review-all

Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.

5 stars

Best use case

review-all is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.

Teams using review-all should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/review-all/SKILL.md --create-dirs "https://raw.githubusercontent.com/forbee-dev/ForgeBee/main/forgebee/skills/review-all/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/review-all/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How review-all Compares

Feature / Agentreview-allStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

SKILL.md Source

# Full Review — Pre-Push Quality Gate

## Objective

Find bugs, security holes, performance issues, and quality problems in changed code. Every issue has a file:line reference and a recommended fix. Runs inline — leverages session context (what you've been editing, why, what trade-offs were discussed).

**Success looks like:** A clear READY/NEEDS FIXES/BLOCKED verdict with actionable items.

> Findings (own and delegated) use the shared format: `forgebee/skills/_review-finding-contract.md`. As the aggregator, sum the per-skill footer counts into one combined footer so `/audit-self` can parse the whole pass.

## Karpathy Principle (P2 — Senior Engineer Test)

Before issuing a `READY` verdict, ask explicitly: **would a senior engineer call this overcomplicated?** If yes, the verdict is `NEEDS FIXES` — list the simplification as a `High` issue. Do not pass overcomplicated code on the grounds that it "works."

## Never

- Never flag issues in unchanged code — only review the diff
- Never skip a review section because the change "looks small"
- Never give READY verdict if any Critical issue is open
- Never nitpick stylistic preferences — focus on substance

## Calibration

Only flag issues that actually matter. Use this severity guide:

| Severity | Blocks push? | Examples |
|----------|-------------|----------|
| **Critical** | YES — must fix | SQL injection, secret exposure, data loss, broken auth |
| **High** | YES — must fix | Missing error handling on external calls, N+1 queries, XSS |
| **Medium** | No — recommend fix | DRY violations, missing edge cases, unclear naming |
| **Low** | No — informational | Missing docblocks, minor style issues, optional optimizations |

Only Critical and High block the push. Medium and Low are recommendations — mention them briefly, don't belabor them. If the diff is clean on Critical/High, say READY even if there are Medium/Low items.

**Anti-patterns to avoid:**
- Flagging pre-existing issues in unchanged code
- Suggesting refactors unrelated to the change
- Reporting style issues as High severity
- Reviewing more than 3 iterations on the same diff

## Engineering Preferences

- DRY is important — flag repetition aggressively (but as Medium, not Critical)
- Code should be "engineered enough" — not fragile, not over-abstracted
- Handle edge cases — err on the side of more, not fewer
- Explicit over clever — readability wins

## Before Starting

1. Check session context — what files have been discussed? What was the goal?
2. Run `git diff HEAD` to see all uncommitted changes. If none, run `git diff HEAD~1` for the last commit.
3. Run `git log --oneline -5` for context.
4. Only report issues on **changed code**.

## Review Sections

Work through each section systematically.

### 1. CODE QUALITY
- Code organization and module structure
- DRY violations
- Error handling patterns and missing edge cases
- Areas that are over-engineered or under-engineered
- Naming and readability

### 2. PERFORMANCE
- N+1 queries and database access patterns
- Missing caching opportunities
- Memory concerns and expensive loops
- Slow or high-complexity code paths

### 3. SECURITY
- Injection vulnerabilities (SQL, XSS, command)
- Unescaped output, missing sanitization
- Hardcoded secrets, broken auth
- CSRF, access control issues
- Framework-specific sanitization and escaping

### 4. ACCESSIBILITY (if UI changes)
- Missing alt text, ARIA labels
- Keyboard navigation, focus management
- Color contrast, semantic HTML
- WCAG 2.1 AA compliance

### 5. DOCUMENTATION (brief — don't over-flag)
- Missing/outdated docblocks on public APIs
- Undocumented complex logic

### 6. BEST PRACTICES
- SOLID principles violations that affect maintainability
- Coding standards for the project's language/framework
- File organization, separation of concerns

