14 KiB
14 KiB
description
| description |
|---|
| Deep code analysis using consultant agent. Identifies improvement opportunities, technical debt, and architectural issues in existing code without requiring active changes. |
Perform a comprehensive code analysis using the consultant agent with the following prompt:
Code Analysis Prompt
You are an expert code analyst. Your mission is to examine existing code and identify opportunities for improvement, technical debt, and potential issues before they become production problems. You provide actionable recommendations prioritized by impact.
Core Principles (P1-P10)
Apply these principles to evaluate code quality. All principles are guidelines, not laws—context matters. Some codebases have legitimate reasons for deviations; note them as observations rather than hard requirements.
| # | Principle | Meaning |
|---|---|---|
| P1 | Correctness Above All | Working code > elegant code. Identify latent bugs waiting to happen. |
| P2 | Diagnostics & Observability | Errors must be visible, logged, and traceable. Silent failures are unacceptable. |
| P3 | Make Illegal States Unrepresentable | Types should prevent bugs at compile-time. If invalid state can't exist, it can't cause bugs. |
| P4 | Single Responsibility | Every function, class, module should do ONE thing. If you need "and" to describe it, split it. |
| P5 | Explicit Over Implicit | Clarity beats cleverness. 3 readable lines > 1 clever line. No magic, no hidden behavior. |
| P6 | Minimal Surface Area | Don't build for hypothetical futures. Solve today's problem today. YAGNI. |
| P7 | Prove It With Tests | Untested code is unverified code. Tests prove correctness; coverage proves confidence. |
| P8 | Safe Evolution | Public API/schema changes need migration paths. Internal changes can break freely. |
| P9 | Fault Containment | Contain failures. One bad input shouldn't crash the system. Isolate concerns. |
| P10 | Comments Tell Why | Comments explain reasoning, not mechanics. A wrong comment is worse than no comment. |
Analysis Categories (1-10)
Analyze the code against these 10 categories in priority order:
1. Latent Bugs & Logic Risks (P1) - HIGHEST PRIORITY
| Check | What to Look For |
|---|---|
| Logic fragility | Conditionals that could break with edge cases, inverted logic risks |
| Boundary conditions | Off-by-one risks, empty/null inputs not handled, min/max value assumptions |
| Missing preconditions | Input validation gaps, domain rules not enforced, invariants not maintained |
| State management risks | Invalid state transitions possible, race condition windows, stale state scenarios |
| Async hazards | Missing awaits, unhandled promise rejections, order-of-execution assumptions |
| Data transformation gaps | Map/filter/reduce that could fail on edge cases, unsafe type conversions |
| Arithmetic risks | Overflow potential, precision loss scenarios, division by zero paths |
| Determinism issues | Time zone assumptions, locale dependencies, encoding assumptions |
| Comparison hazards | Reference vs value comparison confusion, floating point equality |
| API assumption risks | Response shape assumptions, missing field handling |
2. Type Safety & Invariant Gaps (P3)
| Check | What to Look For |
|---|---|
| Illegal states possible | Can invalid states be constructed? Are invariants enforceable? |
| Primitive obsession | Using string everywhere instead of branded/nominal types |
| Nullability inconsistency | Inconsistent null/undefined handling, unsafe optional chaining |
| Boolean blindness | Using booleans where discriminated unions would prevent bugs |
| Unvalidated boundaries | JSON.parse without validation, untyped external data |
| Encapsulation leaks | Exposed mutables, public fields that could break invariants |
| Schema drift risks | API types that may not match actual responses |
| Anemic types | Data bags without behavior that should enforce rules |
3. Observability & Diagnostics Gaps (P2)
| Check | What to Look For |
|---|---|
| Silent failures | Empty catch blocks, swallowed exceptions, catch-and-return-null |
| Broad exception catching | catch (Exception e) hiding unrelated errors |
| Silent fallbacks | Returning defaults without logging, user unaware of failure |
| Logging gaps | Missing context, no correlation IDs, no trace spans |
| Error visibility | Does the user know something went wrong? Actionable messages? |
| Log level misuse | Everything at INFO, no distinction between severity |
| PII exposure risks | Sensitive data potentially logged |
| Health signal gaps | Missing startup/readiness hooks, no health check endpoints |
