Pre-Ship Review

Structured quality review before shipping code at any checkpoint: PRs, releases, milestones. Catches the failures that occur at integration boundaries -- where contracts, examples, constants, and tests must all agree.

Core thesis: AI-generated code excels at isolated components but fails systematically at boundaries between components. This skill systematically checks those boundaries.

When to Use This Skill

Use before any significant code shipment:

• Pull requests with multiple new modules that wire together
• Releases combining work from multiple contributors or branches
• Milestones where quality gates must pass before proceeding
• Any checkpoint where code with examples, constants across files, or interface extensions needs validation

NOT needed for: single-file cosmetic changes, documentation-only updates, dependency bumps.

---

TodoWrite Task Templates

MANDATORY: Select and load the appropriate template before starting review.

Template A: New Feature Ship

1. Detect changed files and scope (git diff --name-only against base branch)
2. Run Phase 1 - External tool checks (Pyright, Vulture, import-linter, deptry, Semgrep, Griffe)
3. Run Phase 2 - cc-skills orchestration (code-hardcode-audit, dead-code-detector, pr-gfm-validator)
4. Run Phase 2 conditional checks based on file types changed
5. Phase 3 - Verify every function parameter has at least one caller passing it by name
6. Phase 3 - Verify every config/example parameter maps to an actual function kwarg
7. Phase 3 - Check for architecture boundary violations (hardcoded feature lists, cross-layer coupling)
8. Phase 3 - Verify domain constants and formulas are correct (cross-reference cited sources)
9. Phase 3 - Audit test quality - do tests test what they claim (not side effects)?
10. Phase 3 - Check for implicit dependencies between new components
11. Phase 3 - Look for O(n^2) patterns where O(n) suffices
12. Phase 3 - Verify error messages give actionable guidance
13. Phase 3 - Confirm examples reflect actual behavior, not aspirational behavior
14. Compile findings report with severity and suggested fixes

Template B: Bug Fix Ship

1. Verify the fix addresses root cause, not symptom
2. Verify the fix does not mask information flow
3. Check that new test reproduces the original bug (fails without fix)
4. Run Phase 1 - External tool checks on changed files
5. Run Phase 2 - cc-skills checks on changed files
6. Verify constants consistency if any values changed
7. Compile findings report

Template C: Refactoring Ship

1. Verify all callers updated to match new signatures
2. Run Phase 1 - External tool checks (especially Griffe for API drift)
3. Run Phase 2 - cc-skills checks (especially dead-code-detector)
4. Verify examples/docs updated to match new parameter names
5. Verify no dead imports from removed features
6. Check for introduced cross-boundary coupling
7. Compile findings report

---

Three-Phase Workflow

Phase 1: External Tool Checks (~15s, parallelizable)

Run static analysis tools on changed files. Skip any tool that is not installed (graceful degradation).

Detect scope:
  git diff --name-only $(git merge-base HEAD main)...HEAD

Run in parallel:
  pyright --outputjson <changed_py_files>          # Type contracts
  vulture <changed_py_files> --min-confidence 80   # Dead code / YAGNI
  lint-imports                                      # Architecture boundaries
  deptry .                                          # Dependency hygiene
  semgrep --config .semgrep/ <changed_files>        # Custom pattern rules
  griffe check --against main <package>             # API signature drift

What each tool catches:

Tool	Anti-Pattern	Install
Pyright (strict)	Interface contracts, return types, cross-file type errors	pip install pyright
Vulture	Dead code, unused constants/imports (YAGNI)	pip install vulture
import-linter	Architecture boundary violations, forbidden imports	pip install import-linter
deptry	Unused/missing/transitive dependencies	pip install deptry
Semgrep	Non-determinism, silent param absorption, banned patterns	brew install semgrep
Griffe	Breaking API changes, signature drift vs base branch	pip install griffe

Graceful degradation: If a tool is not installed, log a warning and skip it. Never fail the entire review because one optional tool is missing.

For detailed tool procedures, see Automated Checks Reference. For installation instructions, see Tool Install Guide.

Phase 2: cc-skills Orchestration (~30s, subagent-parallelizable)

Invoke existing cc-skills that complement external tools.

Always run:

• code-hardcode-audit -- Hardcoded values, magic numbers, leaked secrets
• dead-code-detector -- Polyglot dead code detection (Python, TypeScript, Rust)
• pr-gfm-validator -- PR description link validity (if creating a PR)

Run conditionally based on changed file types:

Condition	Skill to invoke
Python files changed	impl-standards (error handling, constants, logging)
500+ lines changed	code-clone-assistant (duplicate code detection)
Plugin/hook files changed	plugin-validator (structure, silent failures)
Markdown/docs changed	link-validation (broken links, path policy)

Phase 3: Human Judgment Review (Claude-assisted)

These checks require understanding intent, domain correctness, and architectural fitness. Go through each one manually.

