| name | verification |
| description | Deep verification of code changes before committing. Traces code paths, detects semantic changes, identifies code smells and security issues. Reads GitHub PR reviews to propose implementation decisions. Use before commits, after implementation, or when asked to verify/review changes. |
Code Verification
Verify generated code in depth before committing. This skill complements the pre-commit checklist by adding semantic analysis.
When to Use
- Before committing implementation changes
- After completing implementation steps
- When PR review feedback needs to be addressed
- When explicitly asked to verify code
- When starting a new session of an implementation plan
Verification Workflow
Copy this checklist and track progress:
Verification Progress:
- [ ] Step 1: Load project rules and standards
- [ ] Step 2: Trace code paths for modified files
- [ ] Step 3: Check for semantic changes
- [ ] Step 4: Identify code smells
- [ ] Step 5: Run security scans
- [ ] Step 6: Step 6: If PR exists: trigger feedback by commenting `/review` in the PR. Wait for the bot to review. Review ALL comments in the PR feedback including the pr-review-bot comments
- [ ] Step 7: Get check results from github with gh cli
- [ ] Step 8: Update implementation plan with findings
- [ ] Step 9: Fix issues (TDD REQUIRED - test first, then fix)
- [ ] Step 10: Check coverage of changed files > 80%
- [ ] Step 11: Add tests if coverage not sufficient
- [ ] Step 12: Commit changes
Step 1: Load Project Rules
Read and apply these project standards:
.windsurf/rules/general.md - critical rules and workflow.github/CONTRIBUTING.md - coding standards
Key rules to verify against:
- Outside-in TDD followed
- Minimum necessary changes
- No workarounds or commented-out code
- gomock used for mocking (no custom mocks)
- Generated types used for mock responses
Step 2: Trace Code Paths
For each modified file, trace the execution flow:
- Identify entry points: API handlers, public functions, exported methods
- Follow the call chain: Map function calls through the codebase
- Verify dependencies: Check that all called functions exist and have correct signatures
- Check return paths: Ensure all code paths return appropriate values/errors
Verification Questions
- Does the new code integrate correctly with existing callers?
- Are all error cases handled?
- Do interface implementations satisfy their contracts?
- Are there unreachable code paths?
Step 3: Check for Semantic Changes
Detect unintended behavioral changes:
Breaking Changes
- Modified function signatures
- Changed return types or error conditions
- Altered struct field types or tags
- Modified interface definitions
Behavioral Changes
- Different error messages (may break client parsing)
- Changed response structure
- Modified validation logic
- Altered default values
Database/API Impact
- Schema changes requiring migrations
- API contract changes requiring versioning
- Query behavior changes
Action: Flag any semantic changes and ask if they are intentional.
Step 4: Identify Code Smells
Check for these patterns:
Structural Smells
Go-Specific Smells
Design Smells
Copy-Paste Code (Refactoring Candidates)
Identify duplicated code that should be extracted:
Detection approach:
- Search for similar function names across packages
- Look for identical error messages or log statements
- Check for repeated struct field assignments
- Compare new code against existing patterns in the codebase
Action: For duplicated code, propose extraction with:
- Suggested function/package location
- Shared interface if applicable
- Impact on existing callers
Action: For each smell found, propose a specific fix or flag for discussion.
Step 5: Run Security Scans
Execute security checks using Snyk:
pwd
Then run:
snyk_sca_scan - dependency vulnerabilitiessnyk_code_scan - code security issues
Manual Security Checklist
Action: Fix security issues using the implementation skill. If in test data, note but don't fix.
Step 6: Review PR Feedback
If a GitHub PR exists for the current branch:
Fetch PR Information
gh pr view --json number,reviews,comments,url 2>/dev/null
- If PR exists: trigger feedback by commenting
/review in the PR.
- Wait for the bot to review.
- Review ALL comments in the PR feedback including the pr-review-bot comments
Process Feedback
For each review comment:
- Categorize: Bug | Enhancement | Style | Question | Blocker
- Assess: Is this actionable? Does it require a decision?
- Prioritize: Critical (must fix) | Should fix | Nice to have
Create Decision Proposals
For feedback requiring decisions, add to implementation plan:
## PR Feedback Decisions Required
### [Comment summary]
- **Reviewer**: @username
- **Category**: [Bug/Enhancement/etc]
- **Context**: [Quote relevant comment]
- **Options**:
1. [Option A with pros/cons]
2. [Option B with pros/cons]
- **Recommendation**: [Your recommendation]
- **Decision**: [ ] Pending
Step 7: Update Implementation Plan
Add verification findings to the implementation plan:
## Verification Results
### Code Path Analysis
- [List traced paths and any issues found]
### Semantic Changes
- [List any behavioral changes detected]
### Code Smells
- [List smells found with proposed fixes]
### Refactoring Candidates
- [List duplicated code with extraction proposals]
### Security Findings
- [List security issues and resolutions]
### PR Feedback Items
- [List items requiring decisions]
Quick Reference
Commands
| Task | Command |
|---|
| Check PR | gh pr view --json number,reviews,comments |
| SCA scan | snyk_sca_scan with absolute path |
| Code scan | snyk_code_scan with absolute path |
| Run tests | make cover && ./gradlew test-integration-local |
Red Flags (Stop and Discuss)
- Breaking API changes without versioning
- Security vulnerabilities in non-test code
- Significant behavioral changes
- Unresolved PR blockers
- Significant code duplication (>20 lines copied)
Step 9: Fix Issues (TDD Required)
CRITICAL: ALL fixes MUST follow TDD. NEVER implement a fix without writing a failing test first.
CRITICAL: Use implementation skill.
When verification identifies issues to fix:
9.1 Write Failing Test First
Before touching production code:
- Write a test that exposes the issue
- Run the test - confirm it FAILS (or would fail to catch the issue)
- The test proves the fix is needed and will prevent regression
Example for security fix (URL sanitization):
func TestSanitizeURLForLogging_StripsCredentialsInAllLogStatements(t *testing.T) {
urlWithCreds := "https://user:token@github.com/org/repo"
}
9.2 Implement Minimal Fix
Only after the test exists:
- Apply the minimum change to make the test pass
- Run the test - confirm it PASSES
- Run all test suites to verify no regressions (read
commit skill for details)
9.3 TDD Violation Check
Before applying ANY code fix, ask yourself:
If you catch yourself implementing before testing, STOP, revert, and start with the test.
