con un clic
review
Routed PR review orchestrator. Load for `/review` command or any PR review task.
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Menú
Routed PR review orchestrator. Load for `/review` command or any PR review task.
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Basado en la clasificación ocupacional SOC
The full QC8 comment-quality catalog — eight bad comment shapes to delete with before/after examples, plus the keep-list of comments that earn their place. Load before writing or editing code comments, or when a review flags comment quality. AGENTS.md carries the one-line rule and the shape titles; this skill carries the worked examples.
Per-PR documentation-drift prevention. When a PR adds new code subsystems, scripts, skills, docs, plugin routes, feature flags, or changes architecture relationships, this skill produces the AGENTS.md, CLAUDE.md, and .cursor/rules/ updates needed in the same PR so agent guidance never falls behind the code. Use this on /review or directly before merge.
Security audit — frontend (F1-F6 rules from `.cursor/rules/frontend-security.mdc`), Go backend (URL allowlists, token handling, hardcoded secrets, unbounded reads), MCP HTTP transport (size / wallclock / concurrency caps, Zod-validated tool inputs), and dependency audit (`npm audit` high+critical, Go module advisories). Reports findings with concrete remediation per rule. Never edits source — the user applies fixes.
Generate a structured PR description from the current diff using `docs/design/CONCERNS.md` routing. Interviews the author for motivation before drafting. Produces canonical sections (Summary, What to look at, Why, How to verify, Breaking changes, Reversibility) tailored to change type. Outputs the draft for human review; can apply via `gh pr edit` after explicit confirmation. Pair with `/review` — this skill drafts, `/review` reviews.
Locate technical debt in a subsystem or architectural component of a codebase. Use when the user runs `/techdebt <subsystem>` or asks to audit a module for smells, duplication, prop drilling, dead code, or other debt patterns. Examples: "/techdebt src/auth", "find tech debt in components/docs-panel", "audit the interactive-engine for smells".
Orchestrate the pre-release flow for grafana-pathfinder-app — bump the version in package.json, draft a CHANGELOG entry (via the `changelog` skill), run `npm run check` and `npm run build`, then print the exact `git tag` command for the user to execute. Never creates or pushes the tag itself; tagging is a one-way door the user owns.
| name | review |
| description | Routed PR review orchestrator. Load for `/review` command or any PR review task. |
Conduct a Principal Engineer level review in seven phases.
Always read:
docs/design/CONCERNS.mdDo not maintain a separate hardcoded subsystem concern list if the concern registry already defines it.
Before routing specific concerns, classify the overall shape of the PR using the classes defined in docs/design/CONCERNS.md.
At minimum, consider:
product-runtimecontracts-and-schemasinfra-build-citests-onlydocs-onlymixedClassification exists to improve routing efficiency, not to reduce safety. If uncertain, classify as mixed.
Route using trigger_paths and trigger_keywords from the routing table in docs/design/CONCERNS.md. Apply the routing defaults defined there. Never route on paths alone.
Produce: activated_concerns, activation_reason, risk_signals, likely_one_way_doors, reviewers_to_run, coverage_confidence.
Always consider these concerns:
securitycorrectness-and-reliabilitytesting-and-verificationreversibility-and-one-way-doorcross-cutting-architectureDepending on change classification, some always-on concerns may be satisfied by the synthesizer instead of a separate early reviewer, but they still must be considered.
Never suppress:
reversibility-and-one-way-doorDo not suppress security for workflow, publish, release, token, permission, URL, or trust-boundary changes.
Do not suppress testing-and-verification for executable changes, including CI and build system changes.
Run additional reviewers when activated by the routing table in docs/design/CONCERNS.md.
