// Execute a structured code review protocol that inspects code quality against the full rule set. Use when auditing code written by yourself or another agent, during code audit workflows, or when the user asks for a code review. Produces a findings document with severity tags.
Structured research protocol for investigating technologies, patterns, and APIs before implementation. Use when exploring unfamiliar technologies, evaluating library options, or documenting technical findings. Covers multi-tool search strategy, research log conventions, and training data fallback honesty protocol.
Apply WCAG accessibility standards when building UI components, forms, interactive elements, or any user-facing interface. Covers semantic HTML, ARIA attributes, keyboard navigation, color contrast, and screen reader support.
Document significant architectural decisions using the ADR (Architecture Decision Record) format. Use during research phases when choosing between approaches, when introducing new dependencies or patterns, or when the user asks to document a technical decision.
Apply REST/HTTP API design conventions when implementing endpoints, handlers, middleware, request validation, or response formatting. Covers resource naming, status codes, error formats, versioning, and pagination.
Apply Kubernetes deployment and GitOps patterns when configuring container orchestration, deployment strategies (rolling, blue-green, canary), ArgoCD/Flux manifests, or Kubernetes secrets management. Supplement to ci-cd-principles.
Apply CI/CD pipeline design patterns when configuring build pipelines, deployment processes, release strategies, Dockerfiles, or GitHub Actions workflows. Covers pipeline stages, artifact management, environment promotion, and rollback strategies.
| name | code-review |
| description | Execute a structured code review protocol that inspects code quality against the full rule set. Use when auditing code written by yourself or another agent, during code audit workflows, or when the user asks for a code review. Produces a findings document with severity tags. |
Systematically review code against the full rule set. Catches issues that linters miss: architectural violations, missing observability, business logic errors, pattern inconsistencies.
Identify the files/features to review. Determine the review scope:
Read all applicable rules from .claude/rules/. Use rule-priority.md for severity classification.
Review each file/feature against these categories, in order from rule-priority.md:
Output a structured findings document:
# Code Review: {Feature/Module Name}
Date: {date}
Reviewer: AI Agent (fresh context)
## Summary
- **Files reviewed:** N
- **Issues found:** N (X critical, Y major, Z minor, W nit)
## Critical Issues
- [ ] **[SEC]** {description} — [{file}:{line}](file:///path)
- [ ] **[DATA]** {description} — [{file}:{line}](file:///path)
## Major Issues
- [ ] **[TEST]** {description} — [{file}:{line}](file:///path)
- [ ] **[OBS]** {description} — [{file}:{line}](file:///path)
## Minor Issues
- [ ] **[PAT]** {description} — [{file}:{line}](file:///path)
## Nit
- [ ] {description} — [{file}:{line}](file:///path)
## Rules Applied
List of rules referenced during this review.
When invoked via an audit workflow, you MUST persist the findings to the repo:
Path: docs/audits/review-findings-{feature}-{YYYY-MM-DD}-{HHmm}.md
docs/audits/ if it doesn't existWhen invoked as a standalone review (not via audit), saving to docs/audits/ is recommended but optional.
| Tag | Category | Rule Source |
|---|---|---|
[SEC] | Security | security-principles.md |
[DATA] | Data integrity | error-handling-principles.md |
[RES] | Resource leak | resources-and-memory-management skill |
[TEST] | Testability | architectural-pattern.md, testing-strategy.md |
[OBS] | Observability | logging-and-observability-mandate.md |
[ERR] | Error handling | error-handling-principles.md |
[ARCH] | Architecture | architectural-pattern.md, project-structure.md |
[PAT] | Pattern consistency | code-organization-principles.md |
[INT] | Integration contract | api-design-principles skill |
[DB] | Database design | database-design-principles skill |
[CFG] | Configuration | configuration-management-principles skill |
Load the anti-pattern checklist for the language(s) under review:
| Language | Anti-Patterns |
|---|---|
| Go | languages/go.md |
| TypeScript | languages/typescript.md (placeholder — create when needed) |
| Flutter/Dart | languages/flutter.md (placeholder — create when needed) |
| Rust | languages/rust.md (placeholder — create when needed) |
Anti-patterns listed in language files are auto-fail — they require no judgment call. If the pattern exists in the code, it is a finding.
For full audits, apply the cross-boundary dimension checklist below. For standalone reviews, apply only the dimensions that are relevant to the project.
At the start of cross-boundary checks, you MUST state which dimensions are active:
"Activating dimensions: A, B, C, D, E. Skipping F (no mobile app)."
| Dimension | Activate When |
|---|---|
| A. Integration Contracts | Project has both a frontend and a backend |
| B. Database & Schema | Project uses a relational/document database |
| C. Configuration & Environment | Always — universal |
| D. Dependency Health | Always — universal |
| E. Test Coverage Gaps | Always — universal |
| F. Mobile ↔ Backend | Project has a mobile app and a backend |
Applies to: full-stack projects with frontend + backend
fetch/axios)Applies to: projects using a relational or document database
id, created_at, updated_at)Always active
.env.template exists and covers every env var referenced in the codebaseAlways active
go.mod / package.json / Cargo.tomlnpm audit / go list -m -json all | nancy / cargo audit — flag high-severity CVEsAlways active
Applies to: projects with a mobile app and a backend
If this review produces fewer than 3 findings, you MUST produce a "Dimensions Covered" attestation section in the findings document:
## Dimensions Covered
| Dimension | Status | Files / Queries Examined |
|---|---|---|
| A. Integration Contracts | ✅ Checked / ⏭ Skipped (reason) | e.g., all 26 routes vs 11 adapters |
| B. Database & Schema | ✅ Checked / ⏭ Skipped (reason) | e.g., 8 tables + 4 storage adapters |
| C. Configuration & Environment | ✅ Checked | e.g., scanned for secrets, verified .env.template |
| D. Dependency Health | ✅ Checked | e.g., ran npm audit, checked for unused deps |
| E. Test Coverage Gaps | ✅ Checked | e.g., verified handler tests for all endpoints |
| F. Mobile ↔ Backend | ⏭ Skipped | No mobile app in this project |
Only then may you declare a clean result.
This skill enforces all rules in .claude/rules/. Key references: