一键导入
wb-review
WannaBuild review phase entrypoint for adaptive code, spec, and risk review with automatic remediation of actionable findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
WannaBuild review phase entrypoint for adaptive code, spec, and risk review with automatic remediation of actionable findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | wb-review |
| description | WannaBuild review phase entrypoint for adaptive code, spec, and risk review with automatic remediation of actionable findings. |
This prompt follows docs/contract-standard.md and inherits the four mandates in
skills/internal/build/references/doctrine.md; where this file is silent, the doctrine governs.
Shared contract: purpose, inputs, process, hard gates, evidence, output, handoff, forbidden actions.
Runtime gates fail closed and cannot be rationalized past. Specialist judgment is advisory; gates and acceptance criteria require execution evidence and override prose.
Use this phase skill when the user wants review or the active WannaBuild workflow is in Validate/Review. A wb-review or wannabuild:wb-review invocation starts or resumes the full WannaBuild loop unless the user explicitly says review only.
Before any review phase work:
git merge-base with the upstream branch, else the remote default branch resolved via git symbolic-ref refs/remotes/origin/HEAD (or git remote show origin). Only ask the user when both uncommitted changes and a base are genuinely undeterminable after running these commands..wannabuild/spec/requirements.md with an Acceptance Criteria section), route through mandatory discovery first. Review evaluates the change against discovered acceptance criteria, never against an invented intent.Find every correctness, regression, security, testing, architecture, and maintainability issue across the entire changed surface. Each dimension is reviewed on every iteration; none is declared clean without the evidence in the per-dimension completion table below.
Enumerate EVERY changed surface from the diff — files, functions, endpoints, migrations, configs, generated artifacts. Build a coverage table:
| Surface | Hats applied | Dynamic check run | Evidence (command + exit code) |
|---|
The review CANNOT pass and CANNOT hand off to QA until 100% of changed surfaces appear in this table with at least one hat applied and, for any surface whose correctness depends on runtime behavior, a dynamic check with real evidence. A surface examined "partially" is not covered. This mirrors assert-review-ready: a verdict that enumerated a sample is a FAIL.
Every dimension below is exercised on every iteration. A dimension is "clean" only with the listed evidence — never by assertion:
| Dimension | Clean requires |
|---|---|
| Correctness | Acceptance criteria mapped to code; impacted tests executed and passing |
| Regression | Existing test suite run; touched call sites traced |
| Security | Auth/secrets/input-handling paths inspected; no introduced exposure |
| Testing | Every changed surface has covering tests that actually ran (total > 0, failed == 0) |
| Architecture | Boundaries and dependencies of changed modules inspected |
| Maintainability | Changed code read in full; complexity and duplication checked |
If a finding's correctness, regression, security, or behavior cannot be judged from source, you MUST acquire the environment to judge it before reporting — never downgrade an unmet verification requirement to a soft note. "Tests not run", "missing env", "no access", and "can't test" are never a stopping point — they are an instruction to acquire or to ask, then proceed.
.wannabuild/outputs/acquisition-log.json (what was needed, which tools/connectors/CLIs were attempted, the result). assert-acquisition-attempted rejects any blocked status without a logged attempt.Apply the full required hat set to every changed surface on every iteration — no impacted-only subset, no fast-track for small diffs, no self-selecting out. Detect the surface types in the diff and apply the mapped hats; the mapping is fixed, so two runs over the same diff select the same hats.
| Surface type detected | Required hats |
|---|---|
| Backend / data-layer logic | correctness + security + data-integrity |
| API / contract change | contract + regression |
| UI change | behavior (run it in a browser) + accessibility |
| Auth / secrets / payments | security (mandatory) |
| Migration / schema change | data-integrity (run against an ephemeral DB branch) |
| Build / config / CI | regression + integration |
Across all detected surfaces, the union always includes correctness, security, testing, architecture, and maintainability. Add a sub-agent for a surface type when it carries distinct risk ownership (security on an auth surface, data-integrity on a migration); the trigger is the surface type's presence, not subjective judgment.
Classification is fixed so two runs label the same finding identically:
Auto-fix every critical and high finding — bugs, regressions, missing required tests, and clear contract violations — and re-verify each with execution evidence. Medium and low findings are reported; fix them when the change is non-destructive and within the established scope, otherwise present them as options (see Collaboration on Substantive Decisions).
When intended behavior is ambiguous, acceptance criteria conflict, a finding is suspicious-but-not-clearly-wrong, or a fix would change scope/design/product behavior — including subjective style notes, scope changes, destructive changes, and product decisions — surface the interpretations and present the options to the user, each with your recommended answer and its reasoning, before reviewing against an assumed intent or applying the change. Never act on these silently. Do not pause for mechanical choices (which base to diff, which file to open); decide those autonomously and keep moving.
Review PASSES only when ALL hold:
total > 0, failed == 0, errored == 0).At the Review → QA boundary, present what review produced, name QA as the next phase, and wait for an explicit approval word ("go", "proceed", "approved", "continue", "next", "lgtm", "do it"). A vague acknowledgment ("ok", "sure") does not cross the boundary. Only after approval, and only with the Pass Condition met, continue to QA — unless the user requested review only.
Return a review summary: the Coverage Manifest, issues found by severity, fixes applied with their re-verification evidence, checks rerun (commands + exit codes), and any BLOCKED verification with its acquisition-log reference. There is no "no issues found, gaps noted" outcome: an open test gap or residual risk is itself a finding that must be closed by running the test or escalated as a blocking finding before review can pass.
Use when starting any conversation that touches software work — establishes how to find and use WannaBuild skills, requiring skill invocation before ANY response including clarifying questions.
Automatic repo-native WannaBuild full-loop workflow for natural "I want to build/add/change..." prompts and any WannaBuild phase skill entrypoint.
WannaBuild implementation phase entrypoint for implementing a concrete plan or task with focused verification and adaptive delegation.
WannaBuild debugging implementation entrypoint for reproducing, diagnosing, fixing, and verifying bugs within the full loop.
WannaBuild discovery phase entrypoint that grills the user — one question at a time, each with a recommended answer — to clarify vision, audience, flows, constraints, scope, and success signals before continuing the full loop. Also triggers on "grill me" or "grill this idea".
WannaBuild planning phase entrypoint for turning a brief or concrete task into architecture direction, implementation slices, and verification expectations.