菜单
Review Rust interfaces for ease of correct use and resistance to misuse, applying "make interfaces easy to use correctly and hard to use incorrectly"
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Write-then-verify documentation pipeline. Use when a user asks to improve comments or docs, explain algorithms or design choices, write or upgrade docstrings, or raise documentation quality for a codebase (especially Rust crates). Writes docs, then automatically verifies every claim against code reality using a fresh agent to eliminate confirmation bias.
Use when you have code review findings, PR comments, or review reports that need to be systematically addressed — especially when there are multiple findings across different files and severities
Use when creating any beads task — auto-researches the codebase, links related tasks, and produces a rich self-contained description from a structured template. Accepts minimal intent and outputs a complete task ready for agent implementation.
Use when you have code review findings, PR comments, or review reports that need to be systematically addressed — especially when there are multiple findings across different files and severities
Use when a task needs an implementation plan that is iteratively created and stress-tested through review-and-revise cycles before implementation begins — catches blind spots, incorrect codebase assumptions, unnecessary complexity, and performance pitfalls while changes are still cheap
Use when a markdown plan file exists and needs validation before implementation — catches design flaws, logic holes, footguns, unnecessary complexity, and performance concerns while changes are still cheap
| name | interface-design-review |
| description | Review Rust interfaces for ease of correct use and resistance to misuse, applying "make interfaces easy to use correctly and hard to use incorrectly" |
Review public APIs, traits, structs, and module boundaries against the guiding principle: "Make interfaces easy to use correctly and hard to use incorrectly."
The correct path should be the path of least resistance. Incorrect usage should be caught at compile time when possible, at construction time when not, and at runtime only as a last resort.
pub fn, pub struct, pub trait)Prefer enforcement higher in this list. Each level down is weaker:
| Level | Mechanism | Example | Strength |
|---|---|---|---|
| 1. Unrepresentable | Type system makes the wrong state impossible | Newtype, typestate, NonZeroU32 | Strongest |
| 2. Unconstructable | Invalid values can't be built | Private fields + validated new() | Strong |
| 3. Compile error | Misuse fails to compile | Ownership, lifetimes, trait bounds | Strong |
| 4. Visible at call site | Misuse is obvious when reading code | Enums over bools, named types over primitives | Moderate |
| 5. Runtime rejection | Validated at runtime with clear error | TryFrom, Result-returning methods | Weak |
| 6. Documentation | "Don't do this" in a doc comment | /// # Panics | Weakest |
u32/u64/usize values
that carry distinct meaning (file IDs, rule IDs, buffer indices) wrapped in
newtypes to prevent silent mixing?bool parameters? Replace
with a two-variant enum that documents intent at the call site.
// BAD: what does `true` mean here?
scan(data, true, false)
// GOOD: intent is self-documenting
scan(data, Encoding::Utf8, CaseSensitivity::Insensitive)
NonZero* for values that must not be zero — Capacity, counts, sizes.#[non_exhaustive] on enums that may grow to force _ => arms.// BAD: validated but raw — nothing stops later code from skipping validation
fn process(rule_yaml: &str) { validate(rule_yaml)?; /* use rule_yaml */ }
// GOOD: parsing produces a type that is valid by construction
fn process(rule_yaml: &str) -> Result<Rule> { Rule::parse(rule_yaml) }
TryFrom / TryInto — For conversions that can fail, is the
fallible path the only path?pub on fields with invariants — If start <= end must hold,
neither field should be pub.// Compile error if you forget `source`:
ScanConfig::builder()
.source(path) // required — returns SourceSet state
.max_depth(10) // optional
.build() // only available after required fields set
&str not &String,
impl AsRef<Path> not &PathBuf, impl Into<X> for ergonomic construction.Box<dyn Error> when a
concrete error enum would let callers handle cases. Don't return Vec<u8>
when a Digest newtype carries meaning.Default trait — If most callers want the same
config, implement Default so the common case is one line.self methods that return Self
guide callers through a fluent API.String/&str when an enum or newtype would be type-safe?copy(src, dst) or
range(start, end) match what a caller would guess?get_ vs fetch_ vs load_)?#[must_use] on results — Can the caller silently ignore a return
value that indicates failure or carries important data?
