@aryaminus/controlkeel-opencode 0.3.31 → 0.3.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,102 @@
1
+ # Deep Code Quality Checklist
2
+
3
+ Walk this checklist during a deep code quality review. Each item maps to a
4
+ `ck_finding` rule ID. Use `ck_validate` for automated scanning, then manually
5
+ apply these structural checks.
6
+
7
+ ## File Size and Decomposition
8
+
9
+ - **1000-line threshold**: Has any file crossed 1000 lines due to this change?
10
+ Rule: `code_quality.file_size`. Severity: high.
11
+ Check: `wc -l <file>`. If approaching or crossing 1000, recommend decomposition.
12
+
13
+ - **Module cohesion**: Does each module have a single clear responsibility?
14
+ If a module handles auth, formatting, and API calls, flag for extraction.
15
+
16
+ - **Function length**: Are any functions longer than 50 lines?
17
+ Long functions often hide missing abstractions. Recommend extraction.
18
+
19
+ ## Spaghetti and Branching
20
+
21
+ - **Ad-hoc conditionals**: Are new `if`/`case`/`cond` branches added to unrelated flows?
22
+ Rule: `code_quality.spaghetti_condition`. Severity: medium to high.
23
+ Prefer: dedicated abstraction, helper, state machine, or separate module.
24
+
25
+ - **Feature flags in shared code**: Are feature-specific checks scattered across general-purpose modules?
26
+ Rule: `code_quality.wrong_layer`. Severity: medium.
27
+ Prefer: isolate behind a dedicated abstraction.
28
+
29
+ - **One-off booleans or nullable modes**: Do new flags complicate existing control flow?
30
+ Consider whether a typed model or explicit dispatcher would eliminate the branching.
31
+
32
+ - **Narrow edge-case handling**: Is special-case logic inserted in the middle of an already busy function?
33
+ Recommend extracting to a helper or restructuring the flow.
34
+
35
+ ## Abstraction Quality
36
+
37
+ - **Unnecessary abstractions**: Are there wrappers, identity functions, or pass-through helpers that add indirection without clarity?
38
+ Rule: `code_quality.unnecessary_abstraction`. Severity: medium.
39
+ Prefer: delete the layer of indirection.
40
+
41
+ - **Missing abstractions**: Are there repeated conditionals or similar patterns that signal a missing model?
42
+ Rule: `code_quality.missing_abstraction`. Severity: medium.
43
+ Prefer: extract a typed model, helper, or dispatcher.
44
+
45
+ - **Thin wrappers**: Does an abstraction merely call through to another function without adding logic?
46
+ Recommend: inline the call unless the wrapper provides a clear naming or boundary benefit.
47
+
48
+ - **Magic handling**: Are generic mechanisms (dynamic dispatch, reflection-like patterns) used where simple data-shape assumptions would be clearer?
49
+ Rule: `code_quality.magic_handling`. Severity: medium.
50
+ Prefer: explicit typed models.
51
+
52
+ ## Type Boundaries
53
+
54
+ - **Unnecessary casts**: Are there type casts that obscure the real contract?
55
+ Rule: `code_quality.type_boundary`. Severity: low to medium.
56
+ Prefer: make the boundary explicit.
57
+
58
+ - **Loose optionality**: Are optional params or nil returns used where the invariant is actually clear?
59
+ Prefer: explicit types that encode the real state.
60
+
61
+ - **Ad-hoc object shapes**: Are data structures loosely shaped rather than explicitly typed?
62
+ Prefer: structs, typed schemas, or shared contracts.
63
+
64
+ ## Layering and Ownership
65
+
66
+ - **Feature logic in shared paths**: Is feature-specific logic in general-purpose modules?
67
+ Rule: `code_quality.wrong_layer`. Severity: medium to high.
68
+ Prefer: move to a dedicated module behind the right boundary.
69
+
70
+ - **Canonical helper duplication**: Is a new helper created when the codebase already has a canonical utility for the job?
71
+ Rule: `code_quality.duplicate_logic`. Severity: medium.
72
+ Prefer: reuse the existing helper.
73
+
74
+ - **Implementation details leaking through APIs**: Are internal data shapes exposed through public interfaces?
75
+ Recommend: define explicit API contracts.
76
+
77
+ ## Orchestration
78
+
79
+ - **Sequential when parallel is simpler**: Is independent work serialized for no reason?
80
+ Rule: `code_quality.orchestration`. Severity: low to medium.
