codebase-review

$npx mdskill add HoangNguyen0403/agent-skills-standard/codebase-review

> [!IMPORTANT]
> Review an entire codebase against framework best practices and generate a prioritized improvement plan.

SKILL.md (`.github/skills/codebase-review`)
---
name: codebase-review
description: "Review an entire codebase against framework best practices and generate a prioritized improvement plan."
metadata:
  triggers:
    keywords:
    - codebase review
    - workflow
---
# Codebase Review Skill

> [!IMPORTANT]
> Review an entire codebase against framework best practices and generate a prioritized improvement plan.

## Instructions

When the user asks to perform this workflow, execute the following steps:
# 🛸 Codebase Review Orchestrator

> **Goal**: Evaluate an entire codebase for health, security, and architecture. Deliver a quantified **Health Score (0-100)** and a phased improvement plan.

---

## Step 1 — Target Discovery & Tech Stack

Identify the core framework and source directories.

1. Run `ls -F` and read `package.json`, `pubspec.yaml`, or `go.mod`.
2. Load `common-architecture-audit`; if synced references are available, map `$SRC`, `$TEST`, and `$EXT` with `<SKILLS>/common/common-architecture-audit/references/detection.md`.

---

## Step 2 — Breadth Scan (SAST & Security)

Identify P0 vulnerabilities and codebase metrics.

1. Load `common-security-audit` and `common-owasp` skills.
2. Execute the SAST commands documented in `<SKILLS>/common/common-security-audit/references/signals.md` when available.
3. Apply `<SKILLS>/common/common-security-audit/references/vibe-security-scan.md` to prioritize common AI-generated security gaps.

---

## Step 3 — Deep Audit: Multi-Layer Lenses

Pick the largest non-generated files (>600 LOC) and apply the following lenses:

1. **Architecture & Logic** from `common-code-review`.
2. **Silent Failures** from `common-code-review`.
3. **Type Design** from `common-code-review`.
4. **AI Safety** from `common-llm-security` if LLM code exists.
5. **Vibe Security**: Trace any Vibe Scan hit from its source to a reachable route before scoring; an untraced hit is not yet a confirmed finding.

---

## Step 4 — Scored Report & Feedback Loop

**Scoring Calculation**: Start at 100. Apply deductions per finding:

- 🔴 Critical: -15 | 🟠 High: -8 | 🟡 Medium: -3 | 🔵 Low: -1
- **Cap**: Score is capped at 40 if any 🔴 P0 finding exists.
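The scoring rule above, together with the Step 3 requirement that Vibe Scan hits be traced to a reachable route before they count, as an added worked example (not part of the skill itself). It assumes a finding is a dict with `id`, `severity` and optional `source`/`reachable` keys, that untraced Vibe Scan hits are excluded from scoring, and that the score is clamped at 0.

```python
"""Health Score calculator for Step 4 of the Codebase Review skill.

Added example, not the skill's own code. Assumed finding shape:
{"id": str, "severity": str, "source": str, "reachable": bool}.
"""
from collections import Counter

DEDUCTIONS = {"critical": 15, "high": 8, "medium": 3, "low": 1}
P0_CAP = 40  # once any Critical (P0) finding exists the score cannot exceed 40


def scorable(finding: dict) -> bool:
    """Step 3.5 (assumption): a Vibe Scan hit counts only once it has been
    traced from source to a reachable route; other findings always count."""
    if finding.get("source") == "vibe-scan":
        return bool(finding.get("reachable", False))
    return True


def health_score(findings: list) -> int:
    """Start at 100, deduct per finding, cap at 40 if any P0, clamp at 0."""
    score = 100
    has_p0 = False
    for f in filter(scorable, findings):
        sev = f["severity"].lower()
        if sev not in DEDUCTIONS:
            raise ValueError(f"unknown severity {sev!r} in finding {f.get('id')}")
        score -= DEDUCTIONS[sev]
        has_p0 = has_p0 or sev == "critical"
    if has_p0:
        score = min(score, P0_CAP)
    return max(score, 0)  # assumption: negative totals are reported as 0


def audit_dashboard(findings: list) -> dict:
    """Counts per severity for the Audit Dashboard, plus the excluded hits."""
    counts = Counter(f["severity"].lower() for f in filter(scorable, findings))
    return {
        "score": health_score(findings),
        "counts": {sev: counts.get(sev, 0) for sev in DEDUCTIONS},
        "excluded_untraced": sum(1 for f in findings if not scorable(f)),
    }


# Constructed sample findings (not taken from any real codebase)
SAMPLE_FINDINGS = [
    {"id": "F1", "severity": "High", "source": "sast"},
    {"id": "F2", "severity": "Medium", "source": "review"},
    {"id": "F3", "severity": "Low", "source": "review"},
    {"id": "F4", "severity": "Critical", "source": "vibe-scan", "reachable": False},
    {"id": "F5", "severity": "Critical", "source": "vibe-scan", "reachable": True},
]

if __name__ == "__main__":
    print(audit_dashboard(SAMPLE_FINDINGS))
```

With the sample set, the raw deductions (8 + 3 + 1 + 15) would leave 73, but the traced Critical hit triggers the P0 cap and the reported score is 40.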

### 📊 Report Format

Output the report using `<SKILLS>/common/common-code-review/references/report.md` when synced; otherwise include Audit Dashboard and Phased Plan sections.

### 🔄 Skill Feedback Loop (Mandatory)

For every **Critical** or **High** finding, if an active skill should have prevented it:

1. Update that skill's `SKILL.md` with an Anti-Pattern rule.
2. Update its `evals/evals.json` with a new assertion.
