菜单
Applies NASA Power of 10 rules for safety-critical verifiable code. Use when auditing financial, medical, or high-reliability system code.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Detects AI-generated writing patterns in prose. Use when reviewing docs for slop, vague language, or identity leaks before publishing.
Audits Rust code for unsafe blocks, ownership issues, and Cargo dependency risks. Use when reviewing Rust code or before merging Rust changes.
Recommends context compression strategies for bloated or quota-heavy sessions. Use when context feels sluggish or quota burns faster than expected.
Guide minimal code via a decision ladder with full safety, edge, and negative-case coverage. Use when adding code, choosing a dependency, or auditing a diff.
Optimizes context window via MECW principles and memory tiering. Use when context exceeds 30% or before long multi-step tasks.
Generates or remediates documentation with human-quality writing. Use when creating new docs, rewriting AI-generated content, or applying style profiles.
| name | safety-critical-patterns |
| description | Applies NASA Power of 10 rules for safety-critical verifiable code. Use when auditing financial, medical, or high-reliability system code. |
| alwaysApply | false |
| category | code-quality |
| tags | ["safety","defensive-coding","assertions","NASA","robustness","verification"] |
| tools | [] |
| complexity | intermediate |
| model_hint | standard |
| estimated_tokens | 600 |
| dependencies | ["pensive:shared","pensive:code-refinement","imbue:review-core","imbue:structured-output"] |
Guidelines adapted from NASA's Power of 10 rules for safety-critical software.
Full rigor: Safety-critical systems, financial transactions, data integrity code Selective application: Business logic, API handlers, core algorithms Light touch: Scripts, prototypes, non-critical utilities
"Match rigor to consequence" - The real engineering principle
Avoid goto, setjmp/longjmp, and limit recursion.
Why: Ensures acyclic call graphs that tools can verify. Adaptation: Recursion acceptable with provable termination (tail recursion, bounded depth).
All loops should have verifiable upper bounds.
# Good - bound is clear
for i in range(min(len(items), MAX_ITEMS)):
process(item)
# Risky - unbounded
while not_done: # When does this end?
process_next()
Adaptation: Document expected bounds; add safety limits on potentially unbounded loops.
Avoid heap allocation in critical paths after startup.
Why: Prevents allocation failures at runtime. Adaptation: Pre-allocate pools; use object reuse patterns in hot paths.
Functions should fit on one screen/page.
Why: Cognitive limits on comprehension remain valid. Adaptation: Flexible for declarative code; strict for complex logic.
Include defensive assertions documenting expectations.
def transfer_funds(from_acct, to_acct, amount):
assert from_acct != to_acct, "Cannot transfer to same account"
assert amount > 0, "Transfer amount must be positive"
assert from_acct.balance >= amount, "Insufficient funds"
# ... implementation
Adaptation: Focus on boundary conditions and invariants, not arbitrary quotas.
Declare variables at narrowest possible scope.
# Good - scoped tightly
for item in items:
total = calculate(item) # Only exists in loop
results.append(total)
# Avoid - unnecessarily broad
total = 0 # Why is this outside?
for item in items:
total = calculate(item)
results.append(total)
Validate inputs; never ignore return values.
# Good
result = parse_config(path)
if result is None:
raise ConfigError(f"Failed to parse {path}")
# Bad
parse_config(path) # Ignored return
Restrict macros, decorators, and code generation.
Why: Makes static analysis possible. Adaptation: Document metaprogramming thoroughly; prefer explicit over magic.
Limit indirection levels; be explicit about ownership.
Adaptation: Use type hints, avoid deep nesting of optionals, prefer immutable data.
Compile/lint with strictest settings from day one.
# Python
ruff check --select=ALL
mypy --strict
# TypeScript
tsc --strict --noImplicitAny
| Rule | When to Relax |
|---|---|
| No recursion | Tree traversal, parser combinators with bounded depth |
| No dynamic memory | GC languages, short-lived processes |
| 60-line functions | Declarative configs, state machines |
| No function pointers | Callbacks, event handlers, strategies |
Reference this skill from:
pensive:code-refinement - Clean code and quality dimensionsanctum:pr-review - Code quality phase/harden - composed in the hardening pipeline/full-review safety-critical - focused entry point, and an
auto-detection row when assertion density is low, loops are
unbounded, or recursion lacks a termination proofFor each rule violation, report:
Rule N: <rule name>
Location: file.py:42
Anchor: `<verbatim source text at line 42>`
Issue: <what violates the rule>
Fix: <concrete remediation>
safety-critical:findings-verified)Every finding must cite a real location and a verbatim anchor. Write
findings to .review/findings.json and confirm each citation resolves:
python plugins/imbue/scripts/citation_verifier.py \
--findings .review/findings.json --repo-root .
Drop or label UNVERIFIED any finding the verifier fails (exit 1); only
verified findings enter the report. See Skill(imbue:review-core) Step 5
and Skill(imbue:structured-output) for the schema.
file:line and the
rule number it breaksLocation + verbatim Anchor
confirmed by citation_verifier.py (exit 0), or unverified
violations were dropped or labeled UNVERIFIED.