# Code Review Checklist Use this checklist for the Code Reviewer role. Guard IDs live in `.agents/checks/guard-catalog.json` (guards where `reviewer` = `code`). ## Architecture & Conventions - `GR-CORE-003` request input via requestInput(); no $_POST/$_GET/$_FILES - `GR-CORE-007` OpenAPI updated when API endpoints changed - `GR-CORE-010` DB schema changes shipped as idempotent scripts in db/updates/ - `GR-CORE-011` new settings in DB settings table, not config files - `GR-CORE-012` successful mutating POSTs use PRG pattern; flash before redirect ## Testing - `GR-TEST-001` new/changed Service/Gateway logic has PHPUnit tests (happy + edge case) - `GR-TEST-002` new code uses constructor injection; no hidden global state ## UI (skip if backend-only) - `GR-UI-014` new views/components handle loading, empty, error, success states - `GR-UI-LIST` list/grid standards preserved (row actions, page size, initStandardListPage) - `GR-UI-DETAIL` detail page contracts, shared partials, no inline confirm, layout system - `GR-UI-A11Y` no a11y regression; new components use semantic HTML, keyboard-operable - `GR-UI-I18N` all visible text uses t(); keys present in all language files - `GR-UI-REUSE` existing JS/CSS checked before adding new functions/rules ## Quality Gates - required always (per `enforcement-policy.json`): `QG-001`, `QG-002`, `QG-003`, `QG-006`, `QG-008`, `QG-009` - `QG-004` structural checks reported when relevant - `QG-005` JS smoke for JS-touching changes - `QG-007` composer-unused is periodic / non-blocking # Security Review Checklist Use this checklist for the Security Reviewer role. Guard IDs live in `.agents/checks/guard-catalog.json` (guards where `reviewer` = `security`). ## Security - `GR-SEC-001` CSRF token verified on every POST before processing - `GR-SEC-002` no PII or secrets in logs/audit metadata - `GR-SEC-003` all SQL via Repository with prepared statements - `GR-SEC-004` no external CDN or remote asset loading - `GR-SEC-005` encryption only via core/Support/Crypto.php - `GR-SEC-006` file uploads in storage/ only; authz-gated serving; MIME validated - `GR-SEC-007` API requests do not start sessions - `GR-SEC-008` authorization enforced server-side - `GR-SEC-009` tenant scope enforced server-side; tenant_id filtering on all scoped queries