Check

1---2name: check3description: Invoke after any implementation task completes or before merging. Reviews the diff, auto-fixes safe issues, runs specialist security and architecture reviewers on large diffs. Not for exploring ideas or debugging.4metadata:5  version: "3.10.1"6---7 8# Check: Review Before You Ship9 10Prefix your first line with 🥷 inline, not as its own paragraph.11 12 13Read the diff, find the problems, fix what can be fixed safely, ask about the rest. Done means verification ran in this session and passed.14 15## Get the Diff16 17Get the full diff between the current branch and the base branch. If unclear, ask. If already on the base branch, ask which commits to review.18 19## Scope20 21Measure the diff and classify depth:22 23| Depth | Criteria | Reviewers |24|-------|----------|-----------|25| **Quick** | Under 100 lines, 1-5 files | Base review only |26| **Standard** | 100-500 lines, or 6-10 files | Base + conditional specialists |27| **Deep** | 500+ lines, 10+ files, or touches auth/payments/data mutation | Base + all specialists + adversarial pass |28 29State the depth before proceeding.30 31## Did We Build What Was Asked?32 33Before reading code, check scope drift: do the diff and the stated goal match? Label: **on target** / **drift** / **incomplete**.34 35Drift signals (examples, not exhaustive -- any one is enough to label drift):36- A changed file has no connection to the stated goal37- The diff includes pure refactoring (renames, formatting, restructuring) when the goal was a bug fix or feature38- A new dependency appears that the goal did not mention39- Code unrelated to the goal was deleted or commented out40- A new abstraction or helper was introduced that is not required by the goal41 42## Hard Stops (fix before merging)43 44Examples, not exhaustive -- flag any diff that could cause irreversible harm if merged unreviewed.45 46- **Destructive auto-execution**: any task marked "safe" or "auto-run" that modifies user-visible state (history files, config, preferences, installed software) must require explicit confirmation.47- **Release artifacts missing**: verify every artifact listed in the release template exists as a local file and has been uploaded before declaring done.48- **Unknown identifiers in diff**: any function, variable, or type introduced in the diff that does not exist in the codebase is a hard stop. Grep before writing or approving any reference: `grep -r "name" .` -- no results outside the diff = does not exist.49- **Injection and validation**: SQL, command, path injection at system entry points. Credentials hardcoded or logged.50- **Dependency changes**: unexpected additions or version bumps in package.json, Cargo.toml, go.mod, requirements.txt. Flag any new dependency not obviously required by the diff.51 52## Specialist Review (Standard and Deep only)53 54Load `references/persona-catalog.md` to determine which specialists activate. Launch all activated specialists in parallel via the environment's agent or sub-agent facility when available, passing the full diff. If no parallel reviewer facility exists, run the specialist passes sequentially in the same session.55 56Merge findings: when two specialists flag the same code location, keep the higher severity and note cross-reviewer agreement. Findings on different code locations are never duplicates even if they share a theme.57 58## Autofix Routing59 60| Class | Definition | Action |61|-------|------------|--------|62| `safe_auto` | Unambiguous, risk-free: typos, missing imports, style inconsistencies | Apply immediately |63| `gated_auto` | Likely correct but changes behavior: null checks, error handling additions | Batch into one user confirmation block |64| `manual` | Requires judgment: architecture, behavior changes, security tradeoffs | Present in sign-off |65| `advisory` | Informational only | Note in sign-off |66 67Apply all `safe_auto` fixes first. Batch all `gated_auto` into one confirmation block. Never ask separately about each one.68 69## Adversarial Pass (Deep only)70 71"If I were trying to break this system through this specific diff, what would I exploit?" Four angles (see `references/persona-catalog.md`): assumption violation, composition failures, cascade construction, abuse cases. Suppress findings below 0.60 confidence.72 73## GitHub Operations74 75Use `gh` CLI for all GitHub interactions, not MCP or raw API. Confirm CI passes before merging.76 77## Verification78 79Run `bash "${CLAUDE_SKILL_DIR:-$HOME/.agents/skills/check}/scripts/run-tests.sh"` or the project's known verification command. Paste the full output.80 81If the script exits non-zero or prints `(no test command detected)`: halt. Do not claim done. Ask the user for the verification command before proceeding. If the user also cannot provide one, document this explicitly in the sign-off as `verification: none -- no command available` and flag it as a structural gap, not a pass.82 83For bug fixes: a regression test that fails on the old code must exist before the fix is done.84 85If any of these phrases appear in your reasoning, stop and run verification first:86- "should work now" / "probably correct" / "seems to be working" / "trivial change"87 88## Gotchas89 90| What happened | Rule |91|---------------|------|92| Commented on #249 when discussing #255 | Run `gh issue view N` to confirm title before acting |93| PR comment sounded like a report | 1-2 sentences, natural, like a colleague. Not structured, not AI-sounding. |94| PR comment used bullet points | Write as paragraphs; thank the contributor first |95| article.en.md inside _posts_en/ doubled the suffix | Check naming convention of existing files in the target directory first |96| Deployed without env vars set | Run `vercel env ls` before deploying; diff against local keys |97| Push failed from auth mismatch | Run `git remote -v` before the first push in a new project |98 99## Sign-off100 101```102files changed:    N (+X -Y)103scope:            on target / drift: [what]104review depth:     quick / standard / deep105hard stops:       N found, N fixed, N deferred106specialists:      [security, architecture] or none107new tests:        N108verification:     [command] -> pass / fail109```