// [Documentation] Use when scanning code conventions, anti-patterns, architecture rules, and review checklists.
[HINT] Download the complete skill directory including SKILL.md and all related files
| name | scan-code-review-rules |
| description | [Documentation] Use when scanning code conventions, anti-patterns, architecture rules, and review checklists. |
Codex compatibility note:
- Invoke repository skills with
$skill-namein Codex; this mirrored copy rewrites legacy Claude/skill-namereferences.- Prefer the
plan-hardskill for planning guidance in this Codex mirror.- Task tracker mandate: BEFORE executing any workflow or skill step, create/update task tracking for all steps and keep it synchronized as progress changes.
- User-question prompts mean to ask the user directly in Codex.
- Ignore Claude-specific mode-switch instructions when they appear.
- Strict execution contract: when a user explicitly invokes a skill, execute that skill protocol as written.
- Subagent authorization: when a skill is user-invoked or AI-detected and its protocol requires subagents, that skill activation authorizes use of the required
spawn_agentsubagent(s) for that task.- Do not skip, reorder, or merge protocol steps unless the user explicitly approves the deviation first.
- For workflow skills, execute each listed child-skill step explicitly and report step-by-step evidence.
- If a required step/tool cannot run in this environment, stop and ask the user before adapting.
Codex does not receive Claude hook-based doc injection. When coding, planning, debugging, testing, or reviewing, open project docs explicitly using this routing.
Always read:
docs/project-config.json (project-specific paths, commands, modules, and workflow/test settings)docs/project-reference/docs-index-reference.md (routes to the full docs/project-reference/* catalog)docs/project-reference/lessons.md (always-on guardrails and anti-patterns)Situation-based docs:
backend-patterns-reference.md, domain-entities-reference.md, project-structure-reference.mdfrontend-patterns-reference.md, scss-styling-guide.md, design-system/README.mdfeature-docs-reference.mdintegration-test-reference.mde2e-test-reference.mdcode-review-rules.md plus domain docs above based on changed filesDo not read all docs blindly. Start from docs-index-reference.md, then open only relevant files for the task.
Goal: Scan project codebase for established conventions, lint rules, common patterns, and anti-patterns → populate docs/project-reference/code-review-rules.md with actionable review rules and checklists. (read directly when relevant; do not rely on hook-injected conversation text)
Workflow:
Key Rules:
file:lineBefore any other step, run in parallel:
Read docs/project-reference/code-review-rules.md
Detect project scope:
| Signal | Scope | Agent Routing |
|---|---|---|
.csproj files present | Full-stack or Backend-only | Run Agent 1 (Backend) |
angular.json / nx.json / package.json with framework | Frontend present | Run Agent 2 (Frontend) |
| Both above | Full-stack | Run Agents 1+2+3 |
docker-compose.yml / K8s manifests | Infrastructure present | Run Agent 3 (Architecture) |
Linter configs (.eslintrc, stylecop.json) | Code quality infra found | Prioritize Agent 1/2 |
.eslintrc, .editorconfig, stylecop.json, .prettierrc, ruff.toml)Evidence gate: Confidence <60% on scope → report uncertainty, ask user before proceeding.
Create task tracking entries for each sub-agent and each review dimension. Do not start Phase 2 without tasks created.
Launch sub-agents matching detected scope. Each MUST:
file:line for every rule exampleAll findings → plans/reports/scan-code-review-rules-{YYMMDD}-{HHMM}-report.md
Think: What does a GOOD backend file look like in this project? What naming, error handling, and DI choices separate "good code" from "code that got merged but shouldn't have"? Where are the active anti-patterns?
Scan targets:
Think: What makes Angular/React/Vue code reviewable vs unmaintainable here? Where is state management discipline enforced? What cleanup patterns are used?
Scan targets:
Think: What dependency directions are enforced here? Where do services communicate directly vs via messages? What's shared vs duplicated, and is that intentional?
Scan targets:
Read report. Apply evidence confidence to classify each rule:
| Confidence | Documentation |
|---|---|
| HIGH (3+ examples, consistent) | Document as rule with DO/DON'T pair |
| MEDIUM (1-2 examples) | Document as "observed pattern (verify)" |
| LOW (<1 consistent example) | Omit — insufficient evidence |
Round 1 (main agent): Build section drafts from report.
Round 2 (fresh sub-agent, zero memory): Re-reads report + draft independently.
file:line violations (not hypothetical)?| Section | Content |
|---|---|
| Critical Rules | Top 5-10 rules that cause most bugs if violated |
| Backend Rules | Naming, patterns, error handling, DI with DO/DON'T examples |
| Frontend Rules | Component, state, styling, cleanup with DO/DON'T examples |
| Architecture Rules | Layer boundaries, cross-service rules, shared code conventions |
| Anti-Patterns | Common mistakes found in codebase with real file:line, fixes |
| Decision Trees | For common decisions: which base class, where to put logic |
| Checklists | PR review checklists for backend, frontend, cross-cutting |
file:line or clearly marked realistic)file:line references for all code examples<!-- Last scanned: YYYY-MM-DD --> at top[IMPORTANT] Use task tracking to break ALL work into small tasks BEFORE starting — including tasks per file read. Prevents context loss from long files. Simple tasks: ask user whether to skip.
Prerequisites: MUST ATTENTION READ before executing:
Critical Thinking Mindset — Every claim needs traced proof, confidence >80% to act. Anti-hallucination: Never present guess as fact — cite sources, admit uncertainty, self-check output, cross-reference independently. Certainty without evidence = root of all hallucination.
Scan & Update Reference Doc — Surgical updates only, NEVER full rewrite.
- Read existing doc first — understand structure and manual annotations
- Detect mode: Placeholder (headings only) → Init. Has content → Sync.
