Assay
Use this skill to perform a local, gate-based static code review. The review opens quality gates in order; a failure at a lower gate blocks higher gates because later judgments are not useful when basic hygiene, naming, or error handling is already broken.
This skill does not call remote services, post comments, approve code, or modify files. It reviews local or pasted input and produces a structured report.
Workflow
Phase 0: Resolve Local Input
Normalize the user's input into a review scope:
| Input | Resolution |
|---|---|
| Pasted code or diff | Review the provided content directly |
| Local file path(s) | Read full file content; no diff context unless available |
| Local git diff | Review changed files and hunks |
| Commit hash or range | Use local git diff when available |
| Branch name | Use local merge-base diff when available |
| Ambiguous request | Ask for files, diff, commit/range, branch, or pasted code |
Do not fetch MR/PR data, call remote APIs, or require authentication. If remote context is needed, ask the user to provide a local diff or pasted content.
Phase 1: Calibrate Review Depth
Choose how many gates to open. Default to Gates 1-5 for ordinary local changes.
| Context | Gate Range |
|---|---|
| Draft, WIP, exploratory code | Gates 1-3 |
| Ordinary feature or internal tool | Gates 1-5 |
| Shared library, production path, or public API | Gates 1-7 |
| Security-sensitive code, auth, crypto, command execution, or user input boundary | Gates 1-8 |
When ambiguous, ask what destination or risk level the code has.
Phase 2: Triage Large Scopes
When the review scope contains more than 5 files, run a rapid triage before deep inspection. For 5 or fewer files, skip triage and proceed to structural extraction.
Triage checks:
| # | Check | Fail Signal |
|---|---|---|
| 1 | Dead code | Commented-out code, unused imports, debug output |
| 2 | Naming clarity | Public names are vague or misleading |
| 3 | Nesting depth | Nesting deeper than 3 levels |
| 4 | Function length | Functions are long enough to hide multiple responsibilities |
| 5 | Error swallowing | Empty catch/except or ignored failure |
| 6 | Domain mixing | I/O and business logic mixed in one unit |
| 7 | Raw field assembly | Complex conditions lack semantic helpers |
| 8 | Duplication scent | Similar logic appears repeatedly |
| 9 | Security smell | Secrets, unsafe interpolation, sensitive logs, unchecked dangerous input |
Classify files:
| Class | Criteria | Next Action |
|---|---|---|
| Red | 3 or more checks fail | Full gate inspection |
| Yellow | 1-2 checks fail | Inspect targeted gate and all lower gates |
| Green | 0 checks fail | Pass unless specifically requested |
Security smell is dual-track: report it as a triage alert even if Gate 8 is blocked by a lower gate.
Phase 3: Structural Extraction
Before opening gates, extract structure for each reviewed function, class, module, or relevant code unit. Use extraction to guide the gate review; do not rely only on raw diff text.
Record:
- Closures, callbacks, or nested functions.
- Inline objects or local entities with behavior.
- I/O operations and external side effects.
- Deepest nesting and the reason for it.
- Domain distribution: infrastructure, business, presentation, or mixed.
- Lifecycle: one-shot, persistent, or mixed.
- Captured variables and hidden dependencies.
- Obvious anomalies discovered during extraction.
- Available source of truth for Gate 6: locate any spec or governance doc
(
openspec/,PROJECT.md,AGENTS.md, ADRs, a linked issue) to judge logic against, or note that none was found.
Phase 4: Sequential Gate Review
Read references/gates.md for gate definitions.
Open gates in order. If a gate fails, stop opening higher gates for that file or review scope. Do not manufacture findings. Silence means compliance for detail sections; the gate index still records which gates opened, passed, failed, or were blocked.
Phase 5: Report
Produce a report using this format:
## Review Record
**Source**: [input reference]
**Calibration**: Gates 1-[N] ([reason])
**Triage**: [skipped | Red M / Yellow N / Green K]
**Verdict**: [PASS | FAIL at Gate N]
### Gate Index
| Gate | Focus | Status |
|---:|---|---|
| 1 | Formatting & Syntax Hygiene | [pass | fail | blocked | not inspected] |
| 2 | Naming & Readability | [pass | fail | blocked | not inspected] |
| 3 | Error Handling & Observability | [pass | fail | blocked | not inspected] |
| 4 | Control Flow & Structural Clarity | [pass | fail | blocked | not inspected] |
| 5 | Responsibility & Boundaries | [pass | fail | blocked | not inspected] |
| 6 | Business Logic Integrity | [pass | fail | blocked | not inspected] |
| 7 | Deduplication & Composition | [pass | fail | blocked | not inspected] |
| 8 | Security & Parameter Integrity | [pass | fail | blocked | not inspected] |
### Security Triage Alert
[Include only when triage check 9 fails.]
### Gate N: [name]
| # | Location | Violation | Correction |
|---|---|---|---|
| 1 | `file:line` | Gate N: specific standard violated | Concrete correction |
### Structural Appendix
[Include summaries for code units related to findings.]
Phase 6: Optional Fix Plan
Produce a fix plan only when the user asks for one.
Fix-plan rules:
- One violation per fix.
- Fix order follows gate order.
- Within the same gate, order by file and line unless logical dependencies require otherwise.
- No opportunistic fixes.
- Each fix includes verification criteria.
Rules
- Review only; do not modify code.
- Use local or pasted inputs only; do not call remote PR/MR APIs.
- Open gates sequentially and stop at the first failed gate.
- Report security triage alerts even when deep security inspection is blocked.
- Give concrete corrections; avoid vague suggestions such as "consider improving".
- If all opened gates pass, the Gate Index is the report; do not invent findings.
- Mention when tests, builds, or runtime checks were not run.
- Stay in lane; hand off at the boundary. This skill is static, local review only.
For runtime/behavioral correctness point to
verify; for deep security analysis beyond Gate 8's surface checks point tosecurity-review. Name the handoff rather than half-doing the other skill's job.