review-ailisted
Install: claude install-skill pitimon/8-habit-ai-dev
# Step 5: Review (Don't trust the road, don't trust the AI)
**Habit**: H4 — Think Win-Win | **Anti-pattern**: Shipping AI-generated code without reading it
## Process
1. **Get the diff**: `git diff --name-only HEAD` to see what changed.
2. **Read the tests first** — before judging the implementation, open the new or changed test files. Tests declare the _intended_ behavior; reading them first gives you the specification to review the code against. If new logic has no corresponding test, record that as a Completeness finding in step 6.
3. **Security check** (CRITICAL — block if found):
   - Hardcoded secrets (API keys, passwords, tokens)
   - SQL injection (string interpolation in queries)
   - Missing input validation on new endpoints
   - XSS vulnerabilities (unsanitized HTML output)
4. **Quality check** (HIGH):
   - Functions >50 lines → break down
   - Files >800 lines → extract
   - Nesting >4 levels → simplify
   - Missing error handling on external calls
   - `console.log` or `print()` in production code
5. **Performance check** (HIGH):
   - N+1 queries, unbounded loops, or sync blocking in hot paths
   - Missing pagination on list endpoints
   - Unindexed queries on large tables
   - Memory leaks (unclosed streams, unbounded caches, retained references)

   Performance findings follow the same evidence standard as the other axes: cite `file:line` with the measured or obvious-on-inspection cost.
6. **Completeness check** (MEDIUM):
   - Edge cases handled (null, empty, malforme
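Added example (not part of the original skill or the `pitimon/8-habit-ai-dev` project): a small Python pre-pass that walks the added lines of `git diff` output and flags the step 3 secrets / SQL-interpolation findings as CRITICAL and the step 4 `print()` / `console.log` finding as HIGH, each reported as `file:line` so it meets the evidence standard the checklist asks for. The diff is constructed inline; treating paths under `tests/` as non-production and the regexes themselves are assumptions of this example, and every hit still has to be confirmed by reading the code, which is the whole point of this step.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample diff for demonstration only (the secret value is a placeholder).
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,2 +10,5 @@ def get_user(conn, user_id):
-    cur = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))
+    cur = conn.execute(f"SELECT * FROM users WHERE id = {user_id}")
+    print(cur)
     return cur.fetchone()
+
+API_KEY = "sk_live_EXAMPLE_PLACEHOLDER_0000"
diff --git a/tests/test_db.py b/tests/test_db.py
--- a/tests/test_db.py
+++ b/tests/test_db.py
@@ -1,1 +1,2 @@
 import app.db
+print("debug output in tests is fine")
"""

# Unified-diff hunk header; group 1 is the starting line number on the NEW side.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# (axis, severity, heuristic pattern). These are review prompts, not proofs.
CHECKS = [
    ("hardcoded_secret", "CRITICAL",
     re.compile(r"(?i)\b(api_?key|secret|password|passwd|token)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
    ("sql_interpolation", "CRITICAL",
     re.compile(r"(?i)\b(select|insert|update|delete)\b[^\n]*(\{[^}]*\}|%s|\$\{)")),
    ("debug_output", "HIGH",
     re.compile(r"^\s*(print\(|console\.log\()")),
]


@dataclass
class Finding:
    axis: str
    severity: str
    file: str
    line: int
    text: str

    def location(self) -> str:
        return f"{self.file}:{self.line}"


def added_lines(diff_text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new-side line number, content) for every '+' line in a unified diff."""
    path: Optional[str] = None
    new_ln = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            name = raw[4:]
            path = name[2:] if name.startswith("b/") else name
            continue
        if raw.startswith("--- ") or raw.startswith("diff "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_ln = int(m.group(1))
            continue
        if raw.startswith("+"):
            if path is not None:
                yield path, new_ln, raw[1:]
            new_ln += 1
        elif raw.startswith("-"):
            continue  # removed line: exists only on the old side
        else:
            new_ln += 1  # context line: present on both sides


def is_production_path(path: str) -> bool:
    # Assumption of this example: test code is exempt from the debug-output rule.
    return not (path.startswith("tests/") or path.startswith("test_") or "/test_" in path)


def review_diff(diff_text: str) -> List[Finding]:
    """Run every heuristic over the added production lines and return the findings in diff order."""
    findings: List[Finding] = []
    for path, line_no, content in added_lines(diff_text):
        if not is_production_path(path):
            continue
        for axis, severity, pattern in CHECKS:
            if pattern.search(content):
                findings.append(Finding(axis, severity, path, line_no, content.strip()))
    return findings


def should_block(findings: List[Finding]) -> bool:
    """Step 3 rule: any CRITICAL finding blocks the change."""
    return any(f.severity == "CRITICAL" for f in findings)


def report(findings: List[Finding]) -> str:
    return "\n".join(f"[{f.severity}] {f.axis} at {f.location()}: {f.text}" for f in findings)


if __name__ == "__main__":
    found = review_diff(SAMPLE_DIFF)
    print(report(found))
    print("BLOCK" if should_block(found) else "PASS")
```

Run it against a real change with `git diff HEAD | python review_pass.py` after swapping `SAMPLE_DIFF` for `sys.stdin.read()`; the removed `?`-parameterized query on the `-` line is deliberately ignored, because only what the AI added is under review.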