review
The review skill performs structured code review by dynamically loading validation frameworks based on code changes and producing a severity-ranked report with specific findings and fixes. Use it when requested to review code, validate changes, check quality, or assess pull requests. It conditionally applies architecture, security, domain-driven design, and testing checks only when code modifications touch those domains, while always running clean code and project context checks.
git clone --depth 1 https://github.com/techygarg/lattice /tmp/review && cp -r /tmp/review/skills/molecules/review ~/.claude/skills/reviewSKILL.md
# Review ## Required Skills Load/apply skills based on scope (see Step 2 for conditional loading): 1. `framework:knowledge-priming` -- Load project context (tech stack, architecture, conventions) to evaluate against real standards (always loaded) 2. `framework:learning-harvest` -- Load prior operational learnings inform review; harvest new patterns at session end (always) 3. `framework:collaborative-judgment` -- Surface borderline findings with both interpretations instead of silently classifying (always loaded) 4. `framework:clean-code` -- Code craft: SRP, naming, complexity, error handling (always loaded) 5. `framework:architecture` -- Structural: layer rules, dependency direction, architectural flows (conditional) 6. `framework:domain-driven-design` -- Domain modeling: aggregates, entities, value objects (conditional) 7. `framework:secure-coding` -- Security: trust boundaries, injection, secrets, input handling (conditional) 8. `framework:test-quality` -- Test: AAA structure, isolation, assertions, naming (conditional) ## Config Resolution Review molecule supports optional config thru review-standards doc from review-refiner (or hand-written). Configures review *process* — not what atoms check (that's atom-level config via atom refiners). **Resolution steps:** 1. Look for `.lattice/config.yaml` in repo root. 2. Check for config key `paths.review_standards`. 3. If doc exists at path, read & check YAML frontmatter for `mode`: - **`mode: overlay`**: Read embedded defaults first, then apply doc's sections on top. Sections matched by heading — custom replaces matching defaults, new appended. - **`mode: override`** (or no mode): Custom doc full precedence. Must be comprehensive. 4. If no config or no review-standards doc found, use embedded defaults thruout workflow (full backward compat — identical to review with no config). Review-standards doc has 7 sections map to workflow steps: | Section | Affects step | |---------|-------------| | §1 Atom Loading Policy | Step 2 (Load Relevant Atoms) | | §2 Severity Classification | Step 4 (Produce Report) | | §3 Report Preferences | Step 4 (Produce Report) | | §4 Scope Rules | Step 1 (Identify the Delta) | | §5 Insight Capture Preferences | Step 5 (Harvest Learnings and Log Review) | | §6 Health Log Preferences | Step 5 (Harvest Learnings and Log Review) | | §7 Custom Review Dimensions | Step 3 (Run Targeted Validation) | Each step notes where config applies with "**Config override**" callouts. When no review-standards doc exists, ignore callouts & use defaults. ## Workflow ### Step 1: Identify the Delta Use `framework:learning-harvest` Load behavior. Focus hint: "review session — focus: all categories". Prior learnings across all categories inform review — recurring patterns are more likely to be flagged, known fragile areas get extra attention. Determine what code reviewing & establish scope. - **PR or commit**: Use `git diff` for changed files/lines. Delta is changes, not entire codebase. - **Set of files**: User specifies files. Delta is those files. - **Feature or module**: User points to feature. Identify relevant files from codebase. Classify delta: 1. **Which architectural layers touched?** (per loaded architecture rules) -- determines if `architecture` loads. 2. **Is domain code included?** (files in configured `domain_folder` or containing aggregates, entities, value objects) -- determines if `domain-driven-design` loads. 3. **Security-sensitive areas touched?** (auth, authz, input handling, DB queries, external API calls, file I/O, config, secrets) -- determines if `secure-coding` loads. 4. **Test files included?** -- determines if `test-quality` loads. **Config override (§4 Scope Rules):** If review-standards doc defines scope rules, apply after identifying delta: - **Directory exclusions**: Remove files matching exclusion patterns from delta before classification. - **Directory inclusions (always-full-scan)**: When delta touches file in always-full-scan dir, expand delta to include all files in that dir. - **Surrounding-code policy**: Use configured policy (strict/default/expansive) instead of default. - **Dependency expansion**: If enabled, also include files that directly import from changed files. ### Step 2: Load Relevant Atoms **Always load**: `framework:clean-code` -- applies to all code regardless of layer/purpose. **Conditionally load** based on delta classification: | Condition | Load | Why | |-----------|------|-----| | Delta touches multiple layers, adds new files, or changes file locations | `framework:architecture` | Structural changes can break dependency direction or layer responsibilities | | Delta includes files in domain folder or modifies domain objects | `framework:domain-driven-design` | Domain changes can break aggregate boundaries, anemic models, or invariant enforcement | | Delta touches trust boundaries (HTTP handlers, auth, DB queries, external APIs, secrets, config) | `framework:secure-coding` | Security-sensitive code needs injection, validation, and secrets checks | | Delta includes test files | `framework:test-quality` | Test code has own quality standards (AAA, isolation, naming) | When multiple atoms load, run independently -- each atom's checklist applied to parts of delta relevant to it. Findings from different atoms merged Step 4. **Config override (§1 Atom Loading Policy):** If review-standards doc defines atom loading rules, apply instead of (override) or on top of (overlay) table above: - **Always-load overrides**: Additional atoms moved to always-load (e.g., `secure-coding` every review). `clean-code` and `knowledge-priming` must remain always-loaded regardless of config. - **Suppressed atoms**: Atoms listed as suppressed never loaded, even if delta matches trigger condition. - **Custom path-based triggers**: If delta includes files matching custom path pattern, load associated atom regardless of standard conditions. - **Modified conditions**: Replacement trigger condi
Audit and fix all Lattice documentation, README, docs/, GitHub issue templates, and CLAUDE.md to ensure they are fully aligned with the current skill inventory. Documentation drift is the most common source of user confusion in Lattice — a skill exists in the codebase but not in the docs, or a renamed skill leaves a stale reference in the bug report template. If you've made any change to skills/ and haven't run this, run it now. Use when the user says 'align docs', 'audit docs', 'update documentation', 'skill align', 'check docs are in sync', 'audit skill inventory', 'ensure docs are aligned', 'are the docs up to date', or 'what needs updating'. Standalone — does not call other skills.
