Code Review — Multi-Dimensional Audit
v1.0.0
Multi-dimensional code audit using structured subagent delegation. Use when reviewing a GitHub release, PR, or codebase. Systematically inspects security, concurrency/state-machine safety, UX/implementation logic, and test quality. Spawns parallel subagents for deep verification, then synthesizes findings into a Confirmed/Critical-to-Low priority matrix. Trigger phrases: review this release, audit this codebase, check this PR for issues, 代码审查, review 代码, 审查这个版本
Code Review — Multi-Dimensional Audit Methodology
Systematically audit a codebase release through four dimensions, using parallel subagent delegation for deep verification.
Core Principle
Real code, not release notes. Every finding must be verified against actual source files by fetching them. The only acceptable evidence is file:line citations. The only acceptable conclusion labels are Confirmed / Mitigated / False Alarm.
Workflow
Phase 1: Surface Scan (in main session)
Read these in order — enough to understand architecture and identify candidate issues:
Release notes / CHANGELOG — what the authors claim changed
README — project purpose, architecture diagram, on-disk layout
ARCHITECTURE.md or equivalent — module decomposition, API contracts
Directory tree (via GitHub tree view) — file listing to map modules
Key source files — entry point, core state machine, critical paths (read ~3-8 files)
Output: A list of 10-20 candidate issues, categorized by dimension:
Security (SSRF, injection, auth, path traversal)
Concurrency & State Machine (race conditions, missing locks, TOCTOU)
UX & Implementation Logic (feature semantics, error messages, recovery paths)
Test Quality (mock fidelity, integration gaps, signature mismatches)
Phase 2: Deep Audit (via subagents)
For each non-trivial dimension, spawn an isolated subagent. Each subagent:
Fetches every relevant source file via web_fetch — never infers from docs
Verifies each issue against actual code — cites specific lines
Constructs exploit scenarios (security) or race timelines (concurrency)
Returns structured findings with: Conclusion / Severity / Source Evidence / Risk / Fix
See subagent-templates.md for the exact prompt template. See audit-dimensions.md for dimension-specific question probes.
Model guidance: Use the same model for all subagents to ensure consistent judgment. Prefer high-reasoning models for complex audits.
Phase 3: Synthesis (in main session)
When all subagent reports return:
Merge findings — deduplicate across dimensions, re-classify severity
Build summary table — all issues with conclusion + severity + source dimension + root cause
Build priority matrix — P0 (drop everything) through P5 (nice to have), with estimated work and blast radius
Write executive summary — overall quality assessment + top 3 action items
See output-format.md for table and emoji conventions. See severity-rubric.md for severity classification rules.
Key Heuristics
Security Scan Heuristics
Every URL fetch path must be checked for SSRF: trace from user input → URL parsing → DNS resolution → HTTP request → redirect handling → response reading. Flag any step that skips IP validation.
Every subprocess call must be checked for injection: is shell=True used? Are user-controlled strings concatenated into the command? Are file paths sanitized?
Every external API call must be checked for credential leaks: are tokens/secrets logged? Do error messages include request bodies?
Concurrency Scan Heuristics
For every .json / .jsonl write: check if it uses tmp-rename atomic pattern or flock. Direct overwrite without either = bug.
For every load → modify → save pattern: check if the entire block is lock-protected. If load happens outside the lock, it's a TOCTOU bug.
For every state machine transition: check if two concurrent events can both see the same "before" state and both advance. If yes, state corruption possible.
For every append-only log: verify flock(LOCK_EX) covers the full append operation.
UX/Logic Scan Heuristics
For every feature flag/mode: trace all branches. Does "mode=review-only" actually prevent non-review actions? Don't trust the name — verify the code.
For every error message: read it as a user would. Does it tell you what went wrong AND how to fix it? If it only says "X failed", flag it.
For every multi-step workflow: is there an undo/backtrack/revisit path? If not, flag it.
For every access-control check: look for what's NOT checked. Does a group chat require @-mention? Does a rate limit exist?
Test Quality Heuristics
Mocks that match wrong signatures: if a test monkeypatches call_llm with a fake that takes **kw and reads kw.get("old_param"), it will never catch a production code change to new_param. Flag these.
No integration test in CI: if CI only runs unit tests with mocks and there's no end-to-end smoke test, flag it.
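The SSRF heuristic above asks whether IP validation happens at every step, including after DNS resolution and on each redirect. This added example (not part of the skill's own files) shows the shape a reviewer should expect to find in fetch code; `validate_target`, `fetch_checked`, the injected `resolve`/`send` callables and the sample hosts are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: redirect budget picked for this example

def validate_target(url, resolve):
    """Return the resolved addresses if all are public; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"blocked scheme or missing host: {url!r}")
    ips = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not ips:
        raise ValueError(f"no addresses for {parts.hostname}")
    for ip in ips:
        # Judge IPv4-mapped IPv6 (::ffff:10.0.0.5) by the embedded IPv4 address.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    return ips

def fetch_checked(url, resolve, send):
    """Follow redirects by hand, re-validating every hop.

    send(url, ip) -> (status, location, body) must connect to the validated ip,
    so a second DNS lookup cannot hand the client a different address.
    """
    for _ in range(MAX_HOPS):
        ips = validate_target(url, resolve)
        status, location, body = send(url, str(ips[0]))
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return status, body
    raise ValueError("too many redirects")

# Constructed sample data: a fake resolver table and a fake server whose /a
# path redirects to an internal host.
DNS = {"cdn.example.com": ["93.184.216.34"], "internal.example.test": ["10.0.0.5"]}

def fake_resolve(host):
    return DNS.get(host, [host])  # IP literals resolve to themselves

def fake_send(url, ip):
    if url.endswith("/a"):
        return 302, "http://internal.example.test/admin", b""
    return 200, None, b"ok"
```

Code that validates only the first URL, or lets the HTTP library follow redirects on its own, passes the first check and fails the second hop of this test.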
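For the concurrency heuristics on .json writes and load → modify → save blocks, the following added example (not taken from the skill or any audited project) shows the pattern an auditor is checking for: the lock is taken before the load and the write goes through tmp-rename. It assumes a POSIX system with `fcntl`; `update_json`, `hammer` and the `.lock` sidecar naming are hypothetical.

```python
import fcntl
import json
import os
import tempfile
import threading

def update_json(path, mutate):
    """Load -> modify -> save, with the whole sequence under one exclusive lock."""
    # Lock a sidecar file: os.replace() swaps the data file's inode, so a lock
    # held on the data file itself would not exclude the next writer.
    lock_fd = os.open(path + ".lock", os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(lock_fd, fcntl.LOCK_EX)  # acquired BEFORE the load (no TOCTOU)
        try:
            with open(path) as f:
                state = json.load(f)
        except FileNotFoundError:
            state = {}
        mutate(state)
        # tmp-rename: readers see the old file or the new one, never a torn write.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".tmp-")
        try:
            with os.fdopen(fd, "w") as f:
                json.dump(state, f)
                f.flush()
                os.fsync(f.fileno())
            os.replace(tmp, path)
        except BaseException:
            os.unlink(tmp)
            raise
        return state
    finally:
        os.close(lock_fd)  # closing the descriptor releases the flock

def hammer(path, workers=8, rounds=25):
    """Constructed workload: concurrent increments; returns the final counter."""
    def bump(state):
        state["count"] = state.get("count", 0) + 1
    def work():
        for _ in range(rounds):
            update_json(path, bump)
    threads = [threading.Thread(target=work) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with open(path) as f:
        return json.load(f)["count"]
```

Moving the `json.load` above the `flock` call reproduces the TOCTOU bug the heuristic describes: increments are lost and the final count falls short of workers × rounds.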
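The mock-fidelity heuristic is easiest to see side by side. In this added example (not the skill's own code), `call_llm`, `old_param` and `new_param` are the names used in the heuristic; `stale_caller`, `loose_fake` and `signature_drift` are hypothetical helpers showing how a `**kw` fake hides a stale call that `unittest.mock.create_autospec` rejects.

```python
import inspect
from unittest import mock

# Hypothetical production function after the rename old_param -> new_param.
def call_llm(prompt, *, new_param=0.2):
    return f"real:{prompt}:{new_param}"

# Hypothetical caller that was never updated and still passes old_param (the bug).
def stale_caller(llm):
    return llm("hi", old_param=1)

# The low-fidelity fake from the heuristic: **kw swallows any keyword.
def loose_fake(prompt, **kw):
    return f"fake:{kw.get('old_param', 'default')}"

def signature_drift(real, fake):
    """List the ways a fake's signature is looser than, or differs from, the real one."""
    variadic = (inspect.Parameter.VAR_POSITIONAL, inspect.Parameter.VAR_KEYWORD)
    real_p = inspect.signature(real).parameters
    fake_p = inspect.signature(fake).parameters
    issues = [f"fake accepts {p.kind.name} '{n}'"
              for n, p in fake_p.items() if p.kind in variadic]
    named = [n for n, p in fake_p.items() if p.kind not in variadic]
    issues += [f"real parameter '{n}' missing from fake" for n in real_p if n not in named]
    issues += [f"fake parameter '{n}' not in real" for n in named if n not in real_p]
    return issues

def hidden_by_loose_fake():
    """The stale call succeeds against the loose fake, so the test stays green."""
    return stale_caller(loose_fake)

def caught_by_autospec():
    """create_autospec enforces call_llm's real signature, so the stale call fails."""
    strict = mock.create_autospec(call_llm, return_value="fake")
    try:
        stale_caller(strict)
    except TypeError:
        return True
    return False
```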
Anti-Patterns (avoid)
❌ Filing an issue based on release notes alone (always verify against source)
❌ Accepting a docstring claim without checking the implementation
❌ Using "I think" / "probably" / "seems like" — every finding is Confirmed or it's not a finding
❌ Leaving severity as "TBD" — classify immediately using the rubric
❌ Mentioning an issue in prose without filing it in the structured output table