{"id":"fcd631ff-490c-4213-b977-f6a1c71a071e","shortId":"XFqhPm","kind":"skill","title":"code-review-web","tagline":"Review web application code for bugs, security issues, performance problems, and stack-specific anti-patterns. Use this skill whenever the user wants to review code, debug a production issue, investigate a build failure, audit security, or check a PR before merging. Triggers on c","description":"# Code Review for Web\n\nReview and debug web application code with a focus on the patterns that actually break production. Stack-agnostic principles in SKILL.md. Stack-specific patterns in references.\n\n---\n\n## When to use\n\n- Reviewing a pull request before merging\n- Debugging a production issue\n- Investigating a build failure\n- Auditing security or performance of existing code\n- Investigating environment variable or configuration issues\n- Triaging a \"the site is broken\" report\n\n## When NOT to use\n\n- Writing a new feature spec (use `pm-spec-writing`)\n- Pre-launch QA against the running site (use `qa-testing`)\n- Performance deep-dive on Core Web Vitals (use `performance-optimization`)\n- Deep accessibility compliance review (use `accessibility-audit`)\n\n---\n\n## Required inputs\n\n- The code, PR, error message, or symptom under review\n- Access to logs (build logs, function logs, server logs) if debugging\n- The stack (framework, hosting, database) - even at high level\n\nIf just a symptom is provided (\"the site is broken\"), the workflow's first step is gathering enough context to investigate.\n\n---\n\n## The framework: 5 review dimensions\n\nEvery code review covers five dimensions. Pick the depth based on the situation.\n\n### 1. Correctness\n\nDoes the code do what it claims to do?\n\n- Logic matches the intent stated in the spec or PR description\n- Edge cases handled (empty states, error states, network failures)\n- Off-by-one errors, null/undefined handling, async race conditions\n- Tests exist for the change, or there's a reason they don't\n- The change does not break existing functionality (regression risk)\n\n### 2. Security\n\nDoes the code expose anything sensitive or open an attack surface?\n\n- **Secrets handling.** No secrets, API keys, or service-role credentials in client-side code or version control\n- **Auth checks.** Every mutation endpoint validates the caller before acting\n- **Input validation.** User input sanitized before use in queries, file paths, or HTML\n- **External requests.** Outbound URLs validated; no SSRF on user-controlled inputs\n- **CSRF protection.** State-changing requests require a token or same-origin policy\n- **Rate limiting.** Public-facing mutation endpoints have rate limits\n- **HTTPS-only.** No HTTP in production code paths\n- **Cookies.** Session cookies have `Secure`, `HttpOnly`, `SameSite` attributes set\n- **Environment variables.** Server-only secrets are not prefixed with anything that exposes them to the client bundle\n\n### 3. Performance\n\nWill this code scale and stay fast?\n\n- **Database queries.** No N+1 patterns. Joins or batch fetches preferred over loops with queries.\n- **Pagination.** Large result sets paginated, never loaded entirely.\n- **Caching.** Appropriate cache strategy for the data freshness needs.\n- **Bundle size.** Client-side dependencies justified. Tree-shaking working.\n- **Image handling.** Modern formats, lazy loading, explicit dimensions.\n- **Background work.** Slow operations moved off the request path.\n- **Cold start sensitivity.** Cold paths optimized if frequently triggered.\n\n### 4. Reliability\n\nWhat happens when this fails?\n\n- **Error handling.** Caught and handled, not swallowed. Errors logged with context.\n- **Retries.** Network calls have retry logic for transient failures.\n- **Timeouts.** External calls have explicit timeouts (no infinite waits).\n- **Graceful degradation.** Failure of non-critical paths does not crash the page.