81
+ Prefer: parallel execution for independent work.
82
+
83
+ - **Non-atomic related updates**: Can related updates leave state half-applied?
84
+ Prefer: more atomic structure (transaction, batch, single operation).
85
+
86
+ ## Code Judo Opportunities
87
+
88
+ For each change, explicitly ask:
89
+
90
+ - Can this be reframed so fewer concepts, branches, or helper layers are needed?
91
+ - Is there a reorganization that uses the existing architecture more effectively?
92
+ - Can whole categories of complexity be deleted rather than rearranged?
93
+ - Does the change improve or worsen the local architecture?
94
+ - Is this the simplest implementation that solves the actual task?
95
+
96
+ **Priority order** for findings:
97
+ 1. Structural quality regressions (file size, spaghetti)
98
+ 2. Missed opportunities for dramatic simplification
99
+ 3. Boundary and abstraction problems
100
+ 4. Layering and ownership issues
101
+ 5. Type boundary concerns
102
+ 6. Legibility and maintainability
@@ -0,0 +1,99 @@
1
+ ---
2
+ name: deslop
3
+ description: "Clean AI slop: remove narrative comments, verbosity, hallucinated patterns, padding. Also cleans AI-generated issue/PR text. Trigger: 'unslop', 'clean up AI code', 'remove slop', 'clean up issue description'. Complements aislop detection."
4
+ when_to_use: "Activate ONLY when explicitly asked to clean up AI-generated slop in code or issue/PR text. Do NOT auto-trigger during normal coding."
5
+ argument-hint: "[file, diff, or aislop findings to clean]"
6
+ disable-model-invocation: true
7
+ license: Apache-2.0
8
+ compatibility:
9
+ - opencode-native
10
+ - claude-standalone
11
+ - cursor-native
12
+ - codex
13
+ metadata:
14
+ author: controlkeel
15
+ version: "1.1"
16
+ category: quality
17
+ ck_mcp_tools: [ck_validate, ck_git_diff, ck_git_commit, ck_finding]
18
+ related_skills: [deep-code-quality-review]
19
+ ---
20
+
21
+ # Deslop
22
+
23
+ Remove AI-generated slop while preserving behavior. Companion to aislop scanner — aislop detects, this skill cleans.
24
+
25
+ ## Do NOT use when
26
+ - Normal coding or refactoring (use `deep-code-quality-review`)
27
+ - Security issues found (use `security-review`)
28
+ - Writing new code (not applicable)
29
+ - Reviewing issue/PR technical correctness (use `investigate` or appropriate review skill)
30
+
31
+ ## Slop patterns (see [catalog](references/slop-patterns.md))
32
+
33
+ **Code patterns:**
34
+ 1. Narrative comments — describing what code obviously does
35
+ 2. Unnecessary verbosity — 10 lines where 3 suffice
36
+ 3. Hallucinated imports — modules not used or not existing
37
+ 4. Mechanical padding — single-call wrappers, unnecessary intermediates
38
+ 5. Generic error messages — "An error occurred" instead of context
39
+ 6. TODO stubs with no implementation
40
+ 7. Redundant type annotations — already inferred
41
+
42
+ **Issue/PR text patterns:**
43
+ 8. Over-confident root cause analysis without evidence
44
+ 9. Generic implementation strategies without project-specific context
45
+ 10. Long lists of irrelevant error classes
46
+ 11. AI-generated issue expansion that broadens scope with hypotheses
47
+ 12. Hallucinated code references or function names
48
+
49
+ ## Subtraction rules
50
+
51
+ - **Delete, don't replace.** If a comment explains what → delete it, don't rewrite it.
52
+ - **Inline, don't redirect.** Single-call helper → inline and delete.
53
+ - **Shrink, don't reorganize.** 10-line function can be 3 → shrink, don't split.
54
+ - **Remove dead code.** Unused imports, unreachable branches.
55
+ - **Preserve intent.** Comments explaining **why** → keep. Helpers with meaningful naming → keep.
56
+
57
+ ## Workflow
58
+
59
+ **For code cleanup:**
60
+ 1. Run `ck_git_diff` to scope changes. Run `ck_validate` for aislop findings.
61
+ 2. List slop patterns found. Plan removals — do not start editing until plan is clear.
62
+ 3. Apply removals. Run tests after each logical group.
63
+ 4. The diff must be **smaller** after cleanup, not just different.
