest coverage, jest --coverage, go test -cover, cargo test
Examples:
# ❌ Bad: Tests implementation, not behavior
def test_add():
assert add(2, 2) == 4
# ✅ Good: Tests behavior with edge cases
def test_add_positive_numbers():
assert add(2, 2) == 4
assert add(-1, 1) == 0
assert add(0, 0) == 0
def test_add_boundary():
assert add(int.max, 1) == overflow_behavior()
R - Readable
Focus: Code clarity, self-documentation, maintainability
Key Questions:
- Are function/variable names meaningful and clear?
- Can a new team member understand the intent?
- Comments explain WHY, not WHAT (code shows what)?
- Cyclomatic complexity reasonable (<10)?
- Functions single responsibility?
- Magic numbers extracted as constants?
Tools: linters, code formatters, readability checkers
Examples:
# ❌ Bad: Unclear intent
def calc(x, y, z):
return x * (1 + y / 100) - z * 0.05
# ✅ Good: Clear intent with constants
DISCOUNT_RATE = 0.05
TAX_RATE = 0.05
def calculate_final_price(base_price: float, tax_percent: float, discount: float) -> float:
"""Calculate final price after tax and discount.
Args:
base_price: Original product price
tax_percent: Tax percentage (0-100)
discount: Discount amount to subtract
"""
with_tax = base_price * (1 + tax_percent / 100)
return with_tax - (discount * DISCOUNT_RATE)
U - Unified
Focus: Consistency, patterns, architectural cohesion
Key Questions:
- Does code follow team patterns and conventions?
- Consistent with codebase style?
- Uses established error handling patterns?
- Logging strategy aligned?
- Database access follows repository pattern?
- API design consistent with existing endpoints?
Tools: style guides, architectural patterns, linters
Examples:
# ❌ Bad: Inconsistent error handling
def get_user(user_id):
try:
return fetch_from_db(user_id)
except Exception as e:
return None # Inconsistent with rest of codebase
# ✅ Good: Consistent error handling
def get_user(user_id: int) -> User:
"""Get user by ID.
Raises:
UserNotFoundError: If user doesn't exist
DatabaseError: If database connection fails
"""
try:
return self.user_repository.find_by_id(user_id)
except DatabaseConnectionError as e:
logger.error(f"Database error: {e}")
raise DatabaseError(str(e)) from e
except Exception as e:
logger.error(f"Unexpected error: {e}")
raise
S - Secured
Focus: Security vulnerabilities, input validation, secret handling
Key Questions:
- Are inputs validated before use?
- No hardcoded credentials, API keys, or secrets?
- SQL injection prevention (parameterized queries)?
- XSS prevention (output escaping)?
- CSRF tokens used for state-changing operations?
- Authentication required for sensitive operations?
- Rate limiting on public endpoints?
- Dependency vulnerabilities scanned?
Tools: bandit, safety, npm audit, go vet, security scanners
Examples:
# ❌ Bad: SQL injection vulnerability
def get_user(user_id):
query = f"SELECT * FROM users WHERE id = {user_id}" # Vulnerable!
return db.execute(query)
# ✅ Good: Parameterized query
def get_user(user_id: int) -> User:
query = "SELECT * FROM users WHERE id = ?"
return db.execute(query, [user_id])
T - Trackable
Key Questions:
- Changelog entry added?
- Git history clear and atomic?
- Breaking changes documented?
- Migration guides for version updates?
Examples:
# ❌ Bad: No traceability
def calculate_discount(price, customer_type):
if customer_type == "vip":
return price * 0.8
return price
# ✅ Good: Full traceability
def calculate_discount(price: float, customer_type: str) -> float:
"""Calculate discount based on customer type.
Implements SPEC-042: VIP customers receive 20% discount
Linked to:
- SPEC-042: VIP pricing requirements
- TEST-042-001: VIP discount validation
- PR #1234: Feature implementation
"""
VIP_DISCOUNT_RATE = 0.20
if customer_type == "vip":
return price * (1 - VIP_DISCOUNT_RATE)
return price
SOLID Principles Checklist
| Principle | Focus | Review Question | |-----------|-------|-----------------| | Single Responsibility | One reason to change | Does this class/function do one thing? | | Open/Closed | Open for extension, closed for modification | Can behavior be extended without modifying? | | Liskov Substitution | Substitutable subtypes | Can derived classes replace base without breaking? | | Interface Segregation | Minimal, specific interfaces | Are clients forced to depend on methods they don't use? | | Dependency Inversion | Depend on abstractions, not concretions | Do high-level modules depend on low-level implementations? |
Code Review Process (4-Step)
Step 1: Automated Checks (5 min)
✓ Linting & formatting
✓ Security scanning (bandit, safety, npm audit)
✓ Dependency vulnerabilities
✓ Test coverage ≥85%
✓ Type checking (mypy, TypeScript, etc.)
Step 2: Architecture Review (15 min)
✓ SOLID principles
✓ Design patterns appropriate?
✓ Consistency with codebase
✓ Scalability implications?
✓ Performance implications?
Step 3: Security Audit (10 min)
✓ Input validation
✓ No hardcoded secrets
✓ Authentication/authorization correct?
✓ SQL injection prevention
✓ XSS prevention
✓ CSRF tokens present
Step 4: Implementation Review (20 min)
✓ TRUST 5 checklist
✓ Edge cases handled?
✓ Error messages helpful?
✓ Documentation complete?
Review Depth Matrix
| Change Type | Severity | Automation | Review Time | Focus Areas | |-------------|----------|-----------|------------|------------| | Security fix | 🔴 Critical | Full scan | 30+ min | Vulnerabilities, test coverage, audit trail | | Core architecture | 🔴 Critical | Partial | 45+ min | Design patterns, scalability, consistency | | Feature (new) | 🟡 Major | Full scan | 30 min | Completeness, TRUST 5, documentation | | Bug fix | 🟢 Minor | Partial | 15 min | Root cause, test coverage, regressions | | Documentation | 🟢 Minor | Basic | 5 min | Accuracy, completeness, examples | | Configuration | 🟡 Medium | Full | 10 min | Security, best practices, side effects | | Refactoring | 🟢 Minor | Full | 15 min | Behavior preservation, performance |
Best Practices
DO
- Automate repetitive checks: Linting, coverage, formatting
- Focus human review on high-value areas: Architecture, security, design
- Be constructive: Review code, not people
- Explain WHY: Help reviewer understand the reasoning
- Request specific changes: Not vague "improve this"
- Provide examples: Show the better approach
- Flag trade-offs: Explain choices made
- Document decisions: Comment on why certain patterns chosen
DON'T
- Nitpick style: Let linters handle formatting
- Reject without alternatives: Always suggest improvements
- Make personal comments: Focus on code quality
- Review when tired: Quality suffers
- Block on minor issues: Distinguish critical from nice-to-have
- Skip security review: Always check authentication, validation, secrets
- Ignore test coverage: Enforce ≥85% requirement
Integration with Context7
Live Security Scanning: Get latest vulnerability patterns from official databases
Best Practice Integration: Apply latest security recommendations from official docs
Version-Aware Checks: Context7 provides version-specific security guidance
Automated Fix Suggestions: Context7 patterns for common vulnerability fixes
Related Skills
moai-alfred-practices(Code patterns and best practices)moai-essentials-refactor(Refactoring strategies)
For detailed review checklists: reference.md
For real-world examples: examples.md
Last Updated: 2025-11-12
Status: Production Ready (Enterprise v4.0.0)