\n- **Idempotency.** Mutations that might be retried are safe to retry.\n- **Logging.** Enough context in logs to diagnose without reproducing.\n\n### 5. Maintainability\n\nWill the next person (or future you) understand this in six months?\n\n- **Naming.** Functions and variables named for what they do, not how.\n- **Comments.** Explain why, not what. The code says what.\n- **Complexity.** Functions do one thing. If a function takes 200 lines, it's doing too much.\n- **Duplication.** Same logic in multiple places gets extracted.\n- **Dependencies.** New dependencies justified. Each one is a maintenance burden.\n- **Magic values.** No literal `60000` in code. Use named constants.\n\n---\n\n## Common bug patterns (stack-agnostic)\n\nPatterns that recur across stacks and are worth checking on every review.\n\n### Build and deploy\n\n- **Build-time data fetches that timeout.** Routes that query a database during static generation can fail at scale. Mark them as runtime-rendered if the data must be fresh.\n- **Environment variables not propagating.** A var that works locally but breaks in production usually means it was not added to the production environment.\n- **Mismatched env between preview and production.** Deploys that work in preview but break on the production domain often have stack-specific URLs hardcoded.\n\n### URL and domain issues\n\n- **Canonical pointing at staging or preview URL.** Caused by client-exposed environment variables that pick up the wrong domain. Canonical domain should come from a server-only environment variable.\n- **API URL pointing at the main domain that loops back.** After a DNS cutover, the main domain may now serve a different application. APIs should live on dedicated subdomains.\n- **HTTPS upgrade issues.** Mixed content (HTTP resources loaded into HTTPS pages) breaks browsers' security model.\n\n### Cache invalidation\n\n- **Stale content after deploy.** Either the cache was not invalidated, or the invalidation requires a manual trigger that did not run.\n- **CDN serving old asset under same filename.** Always use a new filename or cache-bust query string when replacing assets.\n- **Cache headers too aggressive.** Long max-age on resources that change frequently leads to users seeing stale content for hours or days.\n\n### Database and data\n\n- **N+1 queries.** Loop with a query inside the loop. Replace with batch fetch or join.\n- **Missing limits on table scans.** Forgetting `LIMIT` on queries that hit large tables.\n- **Connection pool exhaustion.** Too many concurrent connections, often from build-time fetches in parallel routes.\n- **Schema migration without backfill.** Adding a NOT NULL column without populating it for existing rows.\n\n### Image handling\n\n- **Image not loading after upload.** CDN cached the previous filename. Use new filenames for replacements.\n- **Layout shift from images.** Missing width/height attributes. Always specify both.\n- **Slow LCP from large images.** Hero images not optimized for size or format.\n\n### External integrations\n\n- **Bot mitigation blocking server-to-server calls.** CDN or firewall is challenging legitimate automated traffic. Whitelist server IPs or disable challenges for API endpoints.\n- **API rate limit triggered in production.** Worked locally where traffic was tiny. Add backoff and rate limiting awareness.\n\n### Security\n\n- **Unprotected revalidation or admin endpoints.** Always require a secret token.\n- **PII in URLs.** Visible in server logs, browser history, referrer headers.\n- **Secrets exposed in client bundle.** Anything that gets sent to the browser is public.\n\n---\n\n## Workflow\n\n1. **Gather context.** What stack? What's broken or under review? Logs available?\n2. **Pick the depth.** Quick scan for a small PR. Full review for a major change. Deep dive for a production incident.\n3. **Run through the 5 dimensions.