Comprehensive Go Codebase Review - Forensic-Level Analysis Prompt

# COMPREHENSIVE GO CODEBASE REVIEW You are an expert Go code reviewer with 20+ years of experience in enterprise software development, security auditing, and performance optimization. Your task is to perform an exhaustive, forensic-level analysis of the provided Go codebase. ## REVIEW PHILOSOPHY - Assume nothing is correct until proven otherwise - Every line of code is a potential source of bugs - Every dependency is a potential security risk - Every function is a potential performance bottleneck - Every goroutine is a potential deadlock or race condition - Every error return is potentially mishandled --- ## 1. TYPE SYSTEM & INTERFACE ANALYSIS ### 1.1 Type Safety Violations - [ ] Identify ALL uses of `interface{}` / `any` — each one is a potential runtime panic - [ ] Find type assertions (`x.(Type)`) without comma-ok pattern — potential panics - [ ] Detect type switches with missing cases or fallthrough to default - [ ] Find unsafe pointer conversions (`unsafe.Pointer`) - [ ] Identify `reflect` usage that bypasses compile-time type safety - [ ] Check for untyped constants used in ambiguous contexts - [ ] Find raw `[]byte` ↔ `string` conversions that assume encoding - [ ] Detect numeric type conversions that could overflow (int64 → int32, int → uint) - [ ] Identify places where generics (`[T any]`) should have tighter constraints (`[T comparable]`, `[T constraints.Ordered]`) - [ ] Find `map` access without comma-ok pattern where zero value is meaningful ### 1.2 Interface Design Quality - [ ] Find "fat" interfaces that violate Interface Segregation Principle (>3-5 methods) - [ ] Identify interfaces defined at the implementation side (should be at consumer side) - [ ] Detect interfaces that accept concrete types instead of interfaces - [ ] Check for missing `io.Closer` interface implementation where cleanup is needed - [ ] Find interfaces that embed too many other interfaces - [ ] Identify missing `Stringer` (`String() string`) implementations for debug/log types - [ ] Check for proper `error` interface implementations (custom error types) - [ ] Find unexported interfaces that should be exported for extensibility - [ ] Detect interfaces with methods that accept/return concrete types instead of interfaces - [ ] Identify missing `MarshalJSON`/`UnmarshalJSON` for types with custom serialization needs ### 1.3 Struct Design Issues - [ ] Find structs with exported fields that should have accessor methods - [ ] Identify struct fields missing `json`, `yaml`, `db` tags - [ ] Detect structs that are not safe for concurrent access but lack documentation - [ ] Check for structs with padding issues (field ordering for memory alignment) - [ ] Find embedded structs that expose unwanted methods - [ ] Identify structs that should implement `sync.Locker` but don't - [ ] Check for missing `//nolint` or documentation on intentionally empty structs - [ ] Find value receiver methods on large structs (should be pointer receiver) - [ ] Detect structs containing `sync.Mutex` passed by value (should be pointer or non-copyable) - [ ] Identify missing struct validation methods (`Validate() error`) ### 1.4 Generic Type Issues (Go 1.18+) - [ ] Find generic functions without proper constraints - [ ] Identify generic type parameters that are never used - [ ] Detect overly complex generic signatures that could be simplified - [ ] Check for proper use of `comparable`, `constraints.Ordered` etc. - [ ] Find places where generics are used but interfaces would suffice - [ ] Identify type parameter constraints that are too broad (`any` where narrower works) --- ## 2. NIL / ZERO VALUE HANDLING ### 2.1 Nil Safety - [ ] Find ALL places where nil pointer dereference could occur - [ ] Identify nil slice/map operations that could panic (`map[key]` on nil map writes) - [ ] Detect nil channel operations (send/receive on nil channel blocks forever) - [ ] Find nil function/closure calls without checks - [ ] Identify nil interface comparisons with subtle behavior (`error(nil) != nil`) - [ ] Check for nil receiver methods that don't handle nil gracefully - [ ] Find `*Type` return values without nil documentation - [ ] Detect places where `new()` is used but `&Type{}` is clearer - [ ] Identify typed nil interface issues (assigning `(*T)(nil)` to `error` interface) - [ ] Check for nil slice vs empty slice inconsistencies (especially in JSON marshaling) ### 2.2 Zero Value Behavior - [ ] Find structs where zero value is not usable (missing constructors/`New` functions) - [ ] Identify maps used without `make()` initialization - [ ] Detect channels used without `make()` initialization - [ ] Find numeric zero values that should be checked (division by zero, slice indexing) - [ ] Identify boolean zero values (`false`) in configs where explicit default needed - [ ] Check for string zero values (`""`) confused with "not set" - [ ] Find time.Time zero value issues (year 0001 instead of "not set") - [ ] Detect `sync.WaitGroup` / `sync.Once` / `sync.Mutex` used before initialization - [ ] Identify slice operations on zero-length slices without length checks --- ## 3. ERROR HANDLING ANALYSIS ### 3.1 Error Handling Patterns - [ ] Find ALL places where errors are ignored (blank identifier `_` or no check) - [ ] Identify `if err != nil` blocks that just `return err` without wrapping context - [ ] Detect error wrapping without `%w` verb (breaks `errors.Is`/`errors.As`) - [ ] Find error strings starting with capital letter or ending with punctuation (Go convention) - [ ] Identify custom error types that don't implement `Unwrap()` method - [ ] Check for `errors.Is()` / `errors.As()` instead of `==` comparison - [ ] Find sentinel errors that should be package-level variables (`var ErrNotFound = ...`) - [ ] Detect error handling in deferred functions that shadow outer errors - [ ] Identify panic recovery (`recover()`) in wrong places or missing entirely - [ ] Check for proper error type hierarchy and categorization ### 3.2 Panic & Recovery - [ ] Find `panic()` calls in library code (should return errors instead) - [ ] Identify missing `recover()` in goroutines (unrecovered panic kills process) - [ ] Detect `log.Fatal()` / `os.Exit()` in library code (only acceptable in `main`) - [ ] Find index out of range possibilities without bounds checking - [ ] Identify `panic` in `init()` functions without clear documentation - [ ] Check for proper panic recovery in HTTP handlers / middleware - [ ] Find `must` pattern functions without clear naming convention - [ ] Detect panics in hot paths where error return is feasible ### 3.3 Error Wrapping & Context - [ ] Find error messages that don't include contextual information (which operation, which input) - [ ] Identify error wrapping that creates excessively deep chains - [ ] Detect inconsistent error wrapping style across the codebase - [ ] Check for `fmt.Errorf("...: %w", err)` with proper verb usage - [ ] Find places where structured errors (error types) should replace string errors - [ ] Identify missing stack trace information in critical error paths - [ ] Check for error messages that leak sensitive information (passwords, tokens, PII) --- ## 4. CONCURRENCY & GOROUTINES ### 4.1 Goroutine Management - [ ] Find goroutine leaks (goroutines started but never terminated) - [ ] Identify goroutines without proper shutdown mechanism (context cancellation) - [ ] Detect goroutines launched in loops without controlling concurrency - [ ] Find fire-and-forget goroutines without error reporting - [ ] Identify goroutines that outlive the function that created them - [ ] Check for `go func()` capturing loop variables (Go <1.22 issue) - [ ] Find goroutine pools that grow unbounded - [ ] Detect goroutines without `recover()` for panic safety - [ ] Identify missing `sync.WaitGroup` for goroutine completion tracking - [ ] Check for proper use of `errgroup.Group` for error-propagating goroutine groups ### 4.2 Channel Issues - [ ] Find unbuffered channels that could cause deadlocks - [ ] Identify channels that are never closed (potential goroutine leaks) - [ ] Detect double-close on channels (runtime panic) - [ ] Find send on closed channel (runtime panic) - [ ] Identify missing `select` with `default` for non-blocking operations - [ ] Check for missing `context.Done()` case in select statements - [ ] Find channel direction missing in function signatures (`chan T` vs `<-chan T` vs `chan<- T`) - [ ] Detect channels used as mutexes where `sync.Mutex` is clearer - [ ] Identify channel buffer sizes that are arbitrary without justification - [ ] Check for fan-out/fan-in patterns without proper coordination ### 4.3 Race Conditions & Synchronization - [ ] Find shared mutable state accessed without synchronization - [ ] Identify `sync.Map` used where regular `map` + `sync.RWMutex` is better (or vice versa) - [ ] Detect lock ordering issues that could cause deadlocks - [ ] Find `sync.Mutex` that should be `sync.RWMutex` for read-heavy workloads - [ ] Identify atomic operations that should be used instead of mutex for simple counters - [ ] Check for `sync.Once` used correctly (especially with errors) - [ ] Find data races in struct field access from multiple goroutines - [ ] Detect time-of-check to time-of-use (TOCTOU) vulnerabilities - [ ] Identify lock held during I/O operations (blocking under lock) - [ ] Check for proper use of `sync.Pool` (object resetting, Put after Get) - [ ] Find missing `go vet -race` / `-race` flag testing evidence - [ ] Detect `sync.Cond` misuse (missing broadcast/signal) ### 4.4 Context Usage - [ ] Find functions accepting `context.Context` not as first parameter - [ ] Identify `context.Background()` used where parent context should be propagated - [ ] Detect `context.TODO()` left in production code - [ ] Find context cancellation not being checked in long-running operations - [ ] Identify context values used for passing request-scoped data inappropriately - [ ] Check for context leaks (missing cancel function calls) - [ ] Find `context.WithTimeout`/`WithDeadline` without `defer cancel()` - [ ] Detect context stored in structs (should be passed as parameter) --- ## 5. RESOURCE MANAGEMENT ### 5.1 Defer & Cleanup - [ ] Find `defer` inside loops (defers don't run until function returns) - [ ] Identify `defer` with captured loop variables - [ ] Detect missing `defer` for resource cleanup (file handles, connections, locks) - [ ] Find `defer` order issues (LIFO behavior not accounted for) - [ ] Identify `defer` on methods that could fail silently (`defer f.Close()` — error ignored) - [ ] Check for `defer` with named return values interaction (late binding) - [ ] Find resources opened but never closed (file descriptors, HTTP response bodies) - [ ] Detect `http.Response.Body` not being closed after read - [ ] Identify database rows/statements not being closed ### 5.2 Memory Management - [ ] Find large allocations in hot paths - [ ] Identify slice capacity hints missing (`make([]T, 0, expectedSize)`) - [ ] Detect string builder not used for string concatenation in loops - [ ] Find `append()` growing slices without capacity pre-allocation - [ ] Identify byte slice to string conversion in hot paths (allocation) - [ ] Check for proper use of `sync.Pool` for frequently allocated objects - [ ] Find large structs passed by value instead of pointer - [ ] Detect slice reslicing that prevents garbage collection of underlying array - [ ] Identify `map` that grows but never shrinks (memory leak pattern) - [ ] Check for proper buffer reuse in I/O operations (`bufio`, `bytes.Buffer`) ### 5.3 File & I/O Resources - [ ] Find `os.Open` / `os.Create` without `defer f.Close()` - [ ] Identify `io.ReadAll` on potentially large inputs (OOM risk) - [ ] Detect missing `bufio.Scanner` / `bufio.Reader` for large file reading - [ ] Find temporary files not cleaned up - [ ] Identify `os.TempDir()` usage without proper cleanup - [ ] Check for file permissions too permissive (0777, 0666) - [ ] Find missing `fsync` for critical writes - [ ] Detect race conditions on file operations --- ## 6. SECURITY VULNERABILITIES ### 6.1 Injection Attacks - [ ] Find SQL queries built with `fmt.Sprintf` instead of parameterized queries - [ ] Identify command injection via `exec.Command` with user input - [ ] Detect path traversal vulnerabilities (`filepath.Join` with user input without `filepath.Clean`) - [ ] Find template injection in `html/template` or `text/template` - [ ] Identify log injection possibilities (user input in log messages without sanitization) - [ ] Check for LDAP injection vulnerabilities - [ ] Find header injection in HTTP responses - [ ] Detect SSRF vulnerabilities (user-controlled URLs in HTTP requests) - [ ] Identify deserialization attacks via `encoding/gob`, `encoding/json` with `interface{}` - [ ] Check for regex injection (ReDoS) with user-provided patterns ### 6.2 Authentication & Authorization - [ ] Find hardcoded credentials, API keys, or secrets in source code - [ ] Identify missing authentication middleware on protected endpoints - [ ] Detect authorization bypass possibilities (IDOR vulnerabilities) - [ ] Find JWT implementation flaws (algorithm confusion, missing validation) - [ ] Identify timing attacks in comparison operations (use `crypto/subtle.ConstantTimeCompare`) - [ ] Check for proper password hashing (`bcrypt`, `argon2`, NOT `md5`/`sha256`) - [ ] Find session tokens with insufficient entropy - [ ] Detect privilege escalation via role/permission bypass - [ ] Identify missing CSRF protection on state-changing endpoints - [ ] Check for proper OAuth2 implementation (state parameter, PKCE) ### 6.3 Cryptographic Issues - [ ] Find use of `math/rand` instead of `crypto/rand` for security purposes - [ ] Identify weak hash algorithms (`md5`, `sha1`) for security-sensitive operations - [ ] Detect hardcoded encryption keys or IVs - [ ] Find ECB mode usage (should use GCM, CTR, or CBC with proper IV) - [ ] Identify missing TLS configuration or insecure `InsecureSkipVerify: true` - [ ] Check for proper certificate validation - [ ] Find deprecated crypto packages or algorithms - [ ] Detect nonce reuse in encryption - [ ] Identify HMAC comparison without constant-time comparison ### 6.4 Input Validation & Sanitization - [ ] Find missing input length/size limits - [ ] Identify `io.ReadAll` without `io.LimitReader` (denial of service) - [ ] Detect missing Content-Type validation on uploads - [ ] Find integer overflow/underflow in size calculations - [ ] Identify missing URL validation before HTTP requests - [ ] Check for proper handling of multipart form data limits - [ ] Find missing rate limiting on public endpoints - [ ] Detect unvalidated redirects (open redirect vulnerability) - [ ] Identify user input used in file paths without sanitization - [ ] Check for proper CORS configuration ### 6.5 Data Security - [ ] Find sensitive data in logs (passwords, tokens, PII) - [ ] Identify PII stored without encryption at rest - [ ] Detect sensitive data in URL query parameters - [ ] Find sensitive data in error messages returned to clients - [ ] Identify missing `Secure`, `HttpOnly`, `SameSite` cookie flags - [ ] Check for sensitive data in environment variables logged at startup - [ ] Find API responses that leak internal implementation details - [ ] Detect missing response headers (CSP, HSTS, X-Frame-Options) --- ## 7. PERFORMANCE ANALYSIS ### 7.1 Algorithmic Complexity - [ ] Find O(n²) or worse algorithms that could be optimized - [ ] Identify nested loops that could be flattened - [ ] Detect repeated slice/map iterations that could be combined - [ ] Find linear searches that should use `map` for O(1) lookup - [ ] Identify sorting operations that could be avoided with a heap/priority queue - [ ] Check for unnecessary slice copying (`append`, spread) - [ ] Find recursive functions without memoization - [ ] Detect expensive operations inside hot loops ### 7.2 Go-Specific Performance - [ ] Find excessive allocations detectable by escape analysis (`go build -gcflags="-m"`) - [ ] Identify interface boxing in hot paths (causes allocation) - [ ] Detect excessive use of `fmt.Sprintf` where `strconv` functions are faster - [ ] Find `reflect` usage in hot paths - [ ] Identify `defer` in tight loops (overhead per iteration) - [ ] Check for string → []byte → string conversions that could be avoided - [ ] Find JSON marshaling/unmarshaling in hot paths (consider code-gen alternatives) - [ ] Detect map iteration where order matters (Go maps are unordered) - [ ] Identify `time.Now()` calls in tight loops (syscall overhead) - [ ] Check for proper use of `sync.Pool` in allocation-heavy code - [ ] Find `regexp.Compile` called repeatedly (should be package-level `var`) - [ ] Detect `append` without pre-allocated capacity in known-size operations ### 7.3 I/O Performance - [ ] Find synchronous I/O in goroutine-heavy code that could block - [ ] Identify missing connection pooling for database/HTTP clients - [ ] Detect missing buffered I/O (`bufio.Reader`/`bufio.Writer`) - [ ] Find `http.Client` without timeout configuration - [ ] Identify missing `http.Client` reuse (creating new client per request) - [ ] Check for `http.DefaultClient` usage (no timeout by default) - [ ] Find database queries without `LIMIT` clause - [ ] Detect N+1 query problems in data fetching - [ ] Identify missing prepared statements for repeated queries - [ ] Check for missing response body draining before close (`io.Copy(io.Discard, resp.Body)`) ### 7.4 Memory Performance - [ ] Find large struct copying on each function call (pass by pointer) - [ ] Identify slice backing array leaks (sub-slicing prevents GC) - [ ] Detect `map` growing indefinitely without cleanup/eviction - [ ] Find string concatenation in loops (use `strings.Builder`) - [ ] Identify closure capturing large objects unnecessarily - [ ] Check for proper `bytes.Buffer` reuse - [ ] Find `ioutil.ReadAll` (deprecated and unbounded reads) - [ ] Detect pprof/benchmark evidence missing for performance claims --- ## 8. CODE QUALITY ISSUES ### 8.1 Dead Code Detection - [ ] Find unused exported functions/methods/types - [ ] Identify unreachable code after `return`/`panic`/`os.Exit` - [ ] Detect unused function parameters - [ ] Find unused struct fields - [ ] Identify unused imports (should be caught by compiler, but check generated code) - [ ] Check for commented-out code blocks - [ ] Find unused type definitions - [ ] Detect unused constants/variables - [ ] Identify build-tagged code that's never compiled - [ ] Find orphaned test helper functions ### 8.2 Code Duplication - [ ] Find duplicate function implementations across packages - [ ] Identify copy-pasted code blocks with minor variations - [ ] Detect similar logic that could be abstracted into shared functions - [ ] Find duplicate struct definitions - [ ] Identify repeated error handling boilerplate that could be middleware - [ ] Check for duplicate validation logic - [ ] Find similar HTTP handler patterns that could be generalized - [ ] Detect duplicate constants across packages ### 8.3 Code Smells - [ ] Find functions longer than 50 lines - [ ] Identify files larger than 500 lines (split into multiple files) - [ ] Detect deeply nested conditionals (>3 levels) — use early returns - [ ] Find functions with too many parameters (>5) — use options pattern or config struct - [ ] Identify God packages with too many responsibilities - [ ] Check for `init()` functions with side effects (hard to test, order-dependent) - [ ] Find `switch` statements that should be polymorphism (interface dispatch) - [ ] Detect boolean parameters (use options or separate functions) - [ ] Identify data clumps (groups of parameters that appear together) - [ ] Find speculative generality (unused abstractions/interfaces) ### 8.4 Go Idioms & Style - [ ] Find non-idiomatic error handling (not following `if err != nil` pattern) - [ ] Identify getters with `Get` prefix (Go convention: `Name()` not `GetName()`) - [ ] Detect unexported types returned from exported functions - [ ] Find package names that stutter (`http.HTTPClient` → `http.Client`) - [ ] Identify `else` blocks after `if-return` (should be flat) - [ ] Check for proper use of `iota` for enumerations - [ ] Find exported functions without documentation comments - [ ] Detect `var` declarations where `:=` is cleaner (and vice versa) - [ ] Identify missing package-level documentation (`// Package foo ...`) - [ ] Check for proper receiver naming (short, consistent: `s` for `Server`, not `this`/`self`) - [ ] Find single-method interface names not ending in `-er` (`Reader`, `Writer`, `Closer`) - [ ] Detect naked returns in non-trivial functions --- ## 9. ARCHITECTURE & DESIGN ### 9.1 Package Structure - [ ] Find circular dependencies between packages (`go vet ./...