64
+ 5. Full suite must pass. Zero new failures.
65
+ 6. `ck_validate` on cleaned diff. `ck_git_commit`.
66
+
67
+ **For issue/PR text cleanup:**
68
+ 1. Identify the issue or PR description text to clean.
69
+ 2. Run `ck_validate` with `source_type: "issue"` or `source_type: "pull_request"` to assess trust level.
70
+ 3. List slop patterns found (over-confident analysis, generic strategies, hallucinated references).
71
+ 4. Remove AI-generated expansions and stick to observed facts: command run, expected behavior, actual behavior, exact error/log.
72
+ 5. Replace hallucinated code references with accurate ones after verification.
73
+ 6. Remove generic implementation advice; keep only specific, actionable guidance.
74
+ 7. Validate the cleaned text preserves the core issue report without the AI-generated noise.
75
+
76
+ ## Rules
77
+
78
+ **For code:**
79
+ - Behavior preservation — every passing test stays passing
80
+ - No scope creep — fix slop only, do not refactor or add features
81
+ - Smaller diff — fewer lines after cleanup, not same or more
82
+
83
+ **For issue/PR text:**
84
+ - Fact preservation — keep the actual observed behavior and errors
85
+ - No scope narrowing — don't remove important context or edge cases
86
+ - Evidence-based — replace confident analysis with observed facts
87
+ - Specific over generic — keep concrete details, remove vague suggestions
88
+
89
+ ## Output
90
+
91
+ **For code:**
92
+ - Cleaned code with slop removed
93
+ - Full suite passing
94
+ - Commit with cleanup
95
+
96
+ **For issue/PR text:**
97
+ - Cleaned description with AI-generated noise removed
98
+ - Preserved core issue report with observed facts
99
+ - Specific, actionable guidance without over-confident analysis
@@ -0,0 +1,188 @@
1
+ # Slop Pattern Catalog
2
+
3
+ Common AI-generated code patterns that should be removed during deslop. Each
4
+ pattern includes what to look for and the subtraction rule.
5
+
6
+ ## Issue and PR Text Patterns
7
+
8
+ ### Over-confident root cause analysis without evidence
9
+ ```markdown
10
+ # Bad: confident diagnosis without supporting evidence
11
+ The issue is clearly caused by a race condition in the user session manager. We should add a mutex lock around the session state mutations to prevent concurrent access.
12
+
13
+ # Good: stick to observed facts
14
+ When two requests hit the session endpoint simultaneously, I see session state corruption in the logs. Here's the exact error and reproduction steps.
15
+ ```
16
+
17
+ ### Generic implementation strategies
18
+ ```markdown
19
+ # Bad: generic advice without project-specific context
20
+ The best approach would be to implement a comprehensive retry mechanism with exponential backoff, circuit breaker pattern, and extensive monitoring.
21
+
22
+ # Good: specific, actionable guidance tied to the actual problem
23
+ Add retry with exponential backoff (max 3 attempts) to the `ApiClient.post/2` function, which currently fails on network timeouts.
24
+ ```
25
+
26
+ ### Long lists of irrelevant error classes
27
+ ```markdown
28
+ # Bad: enumerating possible issues without narrowing down
29
+ This could be caused by: network timeouts, SSL certificate errors, DNS resolution failures, malformed JSON responses, rate limiting, authentication failures, or server-side bugs.
30
+
31
+ # Good: specific error with context
32
+ The specific error is `{:error, :timeout}` after 30 seconds when calling the external payment API. Here's the full stack trace.
33
+ ```
34
+
35
+ ### AI-generated issue expansion
36
+ ```markdown
37
+ # Bad: expands narrow observation into broad hypotheses
38
+ The login button doesn't work. This suggests potential problems with the authentication flow, session management, CSRF token validation, user database integrity, or frontend event handling. We should audit the entire auth subsystem.
39
+
40
+ # Good: focused on the actual observation
41
+ Clicking the login button does nothing. No network request is sent to `/auth/login` and no error appears in the console. Here are the browser devtools screenshots.
42
+ ```
43
+
44
+ ### Hallucinated code references
45
+ ```markdown
46
+ # Bad: confident but wrong code references
47
+ The bug is in `lib/my_app/auth/session_manager.ex` line 45 where the `validate_session/1` function doesn't check for expired tokens.