#[must_use = "dropping the guard releases the lock immediately"]
pub fn acquire(&self) -> LockGuard<'_> { ... }
fn set_flag(&mut self, flag: u32),
use fn enable_unicode(&mut self).&T for
reads and require owned T or &mut T for writes?Cell, RefCell,
Mutex) is necessary, is it encapsulated rather than leaked through the API?Result rather than
unwrap/expect. Reserve panics for genuine invariant violations in internal
code.| Anti-Pattern | Why It's Bad | Fix |
|---|---|---|
fn foo(verbose: bool, recursive: bool) | Callers write foo(true, false) — meaning is invisible | Use enums: Verbosity::Quiet, Traversal::Flat |
pub struct Range { pub start: u32, pub end: u32 } | Nothing enforces start <= end | Private fields + Range::new(start, end) -> Result<Range> |
fn process(id: u64, parent_id: u64) | Easy to swap arguments silently | fn process(id: RuleId, parent: ParentId) |
fn configure(opts: HashMap<String, String>) | Unbounded input, typos compile fine | Typed config struct or builder |
fn init() -> *mut State | Caller must remember to free, can use-after-free | Return Box<State> or Arc<State> |
Returning i32 error codes | Caller can ignore, misinterpret, or mix with valid values | Return Result<T, E> with typed error |
fn send(data: &[u8], compress: bool, encrypt: bool, sign: bool) | 3 bools = 8 combinations, many invalid | Options struct or builder with valid combinations |
| Silent default on invalid input | Caller doesn't know their input was wrong | Return Err or use a type that can't be invalid |
This codebase already uses several "easy to use correctly" patterns. New code should follow them:
NONE_U32 = u32::MAX — centralizes the
sentinel so callers don't invent their own.<const G: usize>
prevents runtime branching on a configuration value.#[cfg(feature = "sim-harness")] ensures test
infrastructure can't accidentally leak into production builds.debug_assert! for internal invariants: Zero-cost in release, catches
contract violations during development.When reviewing, check that new APIs are consistent with these existing patterns.
## Interface Design Review: [module/type/function]
### Enforcement Level Assessment
| Aspect | Current Level | Target Level | Gap |
|--------|--------------|--------------|-----|
| ID parameters | 6 (docs say "pass rule ID") | 1 (newtype `RuleId`) | 5 levels |
| Construction validity | 5 (runtime check in `new()`) | 2 (`new()` → private fields) | 3 levels |
| Flag parameters | 6 (doc: "`true` = verbose") | 4 (enum `Verbosity`) | 2 levels |
### Findings
| Priority | Issue | Location | Enforcement Gap |
|----------|-------|----------|-----------------|
| HIGH | Raw `u64` used for rule ID and parent ID — easy to swap | `fn register(id: u64, parent: u64)` | Unrepresentable → Newtype |
| MEDIUM | `bool` parameter for mode selection | `fn scan(data: &[u8], lenient: bool)` | Visible → Enum |
| LOW | Missing `#[must_use]` on `Result`-returning fn | `fn validate()` | Already level 5, add attribute |
### Recommendations
1. **[Issue]**: [Fix with code showing before/after]
```rust
// Before: callers can silently swap IDs
pub fn register(id: u64, parent: u64) { ... }
// After: compiler rejects swapped arguments
pub fn register(id: RuleId, parent: ParentId) { ... }
## Related Skills
- `security-reviewer` - Complements this: security reviews focus on memory
safety; interface reviews focus on API misuse prevention
- `test-strategy` - Property-based tests are powerful for validating that an
interface's invariants hold across all inputs
- `doc-rigor` - If an interface passes this review, its docs should describe
*why* the design prevents misuse, not just *how* to use it