
What does the code-reviewer sub-agent actually check on a Magento PR?

Six layers.

(1) Style: phpcs --standard=Magento2 on changed files.
(2) Static analysis: phpstan --level=6.
(3) EQP: no ObjectManager in non-setup code, no vendor edits, plugins over preferences, service contracts over direct model access, _isAllowed() on every admin controller.
(4) Security: SQL concatenation, unescaped phtml output, missing CSRF, hardcoded secrets.
(5) Performance: N+1 queries (look for ->load() in a foreach), missing indexes on new db_schema.xml tables, missing cache tags on blocks.
(6) Marketplace: composer.json license, README presence, no GPL deps.

Output is a categorised Markdown report — same shape as a GitHub review comment.
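As an added example (not the sub-agent's own code), the scanner below applies assumed regex heuristics for four of the checks named above (ObjectManager outside setup code, SQL concatenation, unescaped phtml output, and ->load() inside a foreach) to constructed sample files and groups the findings into a categorised Markdown report. The rule patterns, function names and sample paths are assumptions, and the foreach tracking assumes the opening brace sits on the foreach line.

```python
import re
from collections import defaultdict

RULES = [  # assumed heuristics: (category, message, path filter, line pattern)
    ("EQP", "ObjectManager used in non-setup code",
     lambda p: p.endswith(".php") and "/Setup/" not in p,
     re.compile(r"ObjectManager::getInstance\s*\(")),
    ("Security", "SQL built by string concatenation",
     lambda p: p.endswith(".php"),
     re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*[\"']\s*\.\s*\$", re.I)),
    ("Security", "unescaped phtml output",
     lambda p: p.endswith(".phtml"),
     re.compile(r"(?:<\?=|\becho\b)\s*(?!\$(?:escaper|block)->escape)\$")),
]

def scan(path, source):  # returns (category, path, line number, message) tuples
    findings, depth, loops = [], 0, []  # loops: brace depth where each foreach opened
    for no, line in enumerate(source.splitlines(), 1):
        for cat, msg, applies, rx in RULES:
            if applies(path) and rx.search(line):
                findings.append((cat, path, no, msg))
        if re.search(r"\bforeach\s*\(", line):
            loops.append(depth)
        elif loops and re.search(r"->load\s*\(", line):
            findings.append(("Performance", path, no, "->load() in foreach (N+1 query)"))
        depth += line.count("{") - line.count("}")
        while loops and depth <= loops[-1]:  # the foreach body has closed
            loops.pop()
    return findings

def report(findings):  # one Markdown section per category, sorted by name
    by_cat = defaultdict(list)
    for cat, path, no, msg in findings:
        by_cat[cat].append(f"- `{path}:{no}` {msg}")
    return "\n\n".join(f"### {c}\n" + "\n".join(i) for c, i in sorted(by_cat.items()))

# Constructed sample of "changed files" (not taken from any real PR)
SAMPLE = {
    "Model/Export.php": r'''<?php
function run(array $ids, $conn, $name) {
    $om = \Magento\Framework\App\ObjectManager::getInstance();
    $rows = $conn->fetchAll("SELECT * FROM acme_demo WHERE name = '" . $name . "'");
    foreach ($ids as $id) {
        $product = $productFactory->create()->load($id);
    }
}''',
    "view/frontend/templates/list.phtml":
        "<h1><?= $block->getTitle() ?></h1>\n<p><?= $escaper->escapeHtml($block->getIntro()) ?></p>\n",
}
FINDINGS = [f for path, src in SAMPLE.items() for f in scan(path, src)]
REPORT = report(FINDINGS)
```

These line-based patterns only triage; phpcs and phpstan from layers (1) and (2) remain the authoritative checks.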
