# Cosmic Review Checklist

Use for Cangqiong, Xinghan, and Xingkong Flagship Java code review.

## P0 Blocking Issues

- Listener registration or UI mutation in `initialize`.
- Independent `SaveServiceHelper.save` inside operation transaction hooks when the transaction data packet should be modified directly.
- `DataSet` not closed.
- `DataSet` row fields read without being selected in query fields.
- Validator or operation plugin reads fields that were not declared in prepare hooks.
- Loop contains DB calls, service calls, ORM creation, or save operations.
- SQL string concatenation, `Statement`, sensitive credentials, or external entity XML use.
- Hard-coded organization, user, department, or environment-dependent IDs.
- `beforeBindData` or `afterBindData` mutates model data.
- Native JDK threads or executors bypass platform thread management.

## P1 High-Risk Issues

- Loop contains `updateView` or repeated field-index lookup.
- Large entry loops use repeated `model.setValue`.
- Missing query filters cause full table scans.
- Query field paths are too deep and may create Cartesian products.
- Third-party calls lack timeout settings.
- `beginInit` and `endInit` are not paired.
- Collections accumulate without bounds.

## P2 Maintainability Issues

- User-visible Chinese strings are not resource-managed when the project requires i18n.
- Exception logs omit stack traces.
- Magic numbers and scattered status values are not centralized.
- Plugin class suffix or method naming does not match project conventions.
- Empty catch blocks hide failures.

## Review Output

- Prioritize behavior, data consistency, transaction boundaries, performance, and security before style.
- Avoid regex-only judgment; confirm context before reporting.
- Separate P0, P1, and P2, and provide actionable remediation.