- Scan codebase (grep/glob) for current patterns
- Diff findings vs doc — identify stale sections only
- Update ONLY diverged sections. Preserve manual annotations.
- Update metadata (date, version) in frontmatter/header
- NEVER rewrite entire doc. NEVER remove sections without evidence obsolete.
Output Quality — Token efficiency without sacrificing quality.
- No inventories/counts — stale instantly
- No directory trees — use 1-line path conventions
- No TOCs — AI reads linearly
- One example per pattern — only if non-obvious
- Lead with answer, not reasoning
- Sacrifice grammar for concision in reports
- Unresolved questions at end
AI Mistake Prevention — Failure modes to avoid:
Verify AI-generated content against actual code. AI hallucinates class names/signatures. Grep to confirm existence before documenting. Trace full dependency chain after edits. Changing a definition misses downstream consumers. Always trace full chain. Holistic-first — resist nearest-attention trap. List EVERY precondition before forming hypothesis. Surgical changes — apply diff test. Every changed line traces directly to the task. Surface ambiguity before coding. Multiple interpretations → present each with effort estimate. NEVER pick silently.
IMPORTANT MUST ATTENTION read existing doc first, scan codebase, diff, surgical update only. Never rewrite entire doc.
IMPORTANT MUST ATTENTION output quality: no counts/trees/TOCs, 1 example per pattern, lead with answer.
MUST ATTENTION apply critical thinking — every claim needs traced proof, confidence >80% to act. Anti-hallucination: never present guess as fact.
MUST ATTENTION apply AI mistake prevention — holistic-first debugging, fix at responsible layer, surface ambiguity before coding, re-read files after compaction.
IMPORTANT MUST ATTENTION break work into small task tracking tasks BEFORE starting
IMPORTANT MUST ATTENTION detect project scope FIRST in Phase 0 — agent routing depends on it
IMPORTANT MUST ATTENTION cite file:line evidence for every claim (confidence >80% to act)
IMPORTANT MUST ATTENTION derive rules from ACTUAL patterns — generic best practices are forbidden
IMPORTANT MUST ATTENTION sub-agents write findings incrementally — NEVER batch at end
IMPORTANT MUST ATTENTION when Round 1 finds issues, Round 2 fresh sub-agent after fixing catches what main agent missed. Clean Round 1 ENDS the scan.
Anti-Rationalization:
| Evasion | Rebuttal |
|---|---|
| "Scope obvious, skip Phase 0 detection" | Phase 0 is BLOCKING — agent routing depends on detected scope |
| "Rules are standard, don't need examples" | Every rule MUST have file:line evidence from this project |
| "Anti-patterns are hypothetical" | Anti-Patterns section requires REAL file:line violations only |
| "Round 2 review not needed" | Main agent rationalizes own decisions. Fresh sub-agent is non-negotiable. |
| "Doc has content, skip re-read" | Show section list extracted from doc as proof of re-read |
[TASK-PLANNING] Before acting, analyze task scope and break into small todo tasks and sub-tasks using task tracking.
Source: .claude/hooks/lib/prompt-injections.cjs + .claude/.ck.json
$workflow-start <workflowId> for standard; sequence custom steps manually[CRITICAL] Hard-won project debugging/architecture rules. MUST ATTENTION apply BEFORE forming hypothesis or writing code.
Goal: Prevent recurrence of known failure patterns — debugging, architecture, naming, AI orchestration, environment.
Top Rules (apply always):
ExecuteInjectScopedAsync for parallel async + repo/UoW — NEVER ExecuteUowTaskwhere python/where py) — NEVER assume python/python3 resolvesExecuteInjectScopedAsync, NEVER ExecuteUowTask. ExecuteUowTask creates new UoW but reuses outer DI scope (same DbContext) — parallel iterations sharing non-thread-safe DbContext silently corrupt data. ExecuteInjectScopedAsync creates new UoW + new DI scope (fresh repo per iteration).AccountUserEntityEventBusMessage = Accounts owns). Core services (Accounts, Communication) are leaders. Feature services (Growth, Talents) sending to core MUST use {CoreServiceName}...RequestBusMessage — never define own event for core to consume.HrManagerOrHrOrPayrollHrOperationsPolicy names set members, not what it guards. Add role → rename = broken abstraction. Rule: names express DOES/GUARDS, not CONTAINS. Test: adding/removing member forces rename? YES = content-driven = bad → rename to purpose (e.g., HrOperationsAccessPolicy). Nuance: "Or" fine in behavioral idioms (FirstOrDefault, SuccessOrThrow) — expresses HAPPENS, not membership.python/python3 resolves — verify alias first. Python may not be in bash PATH under those names. Check: where python / where py. Prefer py (Windows Python Launcher) for one-liners, node if JS alternative exists.Test-specific lessons →
docs/project-reference/integration-test-reference.mdLessons Learned section. Production-code anti-patterns →docs/project-reference/backend-patterns-reference.mdAnti-Patterns section. Generic debugging/refactoring reminders → System Lessons in.claude/hooks/lib/prompt-injections.cjs.
ExecuteInjectScopedAsync, NEVER ExecuteUowTask (shared DbContext = silent data corruption){CoreServiceName}...RequestBusMessagepython/python3 resolves — run where python/where py first, use py launcher or nodeBreak work into small tasks (task tracking) before starting. Add final task: "Analyze AI mistakes & lessons learned".
Extract lessons — ROOT CAUSE ONLY, not symptom fixes:
$learn.$code-review/$code-simplifier/$security/$lint catch this?" — Yes → improve review skill instead.$learn.
[TASK-PLANNING] [MANDATORY] BEFORE executing any workflow or skill step, create/update task tracking for all planned steps, then keep it synchronized as each step starts/completes.