48
+
49
+ # Good: accurate code references after actual investigation
50
+ The issue is in `lib/my_app/web/auth_plug.ex` where the `call/2` function doesn't validate session expiration before proceeding.
51
+ ```
52
+
53
+ ## Comments
54
+
55
+ ### Narrative comments
56
+ ```elixir
57
+ # Bad: describes what the code does
58
+ # Check if the user is authenticated before proceeding
59
+ if user do
60
+ ...
61
+ end
62
+
63
+ # Good: delete the comment, the code is self-explanatory
64
+ if user do
65
+ ...
66
+ end
67
+ ```
68
+
69
+ ### Story comments
70
+ ```elixir
71
+ # Bad: tells a story
72
+ # First, we need to get the user from the database.
73
+ # Then, we check if they have admin privileges.
74
+ # If they do, we allow access to the dashboard.
75
+ user = Accounts.get_user!(id)
76
+ if Accounts.admin?(user), do: render_dashboard(user)
77
+
78
+ # Good: just the code
79
+ user = Accounts.get_user!(id)
80
+ if Accounts.admin?(user), do: render_dashboard(user)
81
+ ```
82
+
83
+ ### Kept comments
84
+ ```elixir
85
+ # Keep: explains WHY, not what
86
+ # Using pessimistic locking here because concurrent updates
87
+ # caused a race condition in production (see #1234)
88
+ Repo.lock(user)
89
+ ```
90
+
91
+ ## Verbosity
92
+
93
+ ### Unnecessary intermediate variables
94
+ ```elixir
95
+ # Bad
96
+ result = do_something()
97
+ final_result = process(result)
98
+ return_value = format(final_result)
99
+ return_value
100
+
101
+ # Good
102
+ do_something() |> process() |> format()
103
+ ```
104
+
105
+ ### Overly explicit pattern matching
106
+ ```elixir
107
+ # Bad
108
+ case value do
109
+ true -> handle_true()
110
+ false -> handle_false()
111
+ end
112
+
113
+ # Good
114
+ if value, do: handle_true(), else: handle_false()
115
+ ```
116
+
117
+ ## Dead Code
118
+
119
+ ### Unused imports
120
+ ```elixir
121
+ # Bad: imported but never referenced
122
+ alias MyApp.SomeModule # never used
123
+
124
+ # Good: delete the import
125
+ ```
126
+
127
+ ### TODO stubs with no implementation
128
+ ```elixir
129
+ # Bad
130
+ def handle_error(error) do
131
+ # TODO: implement error handling
132
+ :ok
133
+ end
134
+
135
+ # Good: implement it or remove the function if not called
136
+ ```
137
+
138
+ ### Unreachable branches
139
+ ```elixir
140
+ # Bad: else branch can never execute
141
+ if true do
142
+ do_thing()
143
+ else
144
+ handle_impossible_case() # dead code
145
+ end
146
+
147
+ # Good: remove the conditional entirely
148
+ do_thing()
149
+ ```
150
+
151
+ ## Padding
152
+
153
+ ### Single-call wrappers
154
+ ```elixir
155
+ # Bad: helper adds no logic, just redirects
156
+ def get_user_name(user), do: user.name
157
+
158
+ # Good: just call user.name directly at the call site
159
+ ```
160
+
161
+ ### Generic error messages
162
+ ```elixir
163
+ # Bad
164
+ {:error, "An error occurred while processing the request"}
165
+
166
+ # Good
167
+ {:error, "Payment gateway timeout: #{status} after #{timeout}ms"}
168
+ ```
169
+
170
+ ## Hallucinated Patterns
171
+
172
+ ### Imports for non-existent modules
173
+ ```elixir
174
+ # Bad: module does not exist in the project
175
+ alias Phoenix.HTML.Form # wrong module name
176
+
177
+ # Good: use the actual module
178
+ alias Phoenix.Component
179
+ ```
180
+
181
+ ### Redundant type specs
182
+ ```elixir
183
+ # Bad: typespec repeats what the function body already makes clear
184
+ @spec add(integer(), integer()) :: integer()
185
+ def add(a, b), do: a + b
186
+
187
+ # Good: keep typespecs for public APIs, remove for trivial private functions
188
+ ```
@@ -0,0 +1,52 @@
1
+ ---
2
+ name: investigate
3
+ description: "Read-only codebase Q&A: trace code paths, answer how/why/where questions without changes. Trigger: 'how does X work', 'why was Y built this way', 'trace the data flow'."
