القائمة
Create a well-documented GitHub pull request with quality checks, proper description, and test plan. Use when pushing a branch, creating a merge request, or preparing code for review.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
End-of-session routine. Ensures test coverage, performs self-review, runs validation, and commits cleanly. Use when finishing a unit of work.
Full feature implementation workflow with explore, plan, code, test, validate, and commit phases. Use for new features, enhancements, or significant code changes.
Iterate on an open PR until CI passes and all review feedback is addressed. Fetches status, categorizes findings by severity, applies fixes, and loops until clean.
Create a detailed implementation plan without writing code. Read-only analysis and planning with user approval gate. Use before implementing features or making significant changes.
Systematic security audit with confidence-based reporting. Analyzes attack surfaces, checks against OWASP categories, and reports only confirmed or likely vulnerabilities. Use for pre-merge security review or periodic audits.
Run validation checks to ensure code quality, security, and correctness. Supports quick (scoped), full (CI pipeline), fix (auto-correct), and CI mirror modes.
| name | pr |
| description | Create a well-documented GitHub pull request with quality checks, proper description, and test plan. Use when pushing a branch, creating a merge request, or preparing code for review. |
| category | process |
| triggers | ["create PR","pull request","ready for review","open PR"] |
Purpose: Create a well-documented PR with proper description and test plan Usage:
/pr
gh (GitHub CLI) for PR creationNote: Command examples use
npmas default. Adapt to the project's package manager perai-assistant-protocol— Project Commands.
git status --porcelain
If uncommitted changes are detected, present options and wait for user response:
Uncommitted changes detected:
[list of modified/untracked files]
Options:
(a) Commit these changes first
(b) Stash them for now
(c) Abort — resolve manually
Which would you like to do?
Do not proceed with uncommitted changes. Handle them based on the user's choice before continuing.
gh auth status
If not authenticated, instruct the user:
GitHub CLI is not authenticated. Run `gh auth login` to authenticate, then re-run `/pr`.
Do not proceed without authentication — PR creation and existing PR detection both require it.
MAIN=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@' || echo "main")
git status
git diff $MAIN...HEAD --stat
git log $MAIN..HEAD --oneline
If no commits ahead of base branch and no uncommitted changes: Report "Nothing to push — branch is up to date with base" and exit.
Run full validation before creating PR. If issues are found, fix them and re-validate. Maximum 3 iterations. All checks must pass before proceeding.
npm run typecheck
npm run lint
npm run test
Iteration loop:
Report format:
### Validation (iteration N)
| Check | Status | Details |
|-------|--------|---------|
| Typecheck | PASSED / FAILED | [N errors] |
| Lint | PASSED / FAILED | [N errors, M warnings] |
| Tests | PASSED / FAILED | [N passed, M failed] |
Do not proceed until all checks pass.
Run concrete security scan commands against the changed files (see also ../commit/references/pre-commit-verification.md and ../validate/references/security-scan-patterns.md for detailed pattern guidance):
MAIN=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@' || echo "main")
CHANGED_FILES=$(git diff $MAIN...HEAD --name-only)
# Secrets detection
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" --include="*.json" \
-E "(api[_-]?key|secret|password|token|credential|private[_-]?key)\s*[:=]" $CHANGED_FILES
# Insecure pattern detection
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" \
-E "(eval\(|new Function\(|innerHTML\s*=|dangerouslySetInnerHTML|document\.write\()" $CHANGED_FILES
# Raw SQL interpolation (injection risk)
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" \
-E "(\\\$queryRaw\`|\\\$executeRaw\`|\.query\(.*\\\$\{|SELECT.*\\\$\{|INSERT.*\\\$\{|UPDATE.*\\\$\{|DELETE.*\\\$\{)" $CHANGED_FILES
# Command injection patterns
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" \
-E "(child_process|exec\(|execSync\(|spawn\(|execFile\()" $CHANGED_FILES
# Disabled security controls
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" \
-E "(rejectUnauthorized:\s*false|NODE_TLS_REJECT_UNAUTHORIZED|--no-verify)" $CHANGED_FILES
Interpreting results:
eval/innerHTML/dangerouslySetInnerHTML: Requires justification — flag for reviewchild_process/exec: Flag for review — verify no user input reaches the commandExclude test files and example/documentation files from blocking — flag as informational only.