Check 1: Architecture Boundaries

• Does new code in a "core" layer reference names from a "plugin" or "capability" layer?
• Are there hardcoded lists of feature/plugin names? (Boundary violation)
• Would adding another instance of this feature type require modifying core code?

Check 2: Domain Correctness

• Are mathematical formulas correct? Cross-reference with cited papers.
• Are constants labeled correctly? (e.g., a "daily" constant should use the daily value)
• Do units and time periods match? (annual vs daily rates, quarterly vs monthly lambdas)

Check 3: Test Quality

• Does each test exercise the specific function it claims to test?
• Or does it test a side-effect? (Function A tests function B which internally calls A)
• Are edge cases covered? (Empty input, NaN, single element, division by zero)

Check 4: Dependency Transparency

• If component A requires component B to run first, is this documented?
• Are ordering requirements explicit in interfaces, not just in examples?

Check 5: Performance

• Any nested loops over the same data? (Potential O(n^2))
• Any expanding-window operations that could be rolling or full-sample?
• Any per-element operations that could be vectorized?

Check 6: Error Message Quality

• Do errors tell users what to DO, not just what went wrong?
• Do validation errors reference the specific parameter/value that failed?

Check 7: Example Accuracy

• Do examples demonstrate features that actually work in the code?
• Are there parameters in examples that get silently absorbed by **kwargs or **_?

For detailed check procedures, see Judgment Checks Reference.

---

Universal Pre-Ship Checklist

Phase 1 (Tools):
- [ ] Pyright strict passes on changed files (no type errors)
- [ ] Vulture finds no unused code in new files (or allowlisted)
- [ ] import-linter passes (no architecture boundary violations)
- [ ] deptry passes (no unused/missing dependencies)
- [ ] Semgrep custom rules pass (no non-determinism, no silent param absorption)
- [ ] Griffe shows no unintended API breaking changes vs base branch

Phase 2 (cc-skills):
- [ ] code-hardcode-audit passes (no magic numbers or secrets)
- [ ] dead-code-detector passes (no unused code)
- [ ] PR description links valid (pr-gfm-validator)

Phase 3 (Judgment):
- [ ] No new cross-boundary coupling introduced
- [ ] Domain constants and formulas are mathematically correct
- [ ] Tests actually test what they claim (not side effects)
- [ ] Implicit dependencies between components are documented
- [ ] No O(n^2) where O(n) suffices
- [ ] Error messages give actionable guidance
- [ ] Examples reflect actual behavior, not aspirational behavior

---

Anti-Pattern Catalog

This skill is built on a taxonomy of 9 integration boundary anti-patterns. For the full catalog with examples, detection heuristics, and fix approaches, see Anti-Pattern Catalog.

#	Anti-Pattern	Detection Method
1	Interface contract violation	Pyright + Griffe + manual trace
2	Misleading examples	Semgrep + manual config-to-code comparison
3	Architecture boundary violation	import-linter + manual review
4	Incorrect domain constants	Semgrep + domain expertise
5	Testing gaps	mutmut + manual test audit
6	Non-determinism	Semgrep custom rules
7	YAGNI	Vulture + dead-code-detector
8	Hidden dependencies	Manual dependency trace
9	Performance anti-patterns	Manual complexity analysis

---

Post-Change Checklist

After modifying THIS skill:

• Anti-pattern catalog reflects real-world findings
• Tool install guide has current versions and commands
• TodoWrite templates cover the three ship types
• Universal checklist is complete and non-redundant
• All references/ links resolve correctly
• Append changes to references/evolution-log.md

---

Troubleshooting

Issue	Cause	Solution
Tool not found	External tool not installed	Install per tool-install-guide.md or skip (graceful degradation)
Too many Vulture false positives	Framework entry points look unused	Create allowlist: vulture --make-whitelist > whitelist.py
Semgrep too slow	Large codebase scan	Scope to changed files only: semgrep --include=<changed>
import-linter has no contracts	Project not configured	Add [importlinter] section to pyproject.toml
Griffe reports false breaking changes	Intentional API change	Use griffe check --against main --allow-breaking
Phase 3 finds nothing but reviewer finds issues	New anti-pattern category	Add to catalog and evolution-log.md
cc-skill not triggering	Skill not installed in marketplace	Verify with /plugin list

---

Reference Documentation

For detailed information, see:

• Automated Checks Reference -- Phase 1 external tool procedures
• Judgment Checks Reference -- Phase 3 human-judgment procedures
• Anti-Pattern Catalog -- Full 9-category taxonomy with examples
• Tool Install Guide -- Installation and setup for all external tools
• Evolution Log -- Change history