Code Review Checklist Skill
A thorough code review skill that checks for security, performance, and maintainability issues.
Version 1 (Published): Initial version
Created 3/23/2026
Action Skill
# Code Review Checklist
Invoke with: /review
## Security
- [ ] No hardcoded secrets or API keys
- [ ] Input validation on all user inputs
- [ ] SQL injection prevention (parameterized queries)
- [ ] XSS prevention (output encoding)
- [ ] CSRF protection on state-changing endpoints
- [ ] Authentication checks on protected routes
- [ ] Authorization checks (is the user allowed to access this resource?)
## Performance
- [ ] No N+1 query patterns
- [ ] Appropriate database indexes for queries
- [ ] No unnecessary re-renders (React)
- [ ] Large lists use virtualization
- [ ] Images are optimized and lazy-loaded
## Maintainability
- [ ] Functions are under 30 lines
- [ ] No duplicated logic (DRY)
- [ ] Clear naming (no abbreviations except common ones)
- [ ] Error handling is consistent
- [ ] Edge cases are handled
## Testing
- [ ] Happy path is tested
- [ ] Error cases are tested
- [ ] Edge cases are tested
- [ ] No flaky tests (no timing dependencies)