pma-code-review
PMA Code Review
Use this skill to review changed code with a high-signal, low-noise process.
This skill is designed for:
- local diff review before commit or merge
- pull request review for changed lines and surrounding context
- repository-wide audit of an existing codebase
- PMA-managed repositories that want stack-aware review, not generic checklist spam
Scope
The skill has one entry point and multiple internal review packs:
- shared review policy
- TypeScript frontend review
- TypeScript backend / Bun review
- Go review
- Rust review
- Python review
Keep the entry skill lean. Load only the reference files needed for the detected stack.
Quick Start
Local review:
/pma-code-review
PR review:
/pma-code-review <PR-number-or-URL>
Repository audit:
/pma-code-review audit
/pma-code-review repo
/pma-code-review --repo
Workflow
- Detect review mode:
  - no argument: local diff review
  - PR number or URL: PR review
  - audit, repo, or --repo: repository audit
- Read references/core-review-policy.md.
- For repository audit, also read references/repository-audit.md.
- Detect stack from changed files and project manifests.
- Read only the matching stack packs:
  - references/typescript-frontend.md
  - references/typescript-backend.md
  - references/go.md
  - references/rust.md
  - references/python.md
- Review changed code plus the minimal surrounding context required to verify behavior.
- Report only issues that are likely real and introduced by the change, or for repository audit, issues that are evidenced by current repository code.
Stack Selection
Use these heuristics:
- TypeScript frontend: tsx, React, Next.js, Vite, routing, UI components, browser state, client forms
- TypeScript backend / Bun: Hono, Express, Fastify, Nest, Bun server code, API routes, DB access, workers
- Go: go.mod, *.go
- Rust: Cargo.toml, *.rs
- Python: pyproject.toml, setup.py, requirements.txt, *.py
If the change spans multiple stacks, load all relevant packs and review each changed area against the correct pack.
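The routing described under Workflow and Stack Selection, sketched in Python as an added example that is not part of the skill itself. The function names and the dependency marker sets are assumptions; only the mode arguments and the reference pack paths come from this page.

```python
from pathlib import PurePosixPath

# Pack paths and mode arguments come from the page. The dependency marker
# sets are a simplified reading of its heuristics (assumption).
FRONTEND_DEPS = {"react", "next", "vite"}
BACKEND_DEPS = {"hono", "express", "fastify", "@nestjs/core"}
BY_NAME = {"go.mod": "go", "Cargo.toml": "rust", "pyproject.toml": "python",
           "setup.py": "python", "requirements.txt": "python"}
BY_SUFFIX = {".go": "go", ".rs": "rust", ".py": "python",
             ".tsx": "typescript-frontend"}


def detect_mode(arg=None):
    """Map the skill argument to a review mode."""
    if not arg:
        return "local"
    if arg in ("audit", "repo", "--repo"):
        return "audit"
    if arg.isdigit() or arg.startswith(("https://", "http://")):
        return "pr"
    raise ValueError(f"unrecognized review argument: {arg!r}")


def select_packs(changed_files, package_deps=()):
    """Return the stack packs matching the changed files, sorted."""
    deps = set(package_deps)
    fe, be = bool(deps & FRONTEND_DEPS), bool(deps & BACKEND_DEPS)
    stacks = set()
    for path in changed_files:
        p = PurePosixPath(path)
        stack = BY_NAME.get(p.name) or BY_SUFFIX.get(p.suffix)
        if stack:
            stacks.add(stack)
        elif p.suffix == ".ts":
            # Plain .ts is ambiguous: use manifest deps, and load both
            # packs when they do not settle it, so no area goes unreviewed.
            if be or not fe:
                stacks.add("typescript-backend")
            if fe or not be:
                stacks.add("typescript-frontend")
    return [f"references/{s}.md" for s in sorted(stacks)]


def files_to_read(arg, changed_files, package_deps=()):
    """Reference files to load, in workflow order."""
    refs = ["references/core-review-policy.md"]
    if detect_mode(arg) == "audit":
        refs.append("references/repository-audit.md")
    return refs + select_packs(changed_files, package_deps)
```

A change touching only files with no stack marker, such as a README, yields just the shared policy file.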
Review Priorities
Always review in this order:
- Correctness and regressions
- Security and trust boundaries
- Data integrity and error handling
- Concurrency, cancellation, and resource lifetime
- Performance and scalability
- Maintainability and tests
Do not spend review budget on stylistic nits unless they violate an explicit project rule.
Local Review Mode
Use local mode for uncommitted or staged changes.
- inspect staged and unstaged diffs
- read enough surrounding code to validate behavior
- produce a findings-first report ordered by severity
- block approval for critical issues
PR Review Mode
Use PR mode for GitHub pull requests.
- inspect PR metadata and diff with gh
- skip ineligible PRs such as closed or draft PRs
- gather relevant CLAUDE.md / AGENTS.md guidance
- review only changed behavior and nearby context, not unrelated legacy code
- when useful, split the audit by concern or stack, then merge only high-confidence findings
- post review to GitHub via gh pr review: request changes when issues are found, approve when clean
Repository Audit Mode
Use repository audit mode when the goal is to assess the current repository, not a diff.
- inventory manifests, entry points, CI, tests, and stack markers
- identify hotspot areas such as auth, API edges, DB access, jobs, filesystem, external calls, config loading, and isolated dead code
- inspect the highest-risk modules first
- deduplicate findings by root cause, not by file count
- separate confirmed findings from coverage gaps and suggested next actions
Output Rules
Report findings only when they are strong enough to matter:
- prioritize issues that can break behavior, security, correctness, or operations
- skip issues that linters, compilers, or typecheckers already guarantee
- skip unchanged legacy problems unless the change makes them worse or exposes them
- consolidate repeated instances into one finding when the root cause is shared
For local mode, output:
- severity
- file and line
- issue
- fix direction
For PR mode, output concise review comments that can be posted directly.
For repository audit mode, output:
- findings grouped by P0 to P3
- affected areas
- issue and impact
- dead-code findings
- dead-code removal candidates
- needs runtime verification
- coverage gaps
- recommended next actions
Reference Packs
- references/core-review-policy.md: confidence filter, severity policy, shared review heuristics
- references/repository-audit.md: repository-wide audit workflow, hotspot selection, and report structure
- references/typescript-frontend.md: React / Next.js / Vite / browser UI review rules
- references/typescript-backend.md: Node / Bun / API / validation / DB / async review rules
- references/go.md: Go review rules around context, errors, concurrency, HTTP, and resource safety
- references/rust.md: Rust review rules around panic boundaries, async blocking, unsafe, docs, and API contracts
- references/python.md: Python review rules around validation, deserialization, async, type safety, and command injection
These packs intentionally hold the detailed rules so this file stays small and cheap to load.