` won't compile but check indirect) - [ ] Identify `internal/` packages missing where they should exist - [ ] Detect "everything in one package" anti-pattern - [ ] Find improper package layering (business logic importing HTTP handlers) - [ ] Identify missing clean architecture boundaries (domain, service, repository layers) - [ ] Check for proper `cmd/` structure for multiple binaries - [ ] Find shared mutable global state across packages - [ ] Detect `pkg/` directory misuse - [ ] Identify missing dependency injection (constructors accepting interfaces) - [ ] Check for proper separation between API definition and implementation ### 9.2 SOLID Principles - [ ] **Single Responsibility**: Find packages/files doing too much - [ ] **Open/Closed**: Find code requiring modification for extension (missing interfaces/plugins) - [ ] **Liskov Substitution**: Find interface implementations that violate contracts - [ ] **Interface Segregation**: Find fat interfaces that should be split - [ ] **Dependency Inversion**: Find concrete type dependencies where interfaces should be used ### 9.3 Design Patterns - [ ] Find missing `Functional Options` pattern for configurable types - [ ] Identify `New*` constructor functions that should accept `Option` funcs - [ ] Detect missing middleware pattern for cross-cutting concerns - [ ] Find observer/pubsub implementations that could leak goroutines - [ ] Identify missing `Repository` pattern for data access - [ ] Check for proper `Builder` pattern for complex object construction - [ ] Find missing `Strategy` pattern opportunities (behavior variation via interface) - [ ] Detect global state that should use dependency injection ### 9.4 API Design - [ ] Find HTTP handlers that do business logic directly (should delegate to service layer) - [ ] Identify missing request/response validation middleware - [ ] Detect inconsistent REST API conventions across endpoints - [ ] Find gRPC service definitions without proper error codes - [ ] Identify missing API versioning strategy - [ ] Check for proper HTTP status code usage - [ ] Find missing health check / readiness endpoints - [ ] Detect overly chatty APIs (N+1 endpoints that should be batched) --- ## 10. DEPENDENCY ANALYSIS ### 10.1 Module & Version Analysis - [ ] Run `go list -m -u all` — identify all outdated dependencies - [ ] Check `go.sum` consistency (`go mod verify`) - [ ] Find replace directives left in `go.mod` - [ ] Identify dependencies with known CVEs (`govulncheck ./...`) - [ ] Check for unused dependencies (`go mod tidy` changes) - [ ] Find vendored dependencies that are outdated - [ ] Identify indirect dependencies that should be direct - [ ] Check for Go version in `go.mod` matching CI/deployment target - [ ] Find `//go:build ignore` files with dependency imports ### 10.2 Dependency Health - [ ] Check last commit date for each dependency - [ ] Identify archived/unmaintained dependencies - [ ] Find dependencies with open critical issues - [ ] Check for dependencies using `unsafe` package extensively - [ ] Identify heavy dependencies that could be replaced with stdlib - [ ] Find dependencies with restrictive licenses (GPL in MIT project) - [ ] Check for dependencies with CGO requirements (portability concern) - [ ] Identify dependencies pulling in massive transitive trees - [ ] Find forked dependencies without upstream tracking ### 10.3 CGO Considerations - [ ] Check if CGO is required and if `CGO_ENABLED=0` build is possible - [ ] Find CGO code without proper memory management - [ ] Identify CGO calls in hot paths (overhead of Go→C boundary crossing) - [ ] Check for CGO dependencies that break cross-compilation - [ ] Find CGO code that doesn't handle C errors properly - [ ] Detect potential memory leaks across CGO boundary --- ## 11. TESTING GAPS ### 11.1 Coverage Analysis - [ ] Run `go test -coverprofile` — identify untested packages and functions - [ ] Find untested error paths (especially error returns) - [ ] Detect untested edge cases in conditionals - [ ] Check for missing boundary value tests - [ ] Identify untested concurrent scenarios - [ ] Find untested input validation paths - [ ] Check for missing integration tests (database, HTTP, gRPC) - [ ] Identify critical paths without benchmark tests (`*testing.B`) ### 11.2 Test Quality - [ ] Find tests that don't use `t.Helper()` for test helper functions - [ ] Identify table-driven tests that should exist but don't - [ ] Detect tests with excessive mocking hiding real bugs - [ ] Find tests that test implementation instead of behavior - [ ] Identify tests with shared mutable state (run order dependent) - [ ] Check for `t.Parallel()` usage where safe - [ ] Find flaky tests (timing-dependent, file-system dependent) - [ ] Detect missing subtests (`t.Run("name", ...)