Code Review

Process

• Determine scope — identify what to review:

• PR number given → gh pr diff <number>

• "my changes" / no target specified → git diff HEAD (unstaged + staged)

• Specific files mentioned → read those files directly

• Read each changed file fully before reviewing

• Load references/checklist.md and apply sections matching the changed file paths:

Path pattern Checklist sections

server/api/**

API Route, Security, Error Handling

app/components/** , app/pages/**

Vue Component, Security

server/database/schema/**

Database & Schema

shared/schemas/** , shared/constants.ts

Validation & Types

app/composables/**

Vue Component (data fetching), Performance

server/utils/** , server/middleware/**

API Route (auth), Security, Error Handling

• Always apply Security Review regardless of file type

• Report findings using the output format below

Instant Red Flags

Flag these on sight — the most frequent mistakes in this codebase:

• server/api/projects/[projectId]/** route missing getAccessibleProject() call

• Raw string where a shared constant exists ('Open' instead of IssueStatus.Open )

• v-html with user-controlled content

Output Format

Code Review: [brief description]

Summary

[1-2 sentence overview and assessment]

Findings

🔴 Critical

• [file:line]: [description and fix]

🟡 Suggestions

• [file:line]: [description and suggestion]

🟢 Good Patterns

• [positive patterns worth noting]

Verdict

[APPROVE / REQUEST_CHANGES / COMMENT — with brief rationale]

Omit empty severity sections. If no issues found, state the code looks good with brief justification.