** Note issues by severity (blocker, important, minor).\n4. **Check stack-specific patterns.** Reference the appropriate stack guide.\n5. **For incidents:** identify the smallest hypothesis-driven fix. Reproduce locally if possible.\n6. **Write the review.** Use the template in [`references/review-template.md`](references/review-template.md) for formal reviews.\n\n---\n\n## Failure patterns\n\n- **\"Looks good to me\" on a 500-line PR.** If the review takes 5 minutes on a large PR, the review didn't happen.\n- **Reviewing without running the code.** Some bugs only surface at runtime. Pull the branch and run it.\n- **Over-indexing on style.** Bikeshedding on formatting while missing logic bugs.\n- **Skipping security review on \"internal\" features.** Internal becomes external faster than expected.\n- **Treating warnings as decoration.** Build warnings often become production errors after a dependency update.\n- **Debugging without reading the full error message.** First line of the stack trace is often not the actual cause. Read all of it.\n\n---\n\n## Debugging workflow\n\nWhen a production issue is reported:\n\n1. **Read the full error message.** Including the stack trace.\n2. **Check hosting build and function logs.** The exact failing line is usually here.\n3. **Identify the last working version.** `git log --oneline` and check recent commits.\n4. **Reproduce locally.** Confirms it's a code issue and not an environment issue.\n5. **Check environment variables.** Especially after deploys or DNS changes.\n6. **Check cache state.** Force a cache invalidation before concluding it's a code bug.\n7. **Make the minimal fix.** Big refactors during incidents create more incidents.\n8. **Verify in production.** Check the actual fix worked, not just that the deploy succeeded.\n9. **Document.** What was the root cause? What would have prevented it? File the learnings.\n\n---\n\n## Output format\n\nFor PR reviews: comments inline on the PR, plus a summary if needed.\n\nFor formal code reviews: a markdown document at `code-review-[date].md` with:\n1. Scope (what was reviewed)\n2. Summary (overall assessment)\n3. Critical issues (blockers)\n4. Important issues\n5. Minor issues\n6. Suggestions for follow-up\n\nFor incidents: a postmortem document. See `after-action-report` for that format.\n\n---\n\n## Reference files\n\n- [`references/review-template.md`](references/review-template.md) - Markdown template for formal code reviews.\n- [`references/nextjs-patterns.md`](references/nextjs-patterns.md) - Stack-specific patterns for Next.js (App Router, ISR, Server Components, common bugs).\n- [`references/wordpress-headless-patterns.md`](references/wordpress-headless-patterns.md) - Stack-specific patterns for headless WordPress integrations.","tags":["code","review","web","claude","skills","rampstackco","agent-skills","anthropic","awesome-claude-code","awesome-claude-prompts","awesome-claude-skills","claude-code"],"capabilities":["skill","source-rampstackco","skill-code-review-web","topic-agent-skills","topic-anthropic","topic-awesome-claude-code","topic-awesome-claude-prompts","topic-awesome-claude-skills","topic-claude","topic-claude-code","topic-claude-skills","topic-good-first-issue","topic-mcp","topic-product-management","topic-seo"],"categories":["claude-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/rampstackco/claude-skills/code-review-web","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add rampstackco/claude-skills","source_repo":"https://github.com/rampstackco/claude-skills","install_from":"skills.sh"}},"qualityScore":"0.540","qualityRationale":"deterministic score 0.54 from registry signals: · indexed on github topic:agent-skills · 181 github stars · SKILL.md body (9,975 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:55:13.522Z","embedding":null,"createdAt":"2026-04-30T01:01:27.311Z","updatedAt":"2026-05-18T18:55:13.522Z","lastSeenAt":"2026-05-18T18:55:13.522Z","tsv":"'+1':439,899 '1':236,1080,1278,1425 '2':299,1093,1288,1430 '200':615 '3':426,1115,1302,1434 '4':504,1128,1315,1438 '5':220,572,1119,1139,1181,1329,1441 '500':1174 '6':1153,1339,1444 '60000':644 '7':1354 '8':1366 '9':1381 'access':159,164,177 'accessibility-audit':163 'across':659 'act':340 'action':1458 'actual':68,1264,1372 'ad':720,947 'add':1037 'admin':1047 'after-action-report':1456 'age':879 'aggress':875 'agnost':73,655 'alway':858,982,1049 'anti':20 'anti-pattern':19 'anyth':305,418,1070 'api':316,784,807,1023,1025 'app':1481 'applic':7,59,806 'appropri':459,1136 'assess':1433 'asset':854,871 'async':274 'attack':310 'attribut':406,981 'audit':40,100,165 'auth':331 'autom':1014 'avail':1092 'awar':1042 'back':793 'backfil':946 'background':486 'backoff':1038 'base':232 'batch':443,910 'becom':1228,1240 'big':1359 'bikeshed':1214 'block':1002 'blocker':1125,1437 'bot':1000 'branch':1205 'break':69,294,712,737,824 'broken':118,206,1087 'browser':825,1061,1076 'bug':10,651,1198,1220,1353,1487 'build':38,98,180,668,672,937,1237,1291 'build-tim':671,936 'bundl':425,467,1069 'burden':639 'bust':866 'c':50 'cach':458,460,828,836,865,872,966,1341,1345 'cache-bust':864 'call':524,533,1007 'caller':338 'canon':753,773 'case':259 'caught':513 'caus':760,1265,1387 'cdn':851,965,1008 'challeng':1012,1021 'chang':281,291,370,883,1108,1338 'check':43,332,664,1129,1289,1312,1330,1340,1370 'claim':244 'client':325,424,470,763,1068 'client-expos':762 'client-sid':324,469 'code':2,8,31,51,60,106,169,224,240,303,327,397,430,603,646,1196,1322,1352,1413,1420,1471 'code-review':1419 'code-review-web':1 'cold':495,498 'column':951 'come':776 'comment':597,1401 'commit':1314 'common':650,1486 'complex':606 'complianc':160 'compon':1485 'conclud':1348 'concurr':932 'condit':276 'configur':111 'confirm':1318 'connect':927,933 'constant':649 'content':817,831,890 'context':215,521,565,1082 'control':330,364 'cooki':399,401 'core':151 'correct':237 'cover':226 'crash':550 'creat':1363 'credenti':322 'critic':546,1435 'csrf':366 'cutov':797 'data':464,674,698,897 'databas':192,435,682,895 'date':1422 'day':894 'debug':32,57,92,187,1247,1270 'decor':1236 'dedic':811 'deep':148,158,1109 'deep-div':147 'degrad':541 'depend':472,630,632,1245 'deploy':670,731,833,1335,1379 'depth':231,1096 'descript':257 'diagnos':569 'didn':1189 'differ':805 'dimens':222,228,485,1120 'disabl':1020 'dive':149,1110 'dns':796,1337 'document':1382,1417,1454 'domain':741,751,772,774,790,800 'driven':1147 'duplic':622 'edg':258 'either':834 'empti':261 'endpoint':335,386,1024,1048 'enough':214,564 'entir':457 'env':726 'environ':108,408,702,724,765,782,1327,1331 'error':171,263,271,511,518,1242,1252,1282 'especi':1333 'even':193 'everi':223,333,666 'exact':1296 'exhaust':929 'exist':105,278,295,956 'expect':1232 'explain':598 'explicit':484,535 'expos':304,420,764,1066 'extern':354,532,998,1229 'extract':629 'face':384 'fail':510,687,1297 'failur':39,99,266,530,542,1166 'fast':434 'faster':1230 'featur':127,1226 'fetch':444,675,911,939 'file':350,1393,1464 'filenam':857,862,969,972 'firewal':1010 'first':210,1254 'five':227 'fix':1148,1358,1373 'focus':63 'follow':1448 'follow-up':1447 'forc':1343 'forget':919 'formal':1164,1412,1470 'format':481,997,1216,1397,1462 'framework':190,219 'frequent':502,884 'fresh':465,701 'full':1103,1251,1281 'function':182,296,587,607,613,1293 'futur':579 'gather':213,1081 'generat':685 'get':628,1072 'git':1308 'good':1169 'grace':540 'guid':1138 'handl':260,273,313,479,512,515,959 'happen':507,1191 'hardcod':748 'header':873,1064 'headless':1495 'hero':990 'high':195 'histori':1062 'hit':924 'host':191,1290 'hour':892 'html':353 'http':394,818 'httpon':404 'https':391,813,822 'https-on':390 'hypothesi':1146 'hypothesis-driven':1145 'idempot':553 'identifi':1142,1303 'imag':478,958,960,978,989,991 