package-code-review
Systematic per-package code review using six specialist perspectives (Correctness, Architecture, Type Safety, Security, Performance, Maintainability) with severity labels. Use when reviewing an entire package or a set of changed files for quality, compliance, and improvement opportunities.
Best use case
package-code-review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Systematic per-package code review using six specialist perspectives (Correctness, Architecture, Type Safety, Security, Performance, Maintainability) with severity labels. Use when reviewing an entire package or a set of changed files for quality, compliance, and improvement opportunities.
Teams using package-code-review should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/package-code-review/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How package-code-review Compares
| Feature / Agent | package-code-review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Systematic per-package code review using six specialist perspectives (Correctness, Architecture, Type Safety, Security, Performance, Maintainability) with severity labels. Use when reviewing an entire package or a set of changed files for quality, compliance, and improvement opportunities.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Package Code Review
## Rule Anchor
- `AGENTS.md` > "Type System (Strict)"
- `AGENTS.md` > "No Fallback Policy"
- `AGENTS.md` > "Development Patterns"
## Use This Skill When
- Reviewing an entire package for quality and compliance.
- Reviewing a set of changed files before merge.
- Running periodic codebase health checks.
## Severity Labels
| Label | Meaning | Action Required |
| ------------ | --------------------------------------------------- | -------------------------------- |
| **MUST** | Rule violation, bug, or security issue | Fix before merge |
| **SHOULD** | Architecture improvement, missing tests, spec drift | Fix in current or next iteration |
| **CONSIDER** | Refactoring opportunity, alternative approach | Author decides |
| **NIT** | Minor style or naming preference | Ignorable |
Classification rules:
- Any AGENTS.md Mandatory Rules violation → **MUST**
- SPEC.md quality gate gap → **SHOULD**
- Untested public API surface → **SHOULD**
- Everything else → **CONSIDER** or **NIT**
## Review Perspectives
Each package is reviewed through six specialist perspectives, in order:
### 1. Correctness
- Logic bugs and unreachable code paths
- Edge cases: null, undefined, empty arrays, boundary values
- Error handling completeness (catch boundaries narrowed, no silent swallowing)
- Invariant violations (terminal states re-entered, duplicate prevention anti-patterns)
- Promise handling (unhandled rejections, missing await)
### 2. Architecture
- Dependency direction (imports flow toward owner packages, no circular imports)
- Boundary violations (package imports from internals of another package)
- SSOT compliance (no re-declared types, no 1:1 trivial aliases)
- Module cohesion (single responsibility, no god files)
- Import standards (static by default, dynamic only for optional modules)
- No fallback patterns
### 3. Type Safety
- No `any`, `{}`, `as any`, `as unknown as T` in production code
- `unknown` narrowed before domain use
- Naming convention: `I*` for interfaces, `T*` for type aliases
- No trivial 1:1 type aliases
- Explicit return types on exported functions
- Type guards used at trust boundaries
### 4. Security
- No hardcoded secrets, API keys, or credentials
- Input validation at system boundaries (user input, external APIs)
- No command injection, XSS, SQL injection vectors
- No `eval()`, `new Function()`, or unsafe dynamic code execution
- Sensitive data not logged or exposed in error messages
### 5. Performance
- No unnecessary allocations in hot paths or loops
- No N+1 query patterns
- No synchronous blocking in async contexts
- Appropriate use of caching (check before compute, save after success)
- No unbounded growth (arrays, maps, event listeners without cleanup)
### 6. Maintainability
- Test coverage for public API surface
- Naming clarity (functions describe actions, variables describe content)
- File size: production files > 300 lines → **MUST** fix (split into focused modules)
- Function size: functions > 50 lines → **MUST** fix (extract sub-operations)
- Cyclomatic complexity: functions with > 15 branches → **SHOULD** simplify
- Documentation accuracy (SPEC.md reflects current implementation)
- Dead code (unused exports, unreachable branches)
- Magic numbers/strings without named constants → **SHOULD** fix
- Mutable function parameters → **MUST** fix (clone or create new objects)
## Execution Steps
1. **Scope**: Identify the target package(s) and file set.