Review the diff for mixed-concern changes. If commits include both feature work and refactoring, or both bug fixes and cleanup, suggest splitting into separate PRs for faster review.
Before creating a new PR, check if one already exists for this branch:
gh pr view --json number,url,title,state 2>/dev/null
If a PR exists:
Existing PR detected: #[number] ([state])
Title: [title]
URL: [url]
Options:
(a) Update existing PR #[number]
(b) Close #[number] and create a new PR
(c) Abort
Recommend: Update existing PR.
Wait for user response. If updating, use gh pr edit instead of gh pr create.
Present the full PR plan and wait for explicit user approval before pushing or creating/updating the PR:
**Branch:** [branch name]
**Target:** [base branch]
**Commits:** [N commits]
**Action:** [Create new PR / Update existing PR #N]
**Proposed title:** [type]: [description]
[Full PR body preview]
Confirm push and [create/update] PR? (yes / edit / cancel)
GATE: Do NOT push or create/update the PR until user responds with explicit approval.
git push -u origin HEAD
If creating a new PR:
gh pr create --title "[Type]: Brief description" --body "$(cat <<'EOF'
## Summary
[1-3 bullet points describing what this PR does]
## Changes
- [Specific change 1]
- [Specific change 2]
## Test Plan
- [ ] [How to test change 1]
- [ ] [How to test change 2]
## Security
- [ ] No secrets or credentials in code
- [ ] Input validation on new endpoints/handlers
- [ ] Auth checks on protected operations
- [ ] N/A — no security-sensitive changes
## Screenshots (if applicable)
[Add screenshots for UI changes]
EOF
)"
If updating an existing PR:
gh pr edit [number] --title "[Type]: Brief description" --body "$(cat <<'EOF'
[same body template as above]
EOF
)"
**PR:** #[number] — [title]
**URL:** [url]
**Status:** [Created / Updated]
**Branch:** [branch] → [base]
**Commits:** [N]
**Next:** Wait for CI checks, request reviewers, or continue working.
| ID | Type | Prompt / Condition | Expected |
|---|---|---|---|
| PR-T1 | Positive | "Create a pull request" | Skill triggers |
| PR-T2 | Positive | "Ready for review" | Skill triggers |
| PR-T3 | Positive | "Open a PR for this branch" | Skill triggers |
| PR-T4 | Negative | "Commit my changes" | Does NOT trigger (-> /commit) |
| PR-T5 | Negative | "Review the code" | Does NOT trigger (-> /review) |
| PR-T6 | Negative | "Fix the CI failures on my PR" | Does NOT trigger (-> /iterate-pr) |
| PR-T7 | Boundary | "Commit and create a PR" | Triggers (PR is the final intent) |
| PR-T8 | Early-exit | No commits ahead of base branch | Reports "Nothing to push" and exits |
feat: add user authentication
fix: resolve login issue with special characters
refactor: extract validation logic
docs: update API documentation
test: add tests for auth module
chore: update dependencies
## Summary
- Add JWT-based authentication to API endpoints
- Implement login and registration endpoints
- Protect existing routes with auth middleware
## Changes
- `src/middleware/auth.ts` - New auth middleware
- `src/routes/auth.ts` - Login/register endpoints
- `src/models/User.ts` - User model with password hashing
## Test Plan
- [ ] Register new user with valid credentials
- [ ] Login with correct credentials returns token
- [ ] Protected routes reject requests without token
## Breaking Changes
None - new endpoints only.