'import':1126,1439 'incid':1114,1141,1362,1365,1451 'includ':1284 'index':1211 'infinit':538 'inlin':1402 'input':167,341,344,365 'insid':905 'integr':999,1497 'intent':250 'intern':1225,1227 'invalid':829,839,842,1346 'investig':36,96,107,217 'ip':1018 'isr':1483 'issu':12,35,95,112,752,815,1122,1275,1323,1328,1436,1440,1443 'join':441,913 'justifi':473,633 'key':317 'larg':451,925,988,1185 'last':1305 'launch':136 'layout':975 'lazi':482 'lcp':986 'lead':885 'learn':1395 'legitim':1013 'level':196 'limit':381,389,915,920,1027,1041 'line':616,1175,1255,1298 'liter':643 'live':809 'load':456,483,820,962 'local':710,1032,1150,1317 'log':179,181,183,185,519,563,567,1060,1091,1294,1309 'logic':247,527,624,1219 'long':876 'look':1168 'loop':447,792,901,907 'magic':640 'main':789,799 'maintain':573 'mainten':638 'major':1107 'make':1355 'mani':931 'manual':845 'mark':690 'markdown':1416,1467 'match':248 'max':878 'max-ag':877 'may':801 'md':1423 'mean':716 'merg':47,91 'messag':172,1253,1283 'might':556 'migrat':944 'minim':1357 'minor':1127,1442 'minut':1182 'mismatch':725 'miss':914,979,1218 'mitig':1001 'mix':816 'model':827 'modern':480 'month':585 'move':490 'much':621 'multipl':626 'must':699 'mutat':334,385,554 'n':438,898 'name':586,590,648 'need':466,1410 'network':265,523 'never':455 'new':126,631,861,971 'next':576 'next.js':1480 'non':545 'non-crit':544 'note':1121 'null':950 'null/undefined':272 'off-by-on':267 'often':742,934,1239,1261 'old':853 'one':270,609,635 'onelin':1310 'open':308 'oper':489 'optim':157,500,993 'origin':378 'outbound':356 'output':1396 'over-index':1209 'overal':1432 'page':552,823 'pagin':450,454 'parallel':941 'path':351,398,494,499,547 'pattern':21,66,80,440,652,656,1133,1167,1478,1493 'perform':13,103,146,156,427 'performance-optim':155 'person':577 'pick':229,768,1094 'pii':1054 'place':627 'plus':1406 'pm':131 'pm-spec-writ':130 'point':754,786 'polici':379 'pool':928 'popul':953 'possibl':1152 'postmortem':1453 'pr':45,170,256,1102,1176,1186,1399,1405 'pre':135 'pre-launch':134 'prefer':445 'prefix':416 'prevent':1391 'preview':728,735,758 'previous':968 'principl':74 'problem':14 'product':34,70,94,396,714,723,730,740,1030,1113,1241,1274,1369 'propag':705 'protect':367 'provid':202 'public':383,1078 'public-fac':382 'pull':88,1203 'qa':137,144 'qa-test':143 'queri':349,436,449,680,867,900,904,922 'quick':1097 'race':275 'rate':380,388,1026,1040 'read':1249,1266,1279 'reason':286 'recent':1313 'recur':658 'refactor':1360 'refer':82,1134,1463 'references/nextjs-patterns.md':1473,1474 'references/review-template.md':1161,1162,1465,1466 'references/wordpress-headless-patterns.md':1488,1489 'referr':1063 'regress':297 'reliabl':505 'render':695 'replac':870,908,974 'report':119,1277,1459 'reproduc':571,1149,1316 'request':89,355,371,493 'requir':166,372,843,1050 'resourc':819,881 'result':452 'retri':522,526,558,562 'revalid':1045 'review':3,5,30,52,55,86,161,176,221,225,667,1090,1104,1156,1165,1179,1188,1192,1223,1400,1414,1421,1429,1472 'risk':298 'role':321 'root':1386 'rout':678,942 'router':1482 'row':957 'run':140,850,1116,1194,1207 'runtim':694,1202 'runtime-rend':693 'safe':560 'same-origin':376 'samesit':405 'sanit':345 'say':604 'scale':431,689 'scan':918,1098 'schema':943 'scope':1426 'secret':312,315,413,1052,1065 'secur':11,41,101,300,403,826,1043,1222 'see':888,1455 'sensit':306,497 'sent':1073 'serv':803,852 'server':184,411,780,1004,1006,1017,1059,1484 'server-on':410,779 'server-to-serv':1003 'servic':320 'service-rol':319 'session':400 'set':407,453 'sever':1124 'shake':476 'shift':976 'side':326,471 'site':116,141,204 'situat':235 'six':584 'size':468,995 'skill':24 'skill-code-review-web' 'skill.md':76 'skip':1221 'slow':488,985 'small':1101 'smallest':1144 'source-rampstackco' 'spec':128,132,254 'specif':18,79,746,1132,1477,1492 'specifi':983 'ssrf':360 