name: code-review-autopilot description: > Scans for security issues, hardcoded secrets, missing error handling, and vibe coding antipatterns. Produces PASS/FAIL verdicts with file:line references. Invoke with /review.

Code Review Autopilot

Commands

• /review — Review all staged/changed files
• /review <path> — Review a specific file or directory
• /review --pr — Review the current PR diff against base branch

Review Categories

1. Security (CRITICAL)

• Hardcoded secrets, API keys, tokens, passwords
• SQL injection, command injection, XSS vectors
• Insecure deserialization
• Missing input validation at system boundaries
• Overly permissive CORS or auth settings
• Credentials in logs or error messages

2. Error Handling

• Bare except/catch blocks that swallow errors
• Missing error handling on external API calls
• Unchecked return values from I/O operations
• Error messages that leak internal details
• Missing retry/backoff on transient failures

3. Code Quality

• Functions exceeding 50 lines
• Cyclomatic complexity above 10
• Deeply nested conditionals (3+ levels)
• Dead code or unreachable branches
• Copy-paste duplication (3+ identical blocks)
• Magic numbers without named constants

4. Vibe Coding Antipatterns

• TODO/FIXME/HACK comments left in production code
• Console.log/print statements not behind a debug flag
• Commented-out code blocks
• Placeholder implementations
• Over-abstraction for single-use cases

5. Dependencies

• Known vulnerable versions
• Unused imports or dependencies
• Circular dependencies

6. Testing

• Changed logic without corresponding test changes
• Test files that only test happy paths
• Flaky test patterns (sleep, timing-dependent assertions)

Output Format

For each issue found, report:

• Severity: CRITICAL / WARNING / NOTE
• Location: file:line
• Description: what the issue is
• Fix: concrete suggestion

Verdict Rules

• Any CRITICAL issue = automatic FAIL
• 3+ warnings in the same category = FAIL
• Hardcoded secret = immediate FAIL

MCMAP-Specific Checks

• Copilot instructions: verify plain text compliance (no emoji, markdown, curly braces)
• Solution XML: verify displaynames use displayname not description tags
• OptionSet prefixes: verify prefix_fieldname not prefixentity_prefix_fieldname
• KB documents: verify under 36K chars
• Python scripts: verify no hardcoded Dataverse URLs (must use config)