/cf-review | Coding Friend

Context footprint: ⚡⚡ (medium) — what does this mean?

The /cf-review skill performs comprehensive code review using a dedicated subagent. It examines code from multiple angles — security, performance, style, and test coverage — with review depth automatically scaled to the size and sensitivity of your changes.

Usage

/cf-review [target]

Different behavior is expected based on the value of [target]:

No arguments — reviews all uncommitted changes (git diff + git diff --staged)
File or directory — reviews that specific path
Commit range — reviews a range of commits
Natural language description — reviews all uncommitted changes, focused on the described area

Examples

# Review all uncommitted changes
/cf-review

# Review a specific directory
/cf-review src/auth/

# Review a single file
/cf-review src/api/handlers/user-controller.ts

# Review the last 3 commits
/cf-review HEAD~3..HEAD

# Review changes related to a specific topic
/cf-review the changes related to the auth logic

# Force a deep or quick review
/cf-review src/auth/ --deep
/cf-review README.md --quick

Workflow

Identify target — Determine what to review based on [target] (see Usage)
Gather diff — Collect changes via git diff and assess change size
Select review mode — Auto-detect QUICK, STANDARD, or DEEP based on size and sensitivity
Dispatch to orchestrator — Fork a cf-reviewer orchestrator agent in an isolated context (clean, unbiased, token-efficient)
Parallel multi-agent review — The orchestrator dispatches 5 specialist agents in parallel (plan alignment, security, code quality + slop detection, test coverage, project rules), then merges results via a reducer agent that deduplicates and severity-ranks findings
Run dedicated security scan — Invoke Claude Code's built-in /security-review for an additional security-focused pass, then merge and deduplicate findings with Layer 3 results
Report findings — All findings from every layer collected into 4 categories (🚨 Critical / ⚠️ Important / 💡 Suggestion / 📋 Summary), each tagged with source layer

Review Modes

Mode	When	What Happens
QUICK	≤3 files, ≤50 lines, no sensitive paths	Secret scan + obvious issues only. Fast.
STANDARD	4–10 files or 51–300 lines	Full 5-layer review. All security phases, concise.
DEEP	>10 files, >300 lines, or sensitive paths touched	Full 5-layer + extended security. Data flow tracing. Exploit scenarios.

If any changed file matches sensitive patterns (auth, crypto, token, session, password, .env), the review always escalates to DEEP. Override with --deep or --quick flags.

5-Layer Review

Layer	Focus
0. Project Rules	CLAUDE.md compliance — MUST/SHOULD rule violations
1. Plan Alignment	Does the code match the intended design? Missing pieces?
2. Code Quality	Clarity, naming, consistency, complexity, performance, slop detection
3. Security	Injection, auth bypasses, secrets, data flow — depth scaled by mode
4. Testing	Coverage gaps, edge cases, error paths, integration tests

All findings are confidence-scored (0–1). Only findings above 0.8 are reported, reducing false positives.

Output

Findings from all 5 layers are collected and organized into 4 severity categories — no separate layer headings. Each finding is tagged with its source layer inline (e.g., [L3] for Security):

## 🔍 Code Review: src/auth/ (DEEP mode)

### 🚨 Critical Issues
- **[L3]** db/queries.ts:42 — Unsanitized SQL in query builder (confidence: 0.95)
  **[Injection]** — attacker can bypass auth via crafted email field
  → Use parameterized queries instead of string interpolation

### ⚠️ Important Issues
- **[L4]** api/auth.ts:18 — Missing rate limit test on login endpoint (confidence: 0.85)

### 💡 Suggestions
- **[L2]** src/auth/validators.ts:30 — Consider extracting validation logic into shared util

### 📋 Summary
Auth module is functional but has one critical SQL injection vulnerability.

Auto-Triggered

/cf-review is automatically invoked by other skills — you don't always need to run it manually:

/cf-plan — runs /cf-review after all implementation tasks complete
/cf-fix — runs /cf-review after the fix is verified
/cf-optimize — runs /cf-review after the optimization is measured and verified

When to Use

Before merging — catch issues before they reach main
After implementing a feature — verify quality before /cf-commit
Security-sensitive code — auth, payments, data handling, crypto
Performance-critical paths — database queries, hot loops, API endpoints
Unfamiliar code — code you inherited or haven't touched in a while
Learning — see what a thorough review looks like for mentorship

Part of the Workflow

/cf-review fits naturally into the Coding Friend pipeline:

/cf-plan → implement (TDD) → (auto) /cf-review → /cf-ship
/cf-fix → (auto) /cf-review → /cf-commit
/cf-optimize → measure → optimize → (auto) /cf-review → /cf-commit

You can also use it standalone at any point. Combined with /cf-ship (which runs verification + commit + push + PR), it forms a complete quality gate before code reaches production.

Defense in Depth

/cf-review is one layer in Coding Friend's multi-layer security approach:

Layer	Component	When	What
1	`privacy-block` hook	Every tool call	Blocks reading `.env`, secrets, keys
2	`/cf-commit` secret scan	On commit	Scans staged diff for leaked secrets
3	`/cf-review` Layer 3	On review	Deep security analysis with confidence scoring

Built-in Security Scan

After the 5-layer review, /cf-review automatically invokes Claude Code's built-in /security-review — a dedicated security audit skill from Anthropic. This means every /cf-review run gets two layers of security analysis:

Pass	Source	Focus
Layer 3	Coding Friend's 5-layer review	Injection, auth bypasses, secrets, data flow — confidence-scored
`/security-review`	Anthropic's security-review	Multi-phase vulnerability hunting with strict false-positive filtering

Findings from both passes are merged and deduplicated — when both flag the same issue, the higher-severity entry is kept. This gives you comprehensive security coverage without running a separate command.