review

# review — refute the spec before build

**Every finding cites evidence — file:line or a source. No evidence → flag `[unverified]`. Default to refuted: a flaw you cannot prove is a flaw you note, not one you wave through.**

An LLM cannot self-correct on its own judgment — left alone it drifts or
degrades. Review fixes that the only way that works: a *separate* skeptic
anchored to an *external oracle* — the code, §R, the test suite, the docs.
"Looks good" is not a review. A refutation attempt is.

## WHEN TO REVIEW

- Before `/build` on a high-blast-radius change (shared module, auth, data, money, public API).
- Spec touched §I or §V that other code depends on.
- Right-sizing says the cost of a wrong build > the cost of one review pass.

Skip for a trivial, reversible, well-understood change. Adversarial review on a
typo hallucinates flaws & wastes the budget — the self-critique paradox is real.

## PHASE 0 — CAPTURE

Read the spec: §G §C §I §R §V §T. Hold the whole thing. You review the *spec*,
not your memory of the conversation.

## PHASE 1 — CONSTRUCT THE SENIOR

Build a reviewer with real authority, not a generic critic:
- **Codebase** — grep/read the modules this spec touches. What patterns, what invariants already hold?
- **§R** — what did research establish? A spec decision that contradicts §R is a finding.
- **Live** — for any best-practice claim you are unsure of, fetch it. An out-of-date assumption is a flaw.

A reviewer with no evidence is just an opinion. Earn the authority first.

## PHASE 2 — REFUTE

Attack the spec on these axes. For each, try to find the case where it breaks:
- **Goal vs reality** — does §G solve the actual problem, or a proxy?
- **Missing invariant** — what can go wrong that no §V catches? (most findings live here)
- **Interface drift** — does §I match what callers already expect? (cite the caller, file:line)
- **Constraint conflict** — do two §C bullets contradict? does one fight §R?
- **Unowned edge** — the input, ordering, failure, or concurrency case no §T covers.
- **Altitude** — §T too vague to act on, or so granular it is just typing?

## PHASE 3 — CLASSIFY

Each finding: `evidence → claim → severity`.
- **BLOCK** — build on this spec ships a real defect. Must fix first.
- **HARDEN** — add/sharpen a §V so the build cannot regress it.
- **NOTE** — worth knowing, not blocking.

No evidence? Down-rank to NOTE & tag `[unverified]`. ⊥ inflate a hunch to BLOCK.

## PHASE 4 — HARDEN §V & GATE

- Each HARDEN finding → a draft §V line (testable, cites the §I/behavior it guards). Hand to **spec** to write.
- End on an explicit gate:

```
## review verdict
BLOCK: 1 — §I.api shape ≠ caller src/client.ts:40. fix §I before build.
HARDEN: 2 — drafted V8 (idempotent refund), V9 (tx around dual write).
NOTE: 1 — §T4 vague, split before /build.
gate: NO-GO until BLOCK cleared. then /build §T after spec writes V8,V9.
```

GO or NO-GO, never a shrug. Review is the checkpoint that stops a confident wrong build.

## BOUNDARIES

- ⊥ write SPEC.md. Draft §V & hand to spec.
- ⊥ pass a finding with no evidence as fact. Flag `[unverified]`.
- ⊥ review trivia. Right-size or skip.
- ⊥ rewrite the user's intent. You harden the spec, you do not replace its goal.