Install: `claude install-skill kdlbs/kandev`
# Code Review
Review the current changes in the codebase (Go + Next.js monorepo). Every finding needs a `file_path:line_number` reference, an explanation of *why* it matters, and a concrete fix.
## Available skills
- **`/tdd`** — Recommend when flagging untested logic. The author can use this to add tests.
## Steps
### 1. Identify changed files and check scope
Determine the right diff scope:
- **Local changes**: `git diff --name-only` (unstaged) and `git diff --cached --name-only` (staged)
- **PR review**: `git diff origin/<base_branch>...HEAD --name-only` to diff against the base branch
Read each changed file in full — understand surrounding code, not just the diff. Navigate callers, interfaces, and tests to understand changes end-to-end.
For each file, identify which requirement or intent it serves. Flag any changes that don't map to the task — scope creep is a blocker.
### 2. Review for issues
Check every changed file for the following layers. Skip layers that don't apply to the change.
**Security** (blockers if found):
- No secrets, tokens, or credentials in code
- Input validation at system boundaries (user input, API handlers, external data)
- No SQL injection, XSS, command injection, or path traversal risks
- Authentication and authorization checks in place for new endpoints
- No insecure crypto (MD5/SHA-1 for password hashing instead of bcrypt/argon2, `math/rand` where a token or secret is generated, hand-rolled comparisons of secrets instead of `crypto/subtle`)
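The following is an added example of what a finding under the **Security** layer looks like when paired with its fix; it is not code from kandev. Each `Unsafe*` function is the pattern the reviewer flags, and the function beside it is the concrete fix the review should propose. The workspace root, the task ID format and the `tasks` table are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// workspaceRoot is a hypothetical on-disk root for user files (assumed, not kandev's layout).
const workspaceRoot = "/srv/workspaces"

// ErrTraversal is returned when a caller-supplied path would resolve outside the root.
var ErrTraversal = errors.New("path escapes workspace root")

// UnsafeJoin is the path-traversal pattern a review flags: filepath.Join cleans ".."
// segments, but only after concatenation, so "../../etc/passwd" still leaves the root.
func UnsafeJoin(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// SafeJoin resolves userPath under root and rejects absolute paths and anything whose
// cleaned form lands outside root, instead of silently normalising it.
func SafeJoin(root, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrTraversal
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, userPath)
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// idPattern is an assumed task ID format: lowercase alphanumerics and hyphens, 1 to 63 chars.
var idPattern = regexp.MustCompile(`^[a-z0-9][a-z0-9-]{0,62}$`)

// ValidateID is the boundary check an API handler runs before an ID reaches the store.
func ValidateID(id string) bool {
	return idPattern.MatchString(id)
}

// UnsafeQuery is the SQL injection pattern a review flags: the value is spliced into the text.
func UnsafeQuery(status string) string {
	return fmt.Sprintf("SELECT id, title FROM tasks WHERE status = '%s'", status)
}

// SafeQuery keeps the value out of the query text; the driver binds it as a parameter.
// (Placeholder syntax is PostgreSQL-style and assumed.)
func SafeQuery(status string) (string, []any) {
	return "SELECT id, title FROM tasks WHERE status = $1", []any{status}
}

// NewToken is the fix for "weak random": crypto/rand rather than math/rand for anything secret.
func NewToken(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

func main() {
	fmt.Println("unsafe join :", UnsafeJoin(workspaceRoot, "../../etc/passwd"))
	if _, err := SafeJoin(workspaceRoot, "../../etc/passwd"); err != nil {
		fmt.Println("safe join   :", err)
	}
	fmt.Println("unsafe query:", UnsafeQuery("open' OR '1'='1"))
	q, args := SafeQuery("open' OR '1'='1")
	fmt.Printf("safe query  : %s %q\n", q, args)
}
```

A finding written from this would read, for example: `internal/files/store.go:42` builds the path with `filepath.Join(root, req.Path)`, which lets `../../etc/passwd` escape the workspace; resolve with `filepath.Rel` against the root and reject anything starting with `..`, as in `SafeJoin` above.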
**Architecture:**
- Frontend: no direct data fetching in components (must go through store), shadcn imports from `@kandev/ui`