uinaf/review
Review existing code, diffs, branches, or pull requests using concern-specific reviewer personas and evidence. Use when auditing someone else's work, triaging risk in a PR, or producing a ship-it / needs-review / blocked verdict. Do not use to verify your own completed change; use `verify` for that.
98
100%
Does it follow best practices?
Impact
96%
1.20xAverage score across 4 eval scenarios
Passed
No known issues
task.mdevals/scenario-1/
Auth Token Module Review
Problem/Feature Description
The platform team at a SaaS company recently extended their TypeScript authentication service to support JWT refresh tokens. A developer added the new functionality under time pressure to meet a sprint deadline. The tech lead wants an independent review of the module before it merges to main — specifically focused on code quality, safety, and long-term maintainability rather than feature correctness.
The module handles token decoding, validation, and refresh. It has been working in local testing, but no one has reviewed the code shape since the new functionality was added. The tech lead is concerned about patterns that could cause silent failures in production, unclear error behavior, and code that a new team member might struggle to maintain.
Output Specification
Produce a file named review-report.md containing your code-shape findings. The report should:
- Cover each quality concern you find in the module
- Include a final verdict on whether the code is ready to ship, needs revision, or is blocked
- For each finding, state the specific concern, what the risk is, and a suggested improvement
Input Files
The following file is provided as input. Extract it before beginning.
=============== FILE: inputs/token-manager.ts =============== // token-manager.ts // Utilities for JWT token handling in the auth service
function decodeToken(token: any): any { const parts = token.split('.'); return JSON.parse(Buffer.from(parts[1], 'base64').toString()); }
// Backup decode path used during migration function parseJwt(rawToken: any): any { const segments = rawToken.split('.'); return JSON.parse(Buffer.from(segments[1], 'base64').toString()); }
// Was used by the old session system - kept for now just in case function legacyValidate(token: string): boolean { return token.length > 0; }
export function validateToken(token: string): boolean { // Check if the token exists if (!token) { // Token is falsy, return false return false; }
try { // Decode the token to get the payload const payload = decodeToken(token); // Get the expiry from the payload const expiry = payload.exp; // Return true if the token has not yet expired return Date.now() / 1000 < expiry; } catch (e) { // Something went wrong return false; } }
export function getUserId(token: string): string { // Decode the token const payload = decodeToken(token); // Return the user ID field return payload.userId!; }
export function refreshToken(token: string): string { const payload = decodeToken(token) as { userId: string; role: string; iat: number }; // Build a new token payload return Buffer.from(JSON.stringify({ userId: payload.userId, role: payload.role, iat: Date.now(), exp: Date.now() / 1000 + 3600 })).toString('base64'); }
export function hasPermission(token: string, permission: string): boolean { try { const payload = decodeToken(token); const perms = payload.permissions as string[]; return perms.includes(permission); } catch (e) { return false; } }