Best practices for conducting effective code reviews that improve code quality, share knowledge, and maintain team standards.

Code Review Standards

Skill Profile

(Select at least one profile to enable specific modules)

DevOps
Backend
Frontend
AI-RAG
Security Critical

Overview

Code Review Standards define how teams review code to catch bugs, share knowledge, maintain quality, and ensure consistency. Good code reviews make teams stronger.

Core Principle: "Code review is about learning, not judging. Review the code, not the person."

Why This Matters

Core Concepts & Rules

1. Core Principles

Follow established patterns and conventions
Maintain consistency across codebase
Document decisions and trade-offs

2. Implementation Guidelines

Start with the simplest viable solution
Iterate based on feedback and requirements
Test thoroughly before deployment

Inputs / Outputs / Contracts

Inputs:
- <e.g., env vars, request payload, file paths, schema>
Entry Conditions:
- <Pre-requisites: e.g., Repo initialized, DB running, specific branch checked out>
Outputs:
- <e.g., artifacts (PR diff, docs, tests, dashboard JSON)>
Artifacts Required (Deliverables):
- <e.g., Code Diff, Unit Tests, Migration Script, API Docs>
Acceptance Evidence:
- <e.g., Test Report (screenshot/log), Benchmark Result, Security Scan Report>
Success Criteria:
- <e.g., p95 < 300ms, coverage ≥ 80%>

Skill Composition

Depends on: None
Compatible with: None
Conflicts with: None
Related Skills: None

Quick Start

Assumptions

Team uses Git for version control
Pull requests are used for code changes
Team has defined coding standards
Automated tests are available

Compatibility

Works with GitHub, GitLab, Bitbucket
Language-agnostic review principles
Can be adapted to any team size

Test Scenario Matrix

Scenario	Expected Behavior	Notes
Small PR (<200 lines)	Quick review (2-4 hours)	Easy to review thoroughly
Large PR (>500 lines)	Request to break up	Hard to review thoroughly
Security vulnerability	Blocking comment	Must fix before merge
Missing tests	Important comment	Should add tests
Style issue	Suggestion	Nice to have
Good code	Praise	Positive reinforcement

Technical Guardrails & Security Threat Model

1. Security & Privacy (Threat Model)

Top Threats: Injection attacks, authentication bypass, data exposure

Data Handling: Sanitize all user inputs to prevent Injection attacks. Never log raw PII
Secrets Management: No hardcoded API keys. Use Env Vars/Secrets Manager
Authorization: Validate user permissions before state changes

2. Performance & Resources

Execution Efficiency: Consider time complexity for algorithms
Memory Management: Use streams/pagination for large data
Resource Cleanup: Close DB connections/file handlers in finally blocks

3. Architecture & Scalability

Design Pattern: Follow SOLID principles, use Dependency Injection
Modularity: Decouple logic from UI/Frameworks

4. Observability & Reliability

Logging Standards: Structured JSON, include trace IDs request_id
Metrics: Track error_rate, latency, queue_depth
Error Handling: Standardized error codes, no bare except
Observability Artifacts:
- Log Fields: timestamp, level, message, request_id
- Metrics: request_count, error_count, response_time
- Dashboards/Alerts: High Error Rate > 5%

Agent Directives & Error Recovery

(ข้อกำหนดสำหรับ AI Agent ในการคิดและแก้ปัญหาเมื่อเกิดข้อผิดพลาด)

Thinking Process: Analyze root cause before fixing. Do not brute-force.
Fallback Strategy: Stop after 3 failed test attempts. Output root cause and ask for human intervention/clarification.
Self-Review: Check against Guardrails & Anti-patterns before finalizing.
Output Constraints: Output ONLY the modified code block. Do not explain unless asked.

Definition of Done

Review process documented
PR template with checklist
Review checklist available
Comment guidelines defined
Severity levels established
PR size guidelines set
Turnaround SLAs defined
Automated checks in place
Metrics dashboard configured
Team trained on standards

Anti-patterns / Pitfalls

⛔ Don't: Log PII, catch-all exception, N+1 queries
⚠️ Watch out for: Common symptoms and quick fixes
💡 Instead: Use proper error handling, pagination, and logging

Reference Links

Versioning & Changelog

Version: 1.0.0
Changelog:
- 2026-02-22: Initial version with complete template structure

Best practices for conducting effective code reviews that improve code quality, share knowledge, and maintain team standards.

Code Review Standards

Skill Profile

(Select at least one profile to enable specific modules)

DevOps
Backend
Frontend
AI-RAG
Security Critical

Overview

Code Review Standards define how teams review code to catch bugs, share knowledge, maintain quality, and ensure consistency. Good code reviews make teams stronger.

Core Principle: "Code review is about learning, not judging. Review the code, not the person."

