mindforge-cc 11.5.1 → 11.7.0

Files changed (214)
  1. package/.agent/mindforge/skill-tdd.md +53 -0
  2. package/.agent/mindforge/skills-index.md +118 -0
  3. package/.agent/mindforge/systematic-debug.md +60 -0
  4. package/.agent/mindforge/wf-catalog.md +37 -0
  5. package/.agent/mindforge/wf-code-audit.md +31 -0
  6. package/.agent/mindforge/wf-competitive-analysis.md +31 -0
  7. package/.agent/mindforge/wf-deep-research.md +32 -0
  8. package/.agent/mindforge/wf-feature-planner.md +31 -0
  9. package/.agent/mindforge/wf-incident-response.md +31 -0
  10. package/.agent/mindforge/wf-onboard-codebase.md +31 -0
  11. package/.agent/mindforge/wf-perf-optimize.md +31 -0
  12. package/.agent/mindforge/wf-pr-review.md +31 -0
  13. package/.agent/mindforge/wf-refactor-plan.md +31 -0
  14. package/.agent/mindforge/wf-release-prep.md +31 -0
  15. package/.agent/mindforge/wf-tdd-sprint.md +31 -0
  16. package/.agent/mindforge/wf-tech-evaluation.md +31 -0
  17. package/.agent/skills/1password-skill/SKILL.md +156 -0
  18. package/.agent/skills/1password-skill/references/cli-examples.md +31 -0
  19. package/.agent/skills/1password-skill/references/get-started.md +21 -0
  20. package/.agent/skills/article-illustrator/SKILL.md +199 -0
  21. package/.agent/skills/article-illustrator/references/prompt-construction.md +426 -0
  22. package/.agent/skills/article-illustrator/references/style-presets.md +80 -0
  23. package/.agent/skills/article-illustrator/references/styles.md +224 -0
  24. package/.agent/skills/article-illustrator/references/usage.md +50 -0
  25. package/.agent/skills/article-illustrator/references/workflow.md +332 -0
  26. package/.agent/skills/arxiv/SKILL.md +275 -0
  27. package/.agent/skills/blogwatcher/SKILL.md +130 -0
  28. package/.agent/skills/code-wiki/SKILL.md +438 -0
  29. package/.agent/skills/code-wiki/templates/README.md +31 -0
  30. package/.agent/skills/code-wiki/templates/architecture.md +30 -0
  31. package/.agent/skills/code-wiki/templates/getting-started.md +47 -0
  32. package/.agent/skills/code-wiki/templates/module.md +38 -0
  33. package/.agent/skills/codebase-inspection/SKILL.md +109 -0
  34. package/.agent/skills/comic-creator/SKILL.md +240 -0
  35. package/.agent/skills/comic-creator/references/analysis-framework.md +176 -0
  36. package/.agent/skills/comic-creator/references/auto-selection.md +71 -0
  37. package/.agent/skills/comic-creator/references/base-prompt.md +98 -0
  38. package/.agent/skills/comic-creator/references/character-template.md +180 -0
  39. package/.agent/skills/comic-creator/references/ohmsha-guide.md +85 -0
  40. package/.agent/skills/comic-creator/references/partial-workflows.md +106 -0
  41. package/.agent/skills/comic-creator/references/storyboard-template.md +143 -0
  42. package/.agent/skills/comic-creator/references/workflow.md +401 -0
  43. package/.agent/skills/concept-diagrams/SKILL.md +355 -0
  44. package/.agent/skills/concept-diagrams/references/dashboard-patterns.md +43 -0
  45. package/.agent/skills/concept-diagrams/references/infrastructure-patterns.md +144 -0
  46. package/.agent/skills/concept-diagrams/references/physical-shape-cookbook.md +42 -0
  47. package/.agent/skills/creative-ideation/SKILL.md +144 -0
  48. package/.agent/skills/creative-ideation/references/full-prompt-library.md +110 -0
  49. package/.agent/skills/devops-cli/SKILL.md +149 -0
  50. package/.agent/skills/devops-cli/references/app-discovery.md +112 -0
  51. package/.agent/skills/devops-cli/references/authentication.md +59 -0
  52. package/.agent/skills/devops-cli/references/cli-reference.md +104 -0
  53. package/.agent/skills/devops-cli/references/running-apps.md +171 -0
  54. package/.agent/skills/devops-watchers/SKILL.md +103 -0
  55. package/.agent/skills/docker-management/SKILL.md +273 -0
  56. package/.agent/skills/domain-intel/SKILL.md +96 -0
  57. package/.agent/skills/duckduckgo-search/SKILL.md +230 -0
  58. package/.agent/skills/github-auth/SKILL.md +240 -0
  59. package/.agent/skills/github-code-review/SKILL.md +474 -0
  60. package/.agent/skills/github-code-review/references/review-output-template.md +74 -0
  61. package/.agent/skills/github-issues/SKILL.md +363 -0
  62. package/.agent/skills/github-issues/templates/bug-report.md +35 -0
  63. package/.agent/skills/github-issues/templates/feature-request.md +31 -0
  64. package/.agent/skills/github-pr-workflow/SKILL.md +360 -0
  65. package/.agent/skills/github-pr-workflow/references/ci-troubleshooting.md +183 -0
  66. package/.agent/skills/github-pr-workflow/references/conventional-commits.md +71 -0
  67. package/.agent/skills/github-pr-workflow/templates/pr-body-bugfix.md +35 -0
  68. package/.agent/skills/github-pr-workflow/templates/pr-body-feature.md +33 -0
  69. package/.agent/skills/github-repo-management/SKILL.md +509 -0
  70. package/.agent/skills/github-repo-management/references/github-api-cheatsheet.md +161 -0
  71. package/.agent/skills/godmode/SKILL.md +396 -0
  72. package/.agent/skills/godmode/references/jailbreak-templates.md +128 -0
  73. package/.agent/skills/godmode/references/refusal-detection.md +142 -0
  74. package/.agent/skills/hyperframes/SKILL.md +182 -0
  75. package/.agent/skills/hyperframes/references/cli.md +185 -0
  76. package/.agent/skills/hyperframes/references/composition.md +129 -0
  77. package/.agent/skills/hyperframes/references/features.md +289 -0
  78. package/.agent/skills/hyperframes/references/gsap.md +136 -0
  79. package/.agent/skills/hyperframes/references/troubleshooting.md +137 -0
  80. package/.agent/skills/hyperframes/references/website-to-video.md +145 -0
  81. package/.agent/skills/jupyter-live-kernel/SKILL.md +160 -0
  82. package/.agent/skills/kanban-orchestrator/SKILL.md +209 -0
  83. package/.agent/skills/kanban-worker/SKILL.md +188 -0
  84. package/.agent/skills/llm-wiki/SKILL.md +499 -0
  85. package/.agent/skills/meme-generation/SKILL.md +122 -0
  86. package/.agent/skills/node-inspect-debugger/SKILL.md +312 -0
  87. package/.agent/skills/obsidian/SKILL.md +60 -0
  88. package/.agent/skills/osint-investigation/SKILL.md +269 -0
  89. package/.agent/skills/osint-investigation/templates/source-template.md +59 -0
  90. package/.agent/skills/oss-forensics/SKILL.md +422 -0
  91. package/.agent/skills/oss-forensics/references/evidence-types.md +89 -0
  92. package/.agent/skills/oss-forensics/references/github-archive-guide.md +184 -0
  93. package/.agent/skills/oss-forensics/references/investigation-templates.md +131 -0
  94. package/.agent/skills/oss-forensics/references/recovery-techniques.md +164 -0
  95. package/.agent/skills/oss-forensics/templates/forensic-report.md +151 -0
  96. package/.agent/skills/oss-forensics/templates/malicious-package-report.md +43 -0
  97. package/.agent/skills/parallel-cli/SKILL.md +384 -0
  98. package/.agent/skills/pinggy-tunnel/SKILL.md +302 -0
  99. package/.agent/skills/pixel-art/SKILL.md +209 -0
  100. package/.agent/skills/pixel-art/references/palettes.md +49 -0
  101. package/.agent/skills/plan/SKILL.md +331 -0
  102. package/.agent/skills/polymarket/SKILL.md +75 -0
  103. package/.agent/skills/polymarket/references/api-endpoints.md +220 -0
  104. package/.agent/skills/python-debugpy/SKILL.md +368 -0
  105. package/.agent/skills/requesting-code-review/SKILL.md +273 -0
  106. package/.agent/skills/research-paper-writing/SKILL.md +2367 -0
  107. package/.agent/skills/research-paper-writing/references/autoreason-methodology.md +394 -0
  108. package/.agent/skills/research-paper-writing/references/checklists.md +434 -0
  109. package/.agent/skills/research-paper-writing/references/citation-workflow.md +563 -0
  110. package/.agent/skills/research-paper-writing/references/experiment-patterns.md +728 -0
  111. package/.agent/skills/research-paper-writing/references/human-evaluation.md +476 -0
  112. package/.agent/skills/research-paper-writing/references/paper-types.md +481 -0
  113. package/.agent/skills/research-paper-writing/references/reviewer-guidelines.md +433 -0
  114. package/.agent/skills/research-paper-writing/references/sources.md +191 -0
  115. package/.agent/skills/research-paper-writing/references/writing-guide.md +474 -0
  116. package/.agent/skills/research-paper-writing/templates/README.md +251 -0
  117. package/.agent/skills/rest-graphql-debug/SKILL.md +507 -0
  118. package/.agent/skills/s6-container-supervision/SKILL.md +171 -0
  119. package/.agent/skills/scrapling/SKILL.md +328 -0
  120. package/.agent/skills/sherlock/SKILL.md +186 -0
  121. package/.agent/skills/simplify-code/SKILL.md +168 -0
  122. package/.agent/skills/skill-authoring/SKILL.md +158 -0
  123. package/.agent/skills/spike/SKILL.md +190 -0
  124. package/.agent/skills/subagent-driven-development/SKILL.md +345 -0
  125. package/.agent/skills/subagent-driven-development/references/context-budget-discipline.md +53 -0
  126. package/.agent/skills/subagent-driven-development/references/gates-taxonomy.md +93 -0
  127. package/.agent/skills/systematic-debugging/SKILL.md +360 -0
  128. package/.agent/skills/test-driven-development/SKILL.md +336 -0
  129. package/.agent/skills/video-orchestrator/SKILL.md +194 -0
  130. package/.agent/skills/video-orchestrator/references/examples.md +227 -0
  131. package/.agent/skills/video-orchestrator/references/intake.md +166 -0
  132. package/.agent/skills/video-orchestrator/references/kanban-setup.md +278 -0
  133. package/.agent/skills/video-orchestrator/references/monitoring.md +180 -0
  134. package/.agent/skills/video-orchestrator/references/role-archetypes.md +298 -0
  135. package/.agent/skills/video-orchestrator/references/tool-matrix.md +317 -0
  136. package/.agent/skills/web-pentest/SKILL.md +332 -0
  137. package/.agent/skills/web-pentest/references/bypass-techniques.md +133 -0
  138. package/.agent/skills/web-pentest/references/exploitation-techniques.md +204 -0
  139. package/.agent/skills/web-pentest/references/scope-enforcement.md +110 -0
  140. package/.agent/skills/web-pentest/references/vuln-taxonomy.md +81 -0
  141. package/.agent/skills/web-pentest/templates/authorization.md +69 -0
  142. package/.agent/skills/web-pentest/templates/pentest-report.md +178 -0
  143. package/.claude/commands/mindforge/skill-tdd.md +53 -0
  144. package/.claude/commands/mindforge/skills-index.md +118 -0
  145. package/.claude/commands/mindforge/systematic-debug.md +60 -0
  146. package/.claude/commands/mindforge/wf-catalog.md +37 -0
  147. package/.claude/commands/mindforge/wf-code-audit.md +31 -0
  148. package/.claude/commands/mindforge/wf-competitive-analysis.md +31 -0
  149. package/.claude/commands/mindforge/wf-deep-research.md +32 -0
  150. package/.claude/commands/mindforge/wf-feature-planner.md +31 -0
  151. package/.claude/commands/mindforge/wf-incident-response.md +31 -0
  152. package/.claude/commands/mindforge/wf-onboard-codebase.md +31 -0
  153. package/.claude/commands/mindforge/wf-perf-optimize.md +31 -0
  154. package/.claude/commands/mindforge/wf-pr-review.md +31 -0
  155. package/.claude/commands/mindforge/wf-refactor-plan.md +31 -0
  156. package/.claude/commands/mindforge/wf-release-prep.md +31 -0
  157. package/.claude/commands/mindforge/wf-tdd-sprint.md +31 -0
  158. package/.claude/commands/mindforge/wf-tech-evaluation.md +31 -0
  159. package/.mindforge/config.json +2 -2
  160. package/.mindforge/dynamic-workflows/REGISTRY.md +65 -0
  161. package/.mindforge/dynamic-workflows/index.json +171 -0
  162. package/.mindforge/dynamic-workflows/scripts/code-audit.js +103 -0
  163. package/.mindforge/dynamic-workflows/scripts/competitive-analysis.js +85 -0
  164. package/.mindforge/dynamic-workflows/scripts/deep-research.js +151 -0
  165. package/.mindforge/dynamic-workflows/scripts/feature-planner.js +104 -0
  166. package/.mindforge/dynamic-workflows/scripts/incident-response.js +106 -0
  167. package/.mindforge/dynamic-workflows/scripts/onboard-codebase.js +102 -0
  168. package/.mindforge/dynamic-workflows/scripts/perf-optimize.js +128 -0
  169. package/.mindforge/dynamic-workflows/scripts/pr-review.js +87 -0
  170. package/.mindforge/dynamic-workflows/scripts/refactor-plan.js +121 -0
  171. package/.mindforge/dynamic-workflows/scripts/release-prep.js +102 -0
  172. package/.mindforge/dynamic-workflows/scripts/tdd-sprint.js +103 -0
  173. package/.mindforge/dynamic-workflows/scripts/tech-evaluation.js +72 -0
  174. package/.mindforge/memory/sync-manifest.json +1 -1
  175. package/.mindforge/skills/arxiv/SKILL.md +294 -0
  176. package/.mindforge/skills/blogwatcher/SKILL.md +147 -0
  177. package/.mindforge/skills/code-wiki/SKILL.md +457 -0
  178. package/.mindforge/skills/codebase-inspection/SKILL.md +126 -0
  179. package/.mindforge/skills/concept-diagrams/SKILL.md +373 -0
  180. package/.mindforge/skills/creative-ideation/SKILL.md +162 -0
  181. package/.mindforge/skills/domain-intel/SKILL.md +116 -0
  182. package/.mindforge/skills/duckduckgo-search/SKILL.md +249 -0
  183. package/.mindforge/skills/github-code-review/SKILL.md +493 -0
  184. package/.mindforge/skills/github-issues/SKILL.md +382 -0
  185. package/.mindforge/skills/github-pr-workflow/SKILL.md +379 -0
  186. package/.mindforge/skills/jupyter-live-kernel/SKILL.md +179 -0
  187. package/.mindforge/skills/kanban-orchestrator/SKILL.md +227 -0
  188. package/.mindforge/skills/kanban-worker/SKILL.md +206 -0
  189. package/.mindforge/skills/meme-generation/SKILL.md +141 -0
  190. package/.mindforge/skills/obsidian/SKILL.md +80 -0
  191. package/.mindforge/skills/osint-investigation/SKILL.md +288 -0
  192. package/.mindforge/skills/oss-forensics/SKILL.md +421 -0
  193. package/.mindforge/skills/pixel-art/SKILL.md +228 -0
  194. package/.mindforge/skills/plan/SKILL.md +350 -0
  195. package/.mindforge/skills/requesting-code-review/SKILL.md +292 -0
  196. package/.mindforge/skills/research-paper-writing/SKILL.md +2384 -0
  197. package/.mindforge/skills/scrapling/SKILL.md +345 -0
  198. package/.mindforge/skills/sherlock/SKILL.md +203 -0
  199. package/.mindforge/skills/simplify-code/SKILL.md +187 -0
  200. package/.mindforge/skills/spike/SKILL.md +209 -0
  201. package/.mindforge/skills/subagent-driven-development/SKILL.md +364 -0
  202. package/.mindforge/skills/systematic-debugging/SKILL.md +379 -0
  203. package/.mindforge/skills/test-driven-development/SKILL.md +355 -0
  204. package/.mindforge/skills/web-pentest/SKILL.md +327 -0
  205. package/CHANGELOG.md +71 -0
  206. package/MINDFORGE.md +2 -2
  207. package/README.md +72 -3
  208. package/RELEASENOTES.md +109 -0
  209. package/bin/installer-core.js +6 -2
  210. package/bin/mindforge-cli.js +7 -0
  211. package/bin/workflows/workflow-runner.js +110 -0
  212. package/docs/commands-reference.md +25 -0
  213. package/docs/getting-started.md +42 -5
  214. package/package.json +2 -1
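--- /dev/null
+++ b/package/.agent/skills/github-code-review/SKILL.md
@@ -0,0 +1,474 @@
+ ---
+ name: github-code-review
+ description: "Review PRs: diffs, inline comments via gh or REST."
+ version: 1.1.0
+ ---
+
+ # GitHub Code Review
+
+ Perform code reviews on local changes before pushing, or review open PRs on GitHub. Most of this skill uses plain `git` — the `gh`/`curl` split only matters for PR-level interactions.
+
+ ## Prerequisites
+
+ - Authenticated with GitHub (see `github-auth` skill)
+ - Inside a git repository
+
+ ### Setup (for PR interactions)
+
+ ```bash
+ if command -v gh &>/dev/null && gh auth status &>/dev/null; then
+ AUTH="gh"
+ else
+ AUTH="git"
+ if [ -z "$GITHUB_TOKEN" ]; then
+ if _agent_env="${AGENT_HOME:-$HOME/.agent}/.env"; [ -f "$_agent_env" ] && grep -q "^GITHUB_TOKEN=" "$_agent_env"; then
+ GITHUB_TOKEN=$(grep "^GITHUB_TOKEN=" "$_agent_env" | head -1 | cut -d= -f2 | tr -d '\n\r')
+ elif grep -q "github.com" ~/.git-credentials 2>/dev/null; then
+ GITHUB_TOKEN=$(grep "github.com" ~/.git-credentials 2>/dev/null | head -1 | sed 's|https://[^:]*:\([^@]*\)@.*|\1|')
+ fi
+ fi
+ fi
+
+ REMOTE_URL=$(git remote get-url origin)
+ OWNER_REPO=$(echo "$REMOTE_URL" | sed -E 's|.*github\.com[:/]||; s|\.git$||')
+ OWNER=$(echo "$OWNER_REPO" | cut -d/ -f1)
+ REPO=$(echo "$OWNER_REPO" | cut -d/ -f2)
+ ```
+
+ ---
+
+ ## 1. Reviewing Local Changes (Pre-Push)
+
+ This is pure `git` — works everywhere, no API needed.
+
+ ### Get the Diff
+
+ ```bash
+ # Staged changes (what would be committed)
+ git diff --staged
+
+ # All changes vs main (what a PR would contain)
+ git diff main...HEAD
+
+ # File names only
+ git diff main...HEAD --name-only
+
+ # Stat summary (insertions/deletions per file)
+ git diff main...HEAD --stat
+ ```
+
+ ### Review Strategy
+
+ 1. **Get the big picture first:**
+
+ ```bash
+ git diff main...HEAD --stat
+ git log main..HEAD --oneline
+ ```
+
+ 2. **Review file by file** — use `read_file` on changed files for full context, and the diff to see what changed:
+
+ ```bash
+ git diff main...HEAD -- src/auth/login.py
+ ```
+
+ 3. **Check for common issues:**
+
+ ```bash
+ # Debug statements, TODOs, console.logs left behind
+ git diff main...HEAD | grep -n "print(\|console\.log\|TODO\|FIXME\|HACK\|XXX\|debugger"
+
+ # Large files accidentally staged
+ git diff main...HEAD --stat | sort -t'|' -k2 -rn | head -10
+
+ # Secrets or credential patterns
+ git diff main...HEAD | grep -in "password\|secret\|api_key\|token.*=\|private_key"
+
+ # Merge conflict markers
+ git diff main...HEAD | grep -n "<<<<<<\|>>>>>>\|======="
+ ```
+
+ 4. **Present structured feedback** to the user.
+
+ ### Review Output Format
+
+ When reviewing local changes, present findings in this structure:
+
+ ```
+ ## Code Review Summary
+
+ ### Critical
+ - **src/auth.py:45** — SQL injection: user input passed directly to query.
+ Suggestion: Use parameterized queries.
+
+ ### Warnings
+ - **src/models/user.py:23** — Password stored in plaintext. Use bcrypt or argon2.
+ - **src/api/routes.py:112** — No rate limiting on login endpoint.
+
+ ### Suggestions
+ - **src/utils/helpers.py:8** — Duplicates logic in `src/core/utils.py:34`. Consolidate.
+ - **tests/test_auth.py** — Missing edge case: expired token test.
+
+ ### Looks Good
+ - Clean separation of concerns in the middleware layer
+ - Good test coverage for the happy path
+ ```
+
+ ---
+
+ ## 2. Reviewing a Pull Request on GitHub
+
+ ### View PR Details
+
+ **With gh:**
+
+ ```bash
+ gh pr view 123
+ gh pr diff 123
+ gh pr diff 123 --name-only
+ ```
+
+ **With git + curl:**
+
+ ```bash
+ PR_NUMBER=123
+
+ # Get PR details
+ curl -s \
+ -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$OWNER/$REPO/pulls/$PR_NUMBER \
+ | python3 -c "
+ import sys, json
+ pr = json.load(sys.stdin)
+ print(f\"Title: {pr['title']}\")
+ print(f\"Author: {pr['user']['login']}\")
+ print(f\"Branch: {pr['head']['ref']} -> {pr['base']['ref']}\")
+ print(f\"State: {pr['state']}\")
+ print(f\"Body:\n{pr['body']}\")"
+
+ # List changed files
+ curl -s \
+ -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$OWNER/$REPO/pulls/$PR_NUMBER/files \
+ | python3 -c "
+ import sys, json
+ for f in json.load(sys.stdin):
+ print(f\"{f['status']:10} +{f['additions']:-4} -{f['deletions']:-4} {f['filename']}\")"
+ ```
+
+ ### Check Out PR Locally for Full Review
+
+ This works with plain `git` — no `gh` needed:
+
+ ```bash
+ # Fetch the PR branch and check it out
+ git fetch origin pull/123/head:pr-123
+ git checkout pr-123
+
+ # Now you can use read_file, search_files, run tests, etc.
+
+ # View diff against the base branch
+ git diff main...pr-123
+ ```
+
+ **With gh (shortcut):**
+
+ ```bash
+ gh pr checkout 123
+ ```
+
+ ### Leave Comments on a PR
+
+ **General PR comment — with gh:**
+
+ ```bash
+ gh pr comment 123 --body "Overall looks good, a few suggestions below."
+ ```
+
+ **General PR comment — with curl:**
+
+ ```bash
+ curl -s -X POST \
+ -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$OWNER/$REPO/issues/$PR_NUMBER/comments \
+ -d '{"body": "Overall looks good, a few suggestions below."}'
+ ```
+
+ ### Leave Inline Review Comments
+
+ **Single inline comment — with gh (via API):**
+
+ ```bash
+ HEAD_SHA=$(gh pr view 123 --json headRefOid --jq '.headRefOid')
+
+ gh api repos/$OWNER/$REPO/pulls/123/comments \
+ --method POST \
+ -f body="This could be simplified with a list comprehension." \
+ -f path="src/auth/login.py" \
+ -f commit_id="$HEAD_SHA" \
+ -f line=45 \
+ -f side="RIGHT"
+ ```
+
+ **Single inline comment — with curl:**
+
+ ```bash
+ # Get the head commit SHA
+ HEAD_SHA=$(curl -s \
+ -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$OWNER/$REPO/pulls/$PR_NUMBER \
+ | python3 -c "import sys,json; print(json.load(sys.stdin)['head']['sha'])")
+
+ curl -s -X POST \
+ -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$OWNER/$REPO/pulls/$PR_NUMBER/comments \
+ -d "{
+ \"body\": \"This could be simplified with a list comprehension.\",
+ \"path\": \"src/auth/login.py\",
+ \"commit_id\": \"$HEAD_SHA\",
+ \"line\": 45,
+ \"side\": \"RIGHT\"
+ }"
+ ```
+
+ ### Submit a Formal Review (Approve / Request Changes)
+
+ **With gh:**
+
+ ```bash
+ gh pr review 123 --approve --body "LGTM!"
+ gh pr review 123 --request-changes --body "See inline comments."
+ gh pr review 123 --comment --body "Some suggestions, nothing blocking."
+ ```
+
+ **With curl — multi-comment review submitted atomically:**
+
+ ```bash
+ HEAD_SHA=$(curl -s \
+ -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$OWNER/$REPO/pulls/$PR_NUMBER \
+ | python3 -c "import sys,json; print(json.load(sys.stdin)['head']['sha'])")
+
+ curl -s -X POST \
+ -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$OWNER/$REPO/pulls/$PR_NUMBER/reviews \
+ -d "{
+ \"commit_id\": \"$HEAD_SHA\",
+ \"event\": \"COMMENT\",
+ \"body\": \"Code review from
+ \"comments\": [
+ {\"path\": \"src/auth.py\", \"line\": 45, \"body\": \"Use parameterized queries to prevent SQL injection.\"},
+ {\"path\": \"src/models/user.py\", \"line\": 23, \"body\": \"Hash passwords with bcrypt before storing.\"},
+ {\"path\": \"tests/test_auth.py\", \"line\": 1, \"body\": \"Add test for expired token edge case.\"}
+ ]
+ }"
+ ```
+
+ Event values: `"APPROVE"`, `"REQUEST_CHANGES"`, `"COMMENT"`
+
+ The `line` field refers to the line number in the *new* version of the file. For deleted lines, use `"side": "LEFT"`.
+
+ ---
+
+ ## 3. Review Checklist
+
+ When performing a code review (local or PR), systematically check:
+
+ ### Correctness
+ - Does the code do what it claims?
+ - Edge cases handled (empty inputs, nulls, large data, concurrent access)?
+ - Error paths handled gracefully?
+
+ ### Security
+ - No hardcoded secrets, credentials, or API keys
+ - Input validation on user-facing inputs
+ - No SQL injection, XSS, or path traversal
+ - Auth/authz checks where needed
+
+ ### Code Quality
+ - Clear naming (variables, functions, classes)
+ - No unnecessary complexity or premature abstraction
+ - DRY — no duplicated logic that should be extracted
+ - Functions are focused (single responsibility)
+
+ ### Testing
+ - New code paths tested?
+ - Happy path and error cases covered?
+ - Tests readable and maintainable?
+
+ ### Performance
+ - No N+1 queries or unnecessary loops
+ - Appropriate caching where beneficial
+ - No blocking operations in async code paths
+
+ ### Documentation
+ - Public APIs documented
+ - Non-obvious logic has comments explaining "why"
+ - README updated if behavior changed
+
+ ---
+
+ ## 4. Pre-Push Review Workflow
+
+ When the user asks you to "review the code" or "check before pushing":
+
+ 1. `git diff main...HEAD --stat` — see scope of changes
+ 2. `git diff main...HEAD` — read the full diff
+ 3. For each changed file, use `read_file` if you need more context
+ 4. Apply the checklist above
+ 5. Present findings in the structured format (Critical / Warnings / Suggestions / Looks Good)
+ 6. If critical issues found, offer to fix them before the user pushes
+
+ ---
+
+ ## 5. PR Review Workflow (End-to-End)
+
+ When the user asks you to "review PR #N", "look at this PR", or gives you a PR URL, follow this recipe:
+
+ ### Step 1: Set up environment
+
+ ```bash
+ source "${AGENT_HOME:-$HOME/.agent}/skills/github/github-auth/scripts/gh-env.sh"
+ # Or run the inline setup block from the top of this skill
+ ```
+
+ ### Step 2: Gather PR context
+
+ Get the PR metadata, description, and list of changed files to understand scope before diving into code.
+
+ **With gh:**
+ ```bash
+ gh pr view 123
+ gh pr diff 123 --name-only
+ gh pr checks 123
+ ```
+
+ **With curl:**
+ ```bash
+ PR_NUMBER=123
+
+ # PR details (title, author, description, branch)
+ curl -s -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$GH_OWNER/$GH_REPO/pulls/$PR_NUMBER
+
+ # Changed files with line counts
+ curl -s -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$GH_OWNER/$GH_REPO/pulls/$PR_NUMBER/files
+ ```
+
+ ### Step 3: Check out the PR locally
+
+ This gives you full access to `read_file`, `search_files`, and the ability to run tests.
+
+ ```bash
+ git fetch origin pull/$PR_NUMBER/head:pr-$PR_NUMBER
+ git checkout pr-$PR_NUMBER
+ ```
+
+ ### Step 4: Read the diff and understand changes
+
+ ```bash
+ # Full diff against the base branch
+ git diff main...HEAD
+
+ # Or file-by-file for large PRs
+ git diff main...HEAD --name-only
+ # Then for each file:
+ git diff main...HEAD -- path/to/file.py
+ ```
+
+ For each changed file, use `read_file` to see full context around the changes — diffs alone can miss issues visible only with surrounding code.
+
+ ### Step 5: Run automated checks locally (if applicable)
+
+ ```bash
+ # Run tests if there's a test suite
+ python -m pytest 2>&1 | tail -20
+ # or: npm test, cargo test, go test ./..., etc.
+
+ # Run linter if configured
+ ruff check . 2>&1 | head -30
+ # or: eslint, clippy, etc.
+ ```
+
+ ### Step 6: Apply the review checklist (Section 3)
+
+ Go through each category: Correctness, Security, Code Quality, Testing, Performance, Documentation.
+
+ ### Step 7: Post the review to GitHub
+
+ Collect your findings and submit them as a formal review with inline comments.
+
+ **With gh:**
+ ```bash
+ # If no issues — approve
+ gh pr review $PR_NUMBER --approve --body "Reviewed by
+
+ # If issues found — request changes with inline comments
+ gh pr review $PR_NUMBER --request-changes --body "Found a few issues — see inline comments."
+ ```
+
+ **With curl — atomic review with multiple inline comments:**
+ ```bash
+ HEAD_SHA=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$GH_OWNER/$GH_REPO/pulls/$PR_NUMBER \
+ | python3 -c "import sys,json; print(json.load(sys.stdin)['head']['sha'])")
+
+ # Build the review JSON — event is APPROVE, REQUEST_CHANGES, or COMMENT
+ curl -s -X POST \
+ -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/$GH_OWNER/$GH_REPO/pulls/$PR_NUMBER/reviews \
+ -d "{
+ \"commit_id\": \"$HEAD_SHA\",
+ \"event\": \"REQUEST_CHANGES\",
+ \"body\": \"##
+ \"comments\": [
+ {\"path\": \"src/auth.py\", \"line\": 45, \"body\": \"🔴 **Critical:** User input passed directly to SQL query — use parameterized queries.\"},
+ {\"path\": \"src/models.py\", \"line\": 23, \"body\": \"⚠️ **Warning:** Password stored without hashing.\"},
+ {\"path\": \"src/utils.py\", \"line\": 8, \"body\": \"💡 **Suggestion:** This duplicates logic in core/utils.py:34.\"}
+ ]
+ }"
+ ```
+
+ ### Step 8: Also post a summary comment
+
+ In addition to inline comments, leave a top-level summary so the PR author gets the full picture at a glance. Use the review output format from `references/review-output-template.md`.
+
+ **With gh:**
+ ```bash
+ gh pr comment $PR_NUMBER --body "$(cat <<'EOF'
+ ## Code Review Summary
+
+ **Verdict: Changes Requested** (2 issues, 1 suggestion)
+
+ ### 🔴 Critical
+ - **src/auth.py:45** — SQL injection vulnerability
+
+ ### ⚠️ Warnings
+ - **src/models.py:23** — Plaintext password storage
+
+ ### 💡 Suggestions
+ - **src/utils.py:8** — Duplicated logic, consider consolidating
+
+ ### ✅ Looks Good
+ - Clean API design
+ - Good error handling in the middleware layer
+
+ ---
+ *Reviewed by
+ EOF
+ )"
+ ```
+
+ ### Step 9: Clean up
+
+ ```bash
+ git checkout main
+ git branch -D pr-$PR_NUMBER
+ ```
+
+ ### Decision: Approve vs Request Changes vs Comment
+
+ - **Approve** — no critical or warning-level issues, only minor suggestions or all clear
+ - **Request Changes** — any critical or warning-level issue that should be fixed before merge
+ - **Comment** — observations and suggestions, but nothing blocking (use when you're unsure or the PR is a draft)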
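Review bot: The `~/.git-credentials` fallback in the Setup block selects its line too loosely: `grep "github.com"` is unanchored and treats `.` as a wildcard, so the first line that merely contains that text is used, and because the `sed` runs without `-n`/`p`, a line that does not fit the `user:secret@host` shape is copied whole into `GITHUB_TOKEN`. Whatever ends up in that variable is then sent in the `Authorization` header of every `curl` example in this file. Anchor on the host and print only on a match, for example `GITHUB_TOKEN=$(sed -n 's|^https://[^:]*:\([^@]*\)@github\.com$|\1|p' ~/.git-credentials 2>/dev/null | head -1)`, and stop with a clear message when the result is empty. Separately, the `--body "Reviewed by`, `\"body\": \"Code review from` and `\"body\": \"##` lines end with their quotes unterminated on this page, and Section 5 uses `$GH_OWNER`/`$GH_REPO` where the inline setup block defines `$OWNER`/`$REPO`; both are worth checking against the published file.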
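--- /dev/null
+++ b/package/.agent/skills/github-code-review/references/review-output-template.md
@@ -0,0 +1,74 @@
+ # Review Output Template
+
+ Use this as the structure for PR review summary comments. Copy and fill in the sections.
+
+ ## For PR Summary Comment
+
+ ```markdown
+ ## Code Review Summary
+
+ **Verdict: [Approved ✅ | Changes Requested 🔴 | Reviewed 💬]** ([N] issues, [N] suggestions)
+
+ **PR:** #[number] — [title]
+ **Author:** @[username]
+ **Files changed:** [N] (+[additions] -[deletions])
+
+ ### 🔴 Critical
+ <!-- Issues that MUST be fixed before merge -->
+ - **file.py:line** — [description]. Suggestion: [fix].
+
+ ### ⚠️ Warnings
+ <!-- Issues that SHOULD be fixed, but not strictly blocking -->
+ - **file.py:line** — [description].
+
+ ### 💡 Suggestions
+ <!-- Non-blocking improvements, style preferences, future considerations -->
+ - **file.py:line** — [description].
+
+ ### ✅ Looks Good
+ <!-- Call out things done well — positive reinforcement -->
+ - [aspect that was done well]
+
+ ---
+ *Reviewed by
+ ```
+
+ ## Severity Guide
+
+ | Level | Icon | When to use | Blocks merge? |
+ |-------|------|-------------|---------------|
+ | Critical | 🔴 | Security vulnerabilities, data loss risk, crashes, broken core functionality | Yes |
+ | Warning | ⚠️ | Bugs in non-critical paths, missing error handling, missing tests for new code | Usually yes |
+ | Suggestion | 💡 | Style improvements, refactoring ideas, performance hints, documentation gaps | No |
+ | Looks Good | ✅ | Clean patterns, good test coverage, clear naming, smart design decisions | N/A |
+
+ ## Verdict Decision
+
+ - **Approved ✅** — Zero critical/warning items. Only suggestions or all clear.
+ - **Changes Requested 🔴** — Any critical or warning item exists.
+ - **Reviewed 💬** — Observations only (draft PRs, uncertain findings, informational).
+
+ ## For Inline Comments
+
+ Prefix inline comments with the severity icon so they're scannable:
+
+ ```
+ 🔴 **Critical:** User input passed directly to SQL query — use parameterized queries to prevent injection.
+ ```
+
+ ```
+ ⚠️ **Warning:** This error is silently swallowed. At minimum, log it.
+ ```
+
+ ```
+ 💡 **Suggestion:** This could be simplified with a dict comprehension:
+ `{k: v for k, v in items if v is not None}`
+ ```
+
+ ```
+ ✅ **Nice:** Good use of context manager here — ensures cleanup on exceptions.
+ ```
+
+ ## For Local (Pre-Push) Review
+
+ When reviewing locally before push, use the same structure but present it as a message to the user instead of a PR comment. Skip the PR metadata header and just start with the severity sections.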