Create a new Lattice skill — atom, molecule, or refiner — following all framework conventions. Writing skill files manually almost always produces convention violations: wrong section order, missing confirmation gates, defaults.md without the right structure. This skill knows all of that and guides you through it. Use whenever adding any new atom, molecule, or refiner to Lattice, or when the user says 'create a new skill', 'add an atom', 'add a molecule', 'add a refiner', 'build X for Lattice', 'new lattice skill', or 'skill forge'. Does not validate, align docs, or deploy — those are separate skills you run after.
Deep behavioral audit of a Lattice skill — proposes 3 review personas relevant to the skill, runs independent scenario analysis from each persona's perspective, then merges only the high-confidence, practical findings into a severity-ordered gap report with proposed fixes. Structural validation (conventions, cross-references) is skill-validate's job — this skill finds gaps that would realistically surface when someone actually uses the skill: missing scenario handling, ambiguous instructions, silent failure cases, and behavioral inconsistencies. Filters out theoretical edge cases, low-likelihood speculation, and findings owned by other skills. Use after writing or significantly changing any skill, or when the user says 'review this skill', 'deep review', 'does this skill work', 'find gaps in this skill', 'stress test this skill', 'review from different angles', or 'skill review'. Standalone — does not call other skills.
Validate any Lattice SKILL.md against all tier conventions — atoms, molecules, and refiners. Catches structural errors, broken cross-references, and convention violations before they reach the repo. If you just wrote or modified a Lattice skill file and haven't run this yet, run it now — manual review consistently misses the same categories of errors this skill is specifically designed to catch. Use when the user says 'validate this skill', 'check this skill', 'does this follow conventions', 'review this skill file', 'check my SKILL.md', or 'skill validate'. Reports PASS/FAIL with specific file-and-section findings and actionable fixes. Standalone — does not call other skills.
Architectural thinking partner for an existing repository — scans the codebase, conducts a structured interview, agrees on current architectural state and recommended direction, and produces a shareable insights document. Scoped to one repository, module, or folder. Does not execute transformation — it orients. Use when the user says 'assess my codebase architecture', 'what direction should my codebase go', 'architecture compass', 'understand my architecture', 'audit architecture drift', 'architectural assessment', or 'help me understand what is wrong with my codebase'.
Facilitate a structured conversation to define architecture principles for a repository. Supports multiple architecture styles: clean architecture (default), hexagonal / ports & adapters, modular monolith, or custom. Produces a formal architecture document that the corresponding atom will use. Use when setting up a new project, defining architecture standards, or when the user says 'setup architecture', 'define layers', 'architecture principles', 'help me define my architecture', 'hexagonal architecture', 'modular monolith', 'ports and adapters', or 'define my architecture style'.
Enforce architectural rules when generating or modifying code. Defaults to clean architecture; supports any architecture style via the architecture-refiner. Validates layer responsibilities, dependency direction, and structural constraints using the loaded architecture rules. Use when generating code, reviewing architecture, creating new files, or when the user mentions 'architecture', 'layers', 'structure', 'dependency rules', 'hexagonal architecture', 'ports and adapters', 'modular monolith', or 'onion architecture'. Also use when reviewing generated code for structural compliance.
Investigate, reproduce, and safely fix a bug with regression protection. Composes context, diagnosis, architecture, code quality, and testing guardrails into a reproduce-first repair workflow. Use when the user says 'fix this bug', 'debug this', 'investigate this failure', 'patch this regression', 'repair this issue', or 'why is this broken'.