AgentSkillsCN

review

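Audits code for compliance with Outfitter Stack conventions, including Result types, error handling, logging patterns, and path safety. Use for pre-commit code reviews, code quality checks, migration validation, or when "audit", "check compliance", "review stack", or "stack patterns" are mentioned.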

SKILL.md
--- frontmatter
name: review
version: 0.1.0
description: Audits code for Outfitter Stack compliance including Result types, error handling, logging patterns, and path safety. Use for pre-commit reviews, code quality checks, migration validation, or when "audit", "check compliance", "review stack", or "stack patterns" are mentioned.
allowed-tools: Read Grep Glob Bash(rg *)

Stack Compliance Review

Audit code for @outfitter/* pattern compliance.

Quick Audit

bash
# Critical issues
rg "throw new|catch \(" --type ts -c

# Console usage
rg "console\.(log|error|warn)" --type ts -c

# Handler patterns
rg "Handler<" --type ts -A 2

Checklist

Result Types

  • Handlers return Result<T, E>, not thrown exceptions
  • Errors use taxonomy classes (ValidationError, NotFoundError, etc.)
  • Result checks use isOk() / isErr(), not try/catch
  • Combined results use combine2, combine3, etc.

Anti-patterns:

typescript
// BAD: Throwing
if (!user) throw new Error("Not found");

// GOOD: Result.err
if (!user) return Result.err(new NotFoundError("user", id));

// BAD: try/catch for control flow
try { await handler(input, ctx); } catch (e) { ... }

// GOOD: Result checking
const result = await handler(input, ctx);
if (result.isErr()) { ... }

Error Taxonomy

  • Errors from @outfitter/contracts
  • category matches use case
  • _tag used for pattern matching

| Category | Use For |
|----------|---------|
| validation | Invalid input, schema failures |
| not_found | Resource doesn't exist |
| conflict | Already exists, version mismatch |
| permission | Forbidden action |
| internal | Unexpected errors, bugs |

Logging

  • Uses ctx.logger, not console.log
  • Metadata is object, not string concatenation
  • Sensitive fields redacted

Anti-patterns:

typescript
// BAD
console.log("User " + user.name);
logger.info("Config: " + JSON.stringify(config));

// GOOD
ctx.logger.info("Processing", { userId: user.id });
ctx.logger.debug("Config loaded", { config });  // redaction enabled

Path Safety

  • User paths validated with securePath()
  • No hardcoded ~/. paths
  • XDG paths via @outfitter/config
  • Atomic writes for file modifications

Anti-patterns:

typescript
// BAD
const configPath = path.join(os.homedir(), ".myapp", "config.json");
const userFile = path.join(baseDir, userInput);  // traversal risk!

// GOOD
const configDir = getConfigDir("myapp");
const configPath = path.join(configDir, "config.json");  // derive the file path from the XDG dir
const result = securePath(userInput, workspaceRoot);
await atomicWriteJson(configPath, data);

Context Propagation

  • createContext() at entry points
  • Context passed through handler chain
  • requestId used for tracing

Validation

  • Uses createValidator() with Zod
  • Validation at handler entry
  • Validation errors returned, not thrown

Output

  • CLI uses await output() with mode detection
  • exitWithError() for error exits
  • Exit codes from error categories

Audit Commands

bash
# Find thrown exceptions
rg "throw new" --type ts

# Find console usage
rg "console\.(log|error|warn)" --type ts

# Find hardcoded paths
rg "(homedir|~/\.)" --type ts

# Find custom errors
rg "class \w+Error extends Error" --type ts

# Find handlers without context
rg "Handler<.*> = async \(input\)" --type ts

Severity Levels

| Level | Examples |
|-------|----------|
| Critical | Thrown exceptions, unvalidated paths, missing error handling |
| High | Console logging, hardcoded paths, missing context |
| Medium | Missing type annotations, non-atomic writes |
| Low | Style issues, missing documentation |

Report Format

markdown
## Stack Compliance: [file/module]

**Status**: PASS | WARNINGS | FAIL
**Issues**: X critical, Y high, Z medium

### Critical
1. [file:line] Issue description

### High
1. [file:line] Issue description

### Recommendations
- Recommendation with fix
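
The audit commands, severity table and report format above can be combined into a single pass. The TypeScript below is an added example, not part of this skill or of the Outfitter Stack: the rule list mirrors the page's rg patterns and severity levels, while the helper names, the sample source, the comment-line skip and the status mapping (any critical finding gives FAIL, any other finding gives WARNINGS) are assumptions.

```typescript
type Severity = "critical" | "high";
interface Rule { severity: Severity; pattern: RegExp; message: string }
interface Finding { severity: Severity; file: string; line: number; message: string }

const RULES: Rule[] = [
  { severity: "critical", pattern: /throw new/, message: "Thrown exception, return Result.err" },
  { severity: "high", pattern: /console\.(log|error|warn)/, message: "Console logging, use ctx.logger" },
  { severity: "high", pattern: /(homedir|~\/\.)/, message: "Hardcoded home path" },
  { severity: "high", pattern: /Handler<.*> = async \(input\)/, message: "Handler without context" },
];

// Scan one file's text line by line (hypothetical helper).
function audit(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    // Assumption: comment-only lines are skipped; plain rg would report them.
    if (text.trim().startsWith("//")) return;
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ severity: rule.severity, file, line: i + 1, message: rule.message });
      }
    }
  });
  return findings;
}

// Render findings in the page's report format (hypothetical helper).
function report(target: string, findings: Finding[]): string {
  const critical = findings.filter((f) => f.severity === "critical");
  const high = findings.filter((f) => f.severity === "high");
  // Assumption: the page does not define how findings map to a status.
  const status = critical.length > 0 ? "FAIL" : high.length > 0 ? "WARNINGS" : "PASS";
  const section = (title: string, items: Finding[]): string[] =>
    items.length === 0 ? [] : ["", `### ${title}`,
      ...items.map((f, n) => `${n + 1}. [${f.file}:${f.line}] ${f.message}`)];
  return [`## Stack Compliance: ${target}`, "", `**Status**: ${status}`,
    `**Issues**: ${critical.length} critical, ${high.length} high, 0 medium`,
    ...section("Critical", critical), ...section("High", high)].join("\n");
}

// Constructed sample input, not taken from any real code base.
const SAMPLE = [
  "const getUser: Handler<Input, User> = async (input) => {",
  "  // throw new Error is what the migration removes",
  '  console.log("User " + input.id);',
  '  const cfg = path.join(os.homedir(), ".myapp", "config.json");',
  '  if (!input.id) throw new Error("Not found");',
  "};",
].join("\n");
console.log(report("src/user.ts", audit("src/user.ts", SAMPLE)));
```

The medium count is always 0 here because none of the page's rg patterns target a Medium-level issue.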

Related Skills

  • stack:patterns — Correct patterns reference
  • stack:migration — Converting non-compliant code
  • stack:debug — Troubleshooting issues