2. **Context**: Read SPEC.md, package.json, and index.ts to understand the package boundary and public surface.
3. **Scan**: Read each production source file (exclude tests, examples, generated files).
4. **Review**: Apply all six perspectives to each file. Record findings with severity, perspective, file:line, and description.
5. **Cross-check**: Run harness commands to validate mechanical checks:
```bash
pnpm --filter <pkg> build
pnpm --filter <pkg> test
pnpm harness:scan
```
6. **Report**: Output the review summary in the format below.
## Output Format
```
## [package-name] Code Review
### Summary
| Severity | Count |
|----------|-------|
| MUST | N |
| SHOULD | N |
| CONSIDER | N |
| NIT | N |
### Findings
#### MUST
1. (Perspective) `file:line` — Description
#### SHOULD
1. (Perspective) `file:line` — Description
#### CONSIDER
1. (Perspective) `file:line` — Description
#### NIT
1. (Perspective) `file:line` — Description
### Positive Observations
- Things done well that should be preserved.
```
## Stop Conditions
- Do not review test files, example files, or generated output (`.d.ts`, `dist/`).
- Do not flag patterns explicitly allowed by AGENTS.md (e.g., `unknown` at catch boundaries).
- Do not suggest changes beyond the review — create task files for large-scale work.
## Relationship to Other Skills
- Findings that require code changes → follow `repo-change-loop` skill.
- Findings about SPEC.md gaps → follow `spec-writing-standard` skill.
- Findings about type ownership → follow `type-boundary-and-ssot` skill.
- Findings about test gaps → reference `vitest-testing-strategy` skill.Related Skills
web-design-guidelines
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
vitest-testing-strategy
Defines a practical testing strategy for TypeScript and JavaScript using Vitest across unit, integration, and type-level tests. Use when adding features, refactoring, or preventing regressions with fast feedback loops.
version-management
All packages must have the same version. Use changesets for coordinated version bumps. Never version packages independently.
vercel-react-native-skills
React Native and Expo best practices for building performant mobile apps. Use when building React Native components, optimizing list performance, implementing animations, or working with native modules. Triggers on tasks involving React Native, Expo, mobile performance, or native platform APIs.
vercel-react-best-practices
React and Next.js performance optimization guidelines from Vercel Engineering. This skill should be used when writing, reviewing, or refactoring React/Next.js code to ensure optimal performance patterns. Triggers on tasks involving React components, Next.js pages, data fetching, bundle optimization, or performance improvements.
vercel-composition-patterns
React composition patterns that scale. Use when refactoring components with boolean prop proliferation, building flexible component libraries, or designing reusable APIs. Triggers on tasks involving compound components, render props, context providers, or component architecture. Includes React 19 API changes.
user-request-gate
Use immediately when the user requests any implementation, code change, feature addition, fix, or modification. Gates code writing behind a backlog draft document. Read-only exploration is always permitted.
type-boundary-and-ssot
Applies Robota's preferred workflow for trust-boundary validation, strict typing, quality gates, and owner-based SSOT reuse. Use when adding or reviewing type contracts, boundary parsing, shared contract ownership, or running quality checks.
tdd-red-green-refactor
Kent Beck's TDD workflow. Use when writing new code or modifying existing behavior. Enforces the Red-Green-Refactor cycle with small, verifiable steps.
task-tracking
Track work using task files in .agents/tasks/. Use when starting, progressing, or completing a task to maintain a persistent record of work.
tailwind-truncation
Provide Tailwind truncation patterns for single-line and multi-line text. Use when discussing text ellipsis, truncation, or line-clamp usage.
state-machine-design
Designs finite state machines as pure, declarative transition tables with guards and actions. Use when modeling lifecycle states, status flows, or any system with discrete states and controlled transitions.