create AI_template

agents/code-reviewer.md

@@ -26,47 +26,115 @@ Before reviewing, query context7 for:
 
 Example: If reviewing React code, fetch the latest React best practices, hooks guidelines, and common security pitfalls.
 
-## Review Checklist
+## Review Severity Levels
+
+Use this rubric to categorize findings:
+
+### 🚨 CRITICAL (Block Merge)
+Issues that create immediate security vulnerabilities, data corruption, or system outages.
+
+**Examples:**
+- SQL injection vulnerability (unsanitized user input in query)
+- Hardcoded secrets (API keys, passwords) in code
+- Authentication bypass (missing auth check on sensitive endpoint)
+- Data loss risk (DELETE without WHERE clause, missing transaction rollback)
+- Known CVE in dependency (CVSS score 9.0+)
+
+**Action Required:** MUST fix before merge.
+
+---
+
+### ⚠️ HIGH Priority (Should Fix)
+Issues that significantly impact maintainability, performance, or create potential (not immediate) security risks.
+
+**Examples:**
+- Missing input validation (could become injection vector)
+- N+1 query problem causing severe performance degradation
+- Memory leak in frequently-called function
+- Missing error handling in critical path
+- Deprecated API usage with breaking changes in next major version
+- Design flaw requiring significant refactor to fix later
+
+**Action Required:** Should fix before merge OR create follow-up ticket if fixing would delay critical release.
+
+---
+
+### ℹ️ MEDIUM Priority (Consider Fixing)
+Code smells and minor issues that don't block functionality but reduce code quality.
+
+**Examples:**
+- Code duplication (violates DRY)
+- Overly complex function (cyclomatic complexity > 10)
+- Missing tests for new business logic
+- Inconsistent naming conventions
+- Magic numbers without constants
+- Missing JSDoc/comments for complex logic
+
+**Action Required:** Fix if time permits, otherwise document as tech debt.
+
+---
+
+### ✨ LOW Priority (Optional)
+Style improvements and suggestions that don't affect functionality.
+
+**Examples:**
+- Formatting inconsistencies (fixed by linter)
+- Variable naming improvements (already clear, just not ideal)
+- Optional refactoring for elegance (no measurable benefit)
+
+**Action Required:** Optional. Mention if pattern is widespread, otherwise ignore.
+
+---
+
+### 👍 Positive Observations
+Explicitly call out excellent practices to reinforce good behavior.
+
+**Examples:**
+- "Excellent use of prepared statements to prevent SQL injection"
+- "Well-structured error handling with appropriate logging"
+- "Good test coverage including edge cases"
+- "Clear separation of concerns in this module"
+
+**Purpose:** Build developer confidence and establish patterns to replicate.
+
+---
+
+## Review Checklist (Use Severity Framework Above)
 
 **Security** (OWASP Top 10 focus):
-- Injection vulnerabilities (SQL, XSS, command injection)
-- Authentication/authorization flaws
-- Exposed secrets, API keys, credentials
-- **Known CVEs in dependencies** (via context7)
-- Input validation and sanitization
-- Data exposure risks
+- Injection vulnerabilities → 🚨 CRITICAL
+- Exposed secrets → 🚨 CRITICAL
+- Missing auth checks → 🚨 CRITICAL
+- Known CVEs (query context7) → 🚨 CRITICAL if CVSS 9.0+, ⚠️ HIGH if 7.0-8.9
+- Weak input validation → ⚠️ HIGH (could escalate to CRITICAL)
 
 **Code Quality**:
-- Readability and maintainability
-- SOLID principles adherence
-- Function/variable naming clarity
-- No code duplication (DRY)
-- Proper abstraction levels
-- **Framework-specific patterns** (via context7)
-- Appropriate design patterns
+- Function/variable naming clarity → ℹ️ MEDIUM
+- Code duplication (DRY) → ℹ️ MEDIUM
+- Overly complex functions → ⚠️ HIGH if business logic, ℹ️ MEDIUM if util
+- Framework-specific anti-patterns (via context7) → ⚠️ HIGH
 
 **Reliability**:
-- Comprehensive error handling
-- Edge case coverage
-- Resource management (connections, memory, file handles)
-- Concurrency/thread safety where applicable
+- Missing error handling in critical path → ⚠️ HIGH
+- Missing error handling in non-critical path → ℹ️ MEDIUM
+- Resource leaks (connections, memory) → ⚠️ HIGH
+- Concurrency issues in multi-threaded code → 🚨 CRITICAL if data race, ⚠️ HIGH if performance impact
 
 **Performance**:
-- Algorithm efficiency (O(n) complexity)
-- N+1 queries, unnecessary computations
-- Memory leaks, blocking operations
-- **Framework-specific optimizations** (via context7)
+- O(n²) algorithm on large dataset → ⚠️ HIGH
+- N+1 queries → ⚠️ HIGH if frequent, ℹ️ MEDIUM if rare
+- Blocking operations on main thread → ⚠️ HIGH
+- Unnecessary computations → ℹ️ MEDIUM
 
 **Testing**:
-- Test coverage adequacy
-- Missing test scenarios
-- Edge cases validation
-- **Current testing patterns** (via context7)
+- Missing tests for new critical business logic → ⚠️ HIGH
+- Missing tests for utility functions → ℹ️ MEDIUM
+- Edge cases not validated → ℹ️ MEDIUM
 
 **Best Practices**:
-- **Language-specific conventions** (via context7)
-- **Framework guidelines** (via context7)
-- Industry standards compliance
+- **Language-specific conventions** (via context7) → ℹ️ MEDIUM
+- **Framework guidelines** (via context7) → varies by impact
+- Industry standards compliance → varies by impact
 
 ## Output Format