codebase-review

```sh
$ npx mdskill add HoangNguyen0403/agent-skills-standard/codebase-review
```

SKILL.md: `.github/skills/codebase-review`
---
name: codebase-review
description: "Review an entire codebase against framework best practices and generate a prioritized improvement plan."
metadata:
  triggers:
    keywords:
      - codebase review
      - workflow
---
# Codebase Review Skill
> [!IMPORTANT]
> Review an entire codebase against framework best practices and generate a prioritized improvement plan.
## Instructions
When the user asks to perform this workflow, execute the following steps:
# 🛸 Codebase Review Orchestrator
> **Goal**: Evaluate an entire codebase for health, security, and architecture. Deliver a quantified **Health Score (0-100)** and a phased improvement plan.
---
## Step 1 — Target Discovery & Tech Stack
Identify the core framework and source directories.
1. Run `ls -F` and read `package.json`, `pubspec.yaml`, or `go.mod`.
2. Load `common-architecture-audit`; if synced references are available, map `$SRC`, `$TEST`, and `$EXT` with `<SKILLS>/common/common-architecture-audit/references/detection.md`.
---
## Step 2 — Breadth Scan (SAST & Security)
Identify P0 vulnerabilities and codebase metrics.
1. Load `common-security-audit` and `common-owasp` skills.
2. Execute the SAST commands documented in `<SKILLS>/common/common-security-audit/references/signals.md` when available.
3. Apply `<SKILLS>/common/common-security-audit/references/vibe-security-scan.md` to prioritize common AI-generated security gaps.
---
## Step 3 — Deep Audit: Multi-Layer Lenses
Pick the largest non-generated files (>600 LOC) and apply the following lenses:
1. **Architecture & Logic** from `common-code-review`.
2. **Silent Failures** from `common-code-review`.
3. **Type Design** from `common-code-review`.
4. **AI Safety** from `common-llm-security` if LLM code exists.
5. **Vibe Security**: Trace any Vibe Scan hit from source to reachable route before scoring.
---
## Step 4 — Scored Report & Feedback Loop
**Scoring Calculation**: Start at 100. Apply deductions per finding:
- 🔴 Critical: -15 | 🟠 High: -8 | 🟡 Medium: -3 | 🔵 Low: -1
- **Cap**: Score is capped at 40 if any 🔴 P0 finding exists.
### 📊 Report Format
Output the report using `<SKILLS>/common/common-code-review/references/report.md` when synced; otherwise include Audit Dashboard and Phased Plan sections.
### 🔄 Skill Feedback Loop (Mandatory)
For every **Critical** or **High** finding, if an active skill should have prevented it:
1. Update that skill's `SKILL.md` with an Anti-Pattern rule.
2. Update its `evals/evals.json` with a new assertion.
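An added example (not part of the skill or the HoangNguyen0403 repository) that implements the Step 4 scoring rule in Python, so the deduction and cap arithmetic can be checked before a report is written. It assumes a floor of 0 (the skill does not say), reads Critical as the P0 tier because both carry the same 🔴 marker, and models Step 3's "trace to a reachable route" requirement as a `reachable` flag on each finding.

```python
from dataclasses import dataclass

# Deductions from Step 4. "Critical" is read as the P0 tier, since the skill
# marks both with the same red marker.
DEDUCTION = {"critical": 15, "high": 8, "medium": 3, "low": 1}
P0_CAP = 40   # score may not exceed 40 when any critical finding is counted
FLOOR = 0     # assumption: the skill does not say, so the score bottoms out at 0


@dataclass(frozen=True)
class Finding:
    severity: str           # one of DEDUCTION's keys
    title: str
    reachable: bool = True  # Step 3.5: a scan hit counts only once traced to a route


def health_score(findings):
    """Return (score, cap_applied) following the Step 4 rules."""
    counted = [f for f in findings if f.reachable]
    unknown = {f.severity for f in counted} - set(DEDUCTION)
    if unknown:
        raise ValueError(f"unknown severity: {sorted(unknown)}")
    score = max(FLOOR, 100 - sum(DEDUCTION[f.severity] for f in counted))
    cap_applied = any(f.severity == "critical" for f in counted)
    if cap_applied:
        score = min(score, P0_CAP)
    return score, cap_applied


def phased_plan(findings):
    """Group counted findings by severity, most severe first (Phase 1 = critical)."""
    counted = [f for f in findings if f.reachable]
    plan = []
    for sev in DEDUCTION:  # dict order is critical, high, medium, low
        titles = [f.title for f in counted if f.severity == sev]
        if titles:
            plan.append((sev, titles))
    return plan


if __name__ == "__main__":
    # Constructed sample findings, not taken from any real codebase.
    sample = [
        Finding("critical", "SQL query built by string concatenation"),
        Finding("high", "Secrets committed in a config file"),
        Finding("medium", "Webhook handler swallows exceptions"),
        Finding("low", "Unused dependency in package.json"),
        Finding("high", "Scan hit in unreachable dead code", reachable=False),
    ]
    print(health_score(sample))  # (40, True): 100-15-8-3-1 = 73, then capped at 40
    print(phased_plan(sample))
```

The unreachable High finding is excluded from both the score and the plan, which is the Step 3 rule that a Vibe Scan hit must be traced to a route before it counts.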