Best practice L2 · Context engineering informational

Give Claude a Review Checklist, Not 'Review This'

What it is

A pattern where you hand Claude an explicit checklist of what to look for — correctness, edge cases, security, readability — and ask it to go category by category, instead of an open-ended 'review this code'. The checklist is the spec for the review.

review lensReadability — naming, structure, dead code4Security — input trust, secrets, injection3Edge cases — nulls, empties, boundaries2Correctness — does it do the thing1
A named lens per pass beats one vague 'look for problems'.

Why it works

'Review this' produces a scattered list weighted toward whatever Claude noticed first, usually style nits, while the real correctness bug goes unmentioned. Naming the categories forces coverage: the model has to say something for each lens, and 'nothing here' is itself a signal. It also lets you tune the review to the change — a payments PR gets a heavier security pass than a copy tweak.

When to use it

Pull requests, unfamiliar code you inherited, anything security- or money-adjacent, and as a pre-review before you ask a human teammate to look.

When not to use it

One-line changes, or when you actually need architectural judgement about whether the change should exist — Claude reviews the diff in front of it, not the decision behind it.

Prompt

Review this diff. Go through these lenses in order and report findings under each heading, most severe first. If a lens has no issues, say so.
1. Correctness — does it do what it claims; any logic errors?
2. Edge cases — nulls, empty inputs, boundaries, concurrency.
3. Security — untrusted input, injection, secrets, authz.
4. Readability — naming, dead code, needless complexity.
For each finding: file, line, why it matters, and the smallest fix.

<diff>

Example

On a file-upload handler, the correctness pass is clean but the security pass flags that the filename is used to build a path without sanitising .. — a directory-traversal bug the style-first 'review this' had buried under a comment about variable naming.

Advanced version

Ask Claude to rank findings by severity and give each a confidence level, then only act on high-severity/high-confidence items yourself. This mirrors how a real review triage works and stops you drowning in low-value nits.

Common mistakes

  • Treating every finding as equally real — AI reviews over-flag; confirm before you change.
  • Pasting the whole file instead of the diff, so Claude reviews unchanged code you didn't touch.
  • Skipping the 'no issues' confirmation, so you can't tell a covered lens from a skipped one.

Related