PK
Back to archive

Engineering

What Your Code Review Process Actually Measures

An honest audit of code review incentives, reviewer stamina, design risk, and the evidence reviews miss.

What Your Code Review Process Actually Measures

Most teams say code review protects quality. That can be true. It can also protect style, seniority, politics, local preferences, and reviewer stamina while the highest-risk assumptions pass untouched.

The review process measures what it makes easy to see.

The thesis

Code review does not automatically measure correctness. By default, it measures readability under diff view, conformity to local taste, reviewer energy, and social willingness to challenge. To measure engineering risk, the process has to be designed around intent, contracts, tests, and ownership.

The principal concern is incentives. A review process becomes the quality system people actually experience, so it teaches engineers what kind of risk the organization values.

The production pattern

A pull request appears. The diff is medium-sized. The title is clear enough. Reviewers scan changed files in the hosted interface. Comments arrive on naming, formatting, duplication, maybe an edge case. The author responds. The build is green. The code merges.

Later, a regression appears in a contract the diff did not make obvious. A migration changes behavior for old data. A new path bypasses an authorization rule. A retry is not idempotent. A queue consumer assumes ordering that is not guaranteed. A UI change breaks an accessibility promise. Everyone reviewed the code, but nobody reviewed the system property that mattered.

This is not because reviewers are careless. Diff review is a constrained medium. It shows local text changes better than it shows intent, rejected alternatives, runtime behavior, rollout safety, or ownership after launch.

The process also depends on stamina. The fifth review of the day is not the same as the first. Large diffs, powerful authors, and rushed deadlines all reduce the precision of attention.

The model

I use a five-part audit for code review quality.

Intent asks whether the reviewer can state what the change is trying to accomplish. If the intent is vague, the review can only check local plausibility. Good descriptions include the decision, scope, non-goals, and any risk the author already sees.

Diff asks whether the change is sized and organized for human reasoning. The diff should separate mechanical movement from behavioral change, generated code from hand-written code, and setup from policy. A review process that accepts tangled diffs is choosing shallow review.

Contracts asks what promises might change. APIs, events, schemas, permissions, data retention, retries, idempotency, and user-visible behavior need explicit review. The reviewer should know which contracts are stable and which are intentionally changing.

Tests asks what evidence supports the change. I care less about whether a test exists and more about whether the evidence matches the risk. A unit test for a helper does not prove a migration is safe. A broad integration test may be overkill for pure formatting logic.

Ownership asks who will operate, debug, and evolve the change after merge. Code review often stops at "is this acceptable code?" Production asks "who owns this behavior when it fails?"

My checklist:

  • Purpose: can a reviewer summarize the change in one sentence?
  • Risk class: correctness, compatibility, security, reliability, cost, operability, or maintainability?
  • Evidence: what proves the important claim?
  • Reviewers: who understands the affected contract or boundary?
  • Rollout: what happens if the change is wrong?
  • Aftercare: who watches the first production signal?

This moves review from taste arbitration toward risk inspection.

Where this goes wrong

The counterpoint is that not every review needs heavyweight structure. A typo fix, small refactor, or local cleanup should not require a full design packet. Too much process makes engineers batch changes, avoid review, or optimize for paperwork.

The model should scale with blast radius. A low-risk change needs clarity and tests. A cross-boundary change needs contract review, rollout thinking, and ownership. A data migration needs a different level of scrutiny entirely.

Another failure is reviewer overreach. Senior reviewers can slow teams by turning every diff into a platform debate. Not every preference is a risk. If the codebase has standards, automate them where possible. Human review should spend scarce attention on things automation cannot judge well.

There is also a cultural trap. If reviews are used to display cleverness, authors learn to hide uncertainty.

What I do now

I ask authors to make risk reviewable. A good pull request description tells me what changed, why, what did not change, what could go wrong, and what evidence exists. It does not need to be long. It needs to reduce guesswork.

I ask reviewers to name the class of comment they are making. Is it a blocker, a question, a suggestion, a style issue, or a follow-up? This prevents preference from masquerading as correctness.

I prefer smaller diffs, but I care more about coherent diffs. A large structured change may be reviewable, while a small change can still hide a contract shift.

For high-risk changes, I look beyond the diff. I want to see test output, migration plan, logs, dashboards, fallback behavior, or a decision record. The diff is evidence, not the whole case.

The principal-engineer lens is attention design. Code review is a scarce human reasoning system. Spend it on the risks that cannot be linted.

Closing takeaway

Audit your code review process by asking what it actually measures. Then redesign it so the easiest thing to review is the risk you most need to catch.