一键在 Manus 中运行任何 Skill

code-review

星标1

分支0

更新时间2026年6月23日 22:43

Synthex code quality enforcer. NEVER flag Synthex conventions as bugs (Australian English, Supabase-only auth, SWR with credentials:'include', selective error boundaries). NEVER suggest Redux, Zustand, tRPC, or any pattern absent from this codebase. ALWAYS enforce: useRouter from next/navigation, no window.location.href, SWR for client data fetching, { error: string } response shape. Activate on ANY request to review code, audit a PR, check a component, or validate an implementation.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

CleanExpo

CleanExpo/Synthex

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

文件资源管理器

2 个文件

SKILL.md

readonly

同仓库更多 Skills

同仓库

north-star

CleanExpo/Synthex

The engineering navigation layer for Synthex — holds the mission, the current course, the rules of the ship, and routes work to the right existing specialist. Load at the START of any planning, prioritisation, "what's next", roadmap, scope, or new-feature decision. NEVER let work drift off the critical path or add capabilities the ship already carries (see dependency-discipline). NEVER claim done without the verification gate. NEVER merge to production or change prod data without a human gate. ALWAYS trace a task to the NorthStar, the live Linear epic, and an existing system before writing code.

2026-06-241

playwright-cli

CleanExpo/Synthex

Authenticated browser automation for Synthex — drive real Chrome to log in, screenshot, and audit dashboard/integration surfaces. Use for live visual verification, "audit the dashboard", "check what's connected", or closing the verification gate on /dashboard/* routes. Two backends: the Playwright MCP server (interactive, in-session tools) and the committed CLI scripts (scripts/browser/*.mjs, reliable + headless). RUNS WHERE THE BROWSER + NETWORK + AUTH EXIST — i.e. a local machine, not a network-restricted sandbox.

2026-06-241

api-testing

CleanExpo/Synthex

Synthex API testing enforcer. NEVER mock the database in integration tests — use real Supabase. NEVER skip the 401 (unauthenticated) or 403 (wrong org) test cases. NEVER use pnpm. ALWAYS structure tests as: 401 → 403 → 400 → 200/201 happy path. Activate on ANY request to write API tests, validate endpoints, add test coverage, or check test quality.

2026-06-231

database-prisma

CleanExpo/Synthex

Synthex database operations enforcer. NEVER use prisma db push for schema changes — use migrate diff + db execute. NEVER add non-nullable columns without defaults. NEVER write Prisma queries without organizationId scope. ALWAYS use backward-compatible migrations and validate with prisma validate first. Activate on ANY request to change schema, write a query, create a migration, add a model, or modify database operations.

2026-06-231

design

CleanExpo/Synthex

Synthex design system enforcer. NEVER use Inter as a heading font, purple (#8B5CF6) gradients on white, or generic glassmorphism without Synthex tokens. ALWAYS use Space Grotesk headings, #f97316 brand orange, #0f172a slate background, and the Synthex glass token set. Activate on ANY request involving UI, components, styling, layout, visual design, colour, typography, spacing, shadows, animations, or anything a user will see on screen.

2026-06-231

security-hardener

CleanExpo/Synthex

Synthex security posture enforcer. NEVER apply generic OWASP checklists without grounding in Synthex's specific threat model. NEVER suggest any auth system other than Supabase. ALWAYS audit: SSRF via validateExternalUrl, JWT tier elevation via resolveVerifiedTier, CORS via CORS_ORIGIN exact-match, org-scope bypass in Prisma. Activate on ANY request to harden security, audit vulnerabilities, review auth patterns, check for injection risks, or assess an attack surface.

2026-06-231

name	code-review
description	Synthex code quality enforcer. NEVER flag Synthex conventions as bugs (Australian English, Supabase-only auth, SWR with credentials:'include', selective error boundaries). NEVER suggest Redux, Zustand, tRPC, or any pattern absent from this codebase. ALWAYS enforce: useRouter from next/navigation, no window.location.href, SWR for client data fetching, { error: string } response shape. Activate on ANY request to review code, audit a PR, check a component, or validate an implementation.
metadata	{"author":"synthex","version":"2.0","engine":"synthex-ai-agency","type":"capability-uplift-code","triggers":["code review","pr review","quality check","security scan","standards check","review code","code audit","pr review","check implementation","validate code"]}
context	fork

Code Review Agent

Purpose

Enforces SYNTHEX coding standards, catches regressions, and validates adherence to architectural patterns, security requirements, and CLAUDE.md guidelines. Performs TypeScript strict mode checks, security reviews, performance analysis, and standards enforcement.

