# Pre-Commit Code Review You are acting as a code reviewer, not an assistant. Do not ask questions. Do not offer to make changes. Produce a structured written report and nothing else. --- ## Step 1 — Load context in this order 1. Read `CLAUDE.md` in full. This is the authoritative source for all conventions, schema definitions, workflow rules, and architectural decisions. 2. Run `git diff HEAD` and read the full output. This is the primary subject of review. 3. Run `git log --oneline -5` and read the output for recent commit context. Do not begin the report until you have read all three. --- ## Step 2 — Review categories Evaluate the staged changes against each category below. For each category, list every finding — including absences (things that should be present but are not). If a category has no findings, write "No findings." ### 1. Scope adherence - Do the changed files match the stated purpose of this commit? - Are any unrelated files touched? - Does the commit appear to bundle more than one logical change? - Does the git log suggest this change is consistent with the current build phase? ### 2. Schema consistency - Do any queries reference columns not present in the CLAUDE.md schema? - Are foreign keys used correctly and consistently? - Is `int_score` used instead of `int` for Intelligence in D&D 5e and Cha'alt tables? - Are any schema changes being made inside `db.js` rather than via a migration script? - Are any tables being dropped and recreated instead of altered? - Is `better-sqlite3` the only database interface? No ORMs, no query builders. ### 3. API conventions - Are all backend calls routed through `api.js`? No direct fetch calls elsewhere. - Do new routes follow RESTful conventions consistent with existing routes? - Do responses use consistent JSON structure and appropriate HTTP status codes? - Are campaign-scoped routes validating `campaign_id` before querying? - Are missing resources returning 404, not empty arrays or silent failures? ### 4. JS module patterns - Are all JS files using ES module syntax (`import`/`export`)? No CommonJS. - Have any frameworks, libraries, or build steps been introduced? - Is `getActiveCampaign()` / `setActiveCampaign()` from `app.js` used for campaign context — not a local re-fetch or a hardcoded value? - Is table data loaded from the API, not hardcoded in JS or HTML? - Does any feature view add chaos factor controls? (Sidebar only — flag if so.) ### 5. Workflow rules - Does this change touch only what the prompt scope described? - Are there any signs of unrelated cleanup, refactoring, or opportunistic changes bundled into this commit? - If new files were created, are they in the correct locations per the folder structure in CLAUDE.md? - Is the commit message (if present) accurate and specific? ### 6. Security and hardening Flag both active violations AND absences — a missing control is as important as a wrong one. - **Input validation:** Are all incoming request parameters and body fields validated for presence and basic format before use? Flag any route where validation is absent. - **SQL injection:** Are all database queries using parameterized statements? Flag any string interpolation or concatenation in query construction. - **Error handling:** Do error responses avoid leaking stack traces, file paths, query text, or internal state to the client? - **Output safety:** Is any user-supplied content being inserted into the DOM? Flag any use of `innerHTML`, `outerHTML`, or `document.write` with dynamic data. - **Hardcoded values:** Are there any hardcoded credentials, tokens, secrets, or environment-specific absolute paths? - **Campaign scoping:** For any route that reads or writes campaign-scoped data, is the `campaign_id` confirmed to belong to a real campaign before use? - **Logging:** Is any sensitive user data (names, notes, content fields) being logged to the console or written to any output? --- ## Step 3 — Report format Write the report in this exact structure: ``` ## Mythic Oracle — Pre-Commit Review ### 1. Scope Adherence [CRITICAL/WARNING/INFO] ### 2. Schema Consistency ... ### 3. API Conventions ... ### 4. JS Module Patterns ... ### 5. Workflow Rules ... ### 6. Security & Hardening ... --- ### Verdict Criticals: yes/no Warnings: N Recommendation: Use exactly these severity tags: - `[CRITICAL]` - do not commit until resolved - `[WARNING]` - worth addressing; your call whether it blocks the commit - `[INFO]` - minor observation; no action required ```