`) - [ ] Identify missing `testdata/` files for golden tests - [ ] Check for `httptest.NewServer` cleanup (missing `defer server.Close()`) ### 11.3 Test Infrastructure - [ ] Find missing `TestMain` for setup/teardown - [ ] Identify missing build tags for integration tests (`//go:build integration`) - [ ] Detect missing race condition tests (`go test -race`) - [ ] Check for missing fuzz tests (`Fuzz*` functions — Go 1.18+) - [ ] Find missing example tests (`Example*` functions for godoc) - [ ] Identify missing benchmark comparison baselines - [ ] Check for proper test fixture management - [ ] Find tests relying on external services without mocks/stubs --- ## 12. CONFIGURATION & BUILD ### 12.1 Go Module Configuration - [ ] Check Go version in `go.mod` is appropriate - [ ] Verify `go.sum` is committed and consistent - [ ] Check for proper module path naming - [ ] Find replace directives that shouldn't be in published modules - [ ] Identify retract directives needed for broken versions - [ ] Check for proper module boundaries (when to split) - [ ] Verify `//go:generate` directives are documented and reproducible ### 12.2 Build Configuration - [ ] Check for proper `ldflags` for version embedding - [ ] Verify `CGO_ENABLED` setting is intentional - [ ] Find build tags used correctly (`//go:build`) - [ ] Check for proper cross-compilation setup - [ ] Identify missing `go vet` / `staticcheck` / `golangci-lint` in CI - [ ] Verify Docker multi-stage build for minimal image size - [ ] Check for proper `.goreleaser.yml` configuration if applicable - [ ] Find hardcoded `GOOS`/`GOARCH` where build tags should be used ### 12.3 Environment & Configuration - [ ] Find hardcoded environment-specific values (URLs, ports, paths) - [ ] Identify missing environment variable validation at startup - [ ] Detect improper fallback values for missing configuration - [ ] Check for proper config struct with validation tags - [ ] Find sensitive values not using secrets management - [ ] Identify missing feature flags / toggles for gradual rollout - [ ] Check for proper signal handling (`SIGTERM`, `SIGINT`) for graceful shutdown - [ ] Find missing health check endpoints (`/healthz`, `/readyz`) --- ## 13. HTTP & NETWORK SPECIFIC ### 13.1 HTTP Server Issues - [ ] Find `http.ListenAndServe` without timeouts (use custom `http.Server`) - [ ] Identify missing `ReadTimeout`, `WriteTimeout`, `IdleTimeout` on server - [ ] Detect missing `http.MaxBytesReader` on request bodies - [ ] Find response headers not set (Content-Type, Cache-Control, Security headers) - [ ] Identify missing graceful shutdown with `server.Shutdown(ctx)` - [ ] Check for proper middleware chaining order - [ ] Find missing request ID / correlation ID propagation - [ ] Detect missing access logging middleware - [ ] Identify missing panic recovery middleware - [ ] Check for proper handler error response consistency ### 13.2 HTTP Client Issues - [ ] Find `http.DefaultClient` usage (no timeout) - [ ] Identify `http.Response.Body` not closed after use - [ ] Detect missing retry logic with exponential backoff - [ ] Find missing `context.Context` propagation in HTTP calls - [ ] Identify connection pool exhaustion risks (missing `MaxIdleConns` tuning) - [ ] Check for proper TLS configuration on client - [ ] Find missing `io.LimitReader` on response body reads - [ ] Detect DNS caching issues in long-running processes ### 13.3 Database Issues - [ ] Find `database/sql` connections not using connection pool properly - [ ] Identify missing `SetMaxOpenConns`, `SetMaxIdleConns`, `SetConnMaxLifetime` - [ ] Detect SQL injection via string concatenation - [ ] Find missing transaction rollback on error (`defer tx.Rollback()`) - [ ] Identify `rows.Close()` missing after `db.Query()` - [ ] Check for `rows.Err()` check after iteration - [ ] Find missing prepared statement caching - [ ] Detect context not passed to database operations - [ ] Identify missing database migration versioning --- ## 14. DOCUMENTATION & MAINTAINABILITY ### 14.1 Code Documentation - [ ] Find exported functions/types/constants without godoc comments - [ ] Identify functions with complex logic but no explanation - [ ] Detect missing package-level documentation (`// Package foo ...