Posture: breadth over economy. This review is the automated safety net under human review. Run all always-on concerns as independent parallel reviewers, plus every conditional concern the router activates. Do not throttle fan-out to save cost — the goal is to raise the bar on what is caught automatically so human review can focus on novel findings.
docs-only PR has no Go backend surface to review)In addition to the security concern reviewer, when the PR touches any of:
package.json, go.mod, lockfiles)…also invoke .cursor/skills/secure/SKILL.md as a dedicated lens running alongside the security concern. The concern-level reviewer applies the F1–F6 / G1–G7 catalog against the diff; the standalone secure skill runs the full audit (frontend F1–F6 + backend allowlists + MCP transport + deps) with deeper context. Both report findings under the security concern; the synthesizer dedupes per §5.
Each reviewer should receive only:
docs/design/CONCERNS.mdDo not give each reviewer the full repository or unrelated subsystem docs.
Prefer changed functions, nearby symbols, and directly related tests over whole-file or whole-directory reads.
When launching a subsystem reviewer, instruct it to follow this exact reasoning order:
purpose and review_questions.reviewed_clean or not_applicable.Additional instructions for subsystem reviewers:
Every reviewer emits the schema defined in docs/design/PR_REVIEW.md (Reviewer output schema), including the severity, confidence, and reversibility values.
Before synthesis, run an adversarial verification pass on the reviewer output:
medium or higher across all reviewers.refuted=true when uncertain. Skeptics receive only the finding, the relevant diff hunks, and the concern entry — not the original reviewer's reasoning.{ refuted: boolean, reason: string }.verification_dropped list with the skeptics' reasoning, so the synthesizer can surface them if a human wants to inspect.low severity or below are passed through without verification — the cost of verifying low-severity items exceeds the value.This pass exists to kill plausible-but-wrong findings before they reach the human reviewer. False positives erode trust in the automated safety net; spending tokens to suppress them is the right trade.
After concern-specific reviewers finish, run one final cross-cutting reviewer that:
This reviewer is required even if all subsystem reviewers are clean.
The synthesizer must:
docs/design/CONCERNS.md when the same unowned area appears important enough to deserve subsystem-aware reviewReport findings ordered by severity, then confidence.
Each finding should include:
If all activated concerns return no_findings, say so explicitly and mention any residual confidence gaps or testing gaps.
If coverage_confidence is not high, include a short coverage note such as:
Coverage note: this PR appears to center on an area that is only lightly modeled by
docs/design/CONCERNS.md. I reviewed it with general concerns and adjacent subsystem logic, but review confidence is reduced there. If this area is important long-term, consider refining or adding a concern entry.
After synthesis, spawn a sub-agent scoped to only the files changed in this PR to detect tech-debt patterns. The sub-agent reads .cursor/skills/techdebt/SKILL.md and runs all categories (A–E) against the changed file set.
Instructions for the sub-agent:
SKILL.md workflow steps 1–6 against that file list exactly.mixed or product-runtime and the router has flagged correctness risk.Include the tech-debt report in the final review output under a Tech debt section. If the sub-agent returns no findings, emit:
Tech debt: no high-confidence patterns found in the changed files.
The tech-debt scan is non-blocking — findings do not block merge, but they are included in the review for the author's awareness. Dedupe against synthesis findings per §5.
After synthesis, invoke .cursor/skills/prevent-doc-drift/SKILL.md in review mode to detect whether this PR introduces new subsystems, scripts, skills, docs, plugin routes, feature flags, or architecture changes that require updates to agent guidance (AGENTS.md, CLAUDE.md, .cursor/rules/).
If the skill emits a "Doc-drift updates recommended" section, include it verbatim in the review output. The PR author can apply the diffs themselves or invoke prevent-doc-drift in apply mode to commit them on the same branch.
The doc-drift check is non-blocking — guidance drift does not block merge, but unfixed drift accumulates as tech debt future reviewers and agents will pay for.
The unified detection table (R1-R21, F1-F6, QC1-QC7), Go backend table (G1-G7), comment prefixes, and disposition matrix all live in docs/design/PR_REVIEW.md. Apply those checks during subsystem review under the correctness-and-reliability, security, and go-backend concerns, and use the prefix and disposition tables when reporting.