Review Guardrails Skill
When to Use
Activate when the user wants to:
- •Review changes against coding standards and guardrails
- •Validate a changeset before committing or merging
- •Audit code for security, style, or compliance issues
- •Check that changes stay within the allowed scope of a plan
User Preferences
Before reviewing, resolve the user's Profile:
- •Check for
.github/copilot-preferences.ymlor.vscode/copilot-preferences.ymlin the workspace. - •Load policy packs from
policy/packs/*.ymland overrides frompolicy/module-policy.ymlorpolicy/modules/*.ymlif they exist. - •Use the resolved Profile to determine language-specific idioms, diff-size caps, and logging conventions.
Inputs (choose one for the changeset)
- •A) Path to a unified diff file (e.g.,
review/changes.diff), or - •B) Path to a newline-separated list of changed files prefixed by status (
A,M,D), or - •C) The latest
## Change Summaryblock from the issue body.
Also provide the issue file path for front-matter context (phase, plan_lock, status).
What to Read
- •Policy packs under
policy/packs/*.ymland optional overrides inpolicy/module-policy.yml→ resolved Profile. - •Issue front-matter + sections (Plan, Impacted Files, Brainstorm, Activity).
- •
local_issues/_artifacts/*.json(union) forallowed_pathsand currentphase.
Checks (hard → soft)
- •Plan Lock & Mode: if any related issue has
status: brainstormorplan_lock: falseand there are code changes → Fail. - •Plan Presence: if code changes exist but no
_artifacts/plan.json→ Fail. - •Allowlist: every changed path must fall under
## Impacted Filesandplan.json.allowed_paths(union, normalized) → Fail on out-of-scope files. - •Phase Discipline: only steps tagged
phase:<n>wheren= current issuephase. Touched paths belonging to later phases → Warn. - •Generated Files: modifications to
dist/,build/,target/generated-sources/,*.generated.*, or files containingDO NOT EDIT/@Generated→ Fail. - •Language Idioms (Profile):
- •Java: prefer canonical logging per Profile (default slf4j); flag Python logging/JUL in new edits.
- •Python: prefer canonical
logging; flag SLF4J/JUL; encourage lazy formatting. - •Node/TS: prefer canonical logger (e.g., pino); flag
console.login production code. → Fail for cross-language API usage in new edits; Warn for style divergences.
- •Secrets in Logs: added log lines containing
password|token|secret|api_key|Bearer→ Fail. - •Reachability: new classes/functions not referenced by production code or tests → Warn (Fail if large/new subsystems with zero references).
- •Observability Hygiene: logging placeholders vs string concatenation; unbounded cardinality; missing metrics/traces on critical paths → Warn.
- •Diff Size (advisory): if touched lines of code exceed cap from Profile (default 400), suggest splitting → Note.
Output Format
- •Guardrails Report with sections: Fails, Warnings, Notes.
- •For each finding: Rule → Evidence (paths/snippets) → Remediation.
- •End with a concise Decision:
approve/approve-with-changes/reject.
Steps
- •Resolve Profile from packs/overrides; print a short Profile summary.
- •Load issues and artifacts; parse issue front-matter and union of
_artifacts/*.jsonforallowed_paths. - •Collect changes from (A) diff, (B) changed-files list, or (C) Change Summary. Normalize paths.
- •Run checks 1–10. Prefer scanning added lines when a diff is provided; otherwise scan current file content and note uncertainty.
- •Produce the Guardrails Report. Do not modify any file. If inputs are insufficient, output a Needs-Info section listing the minimal artifacts required.
Guardrails
- •This skill never edits code, plans, or phases — it only inspects and reports.
- •Do not call CLIs or the network.