ワンクリックで
workflow-agent-review
Perform focused Smelter code and security review after implementation before E2E validation.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Perform focused Smelter code and security review after implementation before E2E validation.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Use when: User wants to run a SUBSTANTIAL multi-step coding task as a workflow (fix/implement a whole issue or feature, comprehensive review), CREATE workflows or commands, set up workflow automation, or manage workflow configuration. Triggers (run): "use workflow to", "run workflow", "with workflow", "workflow to", "workflow run", "use a workflow to", "run a workflow", and generic task-completion intents that imply a full coding deliverable: "실행해줘", "돌려줘", "구현해줘", "고쳐줘", "이슈 고쳐줘", "PR 만들어줘", "implement this", "fix this issue", "build this feature", "ship this". Triggers (create): "create a workflow", "write a workflow", "make a command", "author a workflow", "new workflow", "new command", "workflow yaml". Triggers (setup): "set up workflows", "install workflow automation", "how to use workflows", "configure workflows", "workflow setup", "get started with workflows". Triggers (config): "change my workflow config", "modify workflow config", "workflow
Automates browser interactions for web testing, form filling, screenshots, and data extraction. Use when the user needs to navigate websites, interact with web pages, fill forms, take screenshots, test web applications, or extract information from web pages.
Smelter deep interview for planning-first requirement discovery before /brainstorm, /implement, or /fix execution
Create a release from dev branch. Generates changelog entries from commits, bumps version, and creates a PR to main. TRIGGERS - Use this skill when user says: - "/release" - create a patch release (default) - "/release minor" - create a minor release - "/release major" - create a major release - "make a release", "cut a release", "ship it", "release to main"
Replicate and validate a GitHub issue by spinning up Smelter, analyzing the issue, and systematically testing all described symptoms using browser automation. Use when: User wants to reproduce a bug, validate a GitHub issue, confirm a reported problem, or investigate whether an issue is real before working on a fix. Triggers: "replicate issue", "reproduce issue", "validate issue", "confirm bug", "test issue", "can you reproduce", "try to replicate", "verify the bug". Capability: Checks out main, pulls latest, starts Smelter, reads the GitHub issue, then uses agent-browser to systematically test every symptom and produce a findings report. NOT for: Fixing issues (use /smelter or /exp-piv-loop:fix-issue), general UI testing (use /validate-ui).
Autonomous rule adherence checker. Scans the codebase for rule violations, fixes the highest-impact ones in an isolated worktree, runs full validation, creates a PR. Uses memory to track progress across runs.
| name | workflow-agent-review |
| description | Perform focused Smelter code and security review after implementation before E2E validation. |
| version | 0.55 |
| type | workflow |
| consumes | src/** diff |
| produces | agent-review.md, "## Risks" updated |
| default_pattern | B |
| default_agents | ["code-reviewer","security-reviewer"] |
| supports_patterns | ["A","B"] |
| team_template | {"B":{"agents":["code-reviewer","security-reviewer"],"mode":"dual_adversarial","aggregator":"arbitrator"}} |
| result_types | ["pass","fail"] |
| min_verification_rounds | 2 |
| verification_rounds | [{"n":1,"focus":"omission","prompt_template":"templates/verification/round-1-omission.md"},{"n":2,"focus":"contradiction","prompt_template":"templates/verification/round-2-contradiction.md"}] |
| gate | {"postcondition":[{"file_exists":"agent-review.md"},{"contains_verdict":"pass|fail"}]} |
Immediately after implementation, a Pattern B Dual Adversarial review:
code-reviewer: quality, readability, bugs, logic errorssecurity-reviewer: vulnerabilities, data exposure, permissionsThe two agents review in parallel and independently; arbitrator then merges results.
Core principle: Implementation is unverified until two independent reviewers (code + security) both pass through 2 rounds (omission, contradiction).
Violating the letter of this rule is violating the spirit of this rule.
Announce at start: "I'm using workflow-agent-review to run Pattern B dual adversarial review + 2-round verification on the diff."
NO E2E HANDOFF WITHOUT DUAL REVIEW AT pass AND 2/2 ROUNDS AT pass
Two independent enforcements must both hold:
code-reviewer and security-reviewer return pass (Pattern B consensus)passDeclaring pass with completed_rounds < 2 or only one reviewer is blocked by hook.
Only when tasker declares security_surface: false does code-reviewer run alone (Pattern A). Default remains B. The demotion is a tasker-time decision; workflow-agent-review cannot demote itself.
agent-review.md:
## Code Review — code-reviewer findings## Security Review — security-reviewer findings## Risks Added — updates to the ## Risks section (LOW/MEDIUM/HIGH/CRITICAL)## Verdict — pass / fail## Risks
- [LOW] <style / naming improvement suggestion>
- [MEDIUM] <possible minor bug>
- [HIGH] <major logic flaw>
- [CRITICAL] <data loss / security vulnerability>
| Thought | Reality |
|---|---|
| "The diff is small, skip security-reviewer" | Pattern B demotion is a tasker decision, not a reviewer decision. Run both unless security_surface: false was declared. |
| "Code-reviewer passed, ship it" | Pattern B needs BOTH reviewers. One is not consensus. |
| "Only round 1 is needed for small diffs" | Hook blocks sub-2 pass. Run both rounds. |
| "Reviewer disagrees with me, I'm right" | Push back with evidence, not confidence. If you cannot verify, say so and ask. |
| "Findings are just style, ignore them" | LOW findings go in ## Risks. Ignoring is not the same as acknowledging. |
| "We already reviewed this in the previous session" | Session-local. Re-verify. Critic Watchdog blocks "already verified" skips. |
| Excuse | Reality |
|---|---|
| "The reviewer doesn't understand the context" | Provide missing context, don't dismiss findings. |
| "Great point!" / "You're absolutely right!" | Forbidden response. Technical acknowledgment or reasoned pushback only. |
| "Let me implement that now" (before verification) | Verify the reviewer's finding is technically correct for THIS codebase first. Then implement. |
| "I'll bundle feedback for later" | Fix Critical immediately. Fix Important before proceeding to workflow-e2e. Minor goes in ## Risks. |
When receiving review feedback, NEVER say:
feedback_precision memoryINSTEAD:
fail → workflow-codingsecurity cause detection → workflow-coding with security guidance attached via active_feedbackThis skill runs 2 mandatory rounds before declaring pass. Each round has a distinct focus:
| Round | Focus | Question |
|---|---|---|
| 1 | Omission | Are any diff paths, error branches, or security surfaces unreviewed? |
| 2 | Contradiction | Are there inconsistencies between code review and security review findings, or with the plan? |
All rounds recorded in state.json.team_runtime.workflow-agent-review.rounds[]. Skill-level pass is declared only when completed_rounds === 2 && all rounds result === pass.
fail → skill-level fail with cause: verification_failed, evidence: {round, focus, findings[]}workflow-coding (the consumed artifact's producer)pass with completed_rounds < 2 is blocked by hookREQUIRED NEXT SKILL on pass: workflow-e2e
On fail: route to workflow-coding with active_feedback.
Do NOT:
workflow-team-code-review — workflow-e2e must run first on interface-changing surfacesIf the surface is in exempt_if_surface: [style, typography, typo, dialogue], the mode's configuration may route directly to workflow-team-code-review. Otherwise workflow-e2e is mandatory.
Every fail verdict MUST cite at least one anchor in the strict form:
Evidence: path/to/file.ext:LINE[-LINE] "verbatim quote substring"
Rules:
PostToolUse hook (scripts/review-evidence-verifier.mjs) blocks writes that violate these rules.