// Performs a thorough review of a single Microbus microservice. Checks for completeness, framework compliance, code quality, security, test coverage, documentation, API design, and data access performance. Produces a structured report with findings and recommendations.
TRIGGER when user asks to add a workflow step, task endpoint, or workflow phase. Tasks are handlers that read/write shared state via workflow.Flow. Affects intermediate.go, *api/client.go, mock.go, manifest.yaml.
TRIGGER when user asks to define a workflow graph, orchestrate tasks, or create a multi-step agentic workflow. Defines task transitions and conditions. Affects intermediate.go, *api/client.go, mock.go, manifest.yaml.
Called by upgrade-microbus. Upgrades the project from v1.35.x to v1.36.0. Removes graph.DeclareInputs / graph.DeclareOutputs and workflow.FilterState (subgraph boundaries are now pass-through). Workflow authors who need narrower contracts at a subgraph boundary bracket the subgraph with Before<NodeName> / After<NodeName> adapter tasks using the new flow.Delete / flow.Clear / flow.Keep / flow.Transform primitives (see .claude/rules/workflows.txt for the convention).
TRIGGER when user asks to create, scaffold, or initialize a new microservice. Creates the full directory structure including service.go, intermediate.go, client.go, mock.go, manifest.yaml, and test scaffolding.
Run after completing any change to a microservice. Vets compilation, updates manifest.yaml, documentation, version, and topology diagram. Skip if the skill you just followed already includes housekeeping as a final step.
Performs an architectural review of a microservice-based system built on the Microbus framework. Examines service boundaries, dependencies, coupling, API design, resilience, data ownership, observability, security, and operational concerns. Produces a structured report with findings and recommendations.
| name | review-microservice |
| user-invocable | true |
| description | Performs a thorough review of a single Microbus microservice. Checks for completeness, framework compliance, code quality, security, test coverage, documentation, API design, and data access performance. Produces a structured report with findings and recommendations. |
CRITICAL: Scope this review strictly to the microservice directory you are asked to review. Do NOT explore or analyze other microservices.
Naming convention used in this skill: service.go refers collectively to all hand-written .go implementation files in the microservice directory (excluding intermediate.go, mock.go, and test files). service_test.go refers collectively to all *_test.go files. In most microservices these are single files, but they may be split across multiple files in rare cases. Step 1 identifies the actual files; subsequent steps use these shorthand names.
Copy this checklist and track your progress:
Microservice review:
- [ ] Step 1: Read the microservice
- [ ] Step 2: MARKER completeness
- [ ] Step 3: Framework compliance
- [ ] Step 4: Test quality
- [ ] Step 5: Manifest consistency
- [ ] Step 6: Code quality
- [ ] Step 7: Security
- [ ] Step 8: Documentation
- [ ] Step 9: API design
- [ ] Step 10: Performance and data access
- [ ] Step 11: Run vet and tests
- [ ] Step 12: Produce the report
List the directory to identify all files. Read manifest.yaml, intermediate.go, mock.go, and all files in the *api/ directory. Read all hand-written .go implementation files (service.go and any others) and all *_test.go files.
Build a feature inventory by collecting all // MARKER: X comments from service.go. This inventory is the ground truth for what features are implemented.
For each // MARKER: X in the feature inventory from Step 1, check the expected files based on feature type:
intermediate.go (subscription wiring)mock.go (mock implementation) and service_test.go (at least one test case)OnChanged callbacks, inbound event sinks, outbound event triggers, tickers - mock.go entry is not expected; service_test.go coverage is desirable but optionalDetermine the feature type from context: OnChangedXxx functions are config callbacks; functions with no return value on a ticker interval are tickers; functions with a *workflow.Flow parameter are tasks or workflow graph builders; outbound events are identified by calls to NewMulticastTrigger.
Report any missing marker where it is expected.
Also check the reverse: are there MARKERs in intermediate.go or mock.go that have no corresponding handler in the feature inventory from Step 1? Flag these as stale wiring.