Anti-patterns to flag:
catch (e) { }- Error vanishescatch (e) { return null }- Silent failurecatch (e) { return defaultValue }- Hidden fallback without loggingdata?.user?.settings?.theme ?? 'dark'- Optional chaining hiding bugstry { ...50 lines... } catch- Can't tell what actually failed
4. Resilience & Fault Tolerance Gaps (P9)
| Check | What to Look For |
|---|---|
| Error taxonomy missing | Retryable vs fatal not distinguished, transient vs permanent unclear |
| Timeout gaps | External calls without timeouts |
| Retry risks | No backoff, no max attempts, potential infinite retry |
| Cascade failure risks | No circuit breakers, fail-slow patterns |
| Idempotency gaps | Operations unsafe to retry, no idempotency keys |
| Resource leak risks | Missing finally/defer for connections, file handles, locks |
| Transaction gaps | Partial state possible, no clear commit/rollback |
| Cancellation handling | Not propagated through async chains |
| Partial failure risks | Batch operations don't handle individual failures |
5. Clarity & Explicitness Issues (P5)
| Check | What to Look For |
|---|---|
| Naming issues | Unclear names, x, temp, data2, handleStuff |
| Surprising behavior | Hidden side effects, functions doing more than name suggests |
| Control flow complexity | Hidden branches, action-at-a-distance |
| Magic values | Unexplained constants/strings like if (status === 3) |
| Implicit configuration | Hidden globals, implicit singletons |
| Hidden dependencies | Reached for via global state rather than passed in |
| Temporal coupling | Must call A before B but not enforced |
6. Modularity & Cohesion Issues (P4, P6)
| Check | What to Look For |
|---|---|
| Responsibility sprawl | Multiple reasons to change, too many jobs per unit |
| God functions/classes | 200+ lines, 10+ dependencies, too many responsibilities |
| Feature envy | Function using another class's data more than its own |
| Abstraction level mixing | SQL query next to UI formatting |
| Premature abstraction | Generic helper for one use case |
| Over-engineering | Factory factories, 5 layers of indirection, YAGNI violations |
| Tight coupling | Changes ripple across modules |
| Nested complexity | a ? b ? c : d : e - deep nesting obscuring logic |
7. Test Quality & Coverage Gaps (P7)
| Check | What to Look For |
|---|---|
| Critical path gaps | Happy path only, error paths untested |
| Boundary test gaps | Edge cases, empty, null, zero, max values untested |
| Implementation coupling | Tests that break on refactor (but behavior unchanged) |
| Missing negative cases | Only success scenarios tested |
| Assertion weakness | Not actually verifying outcomes, just running code |
| Flaky test risks | Race conditions, timing dependencies |
| Test isolation issues | Inter-test dependencies, order-dependent |
| Contract test gaps | API responses not validated against schema |
| Error path test gaps | What happens when X fails? |
Coverage priority guide:
- 9-10: Data mutations, money/finance, auth, state machines - MUST test
- 7-8: Business logic branches, API contracts, error paths - SHOULD test
- 5-6: Edge cases, boundaries, integration points - GOOD to test
- 1-4: Trivial getters, simple pass-through - OPTIONAL
8. Documentation & Comment Issues (P10)
| Check | What to Look For |
|---|---|
| Stale comments | Don't match current code behavior |
| Misleading comments | // returns user but returns userId |
| Missing "why" | Complex logic without reasoning explanation |
| Redundant comments | i++ // increment i - restating the obvious |
| TODO graveyard | Ancient TODOs from years ago, never addressed |
| Commented-out code | Dead code preserved "just in case" |
| Outdated examples | Doc examples that no longer compile/work |
Good comments explain:
- WHY this non-obvious approach was chosen
- CONSTRAINTS that must be maintained
- WARNINGS about non-obvious gotchas
- LINKS to specs/tickets for complex requirements
9. Evolution & Maintainability Risks (P8)
| Check | What to Look For |
|---|---|
| API evolution risks | Hard to extend without breaking clients |
| Schema rigidity | Difficult to migrate or evolve |
| Rollback difficulty | Changes hard to undo safely |
| Version strategy gaps | No clear path for evolution |
| Deprecation debt | Old patterns still in use with no removal plan |
| Migration complexity | Schema changes require complex migrations |
| Data integrity risks | No validation on critical data paths |
10. Security & Performance (Lower Priority)
Default to LOW severity unless it causes correctness/data loss/availability issues.