'stack':17,72,78,189,654,660,745,1084,1131,1137,1258,1286,1476,1491 'stack-agnost':71,653 'stack-specif':16,77,744,1130,1475,1490 'stage':756 'stale':830,889 'start':496 'state':251,262,264,369,1342 'state-chang':368 'static':684 'stay':433 'step':211 'strategi':461 'string':868 'style':1213 'subdomain':812 'succeed':1380 'suggest':1445 'summari':1408,1431 'surfac':311,1200 'swallow':517 'symptom':174,200 'tabl':917,926 'take':614,1180 'templat':1159,1468 'test':145,277 'thing':610 'time':673,938 'timeout':531,536,677 'tini':1036 'token':374,1053 'topic-agent-skills' 'topic-anthropic' 'topic-awesome-claude-code' 'topic-awesome-claude-prompts' 'topic-awesome-claude-skills' 'topic-claude' 'topic-claude-code' 'topic-claude-skills' 'topic-good-first-issue' 'topic-mcp' 'topic-product-management' 'topic-seo' 'trace':1259,1287 'traffic':1015,1034 'transient':529 'treat':1233 'tree':475 'tree-shak':474 'triag':113 'trigger':48,503,846,1028 'understand':581 'unprotect':1044 'updat':1246 'upgrad':814 'upload':964 'url':357,747,749,759,785,1056 'use':22,85,123,129,142,154,162,347,647,859,970,1157 'user':27,343,363,887 'user-control':362 'usual':715,1300 'valid':336,342,358 'valu':641 'var':707 'variabl':109,409,589,703,766,783,1332 'verifi':1367 'version':329,1307 'visibl':1057 'vital':153 'wait':539 'want':28 'warn':1234,1238 'web':4,6,54,58,152 'whenev':25 'whitelist':1016 'width/height':980 'without':570,945,952,1193,1248 'wordpress':1496 'work':477,487,709,733,1031,1306,1374 'workflow':208,1079,1271 'worth':663 'would':1389 'write':124,133,1154 'wrong':771","prices":[{"id":"eb53a9a8-5883-41df-b4e9-2a4e3286f9cc","listingId":"fcd631ff-490c-4213-b977-f6a1c71a071e","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"rampstackco","category":"claude-skills","install_from":"skills.sh"},"createdAt":"2026-04-30T01:01:27.311Z"}],"sources":[{"listingId":"fcd631ff-490c-4213-b977-f6a1c71a071e","source":"github","sourceId":"rampstackco/claude-skills/code-review-web","sourceUrl":"https://github.com/rampstackco/claude-skills/tree/main/skills/code-review-web","isPrimary":false,"firstSeenAt":"2026-04-30T01:01:27.311Z","lastSeenAt":"2026-05-18T18:55:13.522Z"}],"details":{"listingId":"fcd631ff-490c-4213-b977-f6a1c71a071e","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"rampstackco","slug":"code-review-web","github":{"repo":"rampstackco/claude-skills","stars":181,"topics":["agent-skills","anthropic","awesome-claude-code","awesome-claude-prompts","awesome-claude-skills","claude","claude-code","claude-skills","good-first-issue","mcp","product-management","seo","show-hn","showcase","showdev","web-design","web-development"],"license":"mit","html_url":"https://github.com/rampstackco/claude-skills","pushed_at":"2026-05-10T22:40:22Z","description":"Stack-agnostic Claude Skills covering the full website lifecycle: brand, design, content, SEO, dev, ops, growth, and research. Build, ship, audit, optimize.","skill_md_sha":"0edae4722871080094adc79775bf701cd816d0d4","skill_md_path":"skills/code-review-web/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/rampstackco/claude-skills/tree/main/skills/code-review-web"},"layout":"multi","source":"github","category":"claude-skills","frontmatter":{"name":"code-review-web","description":"Review web application code for bugs, security issues, performance problems, and stack-specific anti-patterns. Use this skill whenever the user wants to review code, debug a production issue, investigate a build failure, audit security, or check a PR before merging. Triggers on code review, review my code, debug, build error, broken, not working, why is X failing, check this code, security check, PR review, audit code, refactor. Also triggers when investigating 4xx or 5xx errors, deploy failures, environment variable issues, and CMS integration problems."},"skills_sh_url":"https://skills.sh/rampstackco/claude-skills/code-review-web"},"updatedAt":"2026-05-18T18:55:13.522Z"}}