| name | rust-review |
| description | Audits Rust code for unsafe blocks, ownership issues, and Cargo dependency risks. Use when reviewing Rust code or before merging Rust changes. |
| globs | **/*.rs |
| alwaysApply | false |
| category | code-review |
| tags | ["rust","ownership","concurrency","unsafe","traits","cargo"] |
| tools | [] |
| usage_patterns | ["rust-audit","unsafe-review","dependency-audit","concurrency-analysis"] |
| complexity | advanced |
| model_hint | deep |
| estimated_tokens | 400 |
| progressive_loading | true |
| dependencies | ["pensive:shared","imbue:proof-of-work","imbue:review-core","imbue:structured-output"] |
| modules | ["ownership-analysis.md","error-handling.md","concurrency-patterns.md","unsafe-audit.md","cargo-dependencies.md","silent-returns.md","collection-types.md","sql-injection.md","cfg-test-misuse.md","error-messages.md","duplicate-validators.md","builtin-preference.md","native-type-modeling.md","idiomatic-elision.md","coercion-params.md","conversion-traits.md","numeric-cast-safety.md","mutable-static-audit.md","match-wildcard.md","transmute-audit.md","float-equality.md","mem-forget-audit.md","repr-packed-audit.md","model-specific-tells.md","iterator-and-allocation-slop.md","test-slop.md","async-slop.md"] |
Rust Review Workflow
Expert-level Rust code audits with focus on safety, correctness, and idiomatic patterns.
Quick Start
/rust-review
Verification: Run the command with the --help flag to verify availability.
When To Use
- Reviewing Rust code changes
- Auditing unsafe blocks
- Analyzing concurrency patterns
- Dependency security review
- Performance optimization review
When NOT To Use
- General code review without Rust - use unified-review
- Performance profiling - use parseltongue:python-performance pattern
Required TodoWrite Items
rust-review:ownership-analysis
rust-review:error-handling
rust-review:concurrency
rust-review:unsafe-audit
rust-review:cargo-deps
rust-review:native-modeling
rust-review:idiomatic-elision
rust-review:coercion-params
rust-review:conversion-traits
rust-review:numeric-cast-safety
rust-review:mutable-static-audit
rust-review:match-wildcard
rust-review:transmute-audit
rust-review:float-equality
rust-review:mem-forget-audit
rust-review:repr-packed-audit
rust-review:evidence-log
rust-review:findings-verified
Progressive Loading
Load modules as needed based on review scope:
Quick Review (ownership and errors):
- See modules/ownership-analysis.md for borrowing and lifetime analysis
- See modules/error-handling.md for Result/Option patterns
Concurrency Focus:
- See modules/concurrency-patterns.md for async and sync primitives
Safety Audit:
- See modules/unsafe-audit.md for unsafe block documentation
- See modules/mutable-static-audit.md for `static mut` globals and their thread-safe replacements
- See modules/numeric-cast-safety.md for truncating and precision-losing `as` casts
- See modules/match-wildcard.md for catch-all arms that defeat enum exhaustiveness
- See modules/transmute-audit.md for `mem::transmute`/`transmute_copy` calls that reinterpret bytes with no layout check
- See modules/repr-packed-audit.md for `#[repr(packed)]` layouts whose field borrows become unaligned references
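Three of the Safety Audit patterns above (numeric casts, packed-field access, transmute), each beside the form a reviewer would recommend. This is an added example, not taken from the skill's modules; `Header`, `len_prefix_*`, `read_len` and `parse_len` are hypothetical names and the values are constructed.

```rust
use std::ptr;

// Constructed wire header; the packed layout puts `len` at offset 1 (unaligned).
#[repr(C, packed)]
#[derive(Clone, Copy)]
pub struct Header {
    pub tag: u8,
    pub len: u32,
}

// numeric-cast-safety: `as` silently keeps only the low 8 bits of the length.
pub fn len_prefix_truncating(payload: &[u8]) -> u8 {
    payload.len() as u8
}

// Checked replacement: an oversized payload becomes an error the caller must handle.
pub fn len_prefix_checked(payload: &[u8]) -> Result<u8, std::num::TryFromIntError> {
    u8::try_from(payload.len())
}

// repr-packed-audit: `&h.len` would be a reference to an unaligned field.
// Take a raw pointer to the field and read it without an alignment assumption.
pub fn read_len(h: &Header) -> u32 {
    // SAFETY: the pointer is derived from a live `Header`, `u32` is `Copy`,
    // and `read_unaligned` has no alignment requirement.
    unsafe { ptr::addr_of!(h.len).read_unaligned() }
}

// transmute-audit: typed replacement for `mem::transmute::<[u8; 4], u32>`,
// with the byte order stated instead of inherited from the host.
pub fn parse_len(bytes: [u8; 4]) -> u32 {
    u32::from_le_bytes(bytes)
}

fn main() {
    let big = vec![0u8; 300];
    println!("truncating: {}", len_prefix_truncating(&big));
    println!("checked:    {:?}", len_prefix_checked(&big));
    let h = Header { tag: 1, len: 0xDEAD_BEEF };
    println!("packed len: {:#x}", read_len(&h));
    println!("parsed len: {:#x}", parse_len([0xEF, 0xBE, 0xAD, 0xDE]));
}
```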
Correctness Audit:
- See modules/float-equality.md for `==`/`!=` against float literals
- See modules/mem-forget-audit.md for `mem::forget` leaks and no-op `drop(&x)` reference drops
Dependency Review:
- See modules/cargo-dependencies.md for vulnerability scanning
Idiomatic Patterns:
- See modules/builtin-preference.md for conversion traits and builtin preference
- See modules/native-type-modeling.md for enums-over-primitives, newtype, type-state, and derived ordering
- See modules/idiomatic-elision.md for lifetime elision, expression-oriented returns, and explicit `-> ()` unit returns
- See modules/coercion-params.md for `&String`/`&Vec<T>`/`&PathBuf` parameters that defeat deref coercion (prefer `&str`/`&[T]`/`&Path`)
- See modules/conversion-traits.md for `impl Into` that should be `impl From`, and discarded `try_into().unwrap()` conversion errors
Core Workflow
- Ownership Analysis: Check borrowing, lifetimes, clone patterns
- Error Handling: Verify Result/Option usage, propagation
- Concurrency: Review async patterns, sync primitives
- Unsafe Audit: Document invariants, FFI contracts
- Dependencies: Scan for vulnerabilities, updates
- Evidence Log: Record commands and findings
Rust Quality Checklist
Safety
Correctness
Performance
Idioms
Output Format
## Summary
Rust audit findings
## Ownership Analysis
[borrowing and lifetime issues]
## Error Handling
[error patterns and issues]
## Concurrency
[async and sync patterns]
## Unsafe Audit
### [U1] file:line
- Invariants: [documented]
- Anchor: `verbatim source text at file:line`
- Risk: [assessment]
- Recommendation: [action]
## Native Type Modeling
[stringly-typed comparisons, boolean blindness, newtype/type-state notes]
## Idiomatic Elision
[needless lifetimes, trailing returns, explicit `-> ()` unit returns]
## Coercion Params
[`&String`/`&Vec<T>`/`&PathBuf` params that should be borrowed slices]
## Conversion Traits
[`impl Into` over `impl From`; discarded `try_into().unwrap()` errors]
## Numeric Cast Safety
[length-truncating, byte-narrowing, and f32 precision-losing `as` casts]
## Mutable Static Audit
[`static mut` globals and their thread-safe replacements]
## Match Wildcard
[catch-all `_ =>` arms that defeat enum exhaustiveness]
## Transmute Audit
[`mem::transmute`/`transmute_copy` calls and their typed replacements]
## Float Equality
[exact `==`/`!=` comparisons against float literals]
## Mem Forget Audit
[`mem::forget` leaks and no-op `drop(&x)` reference drops]
## Repr Packed Audit
[`#[repr(packed)]` layouts whose field borrows become unaligned]
## Dependencies
[cargo audit results]
## Recommendation
Approve / Approve with actions / Block
Verification: Run the command with the --help flag to verify availability.
Verify Findings Are Grounded (rust-review:findings-verified)
Every finding must cite a real location and a verbatim anchor. Write
findings to .review/findings.json and confirm each citation resolves:
python plugins/imbue/scripts/citation_verifier.py \
--findings .review/findings.json --repo-root .
Drop or label UNVERIFIED any finding the verifier fails (exit 1); only
verified findings enter the report. See Skill(imbue:review-core) Step 5
and Skill(imbue:structured-output) for the schema.
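What "each citation resolves" means in practice, as an added example that is not the project's citation_verifier.py: a finding is kept only if the cited file exists, the cited line exists, and the anchor appears on that line verbatim. The `Finding` fields and the in-memory repository are assumptions made for illustration, not the imbue:structured-output schema.

```rust
use std::collections::HashMap;

// Assumed finding shape (hypothetical, not the imbue:structured-output schema):
// a location plus the text the reviewer claims is at that location.
pub struct Finding<'a> {
    pub id: &'a str,
    pub file: &'a str,
    pub line: usize, // 1-based
    pub anchor: &'a str,
}

#[derive(Debug, PartialEq)]
pub enum Status { Verified, Unverified(&'static str) }

// A citation resolves only if file:line exists and contains the anchor verbatim.
pub fn verify(f: &Finding, repo: &HashMap<&str, &str>) -> Status {
    let Some(src) = repo.get(f.file) else {
        return Status::Unverified("file not found");
    };
    if f.anchor.trim().is_empty() {
        return Status::Unverified("empty anchor"); // "" is a substring of every line
    }
    match f.line.checked_sub(1).and_then(|i| src.lines().nth(i)) {
        None => Status::Unverified("line out of range"),
        Some(text) if text.contains(f.anchor) => Status::Verified,
        Some(_) => Status::Unverified("anchor text not on cited line"),
    }
}

// Constructed repository contents and findings.
pub fn demo() -> Vec<Status> {
    let repo = HashMap::from([(
        "src/buf.rs",
        "pub fn first(p: *const u8) -> u8 {\n    unsafe { *p }\n}\n",
    )]);
    let findings = [
        Finding { id: "U1", file: "src/buf.rs", line: 2, anchor: "unsafe { *p }" },
        Finding { id: "U2", file: "src/buf.rs", line: 3, anchor: "unsafe { *p }" },
        Finding { id: "U3", file: "src/buf.rs", line: 9, anchor: "transmute" },
        Finding { id: "U4", file: "src/net.rs", line: 1, anchor: "static mut" },
    ];
    findings.iter().map(|f| verify(f, &repo)).collect()
}

fn main() {
    for s in demo() { println!("{s:?}"); }
}
```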
Exit Criteria
- All unsafe blocks audited
- Concurrency patterns verified
- Dependencies scanned
- Evidence logged
- Action items assigned
- Every reported finding carries a Location + verbatim Anchor confirmed by citation_verifier.py (exit 0), or unverified findings were dropped or labeled UNVERIFIED