Why This Matters

Core Concepts & Rules

1. Core Principles

Follow established patterns and conventions
Maintain consistency across codebase
Document decisions and trade-offs

2. Implementation Guidelines

Start with the simplest viable solution
Iterate based on feedback and requirements
Test thoroughly before deployment

Inputs / Outputs / Contracts

Inputs:
- <e.g., env vars, request payload, file paths, schema>
Entry Conditions:
- <Pre-requisites: e.g., Repo initialized, DB running, specific branch checked out>
Outputs:
- <e.g., artifacts (PR diff, docs, tests, dashboard JSON)>
Artifacts Required (Deliverables):
- <e.g., Code Diff, Unit Tests, Migration Script, API Docs>
Acceptance Evidence:
- <e.g., Test Report (screenshot/log), Benchmark Result, Security Scan Report>
Success Criteria:
- <e.g., p95 < 300ms, coverage ≥ 80%>

Skill Composition

Depends on: None
Compatible with: None
Conflicts with: None
Related Skills: None

Quick Start

Assumptions

Team uses Git for version control
Pull requests are used for code changes
Team has defined coding standards
Automated tests are available

Compatibility

Works with GitHub, GitLab, Bitbucket
Language-agnostic review principles
Can be adapted to any team size

Test Scenario Matrix

Scenario	Expected Behavior	Notes
Small PR (<200 lines)	Quick review (2-4 hours)	Easy to review thoroughly
Large PR (>500 lines)	Request to break up	Hard to review thoroughly
Security vulnerability	Blocking comment	Must fix before merge
Missing tests	Important comment	Should add tests
Style issue	Suggestion	Nice to have
Good code	Praise	Positive reinforcement

Technical Guardrails & Security Threat Model

1. Security & Privacy (Threat Model)

Top Threats: Injection attacks, authentication bypass, data exposure

Data Handling: Sanitize all user inputs to prevent Injection attacks. Never log raw PII
Secrets Management: No hardcoded API keys. Use Env Vars/Secrets Manager
Authorization: Validate user permissions before state changes

2. Performance & Resources

Execution Efficiency: Consider time complexity for algorithms
Memory Management: Use streams/pagination for large data
Resource Cleanup: Close DB connections/file handlers in finally blocks

3. Architecture & Scalability

Design Pattern: Follow SOLID principles, use Dependency Injection
Modularity: Decouple logic from UI/Frameworks

4. Observability & Reliability

Logging Standards: Structured JSON, include trace IDs request_id
Metrics: Track error_rate, latency, queue_depth
Error Handling: Standardized error codes, no bare except
Observability Artifacts:
- Log Fields: timestamp, level, message, request_id
- Metrics: request_count, error_count, response_time
- Dashboards/Alerts: High Error Rate > 5%

Agent Directives & Error Recovery

(ข้อกำหนดสำหรับ AI Agent ในการคิดและแก้ปัญหาเมื่อเกิดข้อผิดพลาด)

Thinking Process: Analyze root cause before fixing. Do not brute-force.
Fallback Strategy: Stop after 3 failed test attempts. Output root cause and ask for human intervention/clarification.
Self-Review: Check against Guardrails & Anti-patterns before finalizing.
Output Constraints: Output ONLY the modified code block. Do not explain unless asked.

Definition of Done

Review process documented
PR template with checklist
Review checklist available
Comment guidelines defined
Severity levels established
PR size guidelines set
Turnaround SLAs defined
Automated checks in place
Metrics dashboard configured
Team trained on standards

code-review-standards

About

SKILL.md

code-review-standards

About

SKILL.md

Code Review Standards

Skill Profile

Overview

Why This Matters

Core Concepts & Rules

1. Core Principles

2. Implementation Guidelines

Inputs / Outputs / Contracts

Skill Composition

Quick Start

Assumptions

Compatibility

Test Scenario Matrix

Technical Guardrails & Security Threat Model

1. Security & Privacy (Threat Model)

2. Performance & Resources

3. Architecture & Scalability

4. Observability & Reliability

Agent Directives & Error Recovery

Definition of Done

Anti-patterns / Pitfalls

Reference Links

Versioning & Changelog

About

SKILL.md

About

SKILL.md

Code Review Standards

Skill Profile

Overview

Why This Matters

Core Concepts & Rules

1. Core Principles

2. Implementation Guidelines

Inputs / Outputs / Contracts

Skill Composition

Quick Start

Assumptions

Compatibility

Test Scenario Matrix

Technical Guardrails & Security Threat Model

1. Security & Privacy (Threat Model)

2. Performance & Resources

3. Architecture & Scalability

4. Observability & Reliability

Agent Directives & Error Recovery

Definition of Done

Anti-patterns / Pitfalls

Reference Links

Versioning & Changelog