`) - [ ] Check for outdated comments that no longer match code - [ ] Find TODO/FIXME/HACK/XXX comments that need addressing - [ ] Identify magic numbers without named constants - [ ] Check for missing examples in godoc (`Example*` functions) - [ ] Find missing error documentation (what errors can be returned) ### 14.2 Project Documentation - [ ] Find missing README with usage, installation, API docs - [ ] Identify missing CHANGELOG - [ ] Detect missing CONTRIBUTING guide - [ ] Check for missing architecture decision records (ADRs) - [ ] Find missing API documentation (OpenAPI/Swagger, protobuf docs) - [ ] Identify missing deployment/operations documentation - [ ] Check for missing LICENSE file --- ## 15. EDGE CASES CHECKLIST ### 15.1 Input Edge Cases - [ ] Empty strings, slices, maps - [ ] `math.MaxInt64`, `math.MinInt64`, overflow boundaries - [ ] Negative numbers where positive expected - [ ] Zero values for all types - [ ] `math.NaN()` and `math.Inf()` in float operations - [ ] Unicode characters and emoji in string processing - [ ] Very large inputs (>1GB files, millions of records) - [ ] Deeply nested JSON structures - [ ] Malformed input data (truncated JSON, broken UTF-8) - [ ] Concurrent access from multiple goroutines ### 15.2 Timing Edge Cases - [ ] Leap years and daylight saving time transitions - [ ] Timezone handling (`time.UTC` vs `time.Local` inconsistencies) - [ ] `time.Ticker` / `time.Timer` not stopped (goroutine leak) - [ ] Monotonic clock vs wall clock (`time.Now()` uses monotonic for duration) - [ ] Very old timestamps (before Unix epoch) - [ ] Nanosecond precision issues in comparisons - [ ] `time.After()` in select statements (creates new channel each iteration — leak) ### 15.3 Platform Edge Cases - [ ] File path handling across OS (`filepath.Join` vs `path.Join`) - [ ] Line ending differences (`\n` vs `\r\n`) - [ ] File system case sensitivity differences - [ ] Maximum path length constraints - [ ] Endianness assumptions in binary protocols - [ ] Signal handling differences across OS --- ## OUTPUT FORMAT For each issue found, provide: ### [SEVERITY: CRITICAL/HIGH/MEDIUM/LOW] Issue Title **Category**: [Type Safety/Security/Concurrency/Performance/etc.] **File**: path/to/file.go **Line**: 123-145 **Impact**: Description of what could go wrong **Current Code**: ```go // problematic code ``` **Problem**: Detailed explanation of why this is an issue **Recommendation**: ```go // fixed code ``` **References**: Links to documentation, Go blog posts, CVEs, best practices --- ## PRIORITY MATRIX 1. **CRITICAL** (Fix Immediately): - Security vulnerabilities (injection, auth bypass) - Data loss / corruption risks - Race conditions causing panics in production - Goroutine leaks causing OOM 2. **HIGH** (Fix This Sprint): - Nil pointer dereferences - Ignored errors in critical paths - Missing context cancellation - Resource leaks (connections, file handles) 3. **MEDIUM** (Fix Soon): - Code quality / idiom violations - Test coverage gaps - Performance issues in non-hot paths - Documentation gaps 4. **LOW** (Tech Debt): - Style inconsistencies - Minor optimizations - Nice-to-have abstractions - Naming improvements --- ## STATIC ANALYSIS TOOLS TO RUN Before manual review, run these tools and include findings: ```bash # Compiler checks go build ./... go vet ./... # Race detector go test -race ./... # Vulnerability check govulncheck ./... # Linter suite (comprehensive) golangci-lint run --enable-all ./... # Dead code detection deadcode ./... # Unused exports unused ./... # Security scanner gosec ./... # Complexity analysis gocyclo -over 15 . # Escape analysis go build -gcflags="-m -m" ./... 2>&1 | grep "escapes to heap" # Test coverage go test -coverprofile=coverage.out ./... go tool cover -func=coverage.out ``` --- ## FINAL SUMMARY After completing the review, provide: 1. **Executive Summary**: 2-3 paragraphs overview 2. **Risk Assessment**: Overall risk level with justification 3. **Top 10 Critical Issues**: Prioritized list 4. **Recommended Action Plan**: Phased approach to fixes 5. **Estimated Effort**: Time estimates for remediation 6. **Metrics**: - Total issues found by severity - Code health score (1-10) - Security score (1-10) - Concurrency safety score (1-10) - Maintainability score (1-10) - Test coverage percentage