Code Reviewer
Overview
Comprehensive code review: General intelligence + MERN specialization.
Philosophy: Check project health FIRST, then dive into code. A 6,000-line file is a problem regardless of what's in it.
Review Workflow
Phase 0: Project Health (Do This First)
Before reading any code, assess project health:
- Build status: Run
tsc --noEmitor check for compilation errors - Project docs: Read README, any STATUS/BUGS/TODO files - look for deployment blockers
- Test health: Do tests exist? Check
package.jsonscripts, look for test directories - File sizes:
find src -name "*.ts" -o -name "*.tsx" | xargs wc -l | sort -n | tail -20 - Dependencies: Check for
npm auditissues, unusual deps (Angular in React?)
Stop here if: Build is broken, docs say "DO NOT DEPLOY", or critical blockers found. Report immediately.
Phase 1: Scope Detection
- Identify scope from context:
- Full repo → Broad review, sample key files
- Feature/PR → All changed files
- Single file → Deep dive
- Detect layers: React? Express? MongoDB? Node.js?
- If ambiguous → ask user
Phase 2: Review by Priority
| Priority | Focus | Severity |
|---|---|---|
| 0. Blockers | Build failures, "DO NOT DEPLOY", broken deploys | STOP |
| 1. Security | Injection, auth, secrets, XSS | Critical |
| 2. Maintainability | God files, complexity, duplication | Critical/Important |
| 3. Performance | N+1, missing indexes, re-renders | Important |
| 4. Testing | No tests, low coverage, flaky tests | Important |
| 5. Best Practices | Error handling, async patterns | Suggestion |
| 6. Architecture | API design, state management | Suggestion |
Load reference files ON-DEMAND when you hit MERN-specific edge cases.
Phase 3: Report
Use the output format below. Offer to fix starting with Critical.
Output Format
# MERN Code Review
## Project Health
- Build: [Compiles / X errors / Not checked]
- Tests: [X passing / X failing / None found]
- Blockers: [Any deployment blockers from docs]
- Large files: [Files >500 lines]
## Scope
[What was reviewed]
## Summary
- Files reviewed: X
- Issues: X Critical, X Important, X Suggestions
## Critical (Must Fix)
### [C1] Category: Title
**File:** `path:line`
**Why:** [1-2 sentences]
**Fix:** [Code or instruction]
## Important (Should Fix)
### [I1] Category: Title
...
## Suggestions
- `file:line` - Note
## What's Good
- [Positive observations]
## Verdict
[Ready to deploy / Blocked / Needs fixes] - [1 sentence reason]
---
**Ready to fix these?** Starting with Critical issues.
Checklists
Minimum required checks. Report other issues you find during review.
Blockers (Check First)
- Project compiles without errors
- No "DO NOT DEPLOY" or similar warnings in docs
- No critical security advisories in
npm audit
Security
- No
$where,$ne,$regexwith user input (NoSQL injection/ReDoS) - No
dangerouslySetInnerHTMLwithout DOMPurify - JWT in httpOnly cookies, not localStorage
- Secrets in env vars, not hardcoded (check config files too, not just code)
- Helmet middleware configured
- CORS properly restricted
- Rate limiting on auth endpoints
- Input validation on all endpoints
- No
eval()ornew Function()with user input
Maintainability
- No file >500 lines (god files)
- No function >50 lines
- No class/component with >20 methods
- No deep nesting (>4 levels)
- No copy-paste blocks >10 lines (DRY)
- Clear naming (no cryptic abbreviations)
- Consistent code style
Performance
- No N+1 queries (use populate/$lookup)
- Indexes on frequently queried fields
-
.lean()for read-only Mongoose queries - No
fs.readFileSyncin request handlers - React.memo on expensive components
- useCallback/useMemo where beneficial
- Pagination on list endpoints
Testing
- Tests exist for critical paths (auth, payments, core flows)
- Test coverage reasonable (>50% for services)
- No skipped/commented-out tests
- Tests actually assert behavior (not just "doesn't crash")
- Mocks don't hide real integration issues
Best Practices
- Async errors handled (try/catch or error middleware)
- useEffect cleanup functions present
- No floating promises (unhandled async)
- Middleware order correct (body-parser before routes, error handler last)
- Environment variables validated at startup
- Graceful shutdown handlers
Architecture
- Consistent API response format
- Service layer between controllers and DB
- Types aligned frontend/backend
- No circular dependencies
- Clear module boundaries
- No god components (React >300 lines)
- State management appropriate for complexity
Red Flags (Immediate Critical)
These are automatic Critical issues:
eval(),new Function()with user input- Hardcoded secrets/credentials in code
dangerouslySetInnerHTMLwithout sanitization- JWT/auth tokens in localStorage
- Missing auth middleware on protected routes
$whereclause with user input- File >1000 lines
- "DO NOT DEPLOY" in project docs
npm auditcritical vulnerabilities
Scope Calibration
| Scope | Phase 0 | Code Depth | Focus |
|---|---|---|---|
| Single file | Skip | Deep | All checklists on that file |
| Last commit | Quick | Medium | Changed lines + immediate context |
| Feature/PR | Quick | Medium | All changed files |
| Full repo | Full | Broad | Sample key files, architecture |
Reference Files
Load ONLY when you encounter MERN-specific patterns you need to verify:
| When to Load | Reference |
|---|---|
| NoSQL query security question | security.md |
| React hooks/re-render issue | react.md |
| Express middleware question | express.md |
| MongoDB schema/index question | mongodb.md |
| Node.js async/memory issue | nodejs.md |
| API design/auth flow question | fullstack.md |
Do NOT load all references upfront. They're for edge cases, not general review.
Don't
- Don't claim "no issues found" without actually searching for them
- Don't report on code you haven't read
- Don't classify style issues as Critical
Examples
God File Detection
Found: EventService.ts - 6,165 lines
→ Critical [C1] Maintainability: God file
→ Recommend split into: EventQueryService, EventBookingService,
EventGuestService, EventInviteService (~500 lines each)
Missing Health Check
Found: CURRENT_STATUS_AND_BUGS.md contains "DO NOT DEPLOY"
→ Critical [C1] Blocker: Deployment blocked by known issues
→ Fix TypeScript errors in EditEventModal.tsx before proceeding
Security + Specific Fix
Found: No Helmet middleware in index.ts
→ Critical [C2] Security: Missing security headers
→ Fix: npm install helmet && app.use(helmet())