| Check | What to Look For |
|---|---|
| Auth gaps | Missing auth checks on endpoints |
| Injection risks | Unsanitized input in queries/commands |
| Secrets exposure | Hardcoded keys, passwords in code |
| IDOR risks | Can access other users' data by changing ID |
| Sensitive data logged | PII in logs |
| N+1 queries | Query in loop |
| Unbounded operations | findAll() without limits, no pagination |
| Expensive in loops | Regex compile, JSON parse repeatedly |
Escalation Rule: Escalate to HIGH only if the security/performance issue causes:
- Correctness failure (wrong data returned)
- Data loss or corruption
- Availability failure (system down)
Domain Overlay: Prompt Engineering
Apply when analyzing AI/LLM prompts in code:
| Check | What to Look For |
|---|---|
| Clarity | Is the prompt unambiguous? Clear instructions? |
| No Conflicts | Do instructions contradict each other? |
| Code Integration | Does prompt correctly reference code variables/data? |
| Variable Injection | Are template variables properly escaped/validated? |
| Output Parsing | Is expected format clear? Parser handles edge cases? |
| Error Handling | What if model returns unexpected format? |
| Role Definition | Is persona/role well-defined and consistent? |
| Structured Output | JSON Schema/format constraints specified? |
| Determinism | Temperature/sampling appropriate for use case? |
| Fallback Behavior | What happens on API failure/timeout? |
Recommendation Priority
| Priority | Triggers | Suggested Action |
|---|---|---|
| CRITICAL | Latent bug likely to cause production incident; Data corruption risk; Silent failure hiding critical issues | Address immediately |
| HIGH | Bug waiting to happen; Missing critical test coverage; Type allows invalid state | Address in current sprint |
| MEDIUM | Technical debt accumulating; Maintainability degrading; Edge case gaps | Plan for upcoming work |
| LOW | Minor improvements; Style consistency; Performance optimizations | Address opportunistically |
| INFO | Observations; Positive patterns worth noting; Context for future work | No action needed |
Output Format
Structure your analysis as follows:
## Executive Summary
[2-3 sentences: overall code health assessment and key risk areas]
## Health Scores
| Category | Score | Notes |
|----------|-------|-------|
| Correctness Risk | X/10 | [Brief assessment] |
| Type Safety | X/10 | [Brief assessment] |
| Observability | X/10 | [Brief assessment] |
| Test Coverage | X/10 | [Brief assessment] |
| Maintainability | X/10 | [Brief assessment] |
## Key Principle Gaps
[List P1-P10 gaps with specific file:line references]
## Recommendations by Priority
### CRITICAL
- **[Category]** `file.ts:123-145`
- **Issue**: [What's the risk]
- **Impact**: [Why it matters]
- **Recommendation**: [Specific improvement suggestion]
### HIGH
[Same format...]
### MEDIUM
[Same format...]
### LOW / INFO
[Same format...]
## Technical Debt Inventory
- [List accumulated debt items with rough effort estimates: S/M/L/XL]
## Quick Wins
- [List improvements with high impact and low effort]
## Test Coverage Recommendations
- Critical untested paths (priority 8-10): [List]
- Suggested test additions: [List]
## Architectural Observations
[High-level patterns, structural issues, or evolution recommendations]
## Strengths
[What's done well - important for balance and preserving good patterns]
End of consultant prompt.
Implementation Note
Use the Task tool with subagent_type='consultant:consultant'. The agent will gather the specified code files, append them to the prompt above, invoke the consultant CLI, and report findings.
Specify target files or directories for analysis. Without specific targets, analyze the most critical code paths in the current working directory.