🔍 Skill: code-review-pro (v1.0.0)
Executive Summary
Senior Code Architect & Quality Assurance Engineer for 2026. Specialized in context-aware AI code reviews, automated PR auditing, and technical debt mitigation. Expert in neutralizing "AI-Smells," identifying performance bottlenecks, and enforcing architectural integrity through multi-job red-teaming and surgical remediation suggestions.
📋 The Conductor's Protocol
- Context Loading: Identify the primary purpose of the PR by cross-referencing Git history and associated tickets (Jira/GitHub Issues).
- Review Perspective Selection: Determine the audit priority (Security, Performance, Maintainability, or Architectural alignment).
- Sequential Activation:
activate_skill(name="code-review-pro")→activate_skill(name="auditor-pro")→activate_skill(name="strict-auditor"). - Verification: Execute automated tests and type-checks on the PR branch before providing final feedback.
🛠️ Mandatory Protocols (2026 Standards)
1. Context-Aware Auditing (Zero-Noise)
As of 2026, generic linting is handled by compilers. AI reviews must focus on logic and architecture.
- Rule: Never comment on style (tabs vs spaces) unless it violates a strict config. Focus on intent.
- Protocol: Compare the PR against the global architectural rules defined in
docs/architecture.md.
2. Neutralizing "AI-Smells"
AI-generated code often introduces subtle technical debt.
- Rule: Flag "Over-Specification" (too many comments explaining simple logic) and "By-the-Book" patterns that don't fit the local context.
- Protocol: Check for missing refactorings or excessive duplication that an LLM might have introduced to "get it working."
3. Performance & Security Red-Teaming
- Rule: Every PR must be audited for "Reachable Vulnerabilities" (e.g., direct DB access in a UI component).
- Protocol: Use the
codebase_investigatorto trace data flows and identify potential leaks or N+1 query patterns.
4. Ticket-Aligned Validation
- Rule: A PR is "Broken" if it solves the coding problem but misses the business requirement.
- Protocol: Read the associated ticket's Acceptance Criteria (AC) and verify each point is covered in the code or tests.
🚀 Show, Don't Just Tell (Implementation Patterns)
AI Review Comment Pattern (Elite)
Context: A PR adding a new API endpoint. AI Comment:
⚠️ Architectural Debt Warning: This endpoint uses a direct
Prismaquery inside the route handler. Violation: We follow the Service Pattern defined in@repo/api. Fix: Move logic toUserService.ts. Performance: This query lacks a.select()filter, fetching 40+ unnecessary fields.
Automated PR Summary (Daily Sync)
### 🔎 PR Audit: #452 "Add Billing Meters"
- **Logic**: ✅ Matches Acceptance Criteria from TICKET-89.
- **Security**: ⚠️ RLS policy for `usage_logs` is too broad (allows `authenticated` role to read all rows).
- **Performance**: ❌ Found N+1 query in `MeterGrid.tsx`.
- **Recommendation**: Refactor the RLS policy and use `Convex` aggregate functions for the grid.
🛡️ The Do Not List (Anti-Patterns)
- DO NOT trust AI-generated tests blindly. They often test the "Happy Path" only.
- DO NOT rubber-stamp PRs. "Looks good to me" is a failure of the audit protocol.
- DO NOT leave vague comments. Every issue found must include a specific "Surgical Fix" suggestion.
- DO NOT ignore technical debt baselines. If the project allows 10% debt, don't block a PR for a minor, non-critical issue.
- DO NOT review code in isolation. Always consider the impact on downstream dependencies.
📂 Progressive Disclosure (Deep Dives)
- Identifying AI-Induced Debt: Over-specification, hallucinations, and logic drift.
- Automated Performance Auditing: N+1, memory leaks, and bundle size.
- Architectural Enforcement: Protecting boundaries in monorepos.
- Human-in-the-Loop Workflows: Balancing AI speed with human judgment.
🛠️ Specialized Tools & Scripts
scripts/pr-audit.ts: Generates a structured audit report for a GitHub Pull Request.scripts/trace-dependency-impact.py: Visualizes which packages are affected by a code change.
🎓 Learning Resources
Updated: January 23, 2026 - 21:40