AI Skill Report Card

Generated Skill

B-70·Feb 19, 2026·Source: Web

Quick Start

For code:

Review this for security and reliability issues:
[paste code/diff]
Environment: Python 3.9, production API, handles user input

For n8n:

Review this workflow for errors and improvements:
[paste n8n JSON or describe nodes]
Volume: 100 items/day, needs idempotency

Workflow

Mode Selection:

  • Code Review Mode: source code, diffs, system components
  • n8n Workflow Mode: n8n JSON, node descriptions, automation requirements
  • Hybrid: both code and workflow review

Review Process:

  1. Identify mode and key assumptions
  2. Assess severity using Impact × Likelihood
  3. Group findings by category (Security → Correctness → Performance → Maintainability)
  4. Provide actionable fixes with examples
  5. Create validation plan

Risk Severity Scale

  • Critical: Auth bypass, data loss, RCE, production outage likely
  • High: Major impact or high likelihood; significant performance regression
  • Medium: Moderate impact; edge cases, reliability issues
  • Low: Minor impact; maintainability improvements
  • Info: Suggestions, not required

Output Format

Selected: [Code Review | n8n Workflow | Hybrid]
Environment: [language/runtime, deployment, constraints]
Assumptions: [trust boundaries, data sensitivity]

Must fix (blockers):

  • [Critical/High severity issues]

Should fix soon:

  • [Medium severity issues]

Nice to have:

  • [Low/Info improvements]

Security

Finding: [Issue description]
Severity: High (High Impact × Medium Likelihood)
Why: [Business/technical risk]
Evidence: Line 15: user_input.execute()
Fix: Use parameterized queries
Example:

```python
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```

[Other categories: Correctness, Performance, Architecture, Maintainability]

Validation plan:

  • Unit tests: [specific test cases]
  • Integration: [end-to-end scenarios]
  • Staging: [production-like validation]

Questions:

  • [Only questions that change severity/solution]

# Code Review Checklist

**Security:**
- Input validation, SQL injection, XSS, CSRF
- Authentication/authorization boundaries  
- Secret handling, PII exposure
- SSRF, unsafe deserialization

**Correctness:**
- Edge cases, null handling, error conditions
- Concurrency, race conditions, atomic operations
- Data consistency, invariants

**Performance:**
- Algorithmic complexity, N+1 queries
- Memory allocations, blocking operations
- Caching strategies, hot paths

**Architecture:**
- Separation of concerns, coupling
- Interface design, dependency direction
- Scalability patterns

# n8n Workflow Checklist

**Trigger & Security:**
- Webhook authentication, signature verification
- PII handling, credential scope
- Input validation, schema enforcement

**Reliability:**
- Retry strategy with exponential backoff
- Timeout configuration
- Idempotency keys, deduplication
- Error handling workflows

**Performance:**
- Batching large datasets (Split In Batches)
- Rate limiting, concurrency controls
- Payload optimization

**Observability:**
- Error alerting (Slack/Email)
- Correlation IDs, run metadata
- Dead letter handling
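The "Webhook authentication, signature verification" and "Idempotency keys, deduplication" items above describe what a reviewer should look for at a workflow's trigger. The following is an added Python reference implementation of those two checks; it is not n8n's own code (n8n Code nodes run JavaScript), but the logic the reviewer expects to see, written in this page's review language. The header names `X-Timestamp` and `X-Signature`, the `timestamp.body` signing scheme, the secret, and the sample events are all constructed assumptions for the example.

```python
import hmac
import hashlib
import json

# Shared secret for the example; in n8n it would live in a credential, never
# in the exported workflow JSON. Constructed value.
WEBHOOK_SECRET = b"example-shared-secret"


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over 'timestamp.body' (assumed scheme), hex-encoded.

    Binding the timestamp into the MAC means neither it nor the raw body can be
    altered without invalidating the signature."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return mac.hexdigest()


class WebhookGuard:
    """Verifies freshness and signature, then rejects duplicate event ids."""

    def __init__(self, secret: bytes = WEBHOOK_SECRET, max_skew: int = 300):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_ids = set()  # idempotency store; a DB or KV store in production

    def accept(self, body: bytes, headers: dict, now: int):
        # 1. Freshness: a bounded timestamp window limits how long a captured
        #    request stays replayable.
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed skew"

        # 2. Signature: constant-time compare over the raw bytes as received,
        #    never over a re-serialized JSON object.
        expected = sign(body, ts, self.secret)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"

        # 3. Idempotency: the event id becomes a dedup key only after the
        #    signature checks out, so unauthenticated traffic cannot poison the store.
        event_id = json.loads(body).get("id")
        if not event_id:
            return False, "missing event id"
        if event_id in self.seen_ids:
            return False, "duplicate event"
        self.seen_ids.add(event_id)
        return True, "accepted"


def demo():
    """Constructed requests: one valid, its replay, a tampered body, a stale one."""
    guard = WebhookGuard()
    now = 1_700_000_000
    body = json.dumps({"id": "evt_1", "amount": 100}).encode()
    good = {"X-Timestamp": str(now), "X-Signature": sign(body, now)}
    tampered = json.dumps({"id": "evt_1", "amount": 100000}).encode()
    old = now - 3600
    stale = {"X-Timestamp": str(old), "X-Signature": sign(body, old)}
    return {
        "first": guard.accept(body, good, now),
        "replay": guard.accept(body, good, now),
        "tampered": guard.accept(tampered, good, now),
        "stale": guard.accept(body, stale, now),
    }
```

The order of the checks matters: cheap freshness and signature checks run before anything touches the idempotency store, so an attacker without the secret can neither replay an old capture nor fill the store with ids that later block legitimate events.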

# Examples

**Example 1 - Code Security Issue:**
Input:
```python
def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query).fetchone()
```

Output:
Finding: SQL injection vulnerability
Severity: Critical (High Impact × High Likelihood)
Why: Caller-controlled user_id is interpolated into the statement, so an attacker can run arbitrary queries against the database
Evidence: Line 2: Direct string interpolation in SQL
Fix: Use parameterized queries
Example:

```python
def get_user(user_id):
    query = "SELECT * FROM users WHERE id = %s"
    return db.execute(query, (user_id,)).fetchone()
```
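To make Example 1 concrete beyond the two snippets, here is an added, runnable Python demonstration (not part of the original skill) that runs both the vulnerable and the fixed `get_user` against a constructed in-memory SQLite database. SQLite uses `?` as the bind placeholder where psycopg2 and MySQL drivers use `%s`; the table contents and the payload `1 OR 1=1` are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two users (example data, not from the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user")])
    return db


def get_user_vulnerable(db, user_id):
    """The 'before' from Example 1: caller-controlled text is pasted into the SQL."""
    query = f"SELECT id, name, role FROM users WHERE id = {user_id}"
    return db.execute(query).fetchall()


def get_user_fixed(db, user_id):
    """The fix: a bound parameter. sqlite3 uses '?' where psycopg2/MySQL use '%s'.

    The driver sends the value separately from the statement, so it is compared
    as data and never parsed as SQL."""
    query = "SELECT id, name, role FROM users WHERE id = ?"
    return db.execute(query, (user_id,)).fetchall()


def demo():
    db = make_db()
    payload = "1 OR 1=1"  # classic tautology: turns a one-row lookup into a table dump
    return {
        "vulnerable": get_user_vulnerable(db, payload),   # every row comes back
        "fixed": get_user_fixed(db, payload),             # no row has that id
        "fixed_valid": get_user_fixed(db, 1),             # normal lookup still works
    }
```

The fixed version is not "escaping" the input: the hostile string is still sent to the database, but as a value compared against the id column, where it matches nothing. That is the property a reviewer should verify, rather than accepting a sanitizer or a type cast as the fix.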

**Example 2 - n8n Reliability Issue:**
Input: HTTP Request node calling an external API without retry logic

Output:
Finding: Missing retry strategy for API calls
Severity: High (High Impact × Medium Likelihood)
Why: Transient API failures (timeouts, 429, 5xx) fail the whole workflow run
Evidence: HTTP Request node lacks retry configuration
Fix: Enable retries with a bounded number of attempts and a wait between tries
Example: In the node's Settings, turn on "Retry On Fail" and set "Max Tries: 3", "Wait Between Tries (ms): 1000". The built-in retry waits a fixed interval; for exponential backoff, put the HTTP Request inside a loop with a Wait node whose duration grows per attempt, or call the API from a Code node with its own backoff. Retry only idempotent requests, or send an idempotency key, so a retried POST cannot create duplicates.
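Because n8n's built-in retry waits a fixed interval, a reviewer who recommends exponential backoff should be able to say precisely what that means. As an added example, not from the original skill or from n8n, here is a Python retry helper with capped exponential backoff and optional full jitter, driven against a constructed flaky API stand-in. It retries only transient failures, stops after `max_tries` calls, and lets a permanent error through immediately; the `sleep` hook is injectable so the demo does not actually wait. The `FlakyApi` class and the error strings are constructed for the example.

```python
import random


class TransientError(Exception):
    """Retryable failure: timeout, connection reset, HTTP 429 or 5xx."""


class PermanentError(Exception):
    """Non-retryable failure: HTTP 4xx other than 429, validation error."""


def backoff_delay(attempt, base=1.0, factor=2.0, cap=30.0, rng=None):
    """Seconds to wait before retry number `attempt` (1-based).

    Capped exponential: base, base*factor, base*factor^2, ... never above cap.
    With an rng, full jitter draws uniformly from [0, exp] so that many clients
    recovering from the same outage do not retry in lockstep."""
    exp = min(cap, base * factor ** (attempt - 1))
    return rng.uniform(0, exp) if rng else exp


def call_with_retry(fn, max_tries=3, base=1.0, factor=2.0, cap=30.0,
                    sleep=lambda seconds: None, rng=None):
    """Call fn() up to max_tries times, retrying only TransientError.

    PermanentError propagates at once: retrying a 400, or a non-idempotent call
    that may already have succeeded server-side, only repeats the damage.
    `sleep` is injectable so tests do not wait. Returns (result, delays_used)."""
    delays = []
    for attempt in range(1, max_tries + 1):
        try:
            return fn(), delays
        except TransientError:
            if attempt == max_tries:
                raise
            delay = backoff_delay(attempt, base, factor, cap, rng)
            delays.append(delay)
            sleep(delay)


class FlakyApi:
    """Constructed stand-in for the HTTP target: fails n times, then succeeds."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise TransientError("503 Service Unavailable")
        return {"status": "ok", "calls": self.calls}


def demo():
    # Recovers on the third call; deterministic delays without jitter.
    flaky = FlakyApi(failures=2)
    result, delays = call_with_retry(flaky, max_tries=3)

    # Never recovers: the last TransientError surfaces after exactly max_tries calls.
    dead = FlakyApi(failures=5)
    try:
        call_with_retry(dead, max_tries=3)
        exhausted = None
    except TransientError as err:
        exhausted = (str(err), dead.calls)

    # A 400 is not retried at all.
    def bad_request():
        raise PermanentError("400 Bad Request")

    try:
        call_with_retry(bad_request, max_tries=3)
        permanent = None
    except PermanentError as err:
        permanent = str(err)

    # Production setting: jittered delays stay inside the exponential envelope.
    jittered = [backoff_delay(a, rng=random.Random(7)) for a in (1, 2, 3)]

    return {"result": result, "delays": delays, "exhausted": exhausted,
            "permanent": permanent, "jittered": jittered}
```

The two review points this encodes are the ones most often missing from "just add retries" fixes: a hard upper bound on attempts (so a dead dependency does not turn into a retry storm) and a classification of which errors are safe to retry at all.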

Best Practices

  • State assumptions explicitly when context is missing
  • Focus on actionable fixes over theoretical problems
  • Prioritize by risk - security and correctness first
  • Provide concrete examples for every recommendation
  • Use minimal code snippets that demonstrate the fix
  • Default to safe configurations (timeouts, retries, auth)

Common Pitfalls

  • Don't review style/formatting that linters and formatters already cover; comment on it only where that tooling has gaps
  • Don't assume requirements - state assumptions instead
  • Don't suggest major redesigns without clear justification
  • Don't include real secrets in n8n JSON examples
  • Don't overlook error handling and observability
  • Don't ignore scalability for high-volume workflows

For n8n workflows over 20 nodes, consider suggesting sub-workflow extraction for maintainability.

Grade: B- (AI Skill Framework)

Scorecard - Criteria Breakdown

  • Quick Start: 11/15
  • Workflow: 11/15
  • Examples: 15/20
  • Completeness: 15/20
  • Format: 11/15
  • Conciseness: 11/15