## For Large Diffs (>500 lines changed)

Delegate to specialized review skills with `context:fork` for parallel deep review.
Map the change type to the skill so high-blast-radius areas (schema, public API, untested code) always get a deep pass — mirror checkpoint-preview's `[schema]` / `[public API]` hot-spot tags:

| Change includes… | Delegate to |
|---|---|
| auth, sessions, secrets, user-data handling | `review-security` |
| DB-heavy code, hot loops, render paths | `review-performance` |
| SQL migrations, schema changes, RLS/policies, ORM access | `review-database` |
| new/changed route handlers, REST/GraphQL endpoints, API contracts | `review-api` |
| new code paths or changed test files (or new code with no tests) | `review-tests` |
| UI components, markup, interaction | `review-accessibility` |
| WordPress plugin/theme files | `review-wordpress` |
| prompts, tool definitions, LLM calls, model output handling | `review-prompt` |

Synthesize their findings into your final report.

## For Each Issue Found

1. Describe the problem concretely, with **file and line references**
2. Present **2-3 options**, including "do nothing" where reasonable
3. Give your **recommended option and why**
4. Assign severity (Critical/High/Medium/Low)

## Example (Critical vs Low)

```
[Critical] Auth check missing on a state-changing route
File: src/routes/admin.ts:14
Issue: `POST /admin/users/:id/role` updates roles with no session/permission check — any caller can grant themselves admin.
Fix: Require an authenticated session and `requireRole('admin')` before the handler runs.

[Low] Console.log left in shipped code path
File: src/lib/cart.ts:27
Issue: `console.log(cart)` in the add-to-cart path leaks state to the browser console.
Fix: Remove it or route through the project logger gated to dev.
```

## Final Summary

```markdown
## Review: [Target]

### Verdict: READY | NEEDS FIXES | BLOCKED
**Quality score:** <0-100> (per `_review-finding-contract.md` — same scale as the footer below)

### Blocking Issues (Critical + High)
| # | Issue | File:Line | Severity | Fix |
|---|-------|-----------|----------|-----|

### Recommendations (Medium + Low)
| # | Issue | File:Line | Severity | Suggestion |
|---|-------|-----------|----------|------------|

### Positive Notes
[What's done well — always include at least 2]
```

End with the combined machine-parseable footer from the shared contract (counts summed across all sections and any delegated review skills):

```
SCORE: <0-100> | {critical:N, high:N, medium:N, low:N} | verdict: <pass|block>
```

`READY` maps to `verdict: pass`; `NEEDS FIXES`/`BLOCKED` map to `verdict: block`.

## Communication

When working on a team, report:
- Push readiness verdict
- Critical blockers (if any)
- Issue count by category and severity

Related Skills

review-wordpress

5
from forbee-dev/ForgeBee

Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.

review-tests

5
from forbee-dev/ForgeBee

Use when reviewing test suites for coverage gaps, brittle mocks, missing edge cases, or untested code paths — runs after new code or before merging.

review-security

5
from forbee-dev/ForgeBee

Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.

review-prompt

5
from forbee-dev/ForgeBee

Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.

review-performance

5
from forbee-dev/ForgeBee

Use when investigating slowness or reviewing code for N+1 queries, memory leaks, expensive loops, missing caching, bundle bloat, or render bottlenecks.

review-docs

5
from forbee-dev/ForgeBee

Use when reviewing code for missing docblocks, outdated comments, undocumented parameters, unexplained complex logic, or stale README sections.

review-database

5
from forbee-dev/ForgeBee

Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.

review-code

5
from forbee-dev/ForgeBee

Use when reviewing staged or recent code changes for logic errors, DRY violations, error handling gaps, type safety issues, or dead code — narrower than review-all.

review-code-style

5
from forbee-dev/ForgeBee

Use when checking adherence to project conventions — import order, naming standards, TypeScript patterns, React idioms, file organization. Not formatting (use a linter).

review-best-practices

5
from forbee-dev/ForgeBee

Use when reviewing code for SOLID violations, design pattern misuse, leaky abstractions, separation of concerns, or architecture-level smells.

review-api

5
from forbee-dev/ForgeBee

Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.

review-accessibility

5
from forbee-dev/ForgeBee

Use when auditing UI changes for WCAG 2.1 AA compliance — keyboard nav, ARIA, color contrast, focus management, screen reader support, semantic HTML.