feat: integrate the code-review skill into the project

- Project-level skill: .claude/skills/code-review/ (398-line SKILL.md + reference files)
- Auto-trigger: review runs automatically after the AI modifies .py/.cbl/.cpy/.lark files
- CLAUDE.md: defines trigger rules, review flow, severity levels
- .code-review.yaml: tier=standard, high-risk module configuration

Result: usable right after clone; every code change is reviewed automatically, preventing low-quality code from entering the repo

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -0,0 +1,45 @@
# Node.js Express Review Checklist
Extends the generic checklist with Node.js/Express-specific items.
## Interface Layer (Express Routes)
- [ ] Request validation middleware (Joi, Zod, express-validator)
- [ ] Response format consistent across all routes
- [ ] `express.json()` with size limit configured
- [ ] Route handlers are async with try/catch or wrapped with async handler
## Business Layer
- [ ] Business logic in service modules, not in route handlers
- [ ] Dependency injection or factory pattern for testability
- [ ] Config loaded from environment, not hardcoded
## Data Layer (Sequelize / Prisma / Knex)
- [ ] Sequelize: eager loading uses `include` with proper scoping
- [ ] Prisma: `select` or `include` to avoid over-fetching
- [ ] Raw queries always parameterized (`$1`, `?` placeholders)
- [ ] Connection pool configured (`max`, `min`, `idleTimeoutMillis`)
## Error Handling
- [ ] Global error handler middleware `(err, req, res, next)`
- [ ] Async route handlers wrapped (express-async-errors or manual wrapper)
- [ ] Error responses never expose stack traces in production
- [ ] `uncaughtException` and `unhandledRejection` handlers
## Security
- [ ] `helmet` middleware configured
- [ ] `cors` with specific origin allowlist
- [ ] `express-rate-limit` on auth and sensitive endpoints
- [ ] `httpOnly`, `secure`, `sameSite` flags on cookies
- [ ] No `eval()` or `Function()` with user input
## Performance
- [ ] Compression middleware (`compression`)
- [ ] Database queries have limits and pagination
- [ ] Heavy operations offloaded to worker threads or queue
- [ ] Static assets served via CDN or reverse proxy, not Express
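Review bot: this checklist targets Node.js/Express, but the commit message wires auto-review only to .py/.cbl/.cpy/.lark changes, so nothing in this commit ever triggers it for .js/.ts files; either add those extensions to the trigger rule in CLAUDE.md or label the file as a reference-only checklist. Two content points while it is here: the Error Handling item "`uncaughtException` and `unhandledRejection` handlers" should say the handler logs and then exits so the process manager restarts it, since continuing after an uncaught exception leaves the process in an undefined state; and the Security section has no item for authentication/authorization checks on protected routes, which is the most common gap a review of Express route handlers should catch.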