cobol-java-v3/.claude/skills/code-review/references/node-express.md
NB-076 2f61ad7f1a feat: integrate the code-review skill into the project
- Project-level skill: .claude/skills/code-review/ (398-line SKILL.md + reference files)
- Auto-trigger: after the AI modifies a .py/.cbl/.cpy/.lark file, a review runs automatically
- CLAUDE.md: defines the trigger rules, the review workflow and the severity levels
- .code-review.yaml: tier=standard, high-risk module configuration

Effect: works right after clone; every code change is reviewed automatically, preventing low-quality code from entering the repository
Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-25 10:24:15 +08:00


# Node.js Express Review Checklist
Extends the generic checklist with Node.js/Express-specific items.
## Interface Layer (Express Routes)
- [ ] Request validation middleware (Joi, Zod, express-validator)
- [ ] Response format consistent across all routes
- [ ] `express.json()` with size limit configured
- [ ] Route handlers are async with try/catch or wrapped with async handler
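What the first item of this layer looks like in practice, as an added example rather than code from the project this checklist belongs to. It follows the Joi/Zod/express-validator middleware pattern, but the schema format and `validateBody()` are hand-rolled so the file runs with no npm packages; `req`, `res` and `next` are plain objects shaped like Express's, and `createUserSchema` is a constructed stand-in for a real route's schema.

```javascript
// Added example, not code from the project this checklist belongs to.
// A request-validation middleware in the style of Joi/Zod/express-validator.
// The schema format and validateBody() are hand-rolled so this runs with no
// npm dependencies; req/res/next are plain objects shaped like Express's.

// Constructed schema: field -> { type, required, max }.
const createUserSchema = {
  email: { type: 'string', required: true, max: 254 },
  age: { type: 'number', required: false },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Check a parsed body against a schema. Returns an array of error strings;
// an empty array means the body is acceptable.
function validateBody(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  const errors = [];
  for (const [field, rule] of Object.entries(schema)) {
    const value = body[field];
    if (value === undefined) {
      if (rule.required) errors.push(`${field} is required`);
      continue;
    }
    if (typeof value !== rule.type) {
      errors.push(`${field} must be a ${rule.type}`);
      continue;
    }
    if (rule.max !== undefined && typeof value === 'string' && value.length > rule.max) {
      errors.push(`${field} exceeds ${rule.max} characters`);
    }
  }
  // Unknown keys are rejected rather than silently passed through to the
  // service layer, which is where mass-assignment bugs usually start.
  for (const key of Object.keys(body)) {
    if (!hasOwn(schema, key)) errors.push(`unexpected field ${key}`);
  }
  return errors;
}

// Middleware factory. On failure it answers 400 with one consistent error
// envelope; on success it replaces req.body with a copy holding only the
// schema's fields and hands over to the route handler.
function validate(schema) {
  return (req, res, next) => {
    const errors = validateBody(schema, req.body);
    if (errors.length > 0) {
      res.status(400).json({ error: 'validation_failed', details: errors });
      return;
    }
    const clean = {};
    for (const field of Object.keys(schema)) {
      if (req.body[field] !== undefined) clean[field] = req.body[field];
    }
    req.body = clean;
    next();
  };
}

// Minimal stand-in for Express's res object: records status and JSON body.
function mockRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Run the middleware over one body and report what the client and the next
// handler would have seen.
function runValidation(body) {
  const req = { body };
  const res = mockRes();
  let calledNext = false;
  validate(createUserSchema)(req, res, () => { calledNext = true; });
  return { calledNext, statusCode: res.statusCode, body: res.body, cleanedBody: req.body };
}
```

In a real app the same `validate(schema)` call sits in the route definition, `app.post('/users', validate(createUserSchema), handler)`, and the consistent `{ error, details }` envelope is what the "response format consistent" item refers to.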
## Business Layer
- [ ] Business logic in service modules, not in route handlers
- [ ] Dependency injection or factory pattern for testability
- [ ] Config loaded from environment, not hardcoded
## Data Layer (Sequelize / Prisma / Knex)
- [ ] Sequelize: eager loading uses `include` with proper scoping
- [ ] Prisma: `select` or `include` to avoid over-fetching
- [ ] Raw queries always parameterized (`$1`, `?` placeholders)
- [ ] Connection pool configured (`max`, `min`, `idleTimeoutMillis`)
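The parameterized-query and pool items above, together with the query-limit item from the Performance section, as an added example that is not the project's code. `makeStubDb()` is a constructed stand-in for a pg/knex client: its `.query(text, params)` signature mirrors node-postgres but it only records what it would send, so the contrast between spliced and parameterized SQL can be inspected offline. The pool numbers and the `users` table are illustrative.

```javascript
// Added example, not the project's code. A stub driver records what would be
// sent to the database so the unparameterized/parameterized contrast and the
// pagination clamp can be checked without a real connection.

function makeStubDb() {
  const calls = [];
  return {
    calls,
    // Synchronous for the example; a real client returns a Promise.
    query(text, params = []) {
      calls.push({ text, params });
      return { rows: [] };
    },
  };
}

// The "before": input is spliced into the SQL text. Even a benign value with
// an apostrophe changes the statement; a crafted one changes its logic.
function findUserUnsafe(db, email) {
  return db.query(`SELECT id, email FROM users WHERE email = '${email}'`);
}

// The "after": text and values travel separately ($1 for pg, ? for mysql/knex),
// so the value can only ever be compared, never parsed as SQL.
function findUserSafe(db, email) {
  return db.query('SELECT id, email FROM users WHERE email = $1', [email]);
}

// Pagination guard: page/pageSize arrive from the query string as strings and
// may be missing, negative or huge; clamp them before they reach LIMIT/OFFSET.
const DEFAULT_PAGE_SIZE = 20;
const MAX_PAGE_SIZE = 100;
function pagination(query) {
  const page = Math.max(1, Number.parseInt(query.page, 10) || 1);
  const size = Math.min(
    MAX_PAGE_SIZE,
    Math.max(1, Number.parseInt(query.pageSize, 10) || DEFAULT_PAGE_SIZE),
  );
  return { limit: size, offset: (page - 1) * size };
}

function listUsers(db, query) {
  const { limit, offset } = pagination(query);
  return db.query('SELECT id, email FROM users ORDER BY id LIMIT $1 OFFSET $2', [limit, offset]);
}

// Pool settings the Data Layer item names; these values are placeholders to tune.
const poolConfig = { max: 10, min: 2, idleTimeoutMillis: 30000 };

// Run all three queries with the same constructed input and return the log.
function demo() {
  const db = makeStubDb();
  const email = "o'brien@example.com"; // constructed: ordinary input containing an apostrophe
  findUserUnsafe(db, email);
  findUserSafe(db, email);
  listUsers(db, { page: '2', pageSize: '5000' });
  return db.calls;
}
```

In the recorded calls the unsafe variant carries the apostrophe inside the statement text, which a real server would reject as a syntax error (or, for crafted input, execute as different SQL), while the safe variant sends exactly the same statement every time with the value in `params`.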
## Error Handling
- [ ] Global error handler middleware `(err, req, res, next)`
- [ ] Async route handlers wrapped (express-async-errors or manual wrapper)
- [ ] Error responses never expose stack traces in production
- [ ] `uncaughtException` and `unhandledRejection` handlers
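The async-wrapper item from the Interface Layer and the first three Error Handling items together, as an added example that is not the project's code. `asyncHandler` is the manual wrapper the checklist allows instead of `express-async-errors`; `errorHandler(env)` builds the four-argument middleware and strips stack traces when `env` is `"production"`. `HttpError`, `mockRes` and the failing route are constructed for the example so it runs without Express installed.

```javascript
// Added example, not the project's code. An asyncHandler wrapper that turns a
// rejected promise into next(err), and a global error middleware that only
// includes stack traces outside production. Express is not required: req/res
// are plain mocks.

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
    this.expose = status < 500; // 4xx messages are safe to return to the client
  }
}

// Wrap an async route handler so a rejection becomes next(err) instead of an
// unhandled rejection that leaves the request hanging.
function asyncHandler(fn) {
  return (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);
}

// Global error handler. Express recognises error middleware by its
// four-parameter signature, so `next` must stay even though it is unused.
function errorHandler(env) {
  // eslint-disable-next-line no-unused-vars
  return (err, req, res, next) => {
    const status = Number.isInteger(err.status) ? err.status : 500;
    const body = { error: err.expose ? err.message : 'internal_error' };
    if (env !== 'production') {
      // Developer-facing detail; never reaches a production client.
      body.message = err.message;
      body.stack = err.stack;
    }
    res.status(status).json(body);
  };
}

// Minimal stand-in for Express's res object.
function mockRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Feed an error straight into the handler and return what the client would see.
function handleError(env, err) {
  const res = mockRes();
  errorHandler(env)(err, {}, res, () => {});
  return { statusCode: res.statusCode, body: res.body };
}

// A route whose async body throws; the wrapper routes the rejection to the
// error handler exactly as Express would via next(err).
function simulateRoute(env) {
  const res = mockRes();
  const route = asyncHandler(async () => {
    throw new Error('connect ECONNREFUSED db-internal:5432'); // constructed failure
  });
  const onError = errorHandler(env);
  return route({}, res, (err) => onError(err, {}, res, () => {}))
    .then(() => ({ statusCode: res.statusCode, body: res.body }));
}
```

`app.use(errorHandler(process.env.NODE_ENV))` goes after all routes so it is the last middleware in the chain. The `uncaughtException` and `unhandledRejection` handlers in the last item are process-level (`process.on(...)`) and are the safety net for anything that escapes this chain; they should log and exit rather than try to keep serving.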
## Security
- [ ] `helmet` middleware configured
- [ ] `cors` with specific origin allowlist
- [ ] `express-rate-limit` on auth and sensitive endpoints
- [ ] `httpOnly`, `secure`, `sameSite` flags on cookies
- [ ] No `eval()` or `Function()` with user input
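Three of the Security items in working form, as an added example that is not the project's code: an exact-match origin allowlist of the kind passed to `cors({ origin })`, the cookie flags for a session cookie, and a fixed-window rate limiter with the same middleware shape `express-rate-limit` produces. Everything is a plain function so it runs without `helmet`, `cors` or `express-rate-limit` installed; `ALLOWED_ORIGINS`, the window/limit numbers and the injectable `now` clock are constructed for the example.

```javascript
// Added example, not the project's code: origin allowlist, session cookie
// flags and a fixed-window rate limiter, written as plain functions so they
// run without the cors / express-rate-limit packages.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Exact match on the full origin (scheme + host + port). A substring or loose
// regex check would also accept lookalike hosts that merely contain the name.
function originAllowed(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Options for res.cookie('sid', value, sessionCookieOptions(env)).
function sessionCookieOptions(env) {
  return {
    httpOnly: true,               // not readable from document.cookie
    secure: env === 'production', // TLS only; relaxed locally for http://localhost
    sameSite: 'lax',              // not attached to cross-site POSTs
    path: '/',
    maxAge: 60 * 60 * 1000,       // one hour, in milliseconds
  };
}

// Fixed-window limiter keyed by client address. `now` is injectable so the
// window roll-over can be tested deterministically.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const hits = new Map(); // key -> { count, windowStart }

  function check(key) {
    const t = now();
    let entry = hits.get(key);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t };
      hits.set(key, entry);
    }
    entry.count += 1;
    return { allowed: entry.count <= max, remaining: Math.max(0, max - entry.count) };
  }

  // Express-style middleware: 429 once the window's budget is spent.
  function middleware(req, res, next) {
    const { allowed, remaining } = check(req.ip);
    res.setHeader('RateLimit-Remaining', String(remaining));
    if (!allowed) {
      res.status(429).json({ error: 'too_many_requests' });
      return;
    }
    next();
  }

  return { check, middleware };
}

// Minimal stand-in for Express's res object.
function mockRes() {
  const res = { statusCode: 200, body: undefined, headers: {} };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  return res;
}

// Send `n` requests from one address through the middleware and return how
// many got through and what the last response looked like.
function hammer(limiter, ip, n) {
  let passed = 0;
  let last;
  for (let i = 0; i < n; i += 1) {
    last = mockRes();
    limiter.middleware({ ip }, last, () => { passed += 1; });
  }
  return { passed, lastStatus: last.statusCode, lastRemaining: last.headers['RateLimit-Remaining'] };
}
```

The limiter is mounted only where the checklist says it matters, e.g. `app.post('/login', limiter.middleware, ...)`, and in a multi-instance deployment the in-memory `Map` would be replaced by a shared store, which is exactly what `express-rate-limit`'s store option is for.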
## Performance
- [ ] Compression middleware (`compression`)
- [ ] Database queries have limits and pagination
- [ ] Heavy operations offloaded to worker threads or queue
- [ ] Static assets served via CDN or reverse proxy, not Express