4
+ when_to_use: "Activate for read-only exploration questions. Do NOT use when code changes are needed."
5
+ argument-hint: "[question about the codebase]"
6
+ disable-model-invocation: true
7
+ license: Apache-2.0
8
+ compatibility:
9
+ - opencode-native
10
+ - claude-standalone
11
+ - cursor-native
12
+ - codex
13
+ metadata:
14
+ author: controlkeel
15
+ version: "1.1"
16
+ category: exploration
17
+ ck_mcp_tools: [ck_memory_search]
18
+ related_skills: [architect-first]
19
+ ---
20
+
21
+ # Investigate
22
+
23
+ Read-only codebase Q&A. Trace code, not guesses. No file changes.
24
+
25
+ ## Do NOT use when
26
+ - Code changes are needed (use appropriate dev skill)
27
+ - The question is about planning (use `align`)
28
+ - The question is about security (use `security-review`)
29
+
30
+ ## Workflow
31
+
32
+ 1. Search `ck_memory_search` for prior analysis on this area.
33
+ 2. Trace actual code paths for the question type:
34
+ - **How**: entry point → call chain → data flow → side effects
35
+ - **Why**: `git log --oneline -20 -- <file>`, linked issues, commit messages
36
+ - **Where**: search for function/module references, trace callers
37
+ - **What-if**: trace the code path for that scenario, identify edge cases
38
+ 3. Check multiple sources: source control, tests, comments. Code shows what, not why.
39
+ 4. Answer concisely: direct answer + evidence (file:line, commit SHA) + caveats.
40
+
41
+ ## Rules
42
+
43
+ - Read-only — no file changes. If fix needed, record and recommend appropriate skill.
44
+ - Every claim backed by code evidence or git history.
45
+ - Answer what was asked — do not explore tangentially.
46
+ - Stop at external boundaries — say so instead of speculating.
47
+
48
+ ## Output
49
+
50
+ - Concise answer with file:line evidence
51
+ - Optional `ck_memory_record` for durable findings
52
+ - No file changes
@@ -0,0 +1,70 @@
1
+ ---
2
+ name: orchestrate-tasks
3
+ description: "Fan large tasks across parallel agents with planner/worker/verifier roles and structured handoffs. Trigger: 'parallelize', 'fan out', 'orchestrate', or when plan-slice produces 3+ independent slices."
4
+ when_to_use: "Activate ONLY when a task is too large for a single agent and has independent parallelizable slices. Do NOT use for single-agent tasks."
5
+ argument-hint: "[goal or slice plan to orchestrate]"
6
+ disable-model-invocation: true
7
+ license: Apache-2.0
8
+ compatibility:
9
+ - opencode-native
10
+ - claude-standalone
11
+ - cursor-native
12
+ - codex
13
+ metadata:
14
+ author: controlkeel
15
+ version: "1.1"
16
+ category: orchestration
17
+ ck_mcp_tools: [ck_route, ck_delegate, ck_budget, ck_review_submit, ck_finding, ck_git_diff, ck_memory_record, ck_rollback]
18
+ related_skills: [plan-slice]
19
+ ---
20
+
21
+ # Orchestrate Tasks
22
+
23
+ Fan large tasks across parallel agents with planner/worker/verifier roles. Adapted from Cursor's orchestrate plugin for CK governance.
24
+
25
+ ## Do NOT use when
26
+ - Single-agent task (just use `controlkeel-governance`)
27
+ - Task has no parallelizable slices
28
+ - Budget is tight (orchestration is expensive — multiple delegations)
29
+
30
+ ## Principles
31
+
32
+ 1. **Planners own scope, not code** — decompose, publish tasks, read handoffs, decide next. No file edits.
33
+ 2. **Workers are isolated** — one task, one agent, one scope. Talk up through handoffs only.
34
+ 3. **Verifiers check independently** — read worker output, verify against acceptance criteria.
35
+ 4. **State on disk** — `ck_memory_record` and git, no long-running agent state.
36
+ 5. **Continuous convergence** — each cycle produces progress. No progress → escalate.
37
+
38
+ ## Workflow
39
+
40
+ 1. Check `ck_budget` — orchestration costs multiple delegations. Stop if insufficient.
41
+ 2. Decompose into tasks (or use existing `plan-slice` output). Each task: name, type (worker/verifier/subplanner), scoped goal, acceptance criteria, dependencies, paths.
42
+ 3. Record plan via `ck_memory_record` (type: `decision`, tags: `orchestration-plan`).
43
+ 4. Submit plan via `ck_review_submit` (review_type: `plan`). **Wait for approval** before spawning.
44
+ 5. Execute loop:
45
+ - Select ready tasks (dependencies satisfied, not started)
46
+ - Check budget before each delegation
47
+ - Delegate: `ck_route` → `ck_delegate`
48
+ - Collect handoffs
49
+ - Verify completed tasks
50
+ - `ck_rollback` checkpoint after each success
51
+ - Decide: new tasks, retry failures, or completion
52
+ 6. Synthesize: `ck_git_diff` for total change, `parallel-review` if large.
53
+
54
+ ## Failure recovery
55
+
56
+ - Worker failure → record `ck_finding`, retry once, escalate if retry fails
57
+ - Budget exhaustion → checkpoint state, stop, record for resumption
58
+ - Verifier failure → worker output not trusted, fix or escalate
59
+
60
+ ## Output
61
+
62
+ - Approved orchestration plan
63
+ - Delegated tasks with handoffs
64
+ - `ck_finding` for failures
65
+ - `ck_rollback` checkpoints
66
+ - Synthesized result
67
+
68
+ ## Reference
69
+
70
+ - [Handoff format](references/handoff-format.md)
@@ -0,0 +1,42 @@
1
+ # Handoff Format
2
+
3
+ Workers and verifiers produce a handoff document when they complete. This is the
4
+ only communication channel between a worker and its planner.
5
+
6
+ ## Structure
7
+
8
+ ```markdown
9
+ # Handoff: <task-name>
10
+
11
+ ## Status
12
+ <completed | failed | blocked>
13
+
14
+ ## What was done
15
+ <1-5 bullets describing the actual changes made>
16
+
17
+ ## Files changed
18
+ - `path/to/file.ex`: <what changed and why>
19
+ - `path/to/test.exs`: <what was tested>
20
+
21
+ ## Acceptance criteria met
22
+ - [x] <criterion 1>
23
+ - [x] <criterion 2>
24
+ - [ ] <criterion not met> — <why>
25
+
26
+ ## Test results
27
+ <mix test output summary>
28
+
29
+ ## Issues encountered
30
+ - <any blockers, unexpected complexity, or things the planner should know>
31
+
32
+ ## Recommendations for planner
33
+ <suggestions for follow-up tasks, verifications, or adjustments>
34
+ ```
35
+
36
+ ## Rules
37
+
38
+ - **Be specific, not narrative.** "Added `validate_email/1` to `Accounts` module" not "improved validation".
39
+ - **Include test evidence.** Every completed worker must include test output.
40
+ - **Flag blocked criteria.** If acceptance criteria are not met, explain why and what the planner should do.
41
+ - **No code dumps.** The handoff summarizes changes; the actual code is in the repo.
42
+ - **Be concise.** A good handoff fits in one screen. If it doesn't, the task was too broad.
@@ -0,0 +1,55 @@
1
+ ---
2
+ name: parallel-review
3
+ description: "Run security + code quality reviews concurrently, synthesize deduplicated findings. Trigger: 'full review', 'parallel review', 'both reviews', comprehensive pre-merge check."
4
+ when_to_use: "Activate ONLY when explicitly asked for comprehensive security+quality review. Do NOT use when only one review type is needed."
5
+ argument-hint: "[PR, branch, or diff]"
6
+ disable-model-invocation: true
7
+ license: Apache-2.0
8
+ compatibility:
9
+ - opencode-native
10
+ - claude-standalone
11
+ - cursor-native
12
+ - codex
13
+ metadata:
14
+ author: controlkeel
15
+ version: "1.1"
16
+ category: review
17
+ ck_mcp_tools: [ck_validate, ck_finding, ck_git_diff, ck_review_submit, ck_route, ck_delegate]
18
+ related_skills: [security-review, deep-code-quality-review]
19
+ ---
20
+
21
+ # Parallel Review
22
+
23
+ Run `security-review` and `deep-code-quality-review` concurrently, synthesize into one prioritized report.
24
+
25
+ ## Do NOT use when
26
+ - Only security OR quality review needed (use the specific skill directly)
27
+ - During normal coding
28
+ - For single-file changes where sequential review is fast enough
29
+
30
+ ## Workflow
31
+
32
+ 1. Run `ck_git_diff` to gather the diff. Run `ck_validate` for automated findings.
33
+ 2. Launch both reviews (via `ck_delegate` or sequential invocation):
34
+ - **Security**: `security-review` skill — OWASP, injection, auth, secrets, deps
35
+ - **Quality**: `deep-code-quality-review` skill — abstraction, file size, spaghetti, layering
36
+ Both record findings independently via `ck_finding`.
37
+ 3. Synthesize:
38
+ - Deduplicate: same code path flagged by both → one finding, higher severity
39
+ - Prioritize: critical > high > medium > low; security > quality > reviewability
40
+ - Weight overlaps: flagged by both = higher confidence
41
+ - Resolve disagreements with your own judgment
42
+ 4. Submit via `ck_review_submit` (review_type: `diff`) with combined findings.
43
+ 5. **Wait for approval** before merge/deploy.
44
+
45
+ ## Rules
46
+
47
+ - Both reviews must complete — do not skip one
48
+ - Blocked finding from either = merge blocked
49
+ - Deduplicate, do not double-count
50
+
51
+ ## Output
52
+
53
+ - Combined findings (deduplicated, prioritized)
54
+ - `ck_review_submit` diff review
55
+ - Clear verdict: merge / merge with warnings / blocked
@@ -0,0 +1,63 @@
1
+ ---
2
+ name: reviewable-pr
3
+ description: "Prepare PRs for review: clean noisy history, improve descriptions, add reviewer guidance. Trigger: 'make easy to review', 'tidy PR', 'clean up commits', 'annotate diff'."
4
+ when_to_use: "Activate ONLY when explicitly asked to prepare a PR for review. Do NOT auto-trigger during normal coding or review tasks."
5
+ argument-hint: "[PR URL, branch, or current]"
6
+ disable-model-invocation: true
7
+ license: Apache-2.0
8
+ compatibility:
9
+ - opencode-native
10
+ - claude-standalone
11
+ - cursor-native
12
+ - codex
13
+ metadata:
14
+ author: controlkeel
15
+ version: "1.1"
16
+ category: review
17
+ ck_mcp_tools: [ck_git_diff, ck_git_status, ck_validate, ck_review_submit, ck_finding]
18
+ related_skills: [security-review, deep-code-quality-review]
19
+ ---
20
+
21
+ # Reviewable PR
22
+
23
+ Prepare a PR so a reviewer can quickly understand intent, risk, and key files — without changing code behavior.
24
+
25
+ ## Do NOT use when
26
+ - Doing normal coding or bug fixing
27
+ - Running security or quality reviews (use those skills directly)
28
+ - Making behavior changes (this skill only improves reviewability)
29
+
30
+ ## Workflow
31
+
32
+ 1. Resolve the PR (URL, branch, or current). Run `ck_git_diff` and `ck_git_status`.
33
+ 2. Run `ck_validate` on the diff. Resolve blocked findings first — reviewability is secondary to correctness.
34
+ 3. Diagnose reviewability issues against [checklist](references/pr-checklist.md):
35
+ - Noisy/mixed-intent commit history
36
+ - Missing or stale PR description
37
+ - Unrelated changes mixed in
38
+ - Mechanical changes mixed with logic
39
+ - Missing test coverage for core change
40
+ - Unclear reviewer entry points
41
+ 4. Record issues as `ck_finding` (category `reviewability`, severity `medium`/`low`).
42
+ 5. Submit plan via `ck_review_submit` (review_type: `plan`) describing what will change. **Wait for approval** before rewriting history or force-pushing.
43
+ 6. Apply approved improvements. After any history rewrite, verify tree hash unchanged:
44
+ ```
45
+ ORIGINAL_TREE=$(git rev-parse origin/<branch>^{tree})
46
+ # ... rewrite ...
47
+ # Tree must match
48
+ ```
49
+ 7. Update PR description with: TL;DR, core files (3-7), mechanical files, risk callouts, context links.
50
+
51
+ ## Guardrails
52
+
53
+ - Never hide behavior changes inside cleanup
54
+ - Never force-push without `ck_review_submit` approval
55
+ - If PR too large to review, recommend splitting instead of polishing
56
+ - If `ck_validate` blocked, fix those first
57
+
58
+ ## Output
59
+
60
+ - `ck_finding` records for reviewability issues
61
+ - `ck_review_submit` plan (approved)
62
+ - Updated PR description with reviewer guidance
63
+ - Verified tree identity after any history changes