Code Review
Shipping code to a client without a proper review is the fastest way to erode trust. But under outsourcing deadlines, the senior engineer who should be reviewing is often the one who wrote the code. Sun Agent Kit’s code review agents act as an always-available senior reviewer — checking logic, security, performance, and style so you can merge with confidence even when the team is stretched thin.
Overview
Goal: Catch bugs, security issues, and performance problems before code reaches the client’s production branch
Time: 5–15 minutes (vs 30–60 minutes of manual review)
Agents used: reviewer, scout, debugger
Commands: /sk:code-review, /sk:code-review #47, /sk:code-review --pending, /sk:code-review codebase
Prerequisites
- Sun Agent Kit installed and authenticated (installation guide)
- Git repository with at least one commit (reviews work on diffs)
- For PR reviews: GitHub, GitLab, or Bitbucket remote configured and accessible
Step-by-Step Workflow
Step 1: Review the current working diff
Before committing, get instant feedback on everything you have changed since the last commit.
/sk:code-review --pendingWhat happens: The agent:
- Resolves the diff scope from staged and unstaged changes
- Runs static analysis checking for logic errors, null safety issues, and dead code
- Checks style conventions and identifies functions missing test coverage
- Generates inline review comments with file and line references
- Saves the review report to
plans/reports/
Step 2: Review a pull request
Point the agent at an open PR to get a structured review with inline comments.
/sk:code-review #47What happens: The agent:
- Fetches the PR diff from the remote repository
- Analyzes code changes for business logic issues, error handling gaps, and security patterns
- Checks test coverage delta against the new code
- Reviews commit messages and PR description quality
- Produces a report with categorized findings
Step 3: Focus on security and performance
When time is short, narrow the review scope through the prompt.
/sk:code-review "focus on security and performance patterns in the checkout feature branch"What happens: The agent:
- Scopes the review to security and performance concerns
- Checks for OWASP Top 10 patterns, N+1 queries, blocking I/O, and memory leaks
- Generates a prioritized remediation list with code suggestions
Step 4: Run a codebase-wide scan
For pre-release audits, run a full codebase review.
/sk:code-review codebaseWhat happens: The agent:
- Scans the entire codebase for code quality, security, and performance issues
- Categorizes findings by severity
- Produces a comprehensive report suitable for delivery documentation
Step 5: Generate a review summary for the client record
Produce a clean summary document that demonstrates your team’s QA process — useful for Japanese clients who require delivery checklists.
/sk:code-review "generate delivery checklist summary for the current branch"What happens: The agent reviews the branch and produces a structured summary covering findings resolved, test coverage status, and security review status.
Complete Example: Review PR Before Merging to Production Branch
Scenario
It is 5 PM on a Thursday. Your team has been working on a feature branch for two weeks — a complete rewrite of the checkout flow for a Vietnamese e-commerce client. The client’s CTO wants it live Friday morning. Your senior engineer is on another engagement. The junior who wrote most of it is confident it works, but “it works on my machine” has burned this team before.
Commands chained
# 1. Full PR review to understand the scope of risk
/sk:code-review #112
# 2. Security-focused pass — checkout = payment data = non-negotiable
/sk:code-review "security-focused review of PR #112 — check for input validation and injection issues in checkout flow"
# 3. Fix anything the review flagged
/sk:fix "apply fixes from the code review findings"
# 4. Final review pass
/sk:code-review --pendingResult
The review surfaces two HIGH findings: a missing try/catch around the payment gateway call that would silently swallow errors, and a user-supplied redirect_url parameter that was passed to res.redirect() without validation (open redirect vulnerability). Both are fixed in 20 minutes with the agent’s suggested patches. The client’s CTO merges Friday morning with the review record on file.
Time Comparison
| Task | Manual | With Sun Agent Kit |
|---|---|---|
| Reading a multi-file diff and taking notes | 25 min | minutes |
| Logic and null-safety check | 15 min | minutes |
| Security pattern review | 10 min | minutes |
| Performance anti-pattern check | 10 min | minutes |
| Writing inline review comments | 15 min | minutes |
| Total | ~75 minutes | ~10 minutes |
Best Practices
1. Run /sk:code-review before every PR, not just large ones ✅
Small PRs are where logic bugs hide. A two-file change that “obviously works” is exactly where an unvalidated input or a missing error handler slips through. Make the review a habit, not a special occasion.
2. Use a security-focused prompt on any PR that touches authentication, payments, or user data ✅
Not every PR needs the full treatment. When a change touches sensitive code paths, a focused security review takes seconds to request and can prevent a data breach. The ROI is asymmetric — it costs almost nothing, and the downside of skipping it is enormous.
3. Do not treat a clean review as a substitute for tests ❌
Static analysis cannot verify runtime behavior. A clean /sk:code-review means the code is structurally sound — it does not mean the feature works correctly under all conditions. Keep your test suite running; the review is a complement, not a replacement.
4. Always read HIGH severity findings before acting on them ❌
HIGH findings often involve business logic decisions — the agent will suggest a fix, but the suggestion may not match your domain requirements. Always read HIGH findings before applying.
Troubleshooting
Problem: Review generates hundreds of style findings drowning out real bugs
Solution: Provide a focused prompt that excludes style: /sk:code-review "focus on logic errors, security, and performance — skip style and formatting". This lets you see critical findings clearly.
Problem: PR review fails with “cannot fetch diff — authentication error”
Solution: Check your Git credentials — run gh auth status for GitHub or verify your SSH key. Token-based access expires; the agent needs valid credentials to fetch PR diffs from private repositories.
Problem: Agent flags a false positive on an intentional pattern
Solution: Explain the context in your prompt: /sk:code-review "this raw query in the admin route is intentional — focus on other security concerns". The agent adjusts its analysis based on your guidance.
Problem: Review takes too long on a very large codebase
Solution: Scope the review to specific directories: /sk:code-review "review only src/api/ and src/services/ directories". You can run multiple targeted reviews rather than one massive scan.
Next Steps
- Security Audit & Scan — Pair with code review for a complete pre-delivery quality gate
- Optimize Performance — Drill into the performance findings the reviewer surfaces
- Generate Documentation — Create a handoff package that includes the review record
Key takeaway: An AI-powered code review does not replace engineering judgment — it ensures that no PR reaches the client’s production branch with a known bug, security hole, or performance landmine that a reviewer with time would have caught.