When to Use

Activate this skill when:

Reviewing pull requests or code changes
Analyzing code quality across files or directories
Checking for security vulnerabilities in code
Validating against CLAUDE.md standards
Auditing component architecture patterns

When NOT to Use This Skill

When reviewing visual design or UI aesthetics (use design)
When validating database schema or migration safety (use database-prisma)
When testing API endpoint behavior (use api-testing)
When auditing UX flows or accessibility (use ui-ux)
When reviewing non-code assets (images, configs, docs)
Instead use: design for visual reviews, database-prisma for schema work

Tech Stack

Framework: Next.js 14+ App Router
Language: TypeScript (strict mode)
Styling: Tailwind CSS + Glassmorphic UI
State: React hooks, SWR for data fetching
Testing: Jest, React Testing Library

Instructions

Identify review scope — Determine files, directories, or PR to review
Run static analysis — Execute pnpm turbo run type-check lint
Check TypeScript compliance — Verify strict mode, no any types, proper generics
Validate component patterns — Confirm Server/Client component separation
Scan for security issues — Check for hardcoded secrets, exposed env vars, XSS vectors
Validate environment variables — Confirm env-validator usage, no client-side secrets
Analyse performance — Identify unnecessary re-renders, missing lazy loading, large bundles
Check error handling — Verify try-catch on async ops, error boundaries present
Enforce naming conventions — PascalCase components, camelCase hooks, kebab-case utils
Generate review report — Output findings grouped by severity (critical/warning/info)

Input Specification

Parameter	Type	Required	Description
target	string	yes	File path, directory, or PR number
scope	string	no	`security`, `performance`, `standards`, `full` (default: `full`)

Output Specification

Field	Type	Description
file	string	File path reviewed
severity	critical/warning/info	Issue severity
category	string	security/performance/standards/pattern
description	string	Issue description
suggestion	string	Recommended fix
line	number	Line number (if applicable)

Error Handling

Error	Action
Binary file encountered	Skip with info message
File too large (>5000 lines)	Warn and review in chunks
Corrupted/unreadable file	Log error, skip file
Lint/typecheck crash	Report tool failure, continue manual review
PR not found	Report clear error with correct PR format

Review Checklist

TypeScript strict mode compliance
Proper error boundaries
Security validation on API routes
Environment variables not exposed
No hardcoded secrets
Consistent component patterns
Adequate test coverage
Performance considerations
Australian English in user-facing strings

Key Files

CLAUDE.md — Project configuration and standards
.claude/rules/ — Development workflow rules
tsconfig.json — TypeScript configuration
eslint.config.js — Linting rules (flat config)

Commands

npm run lint              # Run linting (eslint . --max-warnings 0)
npm run type-check        # Type checking (tsc --noEmit)
npm run type-check && npm run lint && npm test  # Run all checks

Integration Points

Works with api-testing for endpoint coverage
Coordinates with database-prisma for query optimisation
Reports to ui-ux for component standards

Capability Uplift — Override Defaults

NEVER apply generic clean code principles that contradict Synthex conventions. Australian English spellings are correct. Supabase-only auth is correct. SWR with credentials: 'include' is correct. Don't flag these as issues.

INSTEAD reviews enforce Synthex-specific patterns:

useRouter from next/navigation (never next/router, never window.location.href)
SWR for all client-side data fetching with credentials: 'include' fetcher
{ error: string, details?: unknown } for all 4xx responses
{ organizationId } filter on every Prisma query
Zod safeParse (not parse) on all mutation inputs
getUserIdFromRequestOrCookies (not any other auth helper)

Blockers: security issues (missing auth/org-scope), runtime errors. Warnings: code quality (any types, silent catches, missing error shape). Suggestions: improvements that don't change behaviour.

REFERENCE .claude/skills/synthex-standards/references/code-standards.md

Review Board Output

When invoked as part of the Synthex Review Board pipeline, produce output matching the schema in .claude/skills/review-board/_shared/output-schema.md.

Map this skill's findings to the shared format:

specialist: Use this skill's name from frontmatter
severity: Map findings to CRITICAL/HIGH/MEDIUM/LOW per .claude/skills/review-board/_shared/severity-levels.md
confidence: Assign 0-100 based on certainty. Only findings >= 80 are shown to the developer.
verdict: BLOCK if any CRITICAL finding exists, otherwise PASS
Include file, line, issue, fix, and optional reference for each finding
If no findings, return empty findings array with verdict PASS

Foundation & Gate Wiring (SYN-1049)

Adopted from the senior-skill standard so every artefact this connector produces is checked against the locked foundation before it lands.

Reads at every invocation (never cached — re-read each run):

.claude/memory/ceo-foundation.md — verification discipline, evidence standard.
.claude/memory/verification-gates.md — gate state for any claim referenced.

Output gate: every output passes the verification gate (.claude/rules/verification-gate.md) before being reported complete — run the real command/check and report actual results, never "should work".

Evidence standard: every quantitative or factual claim carries exactly one tag — [VERIFIED] / [INFERENCE] / [UNCONFIRMED]. Untagged = defect (.claude/rules/fabel-evidence-standard.md). Never state a projected result as fact.

Spec: see spec.md in this skill directory.