Walk the rounds before you turn the key.
The watchman's job isn't drama. It's completeness. Lantern in one hand, keyring in the other, a clock-watch on the belt punched at every station — front gate, side door, vault, window, fire-door, stair-well. Nothing is skipped. Nothing is assumed. Claude Code's /security-review walks a pending diff the same way, in the same order, every time.
The route
/security-review is a built-in slash command that asks Claude Code to walk your pending changes with a single lens: could this change make the system less safe? It reads the diff — uncommitted edits, the current branch against main, or a named ref — and reports back with a ranked list of findings, each one tied to a file, a line, and a category. The point isn't a verdict. The point is that nothing was skipped.
A watchman's rounds work because the route is fixed. Front gate, side door, vault, window, fire-door, stair-well — same order, every night, whether the building is sleeping or burning. /security-review brings that discipline to a diff: secrets, injection, auth, input, crypto, dependencies, error paths. Same lens, every change, even the ones that look harmless.
The stations
(Station captions surviving from the original layout: "null that becomes admin"; "every pane tried".)
A pass at the clock-watch
· punch the clock at the start of the round

claude> /security-review
⏵ walking the rounds… reading diff against main (14 files, +312 / −47)

FINDINGS — 3 high · 2 medium · 1 low

● HIGH · src/auth/session.ts:48
  jwt.verify(token, secret, { algorithms: ['HS256','none'] })
  The 'none' algorithm lets an attacker present an unsigned token. Remove it; pin to the algorithm you actually use.

● HIGH · src/api/refund.ts:112
  User-supplied orderId interpolated directly into the SQL string. Use the parameterised db.query(sql, [orderId]) form.

● HIGH · .env.example:7
  Looks like a real Stripe live key (sk_live_…) committed to the example file. Rotate it now; replace with a placeholder.

· …two mediums and a low follow, each with file:line and a fix

● CLEAN · 11 files walked, no issues found in:
  src/api/health.ts · src/lib/format.ts · tests/* · README.md …

· the round ends with a single sentence you can paste

claude> summarise that for the PR description
→ "Security review: 3 high findings (JWT 'none' alg, SQL injection in refund flow, live Stripe key in .env.example) — all fixed in this branch. 2 medium / 1 low filed for follow-up."
The watchman doesn't decide who comes through the door. He decides that nobody comes through unseen. — A note from the gatehouse
When to call the round
The natural moment is just before a pull request goes up — when the diff is final but the title still says WIP. The findings become commits, and the PR opens already walked. The second moment is just before merge, after the last round of reviews; it catches what slipped in during the back-and-forth. The third — the one most teams skip — is on the dependency-bump branch, where the diff looks small and the risk is hiding in someone else's tree.
Wire it into your CLAUDE.md as part of the pre-merge ritual and the review stops being something a human has to remember. Bind it to a PreToolUse hook on git push if you want the watchman on every shift. The point isn't that /security-review replaces a security engineer — it doesn't. The point is that the boring half of the round is always done before the engineer is woken up.
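One way to put the watchman on every shift, as an added example that is not from the original page or from Claude Code itself: a PreToolUse hook script that reads the pending tool call from stdin and refuses a git push unless the clock-watch log records a /security-review pass for the commit at HEAD. The log path and its line format are assumptions made here; the stdin fields (tool_name, tool_input.command) and the exit-code-2-blocks convention follow Claude Code's hook interface as assumed here, so confirm them against your version.

```python
"""PreToolUse hook (hypothetical): block `git push` until HEAD has been reviewed.

Assumed, not part of Claude Code: each /security-review pass appends one line
"<timestamp> <40-hex commit sha> reviewed" to .claude/clock-watch.log.
"""
import json
import re
import subprocess
import sys
from pathlib import Path

LOG_PATH = Path(".claude/clock-watch.log")                   # assumed location
PUSH_RE = re.compile(r"\bgit\s+(\S+\s+)*push\b")              # git [opts] push ...
ENTRY_RE = re.compile(r"^(\S+)\s+([0-9a-f]{40})\s+reviewed$")  # assumed log line


def is_git_push(command: str) -> bool:
    """True when the shell command contains a `git push` (any options/remote)."""
    return bool(PUSH_RE.search(command))


def reviewed_commits(log_lines) -> set:
    """Commit shas with a recorded /security-review pass; junk lines are ignored."""
    shas = set()
    for line in log_lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            shas.add(m.group(2))
    return shas


def decide(hook_input: dict, log_lines, head_sha: str):
    """Return (exit_code, message): 0 allows the tool call, 2 blocks it."""
    if hook_input.get("tool_name") != "Bash":
        return 0, ""
    if not is_git_push(hook_input.get("tool_input", {}).get("command", "")):
        return 0, ""
    # A commit made after the last pass changes HEAD, so it must be walked again.
    if head_sha in reviewed_commits(log_lines):
        return 0, ""
    return 2, (f"push blocked: no /security-review pass logged for {head_sha[:12]}; "
               "run /security-review, then push again")


def main() -> int:
    hook_input = json.load(sys.stdin)            # Claude Code passes the call as JSON
    head = subprocess.run(["git", "rev-parse", "HEAD"], capture_output=True,
                          text=True, check=True).stdout.strip()
    lines = LOG_PATH.read_text().splitlines() if LOG_PATH.exists() else []
    code, msg = decide(hook_input, lines, head)
    if msg:
        print(msg, file=sys.stderr)              # stderr is what the agent sees on a block
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Register it under hooks, PreToolUse, with a Bash matcher in .claude/settings.json (that settings layout is assumed here from Claude Code's hook documentation).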
A short glossary
- Clock-watch
- The watchman's tamper-proof clock, punched at every station on the route. Here: the timestamped log of each /security-review pass, proof the round actually happened.
- Master key
- The one key on the ring that opens every door. The thing /security-review looks for first — and the thing it would rather you didn't commit.
- Bull's-eye lantern
- A lantern with a single forward-facing lens — a focused beam, not a glow. The metaphor for a review with one lens (security) instead of a general code read.
- Hue and cry
- The old common-law shout that summoned the parish when a thief was found. Here: the ranked finding list — loud, specific, and addressed to whoever's awake.