Grep the hand-written .go files (same set as Step 1) for violations of Microbus framework conventions:
http.Client, http.Get, http.Post, http.DefaultClient - outbound HTTP must go through the HTTP egress proxy (httpegressapi)go func or go followed by a function call must use svc.Go(ctx, func) insteadfmt.Errorf - must use errors.New insteadreturn err without errors.Trace(err) - all non-nil error returns must be traced (allow exceptions for nil checks and errors.Trace already applied in the same line)fmt.Print, log.Print, println - structured logging must use svc.LogDebug/Info/Warn/Errorcontext.Background() or context.TODO() - handlers must propagate the received context, not create a new root contexterrors.Newc, errors.Newf, errors.Newcf - deprecated constructors; use errors.New insteadhttpx.PathValues - deprecated; use r.PathValue("name") insteadOnStartup (connections, file handles, hooks) should have a corresponding release or unsubscribe in OnShutdown. Flag asymmetric lifecycle management.Review all *_test.go files in the microservice directory (commonly just service_test.go, but tests may be split across multiple files):
TestXxx_FeatureName) have at least one assert call? Flag empty test bodies or tests that call the endpoint but make no assertions.application.New() + RunInTest(t) harness?mock_test.go present and unmodified? It is generated by cmd/genmock from the ToDo interface and should not be edited by hand. Flag any service that lacks it or whose TestXxx_Mock lives in service_test.go instead.t.Parallel()? A missing t.Parallel() is acceptable if the same line is preceded by a comment of the form // No parallel: {reason} explaining why.MockXxx calls exercise the feature in a meaningful way, or do they return zero values unconditionally? Flag mocks that always return the same constant regardless of inputs, as these may mask bugs in the caller./* HINT: ... */ or // HINT: ... blocks in test files are intentional placeholders for future work. Do not flag their presence.Compare the manifest against the feature inventory from Step 1:
service.go (via MARKERs) also declared in manifest.yaml?manifest.yaml implemented in service.go?description fields non-empty and meaningful (not placeholder text)?downstream section match the actual *api imports used in the code?db: SQL set if the code imports database/sql or github.com/microbus-io/sequel?cloud set if the code makes outbound HTTP requests via the egress proxy?default and a validation range, verify the default falls within the declared range.metrics section, check that svc.IncrementXxx or svc.RecordXxx is called somewhere in the hand-written code. Flag metrics that are declared but never recorded.MyHandler → /my-handler) but deviations are acceptable when intentional (e.g. REST-style paths, versioned routes). Flag routes that appear inconsistent without obvious reason.:443 for standard endpoints, :444 for internal-only, :888 for management, :417 for events, :428 for tasks, but these are defaults not enforced rules. Flag deviations only when they appear unintentional or inconsistent with the endpoint's stated purpose.errors.New strings start with a lowercase letter and not end with punctuation?errors.New and errors.Trace accept an unpaired int argument as the HTTP status code. Errors caused by user input (validation failures, missing fields, unauthorized state) should attach a 4xx code (e.g. http.StatusBadRequest); errors caused by internal failures default to 500. Flag user-caused errors that return a generic 500.service.go and *api/ have godoc comments?sub.Description(...) string in intermediate.go, the description: field in manifest.yaml, the godoc on the handler in service.go, and the godoc on the corresponding client stub methods in *api/client.go should all describe the same behavior. Flag any that are meaningfully inconsistent (not just minor wording differences).httpRequestBody, httpResponseBody, and httpStatusCode used correctly in function signatures?*api/endpoints.go use omitzero (not omitempty)?jsonschema tags - do structs used in functional endpoint signatures have jsonschema:"description=..." tags on their fields?svc.Go calls, or OnStartup vs. request handlers) protected by a mutex or replaced with sync.Map? Flag unprotected shared maps.requiredClaims or relies on act.Of(ctx) for tenant scoping, it must establish its actor context explicitly. Flag tickers that call authorized endpoints without setting up an actor.svc.Go - callbacks passed to svc.Go that contain for { ... } loops or unbuffered channel reads must include a case <-ctx.Done(): arm or another ctx check, otherwise they leak across service shutdown. Flag long-lived svc.Go callbacks with no ctx-cancellation path.svc.Parallel opportunities - look for sequential blocks of two or more independent downstream calls (each result unused by the next call before all complete). Flag these as candidates for svc.Parallel to reduce latency.ctx.Err(). A cancelled request should not continue doing expensive work.svc.DistribCache is used, is it initialized in OnStartup with SetMaxAge and/or SetMaxMemory? Reasonable defaults exist, but explicit initialization avoids surprises under load.svc.DistribCache, the corresponding cache entry must be invalidated (Delete) or overwritten (Set). Flag mutating handlers that change the canonical store without updating the cache, since subsequent reads will return stale data until the entry expires.svc.DistribCache miss paths that perform expensive work (DB query, downstream call, heavy computation), prefer GetOrCompute/LoadOrCompute over the Get+miss+compute+Set pattern. The compute methods deduplicate concurrent callers in the same process via singleflight, bounding backend load to one call per key per process instead of one per request. Flag heavy miss paths that use the read-then-write pattern.requiredClaims - do endpoints on :443 or :444 that handle sensitive operations (mutations, private data, admin actions) specify requiredClaims? Flag endpoints that appear sensitive but lack authorization.iss=~"access.token.core" (or iss==) predicates inside requiredClaims as redundant. Issuer verification is enforced at the framework layer via JWKS pinning, so these predicates are no longer load-bearing and just add noise. Recommend removal.Key, Password, Token, Secret, APIKey) have secret: true in the manifest?WHERE and JOIN ON clause on tenant-scoped tables must include the tenant predicate. Bare queries without a tenant filter are cross-tenant data leaks. svc.DistribCache keys for tenant-scoped data must include the tenant ID in the key, otherwise cache hits cross tenants.LogInfo/LogWarn/LogError/LogDebug calls for arguments named or containing password, token, secret, apiKey, authorization, email, ssn. Flag direct logging of values from config properties marked secret: true in the manifest.CLAUDE.md - does the file contain meaningful content beyond the H1 hostname heading? Is the design rationale captured (the why, not just the what)?PROMPTS.md - if present, does it accurately describe how to reproduce the microservice in its current form?TODO, FIXME, HACK, XXX comments. Flag any that indicate unfinished work.Review the public interface of the microservice - its functions, web handlers, events, and configs - for design quality:
GetAndValidate, CreateOrUpdate without a clear reason).Get/Fetch/Load for the same semantic)?*api/endpoints.go and *api/client.go against the main branch. Flag removed or renamed exported types, fields, JSON tag names, endpoint definitions, and method signatures - all of these break downstream services that import the package. Skip this check if the project is not source-controlled or if the microservice was just created on this branch.This step applies primarily to SQL CRUD microservices. Skip checks that are not relevant if the service does not use a database.
svc.* client, or a call to a downstream *api client.resources/ or a migrations/ subdirectory). Extract all indexed columns (from PRIMARY KEY, UNIQUE, CREATE INDEX, and INDEX declarations). Then examine hardcoded SQL WHERE, JOIN ON, and ORDER BY clauses in the code and flag conditions on columns that have no index and are likely to cause full table scans.SELECT statements without a LIMIT clause that could return arbitrarily large result sets.DROP TABLE, DROP COLUMN, type-narrowing ALTER COLUMN) should be flagged for review even if intentional. New NOT NULL columns without a default break in-flight rollouts where old replicas still write rows that omit the column.Run the following and report any failures:
go vet ./main/...
go test -coverprofile=/tmp/coverage.out ./path/to/microservice/...
go tool cover -func=/tmp/coverage.out
Flag compilation errors, vet warnings, and test failures with their full output.
From the coverage output, read the coverage percentage reported for the main microservice package (e.g. github.com/.../myservice). Ignore the *api/ subpackage (generated client code) and the resources/ subpackage (embed-only). Flag as a Warning if the main package coverage is below 70%.
Compile findings into a structured report. For each category (Steps 2–11), list specific findings with file paths and line numbers where applicable, followed by actionable recommendations.
Use severity levels:
Omit categories with no findings but mention them as passing in the summary.
# Microservice Review: {hostname}
## Summary
Brief description of the microservice, what was reviewed, and overall assessment.
Note categories that passed without issues.
## MARKER Completeness
### Findings
- ...
### Recommendations
- [severity] ...
(repeat for each category that has findings)
## Conclusion
Prioritized action items.