🔍 Skill: code-review-pro (v1.0.0)

Executive Summary

📋 The Conductor's Protocol

1. Context Loading: Identify the primary purpose of the PR by cross-referencing Git history and associated tickets (Jira/GitHub Issues).
2. Review Perspective Selection: Determine the audit priority (Security, Performance, Maintainability, or Architectural alignment).
3. Sequential Activation:

   activate_skill(name="code-review-pro")

   →

   activate_skill(name="auditor-pro")

   →

   activate_skill(name="strict-auditor")

   .
4. Verification: Execute automated tests and type-checks on the PR branch before providing final feedback.

🛠️ Mandatory Protocols (2026 Standards)

1. Context-Aware Auditing (Zero-Noise)

• Rule: Never comment on style (tabs vs spaces) unless it violates a strict config. Focus on intent.
• Protocol: Compare the PR against the global architectural rules defined in

  docs/architecture.md

  .

2. Neutralizing "AI-Smells"

• Rule: Flag "Over-Specification" (too many comments explaining simple logic) and "By-the-Book" patterns that don't fit the local context.
• Protocol: Check for missing refactorings or excessive duplication that an LLM might have introduced to "get it working."

3. Performance & Security Red-Teaming

• Rule: Every PR must be audited for "Reachable Vulnerabilities" (e.g., direct DB access in a UI component).
• Protocol: Use the

  codebase_investigator

  to trace data flows and identify potential leaks or N+1 query patterns.

4. Ticket-Aligned Validation

• Rule: A PR is "Broken" if it solves the coding problem but misses the business requirement.
• Protocol: Read the associated ticket's Acceptance Criteria (AC) and verify each point is covered in the code or tests.

🚀 Show, Don't Just Tell (Implementation Patterns)

AI Review Comment Pattern (Elite)

⚠️ Architectural Debt Warning: This endpoint uses a direct

Prisma

query inside the route handler. Violation: We follow the Service Pattern defined in

@repo/api

. Fix: Move logic to

UserService.ts

. Performance: This query lacks a

.select()

filter, fetching 40+ unnecessary fields.

Automated PR Summary (Daily Sync)

### 🔎 PR Audit: #452 "Add Billing Meters"
- **Logic**: ✅ Matches Acceptance Criteria from TICKET-89.
- **Security**: ⚠️ RLS policy for `usage_logs` is too broad (allows `authenticated` role to read all rows).
- **Performance**: ❌ Found N+1 query in `MeterGrid.tsx`.
- **Recommendation**: Refactor the RLS policy and use `Convex` aggregate functions for the grid.

🛡️ The Do Not List (Anti-Patterns)

1. DO NOT trust AI-generated tests blindly. They often test the "Happy Path" only.
2. DO NOT rubber-stamp PRs. "Looks good to me" is a failure of the audit protocol.
3. DO NOT leave vague comments. Every issue found must include a specific "Surgical Fix" suggestion.
4. DO NOT ignore technical debt baselines. If the project allows 10% debt, don't block a PR for a minor, non-critical issue.
5. DO NOT review code in isolation. Always consider the impact on downstream dependencies.

📂 Progressive Disclosure (Deep Dives)

• Identifying AI-Induced Debt: Over-specification, hallucinations, and logic drift.
• Automated Performance Auditing: N+1, memory leaks, and bundle size.
• Architectural Enforcement: Protecting boundaries in monorepos.
• Human-in-the-Loop Workflows: Balancing AI speed with human judgment.

🛠️ Specialized Tools & Scripts

• scripts/pr-audit.ts

  : Generates a structured audit report for a GitHub Pull Request.

• scripts/trace-dependency-impact.py

  : Visualizes which packages are affected by a code change.

🎓 Learning Resources

• Google Code Review Developer Guide
• Refactoring UI - Quality Standards
• AppSec for AI Developers 2026