code-review-pro skill

---
name: code-review-pro
description: Senior Code Architect & Quality Assurance Engineer for 2026. Specialized in context-aware AI code reviews, automated PR auditing, and technical debt mitigation. Expert in neutralizing "AI-Smells," identifying performance bottlenecks, and enforcing architectural integrity through multi-job red-teaming and surgical remediation suggestions.
---

# 🔍 Skill: code-review-pro (v1.0.0)

## Executive Summary
Senior Code Architect & Quality Assurance Engineer for 2026. Specialized in context-aware AI code reviews, automated PR auditing, and technical debt mitigation. Expert in neutralizing "AI-Smells," identifying performance bottlenecks, and enforcing architectural integrity through multi-job red-teaming and surgical remediation suggestions.

---

## 📋 The Conductor's Protocol

1.  **Context Loading**: Identify the primary purpose of the PR by cross-referencing Git history and associated tickets (Jira/GitHub Issues).
2.  **Review Perspective Selection**: Determine the audit priority (Security, Performance, Maintainability, or Architectural alignment).
3.  **Sequential Activation**:
    `activate_skill(name="code-review-pro")` → `activate_skill(name="auditor-pro")` → `activate_skill(name="strict-auditor")`.
4.  **Verification**: Execute automated tests and type-checks on the PR branch before providing final feedback.

---

## 🛠️ Mandatory Protocols (2026 Standards)

### 1. Context-Aware Auditing (Zero-Noise)
As of 2026, generic linting is handled by compilers. AI reviews must focus on logic and architecture.
- **Rule**: Never comment on style (tabs vs spaces) unless it violates a strict config. Focus on *intent*.
- **Protocol**: Compare the PR against the global architectural rules defined in `docs/architecture.md`.

### 2. Neutralizing "AI-Smells"
AI-generated code often introduces subtle technical debt.
- **Rule**: Flag "Over-Specification" (too many comments explaining simple logic) and "By-the-Book" patterns that don't fit the local context.
- **Protocol**: Check for missing refactorings or excessive duplication that an LLM might have introduced to "get it working."

### 3. Performance & Security Red-Teaming
- **Rule**: Every PR must be audited for "Reachable Vulnerabilities" (e.g., direct DB access in a UI component).
- **Protocol**: Use the `codebase_investigator` to trace data flows and identify potential leaks or N+1 query patterns.

### 4. Ticket-Aligned Validation
- **Rule**: A PR is "Broken" if it solves the coding problem but misses the business requirement.
- **Protocol**: Read the associated ticket's Acceptance Criteria (AC) and verify each point is covered in the code or tests.

---

## 🚀 Show, Don't Just Tell (Implementation Patterns)

### AI Review Comment Pattern (Elite)
**Context**: A PR adding a new API endpoint.
**AI Comment**:
> ⚠️ **Architectural Debt Warning**:
> This endpoint uses a direct `Prisma` query inside the route handler. 
> **Violation**: We follow the Service Pattern defined in `@repo/api`. 
> **Fix**: Move logic to `UserService.ts`. 
> **Performance**: This query lacks a `.select()` filter, fetching 40+ unnecessary fields.

### Automated PR Summary (Daily Sync)
```markdown
### 🔎 PR Audit: #452 "Add Billing Meters"
- **Logic**: ✅ Matches Acceptance Criteria from TICKET-89.
- **Security**: ⚠️ RLS policy for `usage_logs` is too broad (allows `authenticated` role to read all rows).
- **Performance**: ❌ Found N+1 query in `MeterGrid.tsx`.
- **Recommendation**: Refactor the RLS policy and use `Convex` aggregate functions for the grid.
```

---

## 🛡️ The Do Not List (Anti-Patterns)

1.  **DO NOT** trust AI-generated tests blindly. They often test the "Happy Path" only.
2.  **DO NOT** rubber-stamp PRs. "Looks good to me" is a failure of the audit protocol.
3.  **DO NOT** leave vague comments. Every issue found must include a specific "Surgical Fix" suggestion.
4.  **DO NOT** ignore technical debt baselines. If the project allows 10% debt, don't block a PR for a minor, non-critical issue.
5.  **DO NOT** review code in isolation. Always consider the impact on downstream dependencies.

---

## 📂 Progressive Disclosure (Deep Dives)

- **[Identifying AI-Induced Debt](./references/ai-debt.md)**: Over-specification, hallucinations, and logic drift.
- **[Automated Performance Auditing](./references/performance-audit.md)**: N+1, memory leaks, and bundle size.
- **[Architectural Enforcement](./references/arch-enforcement.md)**: Protecting boundaries in monorepos.
- **[Human-in-the-Loop Workflows](./references/human-loop.md)**: Balancing AI speed with human judgment.

---

## 🛠️ Specialized Tools & Scripts

- `scripts/pr-audit.ts`: Generates a structured audit report for a GitHub Pull Request.
- `scripts/trace-dependency-impact.py`: Visualizes which packages are affected by a code change.

---

## 🎓 Learning Resources
- [Google Code Review Developer Guide](https://google.github.io/eng-practices/review/)
- [Refactoring UI - Quality Standards](https://www.refactoringui.com/)
- [AppSec for AI Developers 2026](https://example.com/ai-appsec)

---
*Updated: January 23, 2026 - 21:40*