Revieko — Review Playbooks (PR)

high structural risk (high struct),

high control risk (high control),

effectful tails (IO/NET/DB/EXEC/LOG),

USER_INPUT → (NET/DB/EXEC/LOG) adjacency,

partial analysis due to limits/fallbacks.

Accept + explain

Simplify

Isolate

Add tests / invariants

Split PR / rerun with full analysis

High risk does not mean the code is wrong.

Low risk does not mean the code is safe or bug-free.

The point of the report is to give you 3–10 places to inspect first.

Simplify — when complexity appeared “along the way” with no clear architectural reason.

Isolate — when the change looks like a new subsystem/pattern/algorithm.

Accept + explain — when complexity is justified, but must be stated and recorded (contract/test/comment).

“fix it”, or

“explicitly exempt/override the rule”,

analysis=partial → Playbook: Partial analysis (scope)

risk_level=high and hotspots are mostly struct_pattern_break / depth_spike → Playbook: High struct

control_risk_level=high or hotspots include control_outlier → Playbook: High control

Hotspots show Effects/Taint, and JSON includes effect_density_tail / dangerous_flow_score →

• if the tail is “densely effectful” → Playbook: Effect tails

• if USER_INPUT appears near NET/DB/EXEC/LOG → Playbook: USER_INPUT → Effects

risk_level=high and/or high struct_risk

hotspots are mostly:

• struct_pattern_break

• depth_spike

• mixed (when shape/depth dominates)

control_risk_level can be low — that’s normal: “shape is atypical, branching isn’t overheated”.

increased cognitive load,

“hidden architecture” inside a file,

atypical patterns introduced without a contract (hard to maintain later).

Which file is the main contributor in Per-file structural risk?

In the top-3 hotspots, what was introduced?

• new entities (class/subsystem/mini-DSL),

• generators / yield,

• lambdas / functional constructs,

• atypical math/algorithm,

• sharp nesting growth.

Decide: feature architecture or accidental complexity?

the change adds real value (new algorithm/mode),

there are tests/contract,

the area is localized, readable, and explained.

add a short comment explaining why the pattern is needed,

add test(s) for contract/edge cases,

if it’s a “mode” — add an explicit flag/config and document it.

the pattern is “clever” but not necessary,

it can be expressed more simply and closer to the repo style.

replace lambdas with named functions,

remove generators: use a simple next_* function,

reduce nesting (guard clauses, early returns),

separate “computation” from “effects” (IO separately),

make algorithm steps explicit (variables, names).

a mini-architecture landed inside the file (strategy/state/manager),

a new reusable algorithm appears,

the change introduces a new operating mode and needs an explicit interface.

extract into a dedicated module/class,

provide an explicit API,

add minimal docs/README for the module,

add tests for the interface, not internals.

control_risk_level=high (even if struct_risk is medium/low)

hotspots of type control_outlier

in control_summary high values:

• branch_cond_risk

• error_path_risk

• return_path_risk

branch_cond_effect_density

error_path_effect_density

return_path_effect_density

mistakes due to complex conditions,

“programs inside error handling”,

unexpected side effects right before exit (before return/raise),

poor testability and unpredictable behavior.

Which axis is overheated?

• BRANCH_COND: conditions are too complex

• ERROR_PATH: error handling got complex

• RETURN_PATH: logic/effects happen right before return/raise

Are there effects inside those paths? If yes — priority #1.

long if with computation + IO,

elif chains as a mini state machine,

complex unnamed conditions.

extract predicates into named functions (is_*, should_*),

break into guard clauses,

replace elif chains with a decision table/state map,

move effects (IO/NET/DB) out of condition expressions.

except does half the business logic,

many effects inside error handlers,

mixed compensations/logging/retries.

minimize work in except: capture context → call handle_error(...),

unify error handling (one coherent path),

make retry/backoff policies explicit,

add tests for failure scenarios (mandatory if behavior changes).

effects before return (logging/writes/network),

tail changes the function contract “at exit”.

split: compute result → perform effects → return,

document the exit contract (what’s guaranteed before returning),

add tests for “exit contract”.

high effect_density_tail in JSON/Full report (per file or global)

TL;DR hints like “Tail contains NET/DB/FILE effects…”

hotspots include Effects (e.g., NET_IO+DB+LOG) without explicit Taint

complex, poorly testable effect-heavy endings of functions/modules,

hidden dependency on operation order,

implicit transactional behavior (partial success),

instability under errors (partial state).

What effects are in the tail?

• DB / NET_IO / EXEC — highest priority

• LOG — depends, but high volume can become noise

Is there a clear boundary “pure → effects”?

What happens if an error occurs mid-tail?

Is there idempotency / transactional behavior / compensations?

extract effects into a dedicated layer/function (persist_*, send_*, exec_*)

make operation order explicit (and document it)

add tests:

• partial failure handling,

• reruns (idempotency),

• timeouts/retries (for network).

dangerous_flow_score > 0

hotspot has taint_hint=USER_INPUT and effect_hint includes NET_IO/DB/EXEC/LOG

TL;DR hints like “USER_INPUT near NET/DB/LOG…”

input may reach network/DB/exec/log without proper validation,

risk of injections/leaks/log spam/unexpected side effects.

Where is the trust boundary?

• validation, normalization, limits, escaping

Is there an allowlist (params/commands/fields)?

Is user input logged? If yes — any PII/secrets risk?

For DB/NET/EXEC: is there an explicit layer responsible for safety/contracts?

parameterized queries / ORM

strict validation schema

length/format constraints

tests for “bad” inputs

allowlist domains/endpoints

timeouts/retries policy

payload size limits

logging without leaks

forbid or enforce a strict allowlist

never build shell commands via string concatenation

dedicated “executor” layer covered by tests

masking/redaction

volume limits

exclude secrets/PII

analysis=partial

Review Python changes via CodeGuard: per-file risk → top hotspots → decision.

Review out-of-profile files manually:

• configs: schema validity, backward compatibility, secrets, environments

• data/CSV: format, migrations, size/diff noise

• docs/Markdown: correctness of instructions/examples/commands

formalize rules in .revieko/semantics.yaml (invariants),

enforce the style “effects separate from computation”,

agree on: “if we introduce